From phpinfo page to many P1 bugs and RCE. [Symfony]

[Symfony] is a set of reusable PHP components and a PHP framework for building web applications, APIs, microservices and web services.

Story:-

Sensitive data leakage
Triaged as P1 bug

While reading the phpinfo page I found the app_secret.
[app_secret]: the APP_SECRET environment variable is required to generate CSRF tokens. By default, symfony/framework-bundle generates one when it is installed via Symfony Flex.

After reading the [phpinfo] page I found the [app_secret] token.

The app_secret token is leaked.

How this secret token can be used:-

The /_fragment path could be exploited to call the system() function, which allows the execution of system commands on the server.
Normally this path returns [403 Forbidden] with a response like => Oops! An Error Occurred
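The behaviour described above (a normally forbidden /_fragment endpoint that suddenly answers 200 once a signed request arrives) is easy to watch for in access logs. The following is an added detection example written for this write-up, not code from the original post or from Symfony. It assumes Combined Log Format lines, the default fragment path /_fragment with its `_path` and `_hash` query parameters, and that legitimate fragment requests only come from loopback (the trusted-proxy allowlist is an assumption you should adapt); the log lines are constructed and the parameter values are redacted placeholders.

```python
"""Flag Symfony fragment-listener and phpinfo probes in web-server access logs.

Added example (not part of the original write-up). Assumes Combined Log Format
and the default Symfony fragment path; the sample log lines are constructed.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Combined Log Format). The _path/_hash
# values are placeholders, not a real signed request.
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2024:10:01:02 +0000] "GET /phpinfo.php HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
10.0.0.5 - - [10/May/2024:10:01:09 +0000] "GET /_fragment?_path=%5Bredacted%5D&_hash=%5Bredacted%5D HTTP/1.1" 200 4096 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2024:10:02:00 +0000] "GET /_fragment HTTP/1.1" 403 512 "-" "curl/8.0"
198.51.100.2 - - [10/May/2024:10:02:30 +0000] "GET /blog/post-1 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
FRAGMENT_PATH = "/_fragment"
PHPINFO_RE = re.compile(r"phpinfo", re.IGNORECASE)
# Assumption: only loopback (ESI/SSI on the same host) may legitimately call /_fragment.
TRUSTED_IPS = {"127.0.0.1", "::1"}


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["query"] = parse_qs(parts.query)
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return (rule, severity) for a suspicious entry, or None for benign traffic."""
    if entry["ip"] in TRUSTED_IPS:
        return None
    if entry["path"] == FRAGMENT_PATH or entry["path"].startswith(FRAGMENT_PATH + "/"):
        # A 200 on /_fragment from an untrusted client with a _hash means the
        # request carried a valid signature: the secret is known to the caller.
        if "_hash" in entry["query"] and entry["status"] == 200:
            return ("fragment-signed-200", "high")
        return ("fragment-probe", "medium")
    if PHPINFO_RE.search(entry["path"]):
        # A served phpinfo page discloses environment variables such as APP_SECRET.
        return ("phpinfo-exposed", "high" if entry["status"] == 200 else "low")
    return None


def scan(log_text):
    """Run the rules over every line and collect findings in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hit = classify(entry)
        if hit:
            findings.append({"ip": entry["ip"], "path": entry["path"],
                             "status": entry["status"], "rule": hit[0], "severity": hit[1]})
    return findings


def correlate(findings):
    """Client IPs that both fetched phpinfo and hit /_fragment: the chain in this write-up."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["ip"], set()).add(f["rule"])
    return {ip for ip, rules in by_ip.items()
            if "phpinfo-exposed" in rules and any(r.startswith("fragment") for r in rules)}


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f['severity']:6} {f['rule']:20} {f['ip']:15} {f['path']} ({f['status']})")
    print("chained:", correlate(results))
```

In production you would feed real log lines to `scan()` and alert on any `fragment-signed-200` from outside the allowlist, since Symfony rejects unsigned fragment requests from untrusted clients with 403 and a 200 therefore implies a valid signature.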

Python coding time

I developed a tool to gather all hosts that have this path with the specific response [Oops! An Error Occurred].

You can find this tool on my GitHub --> matchizer_Tool
python3 matchizer.py -urls hosts.txt -URL /_Fragment -match 'Oops! An Error Occurred' -include

I found that many hosts run the [Symfony] framework, and then I used this script to automate the exploit --> automate-exploit

I added the app_secret token I had found as the -secret parameter of this script.

python3 exploit.py 'http://sub.website.com/_fragment' --method 1 --secret '<secret>' --algo 'sha256' --internal-url 'http://sub.website.com/_fragment' --function phpinfo --parameters what:-1

This script gives you the full path to execute functions.

The phpinfo function executed

The phpcredits function executed

Remediation

  • Disable the phpinfo file
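Before the phpinfo page is removed, it is worth knowing exactly which values it has already exposed, because every one of them (APP_SECRET first) has to be rotated. The following is an added audit example written for this write-up, not code from the original post or from Symfony or PHP. It works on the plain-text "key => value" lines that `php -i` and a phpinfo() dump produce; the dump below is constructed and every value in it is fake.

```python
"""Audit a phpinfo() dump for leaked application secrets.

Added example, not part of the original write-up. Input is the text form of
phpinfo output ("KEY => value" lines, as printed by `php -i`); the sample dump
is constructed with fake values.
"""
import re
import sys

# Variable names whose values are secrets by convention (extend for your stack).
SENSITIVE_NAME = re.compile(
    r"(SECRET|PASSWORD|PASSWD|TOKEN|API_KEY|PRIVATE_KEY|DATABASE_URL)", re.IGNORECASE
)
# phpinfo prints "key => value"; $_SERVER/$_ENV entries wrap the name in brackets.
LINE_RE = re.compile(r"^(?P<key>[^=]+?)\s*=>\s*(?P<value>.*)$")
WRAPPED_RE = re.compile(r"\$_(?:SERVER|ENV)\['([^']+)'\]")

# Constructed sample dump; values are fake.
SAMPLE_PHPINFO = """\
Environment
APP_ENV => prod
APP_SECRET => 0123456789abcdef0123456789abcdef
DATABASE_URL => mysql://app:hunter2@db:3306/app
PATH => /usr/local/bin:/usr/bin
PHP Variables
$_SERVER['APP_SECRET'] => 0123456789abcdef0123456789abcdef
$_SERVER['REQUEST_URI'] => /phpinfo.php
"""


def redact(value, keep=4):
    """Keep a short prefix so a finding can be matched to a config, hide the rest."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def find_leaks(dump):
    """Return (raw key, variable name, redacted value) for every sensitive entry."""
    leaks = []
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = m.group("key").strip()
        wrapped = WRAPPED_RE.match(key)
        name = wrapped.group(1) if wrapped else key  # normalise $_SERVER['X'] to X
        if SENSITIVE_NAME.search(name):
            leaks.append((key, name, redact(m.group("value"))))
    return leaks


def rotation_list(dump):
    """Distinct variable names that must be rotated after the page was exposed."""
    return sorted({name for _, name, _ in find_leaks(dump)})


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PHPINFO
    for key, name, value in find_leaks(text):
        print(f"LEAK {key} -> {value}")
    print("rotate:", ", ".join(rotation_list(text)))
```

Pipe `php -i` or the saved page text into the script; both the `Environment` and `PHP Variables` sections are covered, which matters because APP_SECRET shows up twice in a typical dump and a secret that appears in `$_SERVER` is readable by any script on the host, not only by phpinfo.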

Penetration tester | Bug Hunter