As we mentioned before, the impact of a SQL injection vulnerability can affect, not just the application or the information stored in the database, but also the database server or even the operating system.

Using the same example, with the next statement you can get the DBMS version:

SELECT student_name, average FROM students WHERE kardex=' UNION SELECT @@version,NULL,NULL--

So, the limit is the commands included in the DBMS and the user privileges in the running database instance, that usually is at least database operator.