In this tutorial, we'll look at how we can crack the password on the system admin (sa) account on the database, install a Meterpreter payload by calling the xp_cmdshell stored procedure, and wreak havoc on their system.
BackTrack has a wordlist specially built for MS SQL password hacking with over 57,000 commonly used SQL passwords at /pentest/exploits/fasttrack/bin/wordlist.txt. In this case, our target is at 192.168.1.103, and we will set our THREADS to 20.
As you can see, after testing over 57,000 passwords (it takes a few minutes, so be patient), it found that the password on our sa account is "NullByte". Success! Now we have full sysadmin privileges on the database that we can hopefully convert to full sysadmin privileges on the system itself.
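A run like the one above leaves tens of thousands of error 18456 entries ("Login failed for user 'sa'") in the SQL Server error log within a few minutes. The following is an added example, not part of the original tutorial, showing how a defender can flag that pattern; the log lines, timestamps and client addresses are constructed, and the threshold and window are assumed values to tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# SQL Server ERRORLOG line written for each failed login (error 18456).
FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)

def find_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {(client, user): peak_count} for every pair whose failed logins
    reach `threshold` within any sliding `window` (lines in time order)."""
    recent = defaultdict(list)   # (client, user) -> timestamps inside window
    peaks = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        key = (m["client"], m["user"].lower())
        hits = recent[key]
        hits.append(ts)
        # Drop failures that fell out of the window.
        while hits and ts - hits[0] > window:
            hits.pop(0)
        if len(hits) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(hits))
    return peaks

def sample_log():
    """Constructed ERRORLOG excerpt: 25 rapid 'sa' failures from one host,
    plus a single mistyped password from another (all values made up)."""
    base = datetime(2024, 1, 15, 10, 0, 0)
    fmt = ("{} Logon       Login failed for user '{}'. Reason: Password did "
           "not match that for the login provided. [CLIENT: {}]")
    lines = []
    for i in range(25):
        ts = (base + timedelta(seconds=i)).strftime("%Y-%m-%d %H:%M:%S.00")
        lines.append(fmt.format(ts, "sa", "192.168.1.50"))
    lines.append(fmt.format("2024-01-15 10:05:00.00", "appuser", "192.168.1.77"))
    lines.append("2024-01-15 10:05:01.00 spid51      Starting up database 'tempdb'.")
    return lines

if __name__ == "__main__":
    for (client, user), n in find_bruteforce(sample_log()).items():
        print(f"ALERT {client} -> '{user}': {n} failed logins within 60s")
```

These entries are written only when the instance audits failed logins, so confirm that setting before relying on the error log as a detection source.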