• 本地 SQL Server 登录口令穷举破解(需 sysadmin 权限;基于 SQL Server 2000 的 master.dbo.sysxlogins 与 pwdcompare)


     --drop procedure [dbo].[p_getpassword]
    go
    /*--穷举法破解 sql server 用户密码

    可以破解中文,特殊字符,字符+尾随空格的密码
    为了方便显示特殊字符的密码,在显示结果中,显示了组成密码的ascii

    理论上可以破解任意位数的密码
    条件是你的电脑配置足够,时间足够:候选数量 = 字符集大小 ^ 密码位数,
    密码每增加一位,耗时就乘以一次字符集大小,因此 @pwdlen 应尽量小

    注意:本过程读取 master.dbo.sysxlogins 中登录的口令散列,只能由 sysadmin
    在自己有权审计的服务器上运行;sysxlogins 是 SQL Server 2000 的系统表,
    更高版本中已不存在,本过程在其上会运行失败

    --邹建 2004.08(引用请保留此信息)--*/

    /*--调用示例

    !! 警告:以下示例会反复修改并最终清空 sa 的口令(sp_password null,null,'sa' 会把 sa 口令置为空),
    !! 只能在一次性的测试实例上运行,绝不能在生产服务器上执行;sp_password 本身也需要 sysadmin 权限

    --测试特殊字符(char(0) 开头 + 尾随空格)
    declare @pwd sysname
    set @pwd=char(0)+'a '
    exec sp_password null,@pwd,'sa'
    exec p_getpassword

    --测试带空格的密码
    exec sp_password null,'a  ','sa'
    exec p_getpassword

    --测试中文
    exec sp_password null,'我 ','sa'
    exec p_getpassword

    --清除密码(将 sa 口令置为空,仅限测试实例!)
    exec sp_password null,null,'sa'
    --*/
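    create proc p_getpassword
        @username sysname=null, -- login name to target; null = every local SQL login in sysxlogins
        @pwdlen int=3           -- longest password length to try (default: 1..3 characters)
    as
    /*
      Brute-forces SQL Server login passwords by feeding every candidate string of
      length 1..@pwdlen to pwdcompare() against the stored hash. Written for the
      SQL Server 2000 catalog (master.dbo.sysxlogins); that table is not present on
      later versions, where this procedure fails at run time.

      Security / operational notes:
        - It reads the password hash of every login it is pointed at, so it is
          gated on sysadmin membership below and fails closed otherwise. Only run
          it on servers you are authorised to audit.
        - Cost is (alphabet size)^length per login: with the full 256-value byte
          alphabet @pwdlen=3 is ~16.8M candidates and every extra character
          multiplies that by 256. Keep @pwdlen small.
        - Result columns: 用户名 (login), 密码 (recovered password, or '' when not
          found within @pwdlen), 密码ascii (comma-separated byte values, so
          non-printing characters and trailing spaces are visible).
    */
    set nocount on

    -- Fail closed: enumerating password hashes is a sysadmin-only activity.
    -- isnull() so that a NULL answer (unknown role) is treated as "not a member".
    if isnull(is_srvrolemember('sysadmin'), 0) <> 1
    begin
        raiserror('p_getpassword: sysadmin membership is required.', 16, 1)
        return
    end

    -- A missing or non-positive length means "single character", instead of
    -- silently trying nothing beyond the 1-character pass.
    if @pwdlen is null or @pwdlen < 1 set @pwdlen = 1

    -- Work table of logins to crack.
    --   type   : 1 when xstatus bit 2048 is set; passed as the third pwdcompare()
    --            argument. The original treats this as "case-sensitive login" (see
    --            the A-Z pruning below) -- confirm against your server's docs.
    --   jm     : 1 = done (NULL/unhashed password, or cracked), 0 = still to crack
    --   pwdstr : recovered password; rows shorter than the 46-byte hash are
    --            taken to hold the password unhashed, as in the original
    --   pwd    : byte values of pwdstr, comma-separated
    select name, password
        , type   = case when xstatus & 2048 = 2048 then 1 else 0 end
        , jm     = case when password is null or datalength(password) < 46 then 1 else 0 end
        , pwdstr = case when datalength(password) < 46 then cast(password as sysname) else cast('' as sysname) end
        , pwd    = cast('' as varchar(8000))
    into #pwd
    from master.dbo.sysxlogins a
    where srvid is null                      -- local logins only, not linked-server mappings
      and name = isnull(@username, name)

    -- Candidate alphabet: one row per byte value 0..255. char(0) is kept so the
    -- NUL-prefixed password from the usage example is reachable; the original
    -- stopped at 254 and could never produce char(255).
    select top 256 id = identity(int, 0, 1) into #t from sysobjects a, sysobjects b
    alter table #t add constraint pk_#t primary key(id)

    -- When no login has type=1 the original drops A-Z (treating the compare as
    -- case-insensitive) and the high byte range to shrink the search space.
    -- 255 is pruned together with 129..254 for consistency with that intent.
    if not exists (select 1 from #pwd where type = 1)
        delete from #t where id between 65 and 90 or id between 129 and 255

    declare @l int
    declare @cand varchar(8000)     -- candidate-string expression, e.g. char(b.id)+char(ab.id)
          , @codes varchar(8000)    -- matching comma-separated byte-value expression
          , @tables varchar(8000)   -- cross-joined copies of #t, one per character position
          , @alias varchar(2)

    -- Length 1: candidates come straight from #t (alias b).
    select @l = 0
        , @cand   = 'char(b.id)'
        , @codes  = 'cast(b.id as varchar)'
        , @tables = '#t b'
    exec('
    update pwd set jm = 1, pwdstr = ' + @cand + ', pwd = ' + @codes + '
    from #pwd pwd, ' + @tables + '
    where pwd.jm = 0
      and pwdcompare(' + @cand + ', pwd.password, pwd.type) = 1
    ')

    -- Lengths 2..@pwdlen: add one more cross-joined copy of #t per character.
    -- The cross product is joined inside the UPDATE instead of being written to
    -- a temp table first, so the (alphabet^length) candidate set is streamed
    -- rather than materialised in tempdb. Stops early once every login is done.
    while @l < @pwdlen - 1 and exists (select 1 from #pwd where jm = 0)
    begin
        select @l = @l + 1
        -- two-letter alias per position: ab, ac, ..., ba, ... (b is position 1)
        select @alias = char(@l / 26 + 97) + char(@l % 26 + 97)
        select @cand   = @cand + '+char(' + @alias + '.id)'
            , @codes  = @codes + '+'',''+cast(' + @alias + '.id as varchar)'
            , @tables = @tables + ', #t ' + @alias
        exec('
        update pwd set jm = 1, pwdstr = ' + @cand + ', pwd = ' + @codes + '
        from #pwd pwd, ' + @tables + '
        where pwd.jm = 0
          and pwdcompare(' + @cand + ', pwd.password, pwd.type) = 1
        ')
    end

    -- Report: logins not cracked within @pwdlen show '' for 密码/密码ascii.
    select 用户名 = name, 密码 = pwdstr, 密码ascii = pwd
    from #pwd

    drop table #t
    drop table #pwd
    go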


     

    ----------------------------

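    -- ALTER requires an existing object, so a bare listing with only ALTER fails on
    -- a fresh server. Create a stub first, then ALTER it into the real body
    -- (this also keeps any permissions granted on the object across re-deploys).
    if object_id(N'dbo.p_GetPassword2') is null
        exec('create proc dbo.p_GetPassword2 as return')
    go
    alter proc p_GetPassword2
        @username sysname=null, -- login name to target; null = every local SQL login in sysxlogins
        @pwdlen int=2           -- longest password length to try (default: 1..2 characters)
    as
    /*
      Brute-forces SQL Server login passwords over an explicit printable alphabet
      (@ss) by cross-joining one copy of the alphabet per character position and
      testing each candidate with pwdcompare(). Written for the SQL Server 2000
      catalog (master.dbo.sysxlogins); that table is not present on later versions.

      Security / operational notes:
        - Reads the password hash of every targeted login; gated on sysadmin
          membership below and fails closed otherwise. Only run it on servers you
          are authorised to audit.
        - Cost is len(@ss)^length per login; the 查询次数和行数 column reports the
          candidate count tried per length so the cost is visible in the output.
        - The alphabet has no space and no upper-case letters, so passwords
          containing those are not found (see @ss below).
    */
        set nocount on

        -- Fail closed: enumerating password hashes is a sysadmin-only activity.
        -- isnull() so that a NULL answer (unknown role) is treated as "not a member".
        if isnull(is_srvrolemember('sysadmin'), 0) <> 1
        begin
            raiserror('p_GetPassword2: sysadmin membership is required.', 16, 1)
            return
        end

        -- Temp tables created by the caller would be visible here; start clean.
        if object_id(N'tempdb..#t') is not null
            drop table #t
        if object_id(N'tempdb..#pwd') is not null
            drop table #pwd

        -- Normalise to "characters beyond the first": null/<1 -> 0 (one character
        -- only), n -> n-1. The original mapped an invalid length to 1, i.e. two
        -- characters, which contradicted @pwdlen=1 meaning one character.
        set @pwdlen = case when isnull(@pwdlen, 0) < 1 then 1 else @pwdlen end - 1

        -- Candidate alphabet. Every character must be unique because #t.c is the
        -- primary key; do not end @ss with a space, len() ignores trailing spaces.
        -- Upper-case letters are left out: with a case-insensitive collation they
        -- collide with a-z under the key, and they only matter for logins whose
        -- compare is case-sensitive.
        declare @ss varchar(256)
        -- digits-only example: select @ss = '123456789'
        select @ss =       'abcdefghijklmnopqrstuvwxyz'
        select @ss = @ss + '`0123456789-=[]\;,./'
        select @ss = @ss + '~!@#$%^&*()_+{}|:<>?'
        -- select @ss = @ss + 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'

        create table #t (c char(1) not null)
        alter table #t add constraint PK_#t primary key clustered (c)
        declare @index int
        select @index = 1
        while @index <= len(@ss)
        begin
            insert #t select substring(@ss, @index, 1)
            select @index = @index + 1
        end

        -- Work table of logins to crack.
        --   type   : 1 when xstatus bit 2048 is set; passed as the third pwdcompare()
        --            argument (meaning not stated in the original -- confirm against docs)
        --   jm     : 1 = done (NULL password, or cracked), 0 = still to crack
        --   pwdstr : recovered password
        --   pwd    : ascii codes of pwdstr, comma-separated
        --   times  : per-length candidate counts tried, for the report
        select name, password
            , type   = case when xstatus & 2048 = 2048 then 1 else 0 end
            , jm     = case when password is null then 1 else 0 end
            , pwdstr = cast('' as sysname)
            , pwd    = cast('' as varchar(8000))
            , times  = cast('' as varchar(8000))
        into #pwd
        from master.dbo.sysxlogins a
        where srvid is null                  -- local logins only, not linked-server mappings
          and name = isnull(@username, name)

        declare @s1 varchar(8000)      -- candidate-string expression, e.g. aa.c+ab.c
              , @s2 varchar(8000)      -- matching comma-separated ascii() expression
              , @s3 varchar(8000)      -- cross-joined copies of #t, one per position
              , @stimes varchar(8000)  -- running "<len>th,<rows>rows" report
              , @alias varchar(2)
        declare @l int, @t bigint, @n bigint

        -- Alphabet size as bigint: power(int, k) overflows int once len(@ss)^k
        -- passes 2^31 (for this alphabet at k=6), which aborted the loop.
        select @n = len(@ss)
        select @t = count(1) * power(@n, 1) from #pwd

        -- Length 1: candidates come straight from #t (alias aa).
        select @l = 0
            , @s1 = 'aa.c'
            , @s2 = 'cast(ascii(aa.c) as varchar)'
            , @s3 = ',#t aa'
            , @stimes = '1th,' + cast(@t as varchar(20)) + 'rows'

        -- times is set here too so one-character hits also carry their count.
        exec('
            update pwd set jm = 1, pwdstr = ' + @s1 + '
            , pwd = ' + @s2 + '
            , times = ''' + @stimes + '''
            from #pwd pwd' + @s3 + '
            where pwd.jm = 0
              and pwdcompare(' + @s1 + ', pwd.password, pwd.type) = 1
            ')

        -- Lengths 2..: add one more cross-joined copy of #t per character;
        -- stops early once every login is done.
        while @l < @pwdlen and exists (select 1 from #pwd where jm = 0)
        begin
            select @l = @l + 1
            select @t = count(1) * power(@n, @l + 1) from #pwd
            print @t

            -- two-letter alias per position: ab, ac, ..., ba, ... (aa is position 1)
            select @alias = char(@l / 26 + 97) + char(@l % 26 + 97)
            select @s1 = @s1 + '+' + @alias + '.c'
                , @s2 = @s2 + '+'',''+cast(ascii(' + @alias + '.c) as varchar)'
                , @s3 = @s3 + ',#t ' + @alias
                -- varchar(10): the original's varchar(1) turned lengths >= 10 into '*'
                , @stimes = @stimes + ';' + cast(@l + 1 as varchar(10)) + 'th,' + cast(@t as varchar(20)) + 'rows'

            exec('
            update pwd set jm = 1, pwdstr = ' + @s1 + '
            , pwd = ' + @s2 + '
            , times = ''' + @stimes + '''
            from #pwd pwd' + @s3 + '
            where pwd.jm = 0
              and pwdcompare(' + @s1 + ', pwd.password, pwd.type) = 1
            ')
        end

        -- Report: logins not cracked within @pwdlen show '' for 密码/密码ASCII.
        select 用户名 = name, 密码 = pwdstr, 密码ASCII = pwd, 查询次数和行数 = times
        from #pwd

        if object_id(N'tempdb..#t') is not null
            drop table #t
        if object_id(N'tempdb..#pwd') is not null
            drop table #pwd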

  • 原文地址:https://www.cnblogs.com/qanholas/p/2378112.html