: This is likely a placeholder or a legitimate input value followed by a single quote ( ' ). The quote is used to "break out" of the intended SQL query string.
In a "blind" injection, the database doesn't return error messages or data directly to the screen. Instead, the attacker observes the : The attacker sends the request. MEGA'/**/and/**/DBMS_PIPE.RECEIVE_MESSAGE('a',2)='a
: Ensure the database user account used by the application does not have permission to execute high-risk packages like DBMS_PIPE unless absolutely necessary. : This is likely a placeholder or a
The second parameter ( 2 ) tells the database to wait for for a message. MEGA'/**/and/**/DBMS_PIPE.RECEIVE_MESSAGE('a',2)='a
: This is the core of the attack. It calls a built-in Oracle function.