CQURE Hacks #77: From SQL Login to Full System Compromise

Starting from an exposed SQL Server instance, we demonstrate how weak credentials can be exploited to gain access using a brute-force attack. Once authenticated as the powerful sa account, the attack quickly escalates beyond the database.

We show how an attacker can:

• Validate access to the SQL Server instance
• Enable dangerous features like xp_cmdshell
• Execute operating system commands directly from SQL
• Pivot from database access to full OS-level control
• Create administrative users and completely compromise the machine

This episode highlights how small security gaps — like weak passwords and excessive privileges — can lead to catastrophic consequences.

Want to learn how to both exploit and defend against attacks like this in real environments?

Check out our hands-on training:

👉 https://cqureacademy.com/cyber-security-training/lvc-hacking-and-securing-windows-infrastructure/

In this course, you’ll dive deep into attacking and securing Windows infrastructure, understanding real attack paths, and building practical defensive skills that go far beyond theory.

Secure Your Spot here

🔐 Key takeaways:

• Always enforce strong authentication
• Avoid exposing database services to the internet
• Follow the principle of least privilege
• Disable or restrict dangerous features like xp_cmdshell

Because in real environments… this isn’t just theory — it’s a real attack path.

👍 If you found this useful, don’t forget to like, subscribe, and share!

TRANSCRIPT

[Intro]

Welcome to Cqure Hacks,

In today’s episode, we’re looking at how an exposed SQL Server, combined with weak credentials, can give an attacker complete control over a machine.

[Phase 1 – Initial Access]

We begin on a Kali Linux machine.
The target is a SQL Server instance exposed to the network.

Using a dictionary-based brute-force attack, we attempt to guess credentials for the SQL service.

We recover valid credentials for the sa account – the built-in SQL Server administrator.

Weak passwords on exposed services are often all an attacker needs.

[Phase 2 – Authentication & Access Validation]

With credentials in hand, we switch to SQL Server Management Studio.

Windows authentication is restricted…
but SQL Server authentication using the compromised sa account works perfectly.

At this point, the attacker has full administrative access to the database.

[Phase 3 – Post-Exploitation Begins]

Now the real escalation starts.

Inside SQL Server, we open a new query window and attempt to execute operating system commands.

Initially, this functionality is disabled.

However, because we are logged in as sa, we can modify server configuration.

We enable advanced options…
and activate extended stored procedures that allow command execution.

[Phase 4 – Command Execution]

With that in place, we execute simple system commands.

This confirms two things:

• We have access to the underlying operating system
• And SQL Server is running with high privileges

This is a critical pivot point, we are no longer limited to the database.

[Phase 5 – Full System Compromise]

We create a new local user directly from SQL Server.

Then… we add that user to the local administrators group.

At this stage, the attacker has completely compromised the machine.

What started as a database login…
has now become full operating system control.

[Conclusion – Key Takeaways]

So why did this attack work?

• Weak credentials on a critical account
• Exposed SQL Server service
• Excessive privileges
• And dangerous features enabled without restriction

This is exactly why least privilege, strong authentication, and proper hardening are essential.

Because in real environments…
this isn’t just a demo — it’s a real attack path.

[Outro]

Thanks for watching Cqure Hacks.
Stay secure… and see you in the next episode.

Want to know more?