Node.js

How to perform sql injection in this case?

Good afternoon. I train in attacks and defense (the first steps towards web defense). I'm trying to get information from the forum server of some small GTA 5 server. I am working on this article. There are a number of questions that bother me and put me in a stupor:

In the terminal, part of the query is displayed in green, does this mean that this sql has been successfully launched on the server? If so, then it works very strange for me - I had to stick 2 select and starting with an asterisk => * the request starts to be processed for some reason, if I remove it or put something else there - the green part of the code disappears, but in any case I I get status 200. However, there is also a nuance here - the result of my selection is 0 records, you can see it in the screenshot ( counter: 0 ). And even if I write a query that is normal in my opinion, that is, like this:

https://forum.gtavrp.ru/index.php?whats-new/posts/-1%20UNION%20SELECT%20title%20FROM%20posts%20WHERE%20id=1%20--%20

The standard link is this to the post: https://forum.gtavrp.ru/index.php?whats-new/posts/... . Although there is no green selection of the request, however, I still get the same 200 status + counter: 0. I will try everything on my resource at night too. I suppose that perhaps I didn’t guess the name of the field, but in this case, an asterisk (select all) => * - it would select everything, but this is not specified in Habré. By the way, about Habr, group by 1 and union are mentioned there, I tried to use group by and get not found, but it seems to work with union.


On another resource, a larger one, I was immediately banned by the system when I tried such a request, does this mean that the current target is vulnerable and can be experimental for my training?

Thank you very much.