他正在测试您的服务器的 SQL 注入，特别是这是一个强大的测试，即使它的 盲 SQL 注入.SQL Blind Injection 是指攻击者能够执行 SQL 但没有可见响应.如果 http 请求需要至少 15 秒，攻击者就会知道他可以执行 SQL，并且您正在运行 MS-SQL.在这次攻击之后，他将使用 xp_cmpdshell() 来感染您的服务器.

He is testing your server for SQL Injection, specifically this is a robust test that will work even if its Blind SQL Injection. Blind SQL Injection is when an attacker is able to execute SQL however, there isn't a viewable response. If the http request takes at least 15 seconds the attacker will know that he can execute SQL, and that your running MS-SQL. After this attack he will follow it up with a xp_cmpdshell() to infect your server.