In a SQL Injection attack, the attacker submits a string that is interpreted as a SQL database command. This allows the attacker to manipulate the database by executing arbitrary SQL code, which can lead to unauthorized access to sensitive data, modification of data, or even deletion of data. The goal is to exploit vulnerabilities in the application's handling of input to manipulate the SQL queries the application performs.