[Symfony]: is a set of reusable PHP components and a PHP framework to build web applications, APIs, microservices and web services
while hunting I have found [phpinfo] page which considered as P4 bug,
but I decided to reach hieghr impact from it, so I take a fast look at It for database creds or keys,
Because many time I found sensitive data at it like [DB creds , Sensitive tokens ,and so on]
While reading I founed the app_secret.
[app_secret]: APP_SECRET environment variable is required to generate CSRF tokens. By default for symfony/framework-bundle generates one when it’s installed via Symfony Flex.
After reading [phpinfo] file I found [app_secret] token
How can use this secret token:-
we can exploit it with /_fragment path
/_fragment path: could be exploited to call the System() function, which allows the execution of system commands on the server
normally this path will return [403 Forbidden] and like this response => Oops! An Error Occurred
I developed a tool to gather all hosts which have this path with specific response [Oops! An Error Occurred]
You can find this tool at my github --> matchizer_Tool
python3 matchizer.py -urls hosts.txt -URL /_Fragment -match ‘Oops! An Error Occurred’ -include
I found many of hosts have [Symfony] framework , and then I used this script to automate exploit — > automate-exploit
I added the app_secret token which I have found as a -secret parameter in this script
python3 exploit.py ‘http://sub.website.com/_fragment' — method 1 — secret ‘<seceret>’ — algo ‘sha256’ — internal-url ‘http://sub.website.com/_fragment' — function phpinfo — parameters what:-1
This script will give you full path to execute functions
phpinfo function execute
phpcredits function execute
- Disable ESI (Edge-Side Includes) and to change the Symfony’s application secret (APP_SECRET)
- Disable phpinfo file
If you found any [phpinfo] page don’t report it as P4 , but first read this file and search for any sensitive data leakage like [DB_USER , DB_PASSWORD , SECURE_AUTH_KEY , AUTH_SALT , SECURE_AUTH_SALT , APP_SECRET] , to get P1 submissions or RCE by symfony , etc ..