CVE-2024-50340 PoC — Symfony 注入漏洞

Source

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-50340.yaml

Associated Vulnerability

Title:Symfony 注入漏洞 (CVE-2024-50340)
Description:Symfony是Symfony公司的一个用于 Web 和控制台应用程序的 PHP 框架以及一组可重用的 PHP 组件。 Symfony存在注入漏洞，该漏洞源于允许将PHP应用程序与全局状态分离。

Description

symfony/runtime is a module for the Symphony PHP framework which enables decoupling PHP applications from global state. When the `register_argv_argc` php directive is set to `on` , and users call any URL with a special crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request. As of versions 5.4.46, 6.4.14, and 7.1.7 the `SymfonyRuntime` now ignores the `argv` values for non-SAPI PHP runtimes.

File Snapshot


 id: CVE-2024-50340

info:
  name: Symfony Profiler - Remote Access via Injected Arguments
  author: 

...

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!