ServiceNow
Insecure Access Control in ChartDataProcessor (xmlhttp.do)
- Initial access via $interactive_analysis.do, located here:
  - https://[service_now_instance]/$interactive_analysis.do?sysparm_field=password&sysparm_table=sys_user&sysparm_from_list=true&sysparm_query=active%3Dtrue%5Ecaller_id%3Djavascript:gs.getUserID()&sysparm_list_view=&sysparm_tiny_url=f040a8971ba38150d88b624c274bcbb3
- Click the horizontal bar graph to view report_viewer.do
- The GET request to report_viewer.do can be modified to a POST request (Exhibit A)
- report_viewer.do sends an XMLHttpRequest to xmlhttp.do
- Using "table":"sys_db_object", retrieval of all the table names in the system can be automated
- Enumerate the table names against the REST API to locate sensitive information (this is a separate vulnerability): /api/now/v2/table/{table_name}
- Some tables can be accessed with 200 OK; others return a 403 error
- View the 200 OK tables and determine whether they contain sensitive information
- The same xmlhttp.do exploit can then be used to enumerate the 403 tables to find new tables
- Some of these tables return information; however, only names can be viewed, not data
- When selecting groupby, use "name" or "subject"
- List of tables: https://demo.erm4sn.com/tables/tree/300
- Table data can be enumerated by 'groupby'
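The request chain above (xmlhttp.do queried against sys_db_object and grouped by a field, followed by a sweep of /api/now/v2/table/{table_name} that mixes 200 and 403 responses) leaves a recognisable trace in web access logs. The following detector is an added example, not code from the original report or from ServiceNow: it parses constructed log lines in a hypothetical "ip method path status" format and flags the two patterns. The query-string parameter names on the xmlhttp.do lines (table, groupby) and the table names other than sys_user and sys_db_object are placeholders, not the real ServiceNow request format.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines: "<client_ip> <method> <path_with_query> <status>".
# Parameter names and the example_* table names are placeholders (assumption),
# not the real ServiceNow wire format.
SAMPLE_LOG = """\
10.0.0.5 GET /$interactive_analysis.do?sysparm_table=sys_user&sysparm_field=password 200
10.0.0.5 GET /report_viewer.do 200
10.0.0.5 POST /xmlhttp.do?table=sys_db_object&groupby=name 200
10.0.0.5 GET /api/now/v2/table/sys_user 200
10.0.0.5 GET /api/now/v2/table/sys_db_object 403
10.0.0.5 GET /api/now/v2/table/example_table_1 200
10.0.0.5 GET /api/now/v2/table/example_table_2 403
10.0.0.5 GET /api/now/v2/table/example_table_3 403
10.0.0.5 GET /api/now/v2/table/example_table_4 403
10.0.0.5 POST /xmlhttp.do?table=example_table_2&groupby=name 200
10.0.0.9 GET /api/now/v2/table/example_table_1 200
10.0.0.9 POST /xmlhttp.do?table=example_table_1 200
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$")
REST_TABLE_RE = re.compile(r"^/api/now/v2/table/(?P<table>[A-Za-z0-9_]+)")


def parse_line(line):
    """Split one log line into ip, method, path, parsed query dict and status; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "method": m["method"],
        "path": parts.path,
        # keep the first value of each query parameter
        "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
        "status": int(m["status"]),
    }


def detect(log_text, sweep_min_tables=4, sweep_min_forbidden=2):
    """Return a list of findings for the two patterns described in the report.

    Rule 1 (xmlhttp_table_enum): a request to xmlhttp.do that targets sys_db_object
    (the table-of-tables) or carries a groupby parameter; each hit is one finding.
    Rule 2 (rest_table_sweep): one client touching many distinct /api/now/v2/table/
    names with several 403s among them, which is what an enumeration sweep looks like.
    """
    findings = []
    rest_hits = defaultdict(lambda: {"tables": set(), "forbidden": 0})

    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue

        if rec["path"] == "/xmlhttp.do":
            q = rec["query"]
            if q.get("table") == "sys_db_object" or "groupby" in q:
                findings.append({
                    "rule": "xmlhttp_table_enum",
                    "ip": rec["ip"],
                    "table": q.get("table"),
                    "groupby": q.get("groupby"),
                })

        m = REST_TABLE_RE.match(rec["path"])
        if m:
            hit = rest_hits[rec["ip"]]
            hit["tables"].add(m["table"])
            if rec["status"] == 403:
                hit["forbidden"] += 1

    # Sweep findings are emitted once per client after the whole log is read.
    for ip, hit in rest_hits.items():
        if len(hit["tables"]) >= sweep_min_tables and hit["forbidden"] >= sweep_min_forbidden:
            findings.append({
                "rule": "rest_table_sweep",
                "ip": ip,
                "distinct_tables": len(hit["tables"]),
                "forbidden": hit["forbidden"],
            })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)
```

On the constructed log, client 10.0.0.5 produces two xmlhttp_table_enum findings and one rest_table_sweep finding, while 10.0.0.9 (a single REST call and an xmlhttp.do request without groupby or sys_db_object) produces none. The thresholds are parameters so they can be tuned against a real instance's baseline, since legitimate report rendering also goes through xmlhttp.do and some 403s on the Table API are normal.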