This document discusses how SQL injection attacks can be used to steal database information. It begins by providing background on databases and SQL queries. It then explains how SQL injection works by altering existing SQL commands. Several examples of SQL injection attacks are given, such as exploiting unvalidated login forms. The document outlines a step-by-step strategy an attacker could use to extract metadata and data from a database using SQL injection, including getting the database type and table/column names. It concludes by demonstrating how an attacker could use the extracted information to add an administrative account.
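The unvalidated login form case mentioned above, as an added Python example that is not taken from the document being summarized: a login query built by string concatenation beside its parameterized form, run against the same quote-bearing input. The table layout, function names and sample accounts are assumptions constructed for this example.

```python
import sqlite3


def make_db():
    """In-memory database with constructed sample accounts (example data only)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    # Plaintext passwords only keep the example short; real systems store hashes.
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "correct-horse"), ("root", "s3cret-admin")])
    return db


def login_unvalidated(db, name, password):
    """Vulnerable: form input is pasted into the SQL text, so a quote in the
    input ends the string literal and the rest is parsed as SQL."""
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(db, name, password):
    """Hardened: placeholders bind input as data, so it never reaches the
    SQL parser and cannot alter the command."""
    row = db.execute("SELECT name FROM users WHERE name = ? AND password = ?",
                     (name, password)).fetchone()
    return row[0] if row else None


def compare(name, password):
    """Return (vulnerable_result, hardened_result) for one login attempt."""
    db = make_db()
    try:
        return (login_unvalidated(db, name, password),
                login_parameterized(db, name, password))
    finally:
        db.close()


if __name__ == "__main__":
    # A legitimate login, then an input whose quote rewrites the WHERE clause.
    for attempt in [("alice", "correct-horse"), ("alice", "' OR '1'='1")]:
        print(attempt, "->", compare(*attempt))
```

A code review or static-analysis rule that flags string concatenation or formatting inside `execute()` calls catches the first pattern before it ships.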