First of all, opc.three is right: sa is a NO GO

No failed penetration test would ever give you enough confidence, that it cannot be exploitet.

As you notice, those tools each have their flaws. I know it, I have tested a lot of them, too.

And usually I get further into the system if I do a manual penetration test.

Those tools are good for being quick, for an "easy try". But a determined hacker will try harder - and might also just use a different tool with different results(!).

And as you see, even sqlmap, being one of the better ones, is by far not perfect. And it does NOT know all attack techniques.

A penetration tester (person) should, though.

Also usually those tools are not written by experts for a specific database product. So do NOT rely barely on them ever. Your SQL Server expertise or from someone on your team should make it up.

To wrap up and to make sure 🙂

"sa and dbo_owner are both absolute no-go's for Application Users"

You can get a glance at what's possible from my list of one of my sessions on SQL Server Security: www.insidesql.org/blogs/andreaswolter/2013/07/security-session-sql-server-attack-ed