You might remember a while ago we posted about MultiInjector which claims to the first configurable automatic website defacement tool, it got quite a bit of interest and shortly after that it was updated. Anyway, good or bad I think people deserve to know what is out there.

Features

• Receives a list of URLs as input
• Recognizes the parameterized URLs from the list
• Fuzzes all URL parameters to concatenate the desired payload once an injection is successful
• Automatic defacement – you decide on the defacement content, be it a hidden script, or just pure old “cyber graffiti” fun
• OS command execution – remote enabling of XP_CMDSHELL on SQL server, subsequently running any arbitrary operating system command lines entered by the user
• Configurable parallel connections exponentially speed up the attack process – one payload, multiple targets, simultaneous attacks
• Optional use of an HTTP proxy to mask the origin of the attacks

Changes

• Automatic defacement – Try to concatenate a string to all user-defined text fields in DB
• Run any OS command as if you’re running a command console on the DB machine
• Execute SQL commands of your choice
• Enable OS shell procedure on DB – Revive the good old XP_CMDSHELL where it was turned off
• Add administrative user to DB server with password: T0pSeKret
• Enable remote desktop on DB server
• Fixed nvarchar cast to varchar. Verified against MS-SQL 2000
• Added numeric / string parameter type detection
• Improved defacement content handling by escaping quotation marks
• Improved support for Linux systems
• Fixed the “invalid number of concurrent connections” failure due to non-parameterized URLs

You can download MultiInjector v0.3 here

MultiInjectorV0.3.tar.gz

Or read more here.