This is a time-based SQL injection attack.
The attacker knows whether the query is true or not by how fast the page loads with waitfor delay. If true then there will be a 4 second delay.
Next the attacker could use substring to slowly extract data from any column in your database that the current database user has permissions to.
example:
first character = a?
if(ASCII(SUBSTRING((SELECT password FROM admin), 1, 1))=97) waitfor delay ...
second character = b?
if(ASCII(SUBSTRING((SELECT password FROM admin), 2, 1))=98) waitfor delay ...
If the first letter of column password is 'a' (ASCII('a') === 97), the page will delay. By iterating over each character using substring, they could slowly extract your data.
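For the defending side, the pattern described above (a delay statement combined with ASCII(SUBSTRING(...)) comparisons that walk through character positions) is recognizable in request logs. The following is an added example, not part of the original answer: the log tuples are constructed, and the 4-second threshold and the `find_timing_probes` name are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample data: (client IP, raw query string, response time in seconds).
SAMPLE_LOG = [
    ("203.0.113.7", "id=1;if(ASCII(SUBSTRING((SELECT+password+FROM+admin),1,1))=97)+waitfor+delay+'0:0:4'", 0.08),
    ("203.0.113.7", "id=1;if(ASCII(SUBSTRING((SELECT+password+FROM+admin),1,1))=98)+waitfor+delay+'0:0:4'", 4.03),
    ("203.0.113.7", "id=1;if(ASCII(SUBSTRING((SELECT+password+FROM+admin),2,1))=97)+waitfor+delay+'0:0:4'", 0.07),
    ("203.0.113.7", "id=1;if(ASCII(SUBSTRING((SELECT+password+FROM+admin),2,1))=98)+waitfor+delay+'0:0:4'", 4.02),
    ("198.51.100.20", "id=42", 0.05),
    ("198.51.100.20", "q=delay+in+shipping", 4.50),  # slow, but no injected SQL
]

SLOW_SECONDS = 4.0  # assumption: matches the 4 second delay described in the text

# The delay primitive, and the per-character comparison with its position and value.
DELAY = re.compile(r"waitfor\s+delay", re.I)
PROBE = re.compile(
    r"ascii\s*\(\s*substring\s*\(.*?,\s*(\d+)\s*,\s*\d+\s*\)\s*\)\s*[=<>]+\s*(\d+)",
    re.I | re.S,
)

def find_timing_probes(entries, min_probes=3):
    """Return per-client statistics for clients sending repeated delay-based probes."""
    seen = defaultdict(lambda: {"probes": 0, "positions": set(), "slow": 0})
    for ip, query, seconds in entries:
        decoded = unquote_plus(query)  # undo URL encoding before matching
        if not DELAY.search(decoded):
            continue
        rec = seen[ip]
        rec["probes"] += 1
        match = PROBE.search(decoded)
        if match:
            rec["positions"].add(int(match.group(1)))  # character index being tested
        if seconds >= SLOW_SECONDS:
            rec["slow"] += 1  # a delayed response means the condition was true
    return {
        ip: {"probes": r["probes"], "positions": sorted(r["positions"]), "slow": r["slow"]}
        for ip, r in seen.items()
        if r["probes"] >= min_probes
    }

if __name__ == "__main__":
    for ip, stats in find_timing_probes(SAMPLE_LOG).items():
        print(ip, stats)
```

Detection like this complements, and does not replace, parameterized queries, which keep the injected text from being parsed as SQL in the first place.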