SQL Injection Trap - what does this mean

Question

In the past, when I see someone try to mess with input vars - I just block their IP... but it seems they just use a different IP and try again. So, I have setup traps to alert me when there is an attempt and try to figure out what they are trying to get, so I can fix any possible vulnerabilities.

I had an attempt, they changed a var to this:

-999.9 /*!30000 UNION ALL SELECT 0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536*/--

I was hoping someone could help explain what this means?

Answer 1

The attacker is trying to inject a UNION SELECT that is wrapped in a MySQL’s variant of C style comments, which allow a conditional exclusion of the contents.

In this case the comment would not be considered a comment if the MySQL version is greater or equal to 3.0.0. In that case a UNION SELECT with strings in hexadecimal notation (i. e., 0x31303235343830303536) equivalent to '1025480056' gets appended to the existing statement. Any remaining code in the same line is ignored by injecting the line-end comment -- .