xp_cmdshell is essentially a mechanism for executing arbitrary calls into the system, using either the SQL Server context or a proxy account that can be configured to run xp_cmdshell under different credentials. By its nature xp_cmdshell is very flexible: it lets users execute any arbitrary command in the system (or proxy) context, with no good way to limit that flexibility, which pretty much opens the door to abuse.
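Because the execution context is either the SQL Server service account or the proxy credential, a review of an instance should establish whether the feature is on, whether a proxy is configured, and who can reach it. The T-SQL below is an added audit example, not part of the original page; it assumes a session with sysadmin rights and uses only built-in catalog views and procedures.

```sql
-- Added audit example (not from the original page). Run as a sysadmin.
USE master;

-- 1. Is xp_cmdshell enabled? value_in_use = 1 means it can be executed right now.
SELECT name, value AS configured_value, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 2. Is a proxy account configured? Non-sysadmin callers run commands as the
--    Windows identity stored in this credential; no row means no proxy is set.
SELECT name, credential_identity, create_date, modify_date
FROM sys.credentials
WHERE name = N'##xp_cmdshell_proxy_account##';

-- 3. Which principals were explicitly granted (or denied) EXECUTE on it?
SELECT pr.name       AS principal_name,
       pr.type_desc  AS principal_type,
       pe.permission_name,
       pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1
  AND pe.major_id = OBJECT_ID(N'sys.xp_cmdshell');

-- 4. sysadmin members need no grant and run commands in the SQL Server
--    service account context, so list them as well.
SELECT m.name AS sysadmin_member, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';

-- 5. If nothing depends on it, turn the feature off.
EXEC sp_configure N'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure N'xp_cmdshell', 0;
RECONFIGURE;

-- Optional: remove the proxy credential once it is no longer needed.
-- EXEC sp_xp_cmdshell_proxy_account NULL;
```

Disabling the option does not stop a sysadmin from re-enabling it with sp_configure, so the result of query 4 matters as much as the configuration value.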