https://gist.github.com/parrot409/e8a499a17f286ef8f462bcde3d7ef065

php tricks came in use again lol  
the tmp file uploads are written at /tmp/undertowXXXXXXXXXXXXX  
we don't know the filename but the management-upload endpoint can save us
here.  
This endpoint is used for commands that require fileupload like deploying or
patching.  
We can use this endpoint for the "enable deploy" command.

So first we create an unmanaged deploy  
```  
name: lol.war  
runtime-name: lol.war  
path: /proc/self/fd/BRUTEFORCE  
```

This won't give an error because paths are not checked when the container is
created, only when it is enabled.

then use the management-upload endpoint to send the enable command for the
container and also upload 10-15 files.  
undertow automatically writes all files to /tmp and keeps FDs open while
processing our command.  
```  
curl ... -F a=@/tmp/payload2.war -F b=@/tmp/payload.war -F c=@/tmp/payload.war  
```

so this command allocates 10 FDs and processes the enable command.  
when we hit the right FD, the jsp webshell is uploaded!  
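
One way to close the gap described above (the path is accepted at creation and only checked at enable time), added here as an example and not code from the writeup or from the server: `check_deployment_path` and the `allowed_roots` allow-list are hypothetical names. It rejects descriptor aliases such as `/proc/self/fd/N` lexically, then resolves symlinks and requires the target to sit under an allowed root.

```python
import os
import re
import stat

# Paths that name an open file descriptor rather than a file on disk.
_FD_ALIAS = re.compile(
    r"^/+(proc/(self|thread-self|\d+)(/task/\d+)?/fd(/|$)"
    r"|dev/(fd(/|$)|std(in|out|err)$))"
)

def check_deployment_path(path, allowed_roots):
    """Return (ok, reason) for an unmanaged deployment path.

    Hypothetical helper: run it when the deployment is created and again
    immediately before it is enabled, so both steps apply the same rule.
    """
    if not os.path.isabs(path):
        return False, "path must be absolute"
    lexical = os.path.normpath(path)
    if _FD_ALIAS.match(lexical):
        return False, "descriptor alias (/proc/*/fd, /dev/fd) not allowed"
    # Follow symlinks and collapse ".." before comparing against the roots.
    real = os.path.realpath(lexical)
    roots = [os.path.realpath(r) for r in allowed_roots]
    if not any(os.path.commonpath([real, r]) == r for r in roots):
        return False, "resolves outside the allowed deployment roots"
    try:
        st = os.stat(real)
    except OSError:
        return False, "target does not exist"
    if not (stat.S_ISREG(st.st_mode) or stat.S_ISDIR(st.st_mode)):
        return False, "target is not a regular file or directory"
    return True, "ok"
```

Keeping the upload temp directory out of `allowed_roots` matters here: a descriptor alias that slips past the lexical check still resolves to a file under `/tmp` and is rejected by the root comparison.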

Original writeup
(https://gist.github.com/parrot409/e8a499a17f286ef8f462bcde3d7ef065).