# Lab: Basic server-side template injection (code context)

We see the following web page:

<figure><img src="https://251574581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlTgE7hbyi7mSyXsMcq44%2Fuploads%2F00TFgjgwF5jBQGxUHv2y%2Fimage.png?alt=media&#x26;token=4a204650-c874-4d3f-9c3e-be64332091fd" alt=""><figcaption></figcaption></figure>

Logging in with the credentials we have, we can see:

<figure><img src="https://251574581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlTgE7hbyi7mSyXsMcq44%2Fuploads%2FPyVRaveiGStCnWTLOIhX%2Fimage.png?alt=media&#x26;token=98cb36a8-41ed-47bc-921d-33743c37cb20" alt=""><figcaption></figcaption></figure>

We can change the preferred name. Capturing the request:

<figure><img src="https://251574581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlTgE7hbyi7mSyXsMcq44%2Fuploads%2FhtNteQMBSRM5RPcO88NY%2Fimage.png?alt=media&#x26;token=50ed6617-50ea-4917-9a30-41273fd82ca0" alt=""><figcaption></figcaption></figure>

If we inject a basic Tornado SSTI payload:

<figure><img src="https://251574581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlTgE7hbyi7mSyXsMcq44%2Fuploads%2FhHkv2I5lwYj1tGel8zkC%2Fimage.png?alt=media&#x26;token=2bd8d5e9-df1d-41f2-a14d-e857b520679c" alt=""><figcaption></figcaption></figure>

Then we go to the blog to write a comment:

<figure><img src="https://251574581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlTgE7hbyi7mSyXsMcq44%2Fuploads%2FAM6zlNFtbAc7m82JJVYc%2Fimage.png?alt=media&#x26;token=62f9f252-1e41-467c-88a2-e7df2d002352" alt=""><figcaption></figcaption></figure>

The template has been injected.

Trying this payload:

<figure><img src="https://251574581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlTgE7hbyi7mSyXsMcq44%2Fuploads%2FgIgdO0CsuRJ1p4FqpM6M%2Fimage.png?alt=media&#x26;token=03a69873-94c0-44b6-be43-e405fac41600" alt=""><figcaption></figcaption></figure>

<figure><img src="https://251574581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlTgE7hbyi7mSyXsMcq44%2Fuploads%2FgoVYArI6gho8uqNRcOzz%2Fimage.png?alt=media&#x26;token=3addd440-795a-4c87-ac87-0b52c49c4307" alt=""><figcaption></figcaption></figure>

We see an error:

<figure><img src="https://251574581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlTgE7hbyi7mSyXsMcq44%2Fuploads%2FFE01BE3BdUP1XlQZm9sP%2Fimage.png?alt=media&#x26;token=a2fcd0f2-6ff4-4e69-a313-869c06bfb11a" alt=""><figcaption></figcaption></figure>

If we encode the '+' and prepend '}}' to close the open template expression before our payload:

<figure><img src="https://251574581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlTgE7hbyi7mSyXsMcq44%2Fuploads%2F5HHA8yrCiYliskhVK22F%2Fimage.png?alt=media&#x26;token=7d17ebcf-db30-4459-9869-0c80210da40c" alt=""><figcaption></figcaption></figure>

We see:

<figure><img src="https://251574581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlTgE7hbyi7mSyXsMcq44%2Fuploads%2Fpg8XQCL2MA0VdmVZgHAX%2Fimage.png?alt=media&#x26;token=e695f63e-f05d-4225-8a36-dcce298161e1" alt=""><figcaption></figcaption></figure>

Let's try `rm morale.txt`:

<figure><img src="https://251574581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlTgE7hbyi7mSyXsMcq44%2Fuploads%2FV4M3zIIrSxJcGApPzefi%2Fimage.png?alt=media&#x26;token=bb23f9f2-fa1a-44ca-8512-a6a88579d2ea" alt=""><figcaption></figcaption></figure>

<figure><img src="https://251574581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlTgE7hbyi7mSyXsMcq44%2Fuploads%2FjNc2RLJ1ME3OqvVE59fE%2Fimage.png?alt=media&#x26;token=e80b38f7-d804-4511-9005-8cc37230fef2" alt=""><figcaption></figcaption></figure>
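The break-out in this lab works because the display-name selector is spliced into the template source, so a '}}' in the selector ends the intended expression. As an added example (not the lab's code), here is that vulnerable build pattern next to an allowlist fix, plus a detection helper that decodes the form field the way the handler would before looking for Tornado delimiters; the selector names and sample values are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Selectors the blog intends to support for the author's display name (assumed).
ALLOWED_SELECTORS = {"user.name", "user.first_name", "user.nickname"}

# Tornado's template delimiters; none of them belongs inside a bare selector.
_TORNADO_DELIMS = re.compile(r"\{\{|\}\}|\{%|%\}|\{#|#\}")


def build_template_unsafe(selector: str) -> str:
    """Vulnerable pattern: the user-controlled selector is spliced into the
    template *source*. A '}}' in the selector closes the intended expression
    and everything after it is parsed as Tornado template code."""
    return "{{" + selector + "}}"


def build_template_safe(selector: str) -> str:
    """Fixed pattern: only an allowlisted selector may reach the template
    source, so the source is always one of a few fixed strings."""
    if selector not in ALLOWED_SELECTORS:
        raise ValueError(f"unsupported display-name selector: {selector!r}")
    return "{{" + selector + "}}"


def inspect_form_field(raw_value: str) -> dict:
    """Detection helper for request logs or WAF rules. Decodes the value as
    the form handler would (so '%7D%7D' and '%2B' are seen as '}}' and '+')
    and reports whether it could break out of a template expression."""
    decoded = unquote_plus(raw_value)
    return {
        "decoded": decoded,
        "breakout": _TORNADO_DELIMS.search(decoded) is not None,
        "allowlisted": decoded in ALLOWED_SELECTORS,
    }


# Constructed sample form-field values as they would appear in the POST body.
SAMPLE_FIELDS = [
    "user.name",                         # legitimate choice
    "user.name%7D%7D%7B%7B7%2B7%7D%7D",  # encoded form of user.name}}{{7+7}}
    "user.first_name",                   # legitimate choice
]


def triage(fields=SAMPLE_FIELDS) -> list:
    """Return the decoded values that a blocking rule should reject."""
    return [r["decoded"] for r in map(inspect_form_field, fields)
            if r["breakout"] or not r["allowlisted"]]
```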
