MultiInjector – Automated Stealth SQL Injection Tool

Outsmart Malicious Hackers


MultiInjector claims to the first configurable automatic website defacement software, I’m not sure if that’s a good thing – or a bad thing.

But well here it is anyway.

Features

  • Receives a list of URLs as input
  • Recognizes the parameterized URLs from the list
  • Fuzzes all URL parameters to concatenate the desired payload once an injection is successful
  • Automatic defacement – you decide on the defacement content, be it a hidden script, or just pure old “cyber graffiti” fun
  • OS command execution – remote enabling of XP_CMDSHELL on SQL server, subsequently running any arbitrary operating system command lines entered by the user
  • Configurable parallel connections exponentially speed up the attack process – one payload, multiple targets, simultaneous attacks
  • Optional use of an HTTP proxy to mask the origin of the attacks

The author highly recommend running a HTTP sniffer such as IEInspector HTTP Analyzer in order to see all attack requests going out to the targets.

Requirements

  • Python >= 2.4
  • Pycurl (compatible with the above version of Python)
  • Psyco (compatible with the above version of Python)

You can download MultiInjector v0.2 here:

MultiInjector.py

Or read more here.

Posted in: Database Hacking, Hacking Tools, Web Hacking

, , , , ,


Latest Posts:


snallygaster - Scan For Secret Files On HTTP Servers snallygaster – Scan For Secret Files On HTTP Servers
snallygaster is a Python-based tool that can help you to scan for secret files on HTTP servers, files that are accessible that shouldn't be public and can pose a s
Portspoof - Spoof All Ports Open & Emulate Valid Services Portspoof – Spoof All Ports Open & Emulate Valid Services
The primary goal of the Portspoof program is to enhance your system security through a set of new camouflage techniques which spoof all ports open and also emulate valid services on every port.
Cambridge Analytica Facebook Data Scandal Cambridge Analytica Facebook Data Scandal
One of the biggest stories of the year so far has been the scandal surrounding Cambridge Analytica that came out after a Channel 4 expose that demonstrated the depths they are willing to go to profile voters, manipulate elections and much more.
GetAltName - Discover Sub-Domains From SSL Certificates GetAltName – Discover Sub-Domains From SSL Certificates
GetAltName it's a little script to discover sub-domains that can extract Subject Alt Names for SSL Certificates directly from HTTPS websites which can provide you with DNS names or virtual servers.
Memcrashed - Memcached DDoS Exploit Tool Memcrashed – Memcached DDoS Exploit Tool
Memcrashed is a Memcached DDoS exploit tool written in Python that allows you to send forged UDP packets to a list of Memcached servers obtained from Shodan.
QualysGuard - Vulnerability Management Tool QualysGuard – Vulnerability Management Tool
QualysGuard is a web-based vulnerability management tool provided by Qualys, Inc, which was the first company to deliver vulnerability management services as a SaaS-based web-service.


6 Responses to MultiInjector – Automated Stealth SQL Injection Tool

  1. navin November 5, 2008 at 10:40 am #

    whoa…..now i wonder how this can be a good thing!!

  2. Pantagruel November 5, 2008 at 2:32 pm #

    Oh dear, they just made a whole bunch of wannebee SQL crackers happy.

    And indeed is this a good thing??, in a sense it is this allow even the pen-test nitwit to test their sql frontend before releasing it.

  3. navin November 6, 2008 at 10:22 am #

    yeah

    now even skiddies will be able to flex their ‘so-called’ L337 |-|@x0r skills!!

  4. l33t0n3 November 7, 2008 at 3:19 pm #

    Traceback (most recent call last):
    File “multiinjector.py”, line 18, in
    import psyco
    ImportError: No module named psyco

    wery thanks i get this :D

  5. Raviv Raz November 13, 2008 at 12:56 am #

    You may download MultiInjector v0.3 at:

    http://chaptersinwebsecurity.blogspot.com/2008/11/multiinjector-v03-released.html

    New features include:

    1) Automatic defacement:
    Try to concatenate a string to all user-defined text fields in DB

    2) Run OS shell command on DB server:
    Run any OS command as if you’re running a command console on the DB machine

    3) Run SQL query on DB server:
    Execute SQL commands of your choice

    4) Enable OS shell procedure on DB:
    Revive the good old XP_CMDSHELL where it was turned off
    (default mode in MSSQL-2005)

    5) Add administrative user to DB server with password: T0pSeKret
    Automagically join the Administrators family on DB machine

    6) Enable remote desktop on DB server:
    Turn remote terminal services back on…

    It’s a more stable and field-tested version.
    Hope you enjoy.

    Peace in the Middle East!
    Raviv Raz

  6. navin November 13, 2008 at 8:27 am #

    thanks for the update Raviv