web python arbitrary-file-write code-execution gunicorn privilege-escalation chaining

Chain a messy write, an admin rename/move, and worker recycling to overwrite a real module path and execute code.

Arbitrary File Write → Code Overwrite → Gunicorn Restart

Arbitrary write is rarely the end goal. In Python web apps, code execution often becomes available only after you land a file in an executable location and get the process to reload it. Admin-only rename/move features are frequently the missing second primitive that turns a messy write into a clean overwrite of a real module path.

Why It Works

  • The interpreter imports whatever sits at the module path; a rename can place ugly uploaded bytes exactly there.
  • A process manager that reloads changed code on restart provides the trigger.

Vulnerable Pattern

  • A partially controllable user upload path, a second admin file-management action, and a process manager that eventually reloads changed code.
  • Static-file XSS that lets you steal or reuse admin capabilities to invoke the move endpoint.

Exploit Flow

  1. Get a stable arbitrary write, even if the resulting filename is ugly or malformed.
  2. Use a frontend sink, SVG, or other browser-executed artifact to gain admin context.
  3. Use the admin move/rename to place a Python file exactly where the interpreter imports it.
  4. Trigger a worker reload and verify the side effect in a low-risk way (copy a flag to a readable path).
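The step that turns the ugly upload into code is the admin move/rename placing a file where the interpreter imports it. As an added example (not code from the page or the referenced challenge), the handler below confines both source and destination to the upload root after symlink resolution, allows only inert extensions, and refuses any destination under a directory the interpreter loads code from. The names UPLOAD_ROOT, ALLOWED_EXTENSIONS, safe_move and the constructed demo() layout are assumptions made for this illustration.

```python
"""Defensive reference: an admin move/rename that cannot put an upload on the import path.

Added example, not from the original card or challenge. Assumes uploads live under one
upload root and that only the listed extensions are legitimate upload types.
"""
import os
import sys
import tempfile
from pathlib import Path

# Assumption: only inert document/image types are legitimate upload targets.
ALLOWED_EXTENSIONS = {".txt", ".pdf", ".png", ".jpg", ".jpeg", ".gif"}


class UnsafeMove(ValueError):
    """Raised when a move would leave the upload root or create importable code."""


def _is_under(path: Path, base: Path) -> bool:
    """True if path is base itself or a descendant of base (both already resolved)."""
    try:
        path.relative_to(base)
        return True
    except ValueError:
        return False


def _confined(root: Path, candidate: Path) -> Path:
    """Resolve candidate (following symlinks and '..') and require it strictly inside root."""
    resolved = (root / candidate).resolve()
    if resolved == root or not _is_under(resolved, root):
        raise UnsafeMove(f"{candidate} escapes {root}")
    return resolved


def safe_move(upload_root: Path, src_rel: str, dst_rel: str, code_roots=None) -> Path:
    """Rename/move within upload_root only; refuse importable names and code locations.

    code_roots defaults to sys.path so that a misconfigured upload root that sits inside
    the package tree is still caught; tests pass an explicit list for determinism.
    """
    root = upload_root.resolve()
    src = _confined(root, Path(src_rel))
    dst = _confined(root, Path(dst_rel))
    if not src.is_file():
        raise FileNotFoundError(src)
    # Extension allowlist: a name like poc.py'] has suffix ".py']" and is rejected too.
    if dst.suffix.lower() not in ALLOWED_EXTENSIONS:
        raise UnsafeMove(f"extension {dst.suffix!r} not permitted")
    roots = code_roots if code_roots is not None else sys.path
    if any(_is_under(dst, Path(r or os.getcwd()).resolve()) for r in roots):
        raise UnsafeMove("destination is on the import path")
    dst.parent.mkdir(parents=True, exist_ok=True)
    os.replace(src, dst)
    return dst


def demo() -> dict:
    """Exercise the three interesting cases in a throwaway upload root; return outcomes."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        uploads, app_pkg = base / "uploads", base / "app"
        uploads.mkdir()
        app_pkg.mkdir()
        # Constructed: the malformed upload name from the card's sketch.
        (uploads / "poc.py']").write_text("print('hi')\n")
        cases = [("escape", "../app/__init__.py"), ("importable", "poc.py"), ("benign", "notes/poc.txt")]
        for label, dst in cases:
            try:
                safe_move(uploads, "poc.py']", dst, code_roots=[app_pkg])
                out[label] = "moved"
            except UnsafeMove as exc:
                out[label] = f"rejected: {exc}"
        out["app_init_exists"] = (app_pkg / "__init__.py").exists()
    return out


if __name__ == "__main__":
    print(demo())
```

The two checks are deliberately independent: path confinement stops the `../app/__init__.py` case even when the extension looks harmless, and the extension allowlist stops an in-root `.py` rename even if the upload root is later mounted somewhere importable. Resolving before comparing matters because a symlink inside the upload directory would otherwise pass a string-prefix check.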

Variations

  • Overwrite __init__.py, route files, app config, or template filters — whatever loads earliest and most reliably.
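Because the targets listed above (package `__init__.py`, route modules, config, templates) are exactly the files a recycled worker will re-import, a baseline-and-diff of the code tree catches the overwrite before or at the moment it becomes code. The following is an added detection example, not part of the card or the referenced challenge; HIGH_VALUE_NAMES, WATCHED_SUFFIXES and the constructed package in demo() are assumptions chosen for illustration.

```python
"""Detection: baseline and diff the importable code tree so a swapped-in module is noticed.

Added example, not from the original card or challenge. Assumes the application is a
directory tree of .py files plus config/templates, baselined at deploy time.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Basenames that load earliest on import and are the most attractive overwrite targets.
HIGH_VALUE_NAMES = {"__init__.py", "wsgi.py", "config.py", "routes.py"}
# Code, .pth path hooks, config files and templates are all worth watching.
WATCHED_SUFFIXES = {".py", ".pth", ".cfg", ".ini", ".html"}


def snapshot(code_root: Path) -> dict[str, str]:
    """Map each watched file (path relative to code_root) to its SHA-256 digest."""
    root = code_root.resolve()
    result: dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix in WATCHED_SUFFIXES:
            result[str(p.relative_to(root))] = hashlib.sha256(p.read_bytes()).hexdigest()
    return result


def diff(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify changes; 'critical' lists added or modified files with a high-value basename."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in set(baseline) & set(current) if baseline[k] != current[k])
    critical = sorted(k for k in added + modified if Path(k).name in HIGH_VALUE_NAMES)
    return {"added": added, "removed": removed, "modified": modified, "critical": critical}


def demo() -> dict[str, list[str]]:
    """Build a constructed package, baseline it, simulate tampering, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "app"
        pkg.mkdir()
        (pkg / "__init__.py").write_text("from .routes import bp\n")
        (pkg / "routes.py").write_text("bp = object()\n")
        (pkg / "templates").mkdir()
        (pkg / "templates" / "index.html").write_text("<h1>ok</h1>\n")
        baseline = snapshot(pkg)
        # Constructed tampering: the package entry point replaced and a new module dropped in.
        (pkg / "__init__.py").write_text("# replaced by a renamed upload\n")
        (pkg / "helper.py").write_text("x = 1\n")
        return diff(baseline, snapshot(pkg))


if __name__ == "__main__":
    print(demo())
```

Take the baseline at deploy time and store it outside the tree the worker can write to. Since Gunicorn recycles workers when `max_requests` is set (or under a manual HUP), a modified file becomes live code at the next recycle, so the comparison interval should be shorter than the expected recycle cadence. The stronger fix remains structural: run workers as a user with no write access to the code tree, and keep the upload root outside `sys.path`.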

Common Blockers

  • Write ends up outside the import path, filename sanitization adds junk, or the process manager caches modules until a hard restart.

PoC Sketch

# 1) upload poc.js + an SVG that loads it (gain admin)
# 2) admin move: rename uploads/poc.py'] -> app/__init__.py
# 3) flood requests to force worker recycling

Good Situations To Use It

  • You have a write primitive plus an admin rename/move endpoint.
  • The upload filename is too ugly to be importable on its own.
  • Workers recycle on a schedule or under load.

Sources

  • breizhctf2026/web/no_thanks_i_use_ai