
Create symfony-default-key-rce

Open S4lt5 opened this issue 1 year ago • 0 comments

Add check for common symfony default key for easy unauthenticated RCE

Template / PR Information

When investigating https://github.com/projectdiscovery/nuclei-templates/blob/main/http/misconfiguration/symfony-fragment.yaml I found a bunch of hits in the wild. Using the walkthrough, I was able to identify a lot of sites, in the wild, using the default symfony key. RCE was really trivial and there really isn't a CVE here I don't think.

I created this template to catch the lowest hanging fruit. There are some other defaults covered in the primary reference in the template, but I'm not sure how many extra requests are worth sending out on a 'critical' scan.

There may be a case to add the following keys and make this a multiple 'step 2' set of requests:

  • ff6dc61a329dc96652bb092ec58981f7
  • ThisEzPlatformTokenIsNotSoSecret_PleaseChangeIt
  • and some others from the git POC

That said, this covers what was overwhelmingly most common in my experience, the old default "changeme" symfony key.

References:

  • https://portswigger.net/daily-swig/symfony-based-websites-open-to-rce-attack-research-finds
  • https://medium.com/@m4cddr/how-i-got-rce-in-10-websites-26dd87441f22
  • https://al1z4deh.medium.com/how-i-hacked-28-sites-at-once-rce-5458211048d5
  • https://github.com/ambionics/symfony-exploits

Template Validation

I've validated this template locally?

  • [X] YES
  • [ ] NO

S4lt5 avatar Jul 07 '23 17:07 S4lt5