22 December 2008 | 11,012 views

MultiInjector v0.3 Released – Automatic SQL Injection and Defacement Tool

Check Your Web Security with Acunetix

You might remember a while ago we posted about MultiInjector which claims to the first configurable automatic website defacement tool, it got quite a bit of interest and shortly after that it was updated. Anyway, good or bad I think people deserve to know what is out there.


  • Receives a list of URLs as input
  • Recognizes the parameterized URLs from the list
  • Fuzzes all URL parameters to concatenate the desired payload once an injection is successful
  • Automatic defacement – you decide on the defacement content, be it a hidden script, or just pure old “cyber graffiti” fun
  • OS command execution – remote enabling of XP_CMDSHELL on SQL server, subsequently running any arbitrary operating system command lines entered by the user
  • Configurable parallel connections exponentially speed up the attack process – one payload, multiple targets, simultaneous attacks
  • Optional use of an HTTP proxy to mask the origin of the attacks


  • Automatic defacement – Try to concatenate a string to all user-defined text fields in DB
  • Run any OS command as if you’re running a command console on the DB machine
  • Execute SQL commands of your choice
  • Enable OS shell procedure on DB – Revive the good old XP_CMDSHELL where it was turned off
  • Add administrative user to DB server with password: T0pSeKret
  • Enable remote desktop on DB server
  • Fixed nvarchar cast to varchar. Verified against MS-SQL 2000
  • Added numeric / string parameter type detection
  • Improved defacement content handling by escaping quotation marks
  • Improved support for Linux systems
  • Fixed the “invalid number of concurrent connections” failure due to non-parameterized URLs

You can download MultiInjector v0.3 here


Or read more here.


Recent in Database Hacking:
- OAT – Oracle Auditing Tools For Database Security
- ODAT (Oracle Database Attacking Tool) – Test Oracle Database Security
- Navy Sys Admin Hacks Into Databases From Aircraft Carrier

Related Posts:
- MultiInjector – Automated Stealth SQL Injection Tool
- The Mole v0.3 Released For Download – Automatic SQL Injection Exploitation Tool
- sqlmap 0.9 Released – Automatic Blind SQL Injection Tool

Most Read in Database Hacking:
- Pangolin – Automatic SQL Injection Tool - 73,901 views
- bsqlbf 1.1 – Blind SQL Injection Tool - 53,903 views
- Absinthe Blind SQL Injection Tool/Software - 39,062 views

Advertise on Darknet

Comments are closed.