SQL Injection (SQLi) is a web based attack used by hackers to steal sensitive information from organizations through web applications. It is one of the most common application layer attacks used today. This attack takes advantage of improper coding of web applications, which allows hackers to exploit the vulnerability by injecting SQL commands into the prior web application.The underlying fact that allows for SQLi is that the fields available for user input in the web application allow SQL statements to pass through and interact with or query the database directly.
For example, let us consider a web application that implements a form-based login mechanism to store the user credentials and performs a simple SQL query to validate each login attempt. Here is a typical example:
select * from users where username=’admin’ and password=’admin123′;
If the attacker knows the username of the application administrator is admin, then he can log into the app as admin by entering the username as admin’– and without supplying any password. The query in the back-end looks like:
Select * from users where username=’admin’–’ and password=’xxx’;
Note the comment sequence (–-) causes the followed query to be ignored, so query executed is equivalent to:
Select * from users where username=’admin’;
Hence the password check is bypassed and the attacker is logged into the app as admin. SQL Injection can be tested in two ways – Manual Pen-Testing & Automation.
Read full article – http://www.securitylearn.net/tag/sqlmap-tutorial/
Hope this will help !!!!!