Comments on: MultiInjector – Automated Stealth SQL Injection Tool

By: navin

navin — Thu, 13 Nov 2008 08:27:26 +0000

thanks for the update Raviv

Raviv Raz — Thu, 13 Nov 2008 00:56:53 +0000

You may download MultiInjector v0.3 at:

New features include:

1) Automatic defacement:
Try to concatenate a string to all user-defined text fields in DB

2) Run OS shell command on DB server:
Run any OS command as if you’re running a command console on the DB machine

3) Run SQL query on DB server:
Execute SQL commands of your choice

4) Enable OS shell procedure on DB:
Revive the good old XP_CMDSHELL where it was turned off
(default mode in MSSQL-2005)

5) Add administrative user to DB server with password: T0pSeKret
Automagically join the Administrators family on DB machine

6) Enable remote desktop on DB server:
Turn remote terminal services back on…

It’s a more stable and field-tested version.
Hope you enjoy.

Peace in the Middle East!
Raviv Raz

l33t0n3 — Fri, 07 Nov 2008 15:19:43 +0000

Traceback (most recent call last):
File “multiinjector.py”, line 18, in
import psyco
ImportError: No module named psyco

wery thanks i get this

navin — Thu, 06 Nov 2008 10:22:44 +0000

yeah

now even skiddies will be able to flex their ’so-called’ L337 |-|@x0r skills!!

Pantagruel — Wed, 05 Nov 2008 14:32:44 +0000

Oh dear, they just made a whole bunch of wannebee SQL crackers happy.

And indeed is this a good thing??, in a sense it is this allow even the pen-test nitwit to test their sql frontend before releasing it.

navin — Wed, 05 Nov 2008 10:40:54 +0000

whoa…..now i wonder how this can be a good thing!!