Hacking MSSQL on Cloud. All of them. How I became sysadmin on Azure, AWS, GCP and Alibaba.
Regular 50 minute session for SQLBits 2026
Saturday - 25 Apr 2026 - 09:00 - 09:50
Auditorium
TL;DR
It began as a small security research project on a local SQL Server; one vulnerability quickly led much further. That initial finding enabled privilege escalation across multiple managed platforms, including Azure SQL Database, GCP CloudSQL for SQL Server, Amazon RDS, and Alibaba ApsaraDB. In this presentation, I'll demonstrate how an attacker can escalate from a low-privileged user to sysadmin in cloud-managed SQL Server environments. I'll also explain why these flaws existed, how to defend against similar attack paths, and how each cloud provider responded.
Session Details
It started as a simple security research project on a local SQL Server instance. A single vulnerability led me down a rabbit hole from compromising Azure SQL Database to successfully escalating privileges on GCP CloudSQL for SQL Server, Amazon RDS, and Alibaba ApsaraDB.
In this session, I’ll walk you through the techniques I used to escalate from a limited user to sysadmin on managed SQL Server platforms offered by the four biggest cloud providers. I’ll also demonstrate post-exploitation techniques, including how I retrieved plaintext [sa] passwords from internal logs and accessed highly sensitive internal metadata.
More importantly, I’ll share lessons on how these vulnerabilities were possible in the first place and what you, as a developer, DBA, or security professional, can do to secure your applications against similar attack vectors.
Finally, I’ll share how each cloud provider responded to the vulnerabilities I disclosed, the remediation timelines, and the broader lessons this experience teaches us about cloud security.
3 things you'll get out of this session
Cloud customers trust the "managed" label and rarely penetration-test the underlying platform.
The talk gives both red- and blue-teams a repeatable methodology to validate (or break) those assumptions.
Speakers
Fabiano Amorim's other proposed sessions for 2026
Future-Proofing SQL Server: High Availability, Performance, and Key Innovations from 2022 to 2025 - 2026
Your MSSQL environment is vulnerable and I can prove it - 2026