windows: What is this hacker trying to do?

Note: this page is a Chinese-English parallel translation of a popular StackOverflow question, released under the CC BY-SA 4.0 license. If you reuse it you must follow the CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/2929996/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

Date: 2020-09-15 14:32:35  Source: igfitidea

What is this hacker trying to do?

Tags: sql-server, windows, tsql, security, sql-injection

Asked by JW.

If you do a search for:


http://www.google.co.uk/search?q=0x57414954464F522044454C4159202730303A30303A313527&hl=en&start=30&sa=N


you will see a lot of examples of an attempted hack along the lines of:


1) declare @q varchar(8000) select @q = 0x57414954464F522044454C4159202730303A30303A313527 exec(@q) --

What is exactly is it trying to do? Which db is it trying to work on? Do you know of any advisories about this?


Answered by rook

He is testing your server for SQL Injection; specifically, this is a robust test that will work even if it's Blind SQL Injection. Blind SQL Injection is when an attacker is able to execute SQL; however, there isn't a viewable response. If the http request takes at least 15 seconds the attacker will know that he can execute SQL, and that you're running MS-SQL. After this attack he will follow it up with an xp_cmdshell() to infect your server.


Answered by Alistair

According to http://bytes.com/topic/mysql/answers/888849-hacker-attempt it looks like it's trying to run:


WAITFOR DELAY '00:00:15'


As others have pointed out it's not a DOS attack (as I originally stated) but merely a way to easily determine if the SQL Server is vulnerable and can be added to a list of hosts to perhaps further hack away at later on.


Answered by Saif Khan

In simpler terms he/she/it is very slick. Using the "WAITFOR DELAY..." strategy allows he/she/it to see if the server is vulnerable without logging anything. The check is being done to see what access the connection string user has in the db. And like @Rook said, that would lead to xp_cmdshell(), which can give the intruder access to the server and even your network.


Answered by Icemanind

That is a hex string. When you translate it, it translates into: "WAITFOR DELAY '00:00:15'"

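As an added example (not code from the question or any of the answers), the following Python script decodes the 0x... literal the way Icemanind describes and flags web-server requests that carry this declare/exec pattern, so a defender can spot the probe in access logs. The log lines are constructed for the example; the first one carries the exact payload quoted in the question.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# The "declare @q varchar(8000) select @q = 0x... exec(@q)" shape seen in the
# question; the variable name and the hex literal are captured.
HEX_EXEC_RE = re.compile(
    r"declare\s+@(\w+)\s+varchar\(\d+\)\s*select\s+@\1\s*=\s*0x([0-9a-f]+)\s*exec\(@\1\)",
    re.IGNORECASE,
)
# T-SQL that marks a time-based probe or the follow-up the answers warn about.
SUSPICIOUS_RE = re.compile(r"\b(WAITFOR\s+DELAY|xp_cmdshell)\b", re.IGNORECASE)

# Constructed access-log lines (not from the original post). Client IPs are
# documentation addresses; the payload in the first line is the one from the question.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Sep/2020:14:32:35 +0000] "GET /products.asp?id=1)%20declare%20@q%20varchar(8000)%20select%20@q%20=%200x57414954464F522044454C4159202730303A30303A313527%20exec(@q)%20-- HTTP/1.1" 200 512
198.51.100.7 - - [15/Sep/2020:14:32:40 +0000] "GET /products.asp?id=42 HTTP/1.1" 200 4096
"""


def decode_hex_literal(hex_digits: str) -> str:
    """Turn a T-SQL 0x... varbinary literal into the text it encodes."""
    return bytes.fromhex(hex_digits).decode("latin-1")


def analyze_request(raw_target: str) -> Optional[Dict[str, object]]:
    """Return the decoded payload and a verdict if the request carries a hex exec payload."""
    decoded = unquote_plus(raw_target)  # scanners URL-encode the spaces
    m = HEX_EXEC_RE.search(decoded)
    if not m:
        return None
    payload = decode_hex_literal(m.group(2))
    return {
        "variable": m.group(1),
        "payload": payload,
        "time_based_probe": bool(SUSPICIOUS_RE.search(payload)),
    }


def scan_log(log_text: str) -> List[Dict[str, object]]:
    """Run analyze_request over each request line; return one hit per flagged request."""
    hits = []
    for line in log_text.splitlines():
        req = re.search(r'"(?:GET|POST)\s+(\S+)', line)
        if not req:
            continue
        info = analyze_request(req.group(1))
        if info:
            hits.append({"source": line.split()[0], **info})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Running it reports the first line with payload WAITFOR DELAY '00:00:15' and time_based_probe set, and nothing for the ordinary request.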

Answered by Lukasz Szozda

WAITFOR could be used for a time-based SQL Injection attack.


Time-Based Blind SQL Injection Attacks

Time-based techniques are often used to achieve tests when there is no other way to retrieve information from the database server. This kind of attack injects a SQL segment which contains a specific DBMS function or heavy query that generates a time delay. Depending on the time it takes to get the server response, it is possible to deduce some information. As you can guess, this type of inference approach is particularly useful for blind and deep blind SQL injection attacks.

Time-Based Attacks Pros and Cons

One main advantage of this technique is to have little to no impact on logs, especially when compared to error-based attacks. However, in situations where heavy queries or CPU intensive functions like MySQL's BENCHMARK() must be used, chances are good that system administrators realize something is going on.

This vulnerability could be mitigated with the new SQL Server 2019/SQL Azure Database feature:


Feature Restrictions (discontinued)

One common source of SQL Server attacks is through web applications that access the database where various forms of SQL injection attacks are used to glean information about the database. Ideally, application code is developed so it does not allow for SQL injection. However, in large code-bases that include legacy and external code, one can never be sure that all cases have been addressed, so SQL injections are a fact of life that we have to protect against. The goal of feature restrictions is to prevent some forms of SQL injection from leaking information about the database, even when the SQL injection is successful.

EXEC sp_add_feature_restriction <feature>, <object_class>, <object_name>

WAITFOR Feature Restriction

A Blind SQL Injection is when an application does not provide an attacker with the results of the injected SQL or with an error message, but the attacker can infer information from the database by constructing a conditional query in which the two conditional branches take a different amount of time to execute. By comparing the response time, the attacker can know which branch was executed, and thereby learn information about the system. The simplest variant of this attack is using the WAITFOR statement to introduce the delay.


EXEC sp_add_feature_restriction N'Waitfor', N'User', N'MyUserName'