Many high-profile Web sites have fallen victim to the technique over the last couple of years. The attacks themselves are fairly straightforward, but the results can be devastating. Using features like XP_cmdshell in Microsoft SQL Server, SQL injection can be leveraged to run shell commands against the underlying operating system of the SQL Server at the same privilege level as the database application, which is most often SYSTEM level. Using this vector, an attacker could infiltrate deep into an infrastructure and be relatively unseen.
Source: https://threatpost.com/sql-injection-tactics-revealed-051109/72695/