How I hacked 28 sites at once [RCE]


Attention: My purpose in sharing this post is for your learning and attention only. If your company, organization, or site has been exposed to this vulnerability, I suggest you report it.


I will tell you how I found RCE on a site I came across while searching for exploit while preparing for OSCP. When I entered the site, I saw that it was built on a VPS, and I could access 28 websites from here. So there were 28 victims because of a mistake. While testing, I found that I could make changes to other sites. Now let’s move on to how I found it.

A feature in Symfony, a popular open source framework for building PHP applications, could expose websites to remote code execution (RCE) if configured improperly, a security researcher has found.

Attackers could exploit the feature, which allows browsers to download fragments of web pages, to run arbitrary commands on the Symfony server.

Symfony servers support a “/_fragment” command that allows clients to provide custom PHP commands and return the HTML output. To prevent misuse, Symfony requires requesters to sign their messages with a cryptographic key stored on the server.

Reference link:

  • Step 1

I first came across the site while searching the internet for “_fragment”.

  • Step 2

When I looked at the site, I came across “403 forbidden”. I am convinced once again that there is abuse here.

  • Step 3

I started using an exploit code I found on Github.

Exploitation took place here. Let’s go to the link shown.


  • Step 4

Now let’s use the “system” function and enter the command to use it as rce.

Here is the result.

And looking at the “/etc/hosts” file:

I also checked other sites, and they were successful. More than 50 sites I’ve discovered are currently affected by this vulnerability. I wrote this in everyone’s mail and added it to the link for the POC.

“Thank you for reading. I hope that will be useful.If you have any questions or comments, please do not hesitate to write. Have a good days”