So I am hoping someone here can shed some light on this…
Apparently one is able to gain network access from bruting MSSQL instances.
So the first part of this (in my head at least), is you would need to do some form of port scanning (nmap / Shodan etc) and look for possible entry ways. Once you have the required information, you can start brute forcing the SA account which is probably the most common account to use.
What I don’t understand is how you can go from access to the DB (from the SA account) to network access? I have done some looking around and the closest thing I can find are articles written up about SQLi to RCE. Even CVEs for SQL that offer some form of code execution are few and far between.
How is this possible? Or am I misunderstanding the whole lot?
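From the defender's side, the SA brute-force step described in the post shows up in the SQL Server error log as a burst of failed `sa` logins from one client. The following is an added example, not part of the original post, that flags such bursts; it assumes failed-login auditing is enabled, and the threshold, window, function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the SQL Server ERRORLOG layout (not real data).
_FAIL = ("2024-03-01 10:15:{s:02d}.10 Logon       Login failed for user '{u}'. "
         "Reason: Password did not match that for the login provided. [CLIENT: {ip}]")
SAMPLE_LOG = "\n".join(
    [_FAIL.format(s=s, u="sa", ip="203.0.113.7") for s in range(0, 16, 2)]  # 8 tries in 14 s
    + [_FAIL.format(s=30, u="sa", ip="198.51.100.4"),         # one mistyped password
       _FAIL.format(s=31, u="report_ro", ip="203.0.113.7"),   # different login, ignored
       "2024-03-01 10:15:40.02 Logon       Error: 18456, Severity: 14, State: 8."]
)

FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)

def parse_failures(text, user="sa"):
    """Yield (timestamp, client) for each failed login of `user`."""
    for line in text.splitlines():
        m = FAILED.match(line)
        if m and m.group("user").lower() == user:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group("client")

def brute_force_sources(text, threshold=5, window=timedelta(seconds=60)):
    """Return {client: peak failures in any sliding window} for clients >= threshold."""
    by_client = defaultdict(list)
    for ts, client in parse_failures(text):
        by_client[client].append(ts)
    flagged = {}
    for client, times in by_client.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # shrink window from the left
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[client] = best
    return flagged

if __name__ == "__main__":
    for client, count in brute_force_sources(SAMPLE_LOG).items():
        print(f"{client}: {count} failed sa logins inside the window")
```
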