werkzeug
If debug mode is active you could try to access /console and gain RCE.
On some occasions the /console endpoint will be protected by a PIN. Here you can find how this PIN is generated:
Copied from the first link. See the Werkzeug “console locked” message by forcing a debug error page in the app.
Locate the vulnerable Werkzeug debug console at the path vulnerable-site.com/console; it is locked by a secret PIN number.
In this file, see the relevant method outlining the steps to generate the console PIN:
Variables needed to exploit the console PIN:
- username is the user who started this Flask app
- modname is flask.app
- getattr(app, '__name__', getattr(app.__class__, '__name__')) is Flask
- getattr(mod, '__file__', None) is the absolute path of app.py in the flask directory (e.g. /usr/local/lib/python3.5/dist-packages/flask/app.py). If app.py doesn't work, try app.pyc
- uuid.getnode() is the MAC address of the current computer; str(uuid.getnode()) is the decimal expression of the MAC address
- get_machine_id() reads the value in /etc/machine-id or /proc/sys/kernel/random/boot_id and returns it directly if present; sometimes it might be required to append a piece of information from /proc/self/cgroup that you find at the end of the first line (after the third slash)
To find the server MAC address, you need to know which network interface is being used to serve the app (e.g. ens3). If unknown, leak /proc/net/arp for the device ID and then leak the MAC address at /sys/class/net/<device id>/address.
Convert the hex address to its decimal representation by running in Python, e.g.:
Once all the variables are prepared, run the exploit script to generate the Werkzeug console PIN:
There are also several exploits on the internet like or one in Metasploit.
You can reverse the algorithm generating the console PIN. Inspect Werkzeug’s debug __init__.py file on the server, e.g. python3.5/site-packages/werkzeug/debug/__init__.py. View , but it is better to leak the source code through a file traversal vulnerability since versions likely differ.