├── requirements.txt ├── README.md └── service-now.py /requirements.txt: -------------------------------------------------------------------------------- 1 | requests 2 | selenium 3 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # service-now 2 | Service-Now Article Bruteforcer 3 | 4 | 5 | The idea here is that knowledge-base articles can be misconfigured in a way that exposes sensitive information. 6 | 7 | If you run into any issues, raise them here - https://github.com/RandomRobbieBF/service-now/issues 8 | 9 | or submit a PR! 10 | 11 | 12 | How to Use 13 | --- 14 | 15 | ``` 16 | python3 service-now.py -u somecompanyservice-now.com 17 | ``` 18 | 19 | ``` 20 | usage: service-now.py [-h] -u URL [-p PROXY] 21 | service-now.py: error: the following arguments are required: -u/--url 22 | ``` 23 | -------------------------------------------------------------------------------- /service-now.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # 3 | # 4 | # 5 | # service-now.py - Finding paths KB articles that should only be internal 6 | # 7 | # By @RandomRobbieBF 8 | # 9 | # 10 | 11 | import requests 12 | import sys 13 | import argparse 14 | import time 15 | import os 16 | from selenium import webdriver 17 | from selenium.webdriver.common.desired_capabilities import DesiredCapabilities 18 | from requests.packages.urllib3.exceptions import InsecureRequestWarning 19 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 20 | session = requests.Session() 21 | 22 | 23 | 24 | parser = argparse.ArgumentParser() 25 | parser.add_argument("-u", "--url", required=True ,default="my.service-now.com",help="URL to test - no need for https://") 26 | parser.add_argument("-p", "--proxy",required=False, help="Proxy for debugging") 27 | 28 | args = parser.parse_args() 29 | url = args.url 30 | proxy = args.proxy 
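# Use the optional debugging proxy for every scheme; the value is an empty
# string when -p/--proxy was not supplied.
http_proxy = proxy if proxy else ""

proxyDict = {
    "http": http_proxy,
    "https": http_proxy,
    "ftp": http_proxy,
}


def test_url(url, i):
    """Request one knowledge-base article and archive it if it is served.

    Args:
        url: Host name of the instance, without a scheme.
        i: Number appended to "KB00" to form the article ID.

    A response is treated as a readable article when it is HTTP 200,
    contains the rating-widget text, and contains neither the
    "INSUFFICIENT ROLES" nor the "ARTICLE NOT FOUND" banner. For such a
    response the URL is appended to ``<url>/found-<url>.txt``, the HTML is
    saved to ``<url>/KB00<i>.txt`` and a screenshot to ``<url>/KB00<i>.png``.

    Any exception is printed and the process exits with status 1.
    """
    headers = {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:75.0) Gecko/20100101 Firefox/75.0",
        "Connection": "close",
        "Accept": "*/*",
    }
    article = "KB00" + str(i)
    try:
        newurl = "https://" + url + "/kb_view_customer.do?sysparm_article=" + article
        # verify=False turns off certificate validation, so the peer is not
        # authenticated and the content archived below may come from an
        # intercepting party.
        # NOTE(review): presumably kept so an intercepting debug proxy works - confirm.
        response = session.get(
            newurl,
            headers=headers,
            verify=False,
            proxies=proxyDict,
            timeout=30,
        )
        if response.status_code != 200:
            # Non-200 responses are skipped without output.
            return

        page = response.text
        readable = (
            "1 out of 5 Star Rating" in page
            and "INSUFFICIENT ROLES TO VIEW PROTECTED ARTICLE" not in page
            and "ARTICLE NOT FOUND" not in page
        )
        if not readable:
            print("[-] No Luck for KB00" + str(i) + " [-]")
            return

        # exist_ok avoids the check-then-create race of exists() + mkdir().
        os.makedirs(url, exist_ok=True)
        print("[+] Found article for KB00" + str(i) + " [+]")

        # Running list of the URLs that were served.
        with open(url + "/found-" + url + ".txt", "a") as found_list:
            found_list.write(newurl + "\n")

        # Raw HTML for later review. An explicit encoding keeps a page with
        # characters outside the locale's code page from aborting the run.
        with open(url + "/" + article + ".txt", "a", encoding="utf-8") as page_dump:
            page_dump.write(page)

        # Screenshot as evidence; the remote browser session is always ended,
        # even if loading the page or saving the image fails.
        driver = webdriver.Remote('http://127.0.0.1:4444', DesiredCapabilities.CHROME)
        try:
            driver.get(newurl)
            driver.set_window_size(1290, 1080)
            driver.save_screenshot(url + "/" + article + ".png")
        finally:
            driver.quit()
    except Exception as e:
        print('Error: %s' % e)
        print("[-]Check Url might have Issues[-]")
        # Exit non-zero so callers can tell a failed run from a completed one.
        sys.exit(1)


try:
    # The WebDriver endpoint has no authentication, so it is published on
    # loopback only rather than on every interface of the host.
    # NOTE(review): the image is pulled from a third-party account by mutable
    # tag; consider pinning it by digest after reviewing its contents.
    os.system("docker run --name screenshotter -d --rm -p 127.0.0.1:4444:4444 txt3rob/headless-chromedriver")
    # Article IDs KB0010040 through KB0029999.
    for i in range(10040, 30000):
        test_url(url, i)
except KeyboardInterrupt:
    print("Ctrl-c pressed ...")
    sys.exit(1)
except Exception as e:
    print('Error: %s' % e)
    sys.exit(1)
finally:
    # Runs on every exit path, including the SystemExit raised inside
    # test_url, so the container is never left running.
    os.system("docker stop screenshotter")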