Attention: I am sharing this post for learning and awareness only. If your company, organization, or site is exposed to this vulnerability, I suggest you report it.
I will tell you how I found RCE on a site I came across while searching for exploits in preparation for the OSCP. When I entered the site, I saw that it was hosted on a VPS from which I could access 28 websites. So there were 28 victims because of a single mistake. While testing, I found that I could make changes to the other sites as well. Now let’s move on to how I found it.
Background, quoted from the article “Symfony-based websites open to RCE attack, research finds” (Ben Dickson, 23 October 2020, updated 26 October 2020):
A feature in Symfony, a popular open source framework for building PHP applications, could expose websites to remote code execution (RCE) if configured improperly, a security researcher has found.
Attackers could exploit the feature, which allows browsers to download fragments of web pages, to run arbitrary commands on the Symfony server.
Symfony servers support a “/_fragment” command that allows clients to provide custom PHP commands and return the HTML output. To prevent misuse, Symfony requires requesters to sign their messages with a cryptographic key stored on the server.
- Step 1
I first came across the site while searching the internet for “_fragment”.
- Step 2
When I looked at the site, I got a “403 Forbidden” response. That convinced me once again that there was something exploitable here.
- Step 3
I started with an exploit script I found on GitHub:
symfony-exploits/secret_fragment_exploit.py at main · ambionics/symfony-exploits
This is where the exploitation happened. Let’s go to the link shown.
- Step 4
Now let’s use the “system” function and pass in the command to turn it into RCE.
Here is the result.
And looking at the “/etc/hosts” file:
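As an added defender-side example (my own code, not from this post or from the exploit repository linked above), this Python audit walks constructed access-log lines and flags the traffic pattern the steps above describe: a bare /_fragment request that the fragment listener rejects with 403, followed by a signed request whose _path names a PHP function such as system instead of a controller. It assumes Symfony's default /_fragment path and that only loopback (the application itself or an ESI proxy) legitimately renders fragments; the log lines are constructed.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
127.0.0.1 - - [23/Oct/2020:15:01:01 +0000] "GET /_fragment?_path=_controller%3DApp%5CController%5CWidget%3A%3Aside%26_format%3Dhtml&_hash=abc HTTP/1.1" 200 128 "-" "Symfony ESI"
198.51.100.7 - - [23/Oct/2020:15:01:02 +0000] "GET /_fragment HTTP/1.1" 403 0 "-" "python-requests/2.24"
198.51.100.7 - - [23/Oct/2020:15:01:03 +0000] "GET /_fragment?_path=_controller%3Dsystem&_hash=deadbeef HTTP/1.1" 200 64 "-" "python-requests/2.24"
10.0.0.5 - - [23/Oct/2020:15:01:04 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
FRAGMENT_PATH = "/_fragment"  # Symfony's default fragment path; assumed not customised
TRUSTED = {ip_address("127.0.0.1"), ip_address("::1")}  # assumed: only the app/ESI proxy on loopback renders fragments

def parse_line(line):
    # Split one combined-format line into ip, method, path, parsed query and status.
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = {**m.groupdict(), "status": int(m["status"])}
    parts = urlsplit(rec["target"])
    rec["path"], rec["query"] = parts.path, parse_qs(parts.query)
    return rec

def fragment_controller(query):
    # The signed _path carries its own query string; pull out the _controller it names.
    inner = query.get("_path", [""])[0]
    return parse_qs(inner).get("_controller", [None])[0]

def audit(log_text):
    # Return (ip, status, controller, reasons) for every suspicious request to the fragment path.
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != FRAGMENT_PATH:
            continue
        ctrl = fragment_controller(rec["query"])
        reasons = []
        if ip_address(rec["ip"]) not in TRUSTED:
            reasons.append("fragment request from untrusted source")
        if rec["status"] == 403:
            reasons.append("unsigned fragment probe (listener denied it)")
        # Legitimate fragments name Class::method or a service id, never a bare PHP function.
        if "_hash" in rec["query"] and not (ctrl and any(s in ctrl for s in ("::", ":", "\\"))):
            reasons.append(f"non-class _controller={ctrl!r}")
        if reasons:
            findings.append((rec["ip"], rec["status"], ctrl, reasons))
    return findings
```

Any /_fragment request arriving from outside the rendering tier is worth an alert on its own; if the application does not use ESI or hinclude, leaving framework.fragments disabled removes the endpoint entirely.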
I also checked the other sites, and they were affected as well. More than 50 sites I have discovered are currently affected by this vulnerability. I emailed everyone affected and included the link to the PoC.
“Thank you for reading. I hope this will be useful. If you have any questions or comments, please do not hesitate to write. Have a good day.”