The general thesis of this talk I attended by Scott Sutherland and Antti Rantasaari from @NetSpi is that SQL Server is mostly very well designed with respect to security, so that most of the vulnerabilities are due to careless configuration… which abounds in the wild. Further, because it is integrated with the Windows operating system, it is open to approaches that use Windows API calls.
Often people use weak passwords, unencrypted connections, and the same privilege levels for SQL Server as for some easily hackable user domain, for the convenience of the DBA and/or developers, and then nobody bothers to change this when the application goes live. Another common thing people do is to put a blog at the same privilege level as the portion of the website that is supposed to be PCI compliant. This rather begs the question of whether it is PCI compliant at all… if it complies with the letter, it certainly does not with the spirit, since blogs of course tend to be very susceptible to XSS and SQL injection, and thus the “PCI compliant” portion of the site can likely be DB-enumerated as well once the blog is compromised.
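The three misconfigurations above (weak passwords, unencrypted connections, and application accounts sharing a high privilege level) can all be checked from inside the instance. The following T-SQL audit is my own added example, not code from the talk or from NetSpi; it assumes you run it as a sysadmin on the instance under review, and the short list of weak candidate passwords is a constructed sample.

```sql
-- Added example: read-only audit of the misconfigurations described above.
-- Assumes SQL Server 2005 or later and sysadmin rights on the instance.

-- 1. SQL logins whose password is blank, equal to the login name, or in a
--    small constructed list of weak values. PWDCOMPARE hashes the candidate
--    with the stored salt and compares it to the stored hash.
WITH weak(candidate) AS (
    SELECT '' UNION ALL SELECT 'password' UNION ALL SELECT 'sa'  -- constructed sample
)
SELECT l.name, l.is_disabled, 'weak or blank password' AS finding
FROM sys.sql_logins AS l
WHERE PWDCOMPARE(l.name, l.password_hash) = 1
   OR EXISTS (SELECT 1 FROM weak AS w
              WHERE PWDCOMPARE(w.candidate, l.password_hash) = 1);

-- 2. Logins holding sysadmin. A blog or application account in this list means
--    compromising that site compromises every database on the host, which is
--    the "same privilege level" problem the talk described.
SELECT p.name, p.type_desc, 'member of sysadmin' AS finding
FROM sys.server_principals AS p
WHERE p.type IN ('S', 'U', 'G')   -- SQL login, Windows login, Windows group
  AND IS_SRVROLEMEMBER('sysadmin', p.name) = 1;

-- 3. Current TCP sessions that are not using an encrypted connection,
--    with the login and client address so the owning application can be found.
SELECT s.login_name, c.client_net_address, c.encrypt_option,
       'unencrypted connection' AS finding
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions   AS s ON s.session_id = c.session_id
WHERE c.net_transport = 'TCP'
  AND c.encrypt_option = 'FALSE';
```

Check 3 only reports sessions open at the moment you run it, so run it during normal application load rather than off-hours.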
The talk went into details of how to use Metasploit to hack vulnerable SQL Server instances, execute SQL queries, and even obtain command shells. For World War II history enthusiasts, this all has a familiar ring to it. The German Enigma machine's coded messages were theoretically unhackable, but the Bletchley Park team exploited human weaknesses in the form of sloppy use of the system that compromised its entropy. That seems to characterize most SQL Server exploits, and it underscores the need for an enterprise to be very regimented about sequestering the dev environment and the dev test site, where all the security is lax to expedite development, from the live environment, where everything needs to be properly locked down.