From phpinfo page to many P1 bugs and RCE. [Symfony]

[Symfony]: is a set of reusable PHP components and a PHP framework to build web applications, APIs, microservices and web services

Story:-

while hunting I have found [phpinfo] page which considered as P4 bug,
but I decided to reach hieghr impact from it, so I take a fast look at It for database creds or keys,
Because many time I found sensitive data at it like [DB creds , Sensitive tokens ,and so on]
Like this

Sensitive data leakage
Triaged as P1 bug

While reading I founed the app_secret.
[app_secret]: APP_SECRET environment variable is required to generate CSRF tokens. By default for symfony/framework-bundle generates one when it’s installed via Symfony Flex.

After reading [phpinfo] file I found [app_secret] token

app_secret token is leakage

How can use this secret token:-

we can exploit it with /_fragment path

/_fragment path: could be exploited to call the System() function, which allows the execution of system commands on the server
normally this path will return [403 Forbidden] and like this response => Oops! An Error Occurred

Coding python time

I developed a tool to gather all hosts which have this path with specific response [Oops! An Error Occurred]

You can find this tool at my github --> matchizer_Tool
python3 matchizer.py -urls hosts.txt -URL /_Fragment -match ‘Oops! An Error Occurred’ -include

I found many of hosts have [Symfony] framework , and then I used this script to automate exploit — > automate-exploit

I added the app_secret token which I have found as a -secret parameter in this script

python3 exploit.py ‘http://sub.website.com/_fragment' — method 1 — secret ‘<seceret>’ — algo ‘sha256’ — internal-url ‘http://sub.website.com/_fragment' — function phpinfo — parameters what:-1

This script will give you full path to execute functions

phpinfo function execute

phpcredits function execute

Remediation

  • Disable ESI (Edge-Side Includes) and to change the Symfony’s application secret (APP_SECRET)
  • Disable phpinfo file

Today’s Tips

If you found any [phpinfo] page don’t report it as P4 , but first read this file and search for any sensitive data leakage like [DB_USER , DB_PASSWORD , SECURE_AUTH_KEY , AUTH_SALT , SECURE_AUTH_SALT , APP_SECRET] , to get P1 submissions or RCE by symfony , etc ..

Links

linkedin

--

--

--

Penetration tester | Bug Hunter

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Fastlane scan- automate testing

Every experience teaches something

Creating a Saavn Downloader Bot for Telegram — Part 2

Inheritance In Java

SRP: Single Responsibility Principle

Using OBD protocol to read live metrics from a car engine

Linked List in Kotlin

How to pull out the User Explorer report with Python (userActivity.search)

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Abdelrahman Khaled

Abdelrahman Khaled

Penetration tester | Bug Hunter

More from Medium

Zero Click To Account Takeover

How I hacked into one of India’s biggest online book stores(RCE and more)

Bypassing HttpOnly with phpinfo file

CVE-2021–38314 Leads to Sensitive Information Disclosure