[Symfony]: a set of reusable PHP components and a PHP framework for building web applications, APIs, microservices and web services.
While hunting, I found a [phpinfo] page, which is considered a P4 bug,
but I decided to reach a higher impact from it, so I took a quick look at it for database creds or keys,
because many times I have found sensitive data in it, like [DB creds, sensitive tokens, and so on].
Like this
While reading, I found the app_secret.
[app_secret]: the APP_SECRET environment variable is required to generate CSRF tokens. By default, symfony/framework-bundle generates one when it's installed via Symfony Flex.
After reading the [phpinfo] file, I found the [app_secret] token.
We can exploit it with the /_fragment path.
/_fragment path: can be exploited to call the system() function, which allows the execution of system commands on the server.
Normally this path returns [403 Forbidden] with a response like this => Oops! An Error Occurred
I developed a tool to gather all hosts which have this path with the specific response [Oops! An Error Occurred].
You can find this tool on my GitHub --> matchizer_Tool
python3 matchizer.py -urls hosts.txt -URL /_fragment -match 'Oops! An Error Occurred' -include
I found that many hosts have the [Symfony] framework, and then I used this script to automate the exploit --> automate-exploit
I added the app_secret token which I had found as the -secret parameter in this script.
python3 exploit.py 'http://sub.website.com/_fragment' --method 1 --secret '<secret>' --algo 'sha256' --internal-url 'http://sub.website.com/_fragment' --function phpinfo --parameters what:-1
This script will give you the full path to execute functions.
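A defender-side check for the activity described above, as an added example that is not part of the original post or of the tools it links: it scans web access logs for /_fragment requests and separates unsigned probes (403) from accepted signed requests whose controller is not one of the application's own, which indicates that APP_SECRET has leaked and must be rotated. Assumptions: combined log format, Symfony's `_path` and `_hash` fragment query parameters, application controllers living under the `App\` namespace, and constructed sample log lines.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /_fragment HTTP/1.1" 403 312 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:10:04:40 +0000] "GET /_fragment?_path=_controller%3Dphpinfo%26what%3D-1&_hash=PLACEHOLDER HTTP/1.1" 200 80211 "-" "python-requests/2.31"
198.51.100.9 - - [12/Mar/2024:10:05:00 +0000] "GET /_fragment?_path=_controller%3DApp%255CController%255CCartController%253A%253Awidget&_hash=PLACEHOLDER HTTP/1.1" 200 950 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2024:10:06:00 +0000] "GET /about HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?:GET|POST|HEAD) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Assumption: legitimate fragment controllers all live under the App\ namespace.
ALLOWED_PREFIXES = ("App\\",)

def classify(line):
    """Return (ip, verdict, controller) for a /_fragment request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path.lower() != "/_fragment":  # lower-cased to also catch case variants
        return None
    # _path is itself a URL-encoded query string, so it is decoded twice.
    outer = parse_qs(url.query)
    inner = parse_qs(outer.get("_path", [""])[0])
    controller = inner.get("_controller", [""])[0]
    if m["status"] == "403":
        return (m["ip"], "probe", controller)   # rejected: unsigned or bad signature
    if controller.startswith(ALLOWED_PREFIXES):
        return (m["ip"], "ok", controller)      # signed call to an app controller
    return (m["ip"], "alert", controller)       # signature accepted, foreign controller

def scan(log_text):
    """Classify every /_fragment request found in the log text."""
    return [r for r in map(classify, log_text.splitlines()) if r]

if __name__ == "__main__":
    for ip, verdict, controller in scan(SAMPLE_LOG):
        print(f"{verdict:5} {ip:15} controller={controller or '-'}")
```

An "alert" row means the server accepted a signature it should never have seen, so treat it as a secret compromise: rotate APP_SECRET and remove the exposed phpinfo page.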