
Is it possible to install malicious code with a SQL injection attack


We recently identified a security flaw in some old code which was vulnerable to SQL injection attack.

The server is MS SQL Server 2012 running on Windows 2012.

During the investigation I have been asked if any malicious code has been installed via the vulnerability. The SQL server is once removed from the web server but does have access to the internet for operating system updates.

I was not aware and haven't heard of code being installed / downloaded via SQL injection, and my immediate response would be no, this isn't possible. However, I thought I would ask the good people on Stack Overflow as there is always the possibility I'm wrong :)


Solution

  • Yes, SQL Server can execute the master..xp_cmdshell command, which executes Windows command line operations, allowing further taking over the server and installing things on it. SQL Server also supports C# code embedding. I would take the server for forensics analysis if it's important, or delete it altogether if it's not.
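As an added example (not part of the original question or answer), these are the read-only checks an investigator would run on the instance to see whether the features named in the answer are enabled or were switched on. It assumes sysadmin access to the SQL Server 2012 instance and that the error log is intact.

```sql
-- Forensic triage on a SQL Server instance suspected of SQL injection abuse.
-- Run as sysadmin. Everything below only reads state; nothing is reconfigured,
-- so the evidence on the server is left as it was found.

-- 1. Are the code-execution features enabled right now?
--    xp_cmdshell runs OS commands; 'clr enabled' allows loading .NET (C#)
--    assemblies; Ole Automation Procedures is a third OS-access route.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'clr enabled', 'Ole Automation Procedures');

-- 2. Has any user-defined CLR assembly been loaded?
--    sys.assemblies is per database, so repeat this in each user database.
--    UNSAFE or EXTERNAL_ACCESS assemblies deserve the closest look.
SELECT name, permission_set_desc, create_date, modify_date
FROM sys.assemblies
WHERE is_user_defined = 1;

-- 3. Was the setting flipped during the exposure window? SQL Server writes
--    "Configuration option 'xp_cmdshell' changed from 0 to 1" to its error
--    log. First argument 0 = current log (older logs are 1, 2, ...),
--    second argument 1 = the SQL Server log (2 would be the Agent log).
EXEC master.dbo.xp_readerrorlog 0, 1, N'xp_cmdshell';
EXEC master.dbo.xp_readerrorlog 0, 1, N'clr enabled';
```

An attacker who turned xp_cmdshell on and then off again leaves the first query clean but the third one not, which is why the log check matters more than the current setting.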