The following are techniques used to manipulate the SQL injection flaw:
- By altering the SQL query, the attacker can retrieve extra data from the database that a normal user is not authorized to access
- Run a DoS attack by deleting critical data from the database
- Bypass authentication and perform privilege escalation attacks
- Using batched queries, multiple SQL operations can be executed in a single request
- Advance SQL commands can be used to enumerate the schema of the database and then alter the structure too
- Use the load_file() function to read and write files on the database server and the into outfile() function to write files
- Databases such as Microsoft SQL allow OS commands to run through SQL statements using xp_cmdshell; an application vulnerable to SQL injection can allow the attacker to gain complete control over the database server and also attack other devices on the network through it