[ad]
MultiInjector claims to the first configurable automatic website defacement software, I’m not sure if that’s a good thing – or a bad thing.
But well here it is anyway.
Features
- Receives a list of URLs as input
- Recognizes the parameterized URLs from the list
- Fuzzes all URL parameters to concatenate the desired payload once an injection is successful
- Automatic defacement – you decide on the defacement content, be it a hidden script, or just pure old “cyber graffiti” fun
- OS command execution – remote enabling of XP_CMDSHELL on SQL server, subsequently running any arbitrary operating system command lines entered by the user
- Configurable parallel connections exponentially speed up the attack process – one payload, multiple targets, simultaneous attacks
- Optional use of an HTTP proxy to mask the origin of the attacks
The author highly recommend running a HTTP sniffer such as IEInspector HTTP Analyzer in order to see all attack requests going out to the targets.
Requirements
- Python >= 2.4
- Pycurl (compatible with the above version of Python)
- Psyco (compatible with the above version of Python)
You can download MultiInjector v0.2 here:
Or read more here.
navin says
whoa…..now i wonder how this can be a good thing!!
Pantagruel says
Oh dear, they just made a whole bunch of wannebee SQL crackers happy.
And indeed is this a good thing??, in a sense it is this allow even the pen-test nitwit to test their sql frontend before releasing it.
navin says
yeah
now even skiddies will be able to flex their ‘so-called’ L337 |-|@x0r skills!!
l33t0n3 says
Traceback (most recent call last):
File “multiinjector.py”, line 18, in
import psyco
ImportError: No module named psyco
wery thanks i get this :D
Raviv Raz says
You may download MultiInjector v0.3 at:
http://chaptersinwebsecurity.blogspot.com/2008/11/multiinjector-v03-released.html
New features include:
1) Automatic defacement:
Try to concatenate a string to all user-defined text fields in DB
2) Run OS shell command on DB server:
Run any OS command as if you’re running a command console on the DB machine
3) Run SQL query on DB server:
Execute SQL commands of your choice
4) Enable OS shell procedure on DB:
Revive the good old XP_CMDSHELL where it was turned off
(default mode in MSSQL-2005)
5) Add administrative user to DB server with password: T0pSeKret
Automagically join the Administrators family on DB machine
6) Enable remote desktop on DB server:
Turn remote terminal services back on…
It’s a more stable and field-tested version.
Hope you enjoy.
Peace in the Middle East!
Raviv Raz
navin says
thanks for the update Raviv