Before we start, we need to know what SQL injection (SQLi) is. SQLi is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Most commonly it gives the attacker access to information they are not supposed to have, for example a password. Sometimes it even allows attackers to interfere with the server to perform a DDoS attack. I will briefly write about three types of attack: retrieving hidden data, subverting application logic, and retrieving data from other database tables.
When retrieving hidden data from an unprotected site, you can essentially change the URL in order to execute an SQL command that you would not want run against your database.
For example, suppose a website runs a SELECT query to fetch some kind of data. The attacker could instead make it run:
SELECT * FROM tablename WHERE 1=1
which would give the attacker access to everything in the table being queried, since 1=1 is true for every row.
With the second type, subverting application logic, the attacker is able to make a website do something unwanted, for example logging into an account with only the username.
An example statement that would do this is:
SELECT * FROM users WHERE username = 'administrator'--' AND password = ''
This would return the user whose username is "administrator" and effectively just log them in with no password.
In cases where the results of an SQL query are returned within the application's responses, the attacker can manipulate the query to expose data from other tables. This is done via the UNION keyword, which appends the rows of a second SELECT to the original result. An attacker could use something along the lines of:
' UNION SELECT username, password FROM users--
This would display the username and password of everyone in the users table.
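As an added example (not code from the original post), here is the login bypass from above as a small Python program against an in-memory sqlite3 database. The query built by string concatenation returns the administrator row for the input administrator'-- with an empty password, while the same lookup written as a parameterised query treats that input as plain data and finds nothing. The users table and its rows are constructed sample data.

```python
import sqlite3

# Constructed sample rows, not data from the original post.
# Real applications store password hashes, never plaintext; plaintext is
# used here only to keep the two query styles directly comparable.
USERS = [
    ("administrator", "correct horse battery staple"),
    ("alice", "hunter2"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory users table filled with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Build the query by concatenating user input into the SQL text.

    With username = "administrator'--" the resulting statement is
    SELECT username FROM users WHERE username = 'administrator'--' AND password = ''
    and the -- turns the whole password check into a comment.
    """
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Same lookup as a parameterised query: the driver passes the values
    separately from the statement, so ' and -- are just characters in a
    string and never become SQL syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Run the post's payload against both versions and a normal login."""
    conn = make_db()
    payload = "administrator'--"
    return {
        "vulnerable_bypass": login_vulnerable(conn, payload, ""),
        "safe_bypass": login_safe(conn, payload, ""),
        "safe_real_login": login_safe(conn, "alice", "hunter2"),
    }
```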