From phpinfo page to many P1 bugs and RCE. [Symfony]
[Symfony]: a set of reusable PHP components and a PHP framework for building web applications, APIs, microservices and web services.
Story:-
While hunting I found a [phpinfo] page, which is considered a P4 bug,
but I decided to reach a higher impact from it, so I took a fast look at it for database creds or keys,
because many times I have found sensitive data in it like [DB creds, sensitive tokens, and so on].
Like this:
While reading I found the app_secret.
[app_secret]: The APP_SECRET environment variable is required to generate CSRF tokens. By default symfony/framework-bundle generates one when it is installed via Symfony Flex.
After reading the [phpinfo] file I found the [app_secret] token.
How to use this secret token:-
We can exploit it with the /_fragment path.
/_fragment path: this path can be abused to call the system() function, which allows the execution of system commands on the server. Symfony's fragment listener only serves a /_fragment request from an ordinary client when the URL carries a valid signature derived from APP_SECRET, so anyone who knows the leaked secret can forge such requests.
Normally this path returns [403 Forbidden] with a response like => Oops! An Error Occurred
I developed a tool to gather all hosts that have this path with the specific response [Oops! An Error Occurred].
You can find this tool on my GitHub --> matchizer_Tool
python3 matchizer.py -urls hosts.txt -URL /_Fragment -match 'Oops! An Error Occurred' -include
I found that many hosts run the [Symfony] framework, and then I used this script to automate the exploit --> automate-exploit
I added the app_secret token I had found as the -secret parameter of this script.
python3 exploit.py 'http://sub.website.com/_fragment' --method 1 --secret '<secret>' --algo 'sha256' --internal-url 'http://sub.website.com/_fragment' --function phpinfo --parameters what:-1
This script will give you the full path to execute functions.
phpinfo function executed
phpcredits function executed
Remediation
- Disable ESI (Edge-Side Includes) and rotate Symfony's application secret (APP_SECRET), since a leaked secret stays valid until it is changed
- Disable or remove the phpinfo file
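From the defender's side, the same two conditions described above (a reachable phpinfo page and /_fragment requests arriving from ordinary clients) can be picked out of web-server access logs. The script below is an added example, not the author's tool or Symfony's own code; the log lines are constructed samples in combined log format, and the PLACEHOLDER query values stand in for whatever a real request would carry. Legitimate fragment requests come from the trusted reverse proxy, so a signed /_fragment request that the application answers with 200 for an external client is exactly the symptom of a leaked secret.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:10:01:09 +0000] "GET /phpinfo.php HTTP/1.1" 200 80321 "-" "curl/8.0"
203.0.113.9 - - [10/May/2024:10:02:31 +0000] "GET /_Fragment HTTP/1.1" 403 1320 "-" "python-requests/2.31"
203.0.113.9 - - [10/May/2024:10:02:40 +0000] "GET /_fragment?_path=PLACEHOLDER&_hash=PLACEHOLDER HTTP/1.1" 200 210 "-" "python-requests/2.31"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(line):
    """Return (severity, reason, client_ip) for one log line, or None if nothing is notable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, status = m.group("ip"), int(m.group("status"))
    url = urlsplit(m.group("target"))
    path = url.path.lower()  # the fragment route is matched case-insensitively here, as in the scan above
    if "phpinfo" in path and status == 200:
        return ("medium", "phpinfo page served: audit it for APP_SECRET and DB credentials", ip)
    if path == "/_fragment":
        signed = "_hash" in parse_qs(url.query)  # _hash carries the URL signature
        if status == 200 and signed:
            return ("high", "signed /_fragment request accepted from an external client", ip)
        return ("low", "/_fragment probe rejected (check whether the secret has leaked)", ip)
    return None


def scan(log_text):
    """Classify every line and return the findings, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [f for f in (classify(line) for line in log_text.splitlines()) if f]
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, reason, ip in scan(SAMPLE_LOG):
        print(f"[{severity}] {ip}: {reason}")
```

A "high" finding should trigger an immediate APP_SECRET rotation and a review of what the accepted fragment request executed.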
Today’s Tips
If you find any [phpinfo] page, don't report it as a P4 straight away; first read the file and search for any sensitive data leakage like [DB_USER, DB_PASSWORD, SECURE_AUTH_KEY, AUTH_SALT, SECURE_AUTH_SALT, APP_SECRET] to get P1 submissions or RCE via Symfony, etc.