https://gist.github.com/parrot409/e8a499a17f286ef8f462bcde3d7ef065

PHP tricks came in handy again lol.
Temporary upload files are written to /tmp/undertowXXXXXXXXXXXXX.
We don't know the filename, but the management-upload endpoint can save us here.
This endpoint is used for commands that require a file upload, like deploying or patching.
We can use this endpoint for the "enable deploy" command.

So first we create an unmanaged deployment:
```
name: lol.war
runtime-name: lol.war
path: /proc/self/fd/BRUTEFORCE
```

This doesn't produce an error, because paths are not checked when the container is created, only when it is enabled.

Then we use the management-upload endpoint to send the enable command for the container and also upload 10-15 files.
Undertow automatically writes all files to /tmp and keeps the FDs open while processing our command.
```
curl ... -F a=@/tmp/payload2.war -F b=@/tmp/payload.war -F c=@/tmp/payload.war
```

So this command allocates 10 FDs and processes the enable command.
When we hit the right FD, the JSP webshell is uploaded!
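
A defensive counterpart to the gap described above, as an added example that is not part of the original writeup and not WildFly code: a path check meant to run both when an unmanaged deployment is created and again when it is enabled. The allowed root `/opt/deployments`, the deny list and the function names are assumptions.

```python
import os

# Assumed policy for this example: unmanaged deployments live only here.
ALLOWED_ROOTS = ("/opt/deployments",)
# Pseudo-filesystems plus the upload scratch directory named in the writeup.
DENIED_ROOTS = ("/proc", "/dev", "/sys", "/tmp")


def _under(path, root):
    """True if path is root itself or lies below it."""
    return path == root or path.startswith(root.rstrip("/") + "/")


def check_deployment_path(path, allowed=ALLOWED_ROOTS, denied=DENIED_ROOTS):
    """Return (ok, reason). Meant to run at creation AND again at enable time."""
    if not path.startswith("/"):
        return False, "relative path"
    # Lexical pass: needs no filesystem access, so it rejects
    # /proc/self/fd/N even while descriptor N does not exist yet.
    # normpath keeps a leading "//", so collapse it by hand.
    lexical = "/" + os.path.normpath(path).lstrip("/")
    for root in denied:
        if _under(lexical, root):
            return False, "lexically under " + root
    # Resolved pass: follows symlinks, catching a link that sits inside an
    # allowed root but points at an open descriptor or a temp upload.
    resolved = os.path.realpath(lexical)
    for root in denied:
        if _under(resolved, os.path.realpath(root)):
            return False, "resolves under " + root
    if not any(_under(resolved, os.path.realpath(r)) for r in allowed):
        return False, "outside allowed roots"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample paths, not taken from a real server.
    for p in ("/proc/self/fd/7", "/opt/deployments/../../proc/self/fd/7",
              "/tmp/undertow123", "/opt/deployments/app.war"):
        print(p, check_deployment_path(p))
```

Running the check only at enable time leaves the state the writeup relies on: a stored deployment whose path is already invalid but has never been looked at.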

Original writeup (https://gist.github.com/parrot409/e8a499a17f286ef8f462bcde3d7ef065).