Commit 85e8cf8

carlospolopgitbook-bot authored and committed
GitBook: [master] one page modified
1 parent 1a216ec commit 85e8cf8

File tree

1 file changed, +20 -0 lines changed


pentesting/pentesting-web/symphony.md

@@ -509,3 +509,23 @@ _Sample output using `Inline::parse` with a serialized payload_
509509

510510
The exploit will therefore run through every possible variable combination, and then try out the two exploitation methods. The code is available on [our GitHub](https://github.com/ambionics/symfony-exploits).
511511

512+
## Accessing symphony /\_profiler information
513+
514+
\(info taken from [https://flattsecurity.hatenablog.com/entry/2020/11/02/124807](https://flattsecurity.hatenablog.com/entry/2020/11/02/124807)\)
515+
516+
![f:id:flattsecurity:20201021204553p:plain](https://cdn-ak.f.st-hatena.com/images/fotolife/f/flattsecurity/20201021/20201021204553.png)
517+
518+
As you see the screenshot above, there is `sf` logo on the right bottom side of the page. This logo is shown when the Symfony is under the debug mode. There are some cases that this logo doesn’t show up, so try accessing `/_profiler` and you will see the page as shown below
519+
520+
![f:id:flattsecurity:20201021204605p:plain](https://cdn-ak.f.st-hatena.com/images/fotolife/f/flattsecurity/20201021/20201021204605.png)
521+
522+
This feature is called Symfony Profiler, and there is not much information about this feature on the internet. The intention of this feature crystal clear; it helps you debug when there is an error or a bug. Of course, this feature can only be used when the debug mode is enabled.
523+
524+
The Symfony framework itself is very secure, but enabling debug mode will make this framework will make it extremely vulnerable. For example, Profiler has a feature called Profile Search, as the following screenshot.
525+
526+
![f:id:flattsecurity:20201021204624p:plain](https://cdn-ak.f.st-hatena.com/images/fotolife/f/flattsecurity/20201021/20201021204624.png)
527+
528+
As you see in the screenshot above, you can access all sent requests to the server. By clicking hashes in the token, you will see that all POST parameters can be read, as seen in the following screenshot. With this feature, we can hijack the administrator and user’s account credentials.
529+
530+
![f:id:flattsecurity:20201021204637p:plain](https://cdn-ak.f.st-hatena.com/images/fotolife/f/flattsecurity/20201021/20201021204637.png)
531+
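Review bot: the new section misspells the framework in its heading ("## Accessing symphony /\_profiler information") and the sentence "enabling debug mode will make this framework will make it extremely vulnerable" has a duplicated clause; it should read "enabling debug mode makes it extremely vulnerable". The section then stops at the observation that Profile Search lets an unauthenticated visitor read the POST parameters of every recorded request, including login credentials, without stating the fix or the check: since the text itself says the profiler is only reachable when debug mode is enabled, add a closing line that the remediation is to never run with debug mode enabled in production, and that the quick test is simply to request `/_profiler` and see whether the profiler page (rather than a 404) comes back. Minor grammar: "The intention of this feature crystal clear" is missing "is", "when the Symfony is under the debug mode" should be "when Symfony is in debug mode", and "hijack the administrator and user's account credentials" should be "steal administrator and user credentials".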
