Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-25 14:10:41 +00:00
Code Issues Projects Releases Packages Wiki Activity

GitBook: [master] one page modified

Browse source
This commit is contained in:
CPol 2021-07-06 08:22:01 +00:00 committed by gitbook-bot
parent 1a216ec66a
commit 85e8cf8586
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
1 changed files with 20 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
pentesting/pentesting-web/symphony.md
View file

@ -509,3 +509,23 @@ _Sample output using `Inline::parse` with a serialized payload_
The exploit will therefore run through every possible variable combination, and then try out the two exploitation methods. The code is available on [our GitHub](https://github.com/ambionics/symfony-exploits).
## Accessing symphony /\_profiler information
\(info taken from [https://flattsecurity.hatenablog.com/entry/2020/11/02/124807](https://flattsecurity.hatenablog.com/entry/2020/11/02/124807)\)
![f:id:flattsecurity:20201021204553p:plain](https://cdn-ak.f.st-hatena.com/images/fotolife/f/flattsecurity/20201021/20201021204553.png)
As you see the screenshot above, there is `sf` logo on the right bottom side of the page. This logo is shown when the Symfony is under the debug mode. There are some cases that this logo doesnt show up, so try accessing `/_profiler` and you will see the page as shown below
![f:id:flattsecurity:20201021204605p:plain](https://cdn-ak.f.st-hatena.com/images/fotolife/f/flattsecurity/20201021/20201021204605.png)
This feature is called Symfony Profiler, and there is not much information about this feature on the internet. The intention of this feature crystal clear; it helps you debug when there is an error or a bug. Of course, this feature can only be used when the debug mode is enabled.
The Symfony framework itself is very secure, but enabling debug mode will make this framework will make it extremely vulnerable. For example, Profiler has a feature called Profile Search, as the following screenshot.
![f:id:flattsecurity:20201021204624p:plain](https://cdn-ak.f.st-hatena.com/images/fotolife/f/flattsecurity/20201021/20201021204624.png)
As you see in the screenshot above, you can access all sent requests to the server. By clicking hashes in the token, you will see that all POST parameters can be read, as seen in the following screenshot. With this feature, we can hijack the administrator and users account credentials.
![f:id:flattsecurity:20201021204637p:plain](https://cdn-ak.f.st-hatena.com/images/fotolife/f/flattsecurity/20201021/20201021204637.png)