首先要感謝哥們對(duì)我的指點(diǎn)，多謝。

當(dāng)我們遇到類似情況下，如何獲取保存在MSSQL工具里的憑證呢？

?//如果對(duì)方連接地址后面加了IP\sqlexpress 連接的時(shí)候你也記得加上，不然即使密碼正確，也會(huì)說(shuō)登錄失敗。

?

通過(guò)和哥們討論研究分析以及查找資料，知道了密碼存放的地方：

C:\Users\Administrator\AppData\Roaming\Microsoft\Microsoft SQL Server\90\Tools\ShellSEM\mru.dat (當(dāng)前MSSQL 連接工具為2005)

我們通過(guò)C32來(lái)查看MRU.DAT，會(huì)發(fā)現(xiàn)一串BASE64編碼：

?

這個(gè)就是我們的保存的憑證，但是并不是直接還原BASE64就可以了，需要DECODE后還需要DPAPI來(lái)進(jìn)行解密：

?

代碼如下：

?

// Encode.cpp : 定義控制臺(tái)應(yīng)用程序的入口點(diǎn)。 // #include "stdafx.h" #include <Windows.h> #include <stdio.h> #include <iostream> #include <cstdlib> #include <stdio.h> #pragma comment(lib, "crypt32.lib") using namespace std;int Base64Decoder(char *input, unsigned char *output) {char base64string[]="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";BYTE dataBuffer[4];BYTE outputBuffer[3];BYTE finalBuffer[1000];int count=0;int padCount=0;int length;length = strlen(input);//Validate the data for BASE64if( length % 4 ){printf("%s - Invalid base64 data is supplied %s (%d) ", input, length);return 0;}//count the no of paddingif (input[length-1] == '=')padCount++;if (input[length-2] == '=')padCount++;// Process 4 chars in each loop to produce 3 charsfor (int i=0; i < length; i += 4){// Populate data buffer with position of Base64 characters for// next 4 bytes from encoded datafor (int j=0; j < 4 && (i + j < length); j++) dataBuffer[j] = ( (int)strchr(base64string, input[i+j]) - (int)base64string );//Decode data buffer back into bytesoutputBuffer[0] = (dataBuffer[0] << 2) + ((dataBuffer[1] & 0x30) >> 4);outputBuffer[1] = ((dataBuffer[1] & 0x0f) << 4) + ((dataBuffer[2] & 0x3c) >> 2); outputBuffer[2] = ((dataBuffer[2] & 0x03) << 6) + dataBuffer[3];// Add all non-padded bytes in output buffer to decoded datafor (int k = 0; k < 3; k++)finalBuffer[count++]=outputBuffer[k];}count = count-padCount;//copy the decoded data into input buffer memcpy(output, finalBuffer, count);output[count]='\0';printf("Base64 decoded string is [%s] (%d) ", output, count);// std::cout << "11111" << std::endl;std::cout << finalBuffer << std::endl;return count; }int main(int argc,char** argv) {unsigned char output[1000] = {0};//Base64Decoder("ZnVja3lvdQ==",output);int i=Base64Decoder("AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAfKVVCtCkz0SDfRfzGeyufQAAAAAQAAAARABlAGYAYQB1AGwAdAAAABBmAAAAAQAAIAAAAIDhFHSsCl9qoM1CbxlSVXqLXSDUuBs5sCx2hzy+tnkuAAAAAA6AAAAAAgAAIAAAAAdEQoQTYAeQGJYMsDfuOJdLHMGK4VtTu6SOzbla/TZFEAAAAACxb3rEQZjUHOpYTlkfwnhAAAAASc5uN4LAZ9A2IZadYsBRG87JhQjbWaQLY18FKf0fbyRlxIEQmxJm+1FLBCep32aWY4qkPy+1aELhj6IjnbCq/A==",output);if (i == 0){printf("Encode error\r\n");return -1;}DATA_BLOB DataPassword;DATA_BLOB DataOutput;DataPassword.cbData = i;DataPassword.pbData = output;if(CryptUnprotectData(&DataPassword,0,0,0,0,CRYPTPROTECT_UI_FORBIDDEN,&DataOutput)) //Crypt Mssql password {wcout << "Mssql credence Password Length: " << DataOutput.cbData << "\r\n"; wcout << "Mssql credence Password: " << (wchar_t*)DataOutput.pbData; }else{wcout << "Error";
　　　　 return -1;}return 0;}

?

還有一份C#，是我哥們寫(xiě)的：

?

using System; using System.Collections.Generic; //using System.Linq; using System.Text;namespace Mssql {class Program{static void Main(string[] args){Console.WriteLine(Encoding.Unicode.GetString(System.Security.Cryptography.ProtectedData.Unprotect(Convert.FromBase64String("AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAfKVVCtCkz0SDfRfzGeyufQAAAAAQAAAARABlAGYAYQB1AGwAdAAAABBmAAAAAQAAIAAAAIDhFHSsCl9qoM1CbxlSVXqLXSDUuBs5sCx2hzy+tnkuAAAAAA6AAAAAAgAAIAAAAAdEQoQTYAeQGJYMsDfuOJdLHMGK4VtTu6SOzbla/TZFEAAAAACxb3rEQZjUHOpYTlkfwnhAAAAASc5uN4LAZ9A2IZadYsBRG87JhQjbWaQLY18FKf0fbyRlxIEQmxJm+1FLBCep32aWY4qkPy+1aELhj6IjnbCq/A=="), null, System.Security.Cryptography.DataProtectionScope.LocalMachine)));}} }

?

?

還原后：

VC

?

?

C#

?

轉(zhuǎn)載于:https://www.cnblogs.com/killbit/p/4355950.html

總結(jié)

以上是生活随笔為你收集整理的获取本机MSSQL保存凭证的全部?jī)?nèi)容，希望文章能夠幫你解決所遇到的問(wèn)題。

如果覺(jué)得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。