You are right /if/ you know that you have a SQL injection. However, if you're not sure, you might just introduce one and see if you can break in using sqlninja. After all, being able to get full access to a server by exploiting a SQL injection is pretty serious. If you can, IMHO you better do something about it, even if you don't currently vulnerable to SQL injections. Like, for instance, move away from MS SQL Server (which seems to be the only SQL server sqlninja supports).