<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Directory listing for /</title>
</head>
<body>
<h1>Directory listing for /</h1>
<hr>
<ul>
<li><a href=".font-unix/">.font-unix/</a></li>
<li><a href=".ICE-unix/">.ICE-unix/</a></li>
<li><a href=".Test-unix/">.Test-unix/</a></li>
<li><a href=".X11-unix/">.X11-unix/</a></li>
<li><a href=".XIM-unix/">.XIM-unix/</a></li>
<li><a href="1.c">1.c</a></li>
<li><a href="a.out">a.out</a></li>
<li><a href="fish.root/">fish.root/</a></li>
<li><a href="ocvm.modem.lock">ocvm.modem.lock</a></li>
<li><a href="systemd-private-d2c68ee49ea64be1ac701be4077eb0a3-endlessh.service-i3NNLi/">systemd-private-d2c68ee49ea64be1ac701be4077eb0a3-endlessh.service-i3NNLi/</a></li>
<li><a href="systemd-private-d2c68ee49ea64be1ac701be4077eb0a3-mariadb.service-myYsnf/">systemd-private-d2c68ee49ea64be1ac701be4077eb0a3-mariadb.service-myYsnf/</a></li>
<li><a href="systemd-private-d2c68ee49ea64be1ac701be4077eb0a3-php-fpm.service-qc3wAf/">systemd-private-d2c68ee49ea64be1ac701be4077eb0a3-php-fpm.service-qc3wAf/</a></li>
<li><a href="systemd-private-d2c68ee49ea64be1ac701be4077eb0a3-systemd-logind.service-RyUK8e/">systemd-private-d2c68ee49ea64be1ac701be4077eb0a3-systemd-logind.service-RyUK8e/</a></li>
<li><a href="systemd-private-d2c68ee49ea64be1ac701be4077eb0a3-systemd-resolved.service-eruawi/">systemd-private-d2c68ee49ea64be1ac701be4077eb0a3-systemd-resolved.service-eruawi/</a></li>
</ul>
<hr>
</body>
</html>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Directory listing for /</title>
</head>
<body>
<h1>Directory listing for /</h1>
<hr>
<ul>
<li><a href=".font-unix/">.font-unix/</a></li>
<li><a href=".ICE-unix/">.ICE-unix/</a></li>
<li><a href=".Test-unix/">.Test-unix/</a></li>
<li><a href=".X11-unix/">.X11-unix/</a></li>
<li><a href=".XIM-unix/">.XIM-unix/</a></li>
<li><a href="1.c">1.c</a></li>
<li><a href="a.out">a.out</a></li>
<li><a href="fish.root/">fish.root/</a></li>
<li><a href="ocvm.modem.lock">ocvm.modem.lock</a></li>
<li><a href="systemd-private-d2c68ee49ea64be1ac701be4077eb0a3-endlessh.service-i3NNLi/">systemd-private-d2c68ee49ea64be1ac701be4077eb0a3-endlessh.service-i3NNLi/</a></li>
<li><a href="systemd-private-d2c68ee49ea64be1ac701be4077eb0a3-mariadb.service-myYsnf/">systemd-private-d2c68ee49ea64be1ac701be4077eb0a3-mariadb.service-myYsnf/</a></li>
<li><a href="systemd-private-d2c68ee49ea64be1ac701be4077eb0a3-php-fpm.service-qc3wAf/">systemd-private-d2c68ee49ea64be1ac701be4077eb0a3-php-fpm.service-qc3wAf/</a></li>
<li><a href="systemd-private-d2c68ee49ea64be1ac701be4077eb0a3-systemd-logind.service-RyUK8e/">systemd-private-d2c68ee49ea64be1ac701be4077eb0a3-systemd-logind.service-RyUK8e/</a></li>
<li><a href="systemd-private-d2c68ee49ea64be1ac701be4077eb0a3-systemd-resolved.service-eruawi/">systemd-private-d2c68ee49ea64be1ac701be4077eb0a3-systemd-resolved.service-eruawi/</a></li>
</ul>
<hr>
</body>
</html>

ENV_API_TOKEN=What are you looking at, buddy?
HOSTNAME=6a9548306b73
PWD=/
HOME=/home/dmitry
LANG=en_US.UTF-8
SHLVL=1
PATH=/allowed/
_=/bin/env

ENV_API_TOKEN=What are you looking at, buddy?
HOSTNAME=6a9548306b73
PWD=/
HOME=/home/dmitry
LANG=en_US.UTF-8
SHLVL=1
PATH=/allowed/
_=/bin/env

Как я говорил - вообще изи обойти

ENV_API_TOKEN=What are you looking at, buddy?
HOSTNAME=6a9548306b73
PWD=/
HOME=/dev/zero
LANG=en_US.UTF-8
SHLVL=1
PATH=/allowed/
_=/bin/env

/bin/bash -c "../bin/pkill python"

🤡

А без \x50 можно?

да, я смогу исхитриться и в другой системе счисления

да, я смогу исхитриться и в другой системе счисления

allowed
bin
boot
dev
etc
home
lib
lib64
mnt
opt
proc
regexp.py
requirements.txt
root
run
sbin
srv
sys
tmp
usr
var

да, я смогу исхитриться и в другой системе счисления

А без eval?

Заблочишь баш - есть awk