MultiInjector v0.3 Released – Automatic SQL Injection and Defacement Tool

The New Acunetix V12 Engine


You might remember a while ago we posted about MultiInjector which claims to the first configurable automatic website defacement tool, it got quite a bit of interest and shortly after that it was updated. Anyway, good or bad I think people deserve to know what is out there.

Features

  • Receives a list of URLs as input
  • Recognizes the parameterized URLs from the list
  • Fuzzes all URL parameters to concatenate the desired payload once an injection is successful
  • Automatic defacement – you decide on the defacement content, be it a hidden script, or just pure old “cyber graffiti” fun
  • OS command execution – remote enabling of XP_CMDSHELL on SQL server, subsequently running any arbitrary operating system command lines entered by the user
  • Configurable parallel connections exponentially speed up the attack process – one payload, multiple targets, simultaneous attacks
  • Optional use of an HTTP proxy to mask the origin of the attacks

Changes

  • Automatic defacement – Try to concatenate a string to all user-defined text fields in DB
  • Run any OS command as if you’re running a command console on the DB machine
  • Execute SQL commands of your choice
  • Enable OS shell procedure on DB – Revive the good old XP_CMDSHELL where it was turned off
  • Add administrative user to DB server with password: T0pSeKret
  • Enable remote desktop on DB server
  • Fixed nvarchar cast to varchar. Verified against MS-SQL 2000
  • Added numeric / string parameter type detection
  • Improved defacement content handling by escaping quotation marks
  • Improved support for Linux systems
  • Fixed the “invalid number of concurrent connections” failure due to non-parameterized URLs

You can download MultiInjector v0.3 here

MultiInjectorV0.3.tar.gz

Or read more here.

Posted in: Database Hacking, Hacking Tools, Web Hacking

, , , , ,


Latest Posts:


Intercepter-NG - Android App For Hacking Intercepter-NG – Android App For Hacking
Intercepter-NG is a multi functional network toolkit including an Android app for hacking, the main purpose is to recover interesting data from the network stream and perform different kinds of MiTM attacks.
dcipher - Online Hash Cracking Using Rainbow & Lookup Tables dcipher – Online Hash Cracking Using Rainbow & Lookup Tables
dcipher is a JavaScript-based online hash cracking tool to decipher hashes using online rainbow & lookup table attack services.
HTTP Security Considerations - An Introduction To HTTP Basics HTTP Security Considerations – An Introduction To HTTP Basics
HTTP is ubiquitous now with pretty much everything being powered by an API, a web application or some kind of cloud-based HTTP driven infrastructure. With that HTTP Security becomes paramount and to secure HTTP you have to understand it.
Cangibrina - Admin Dashboard Finder Tool Cangibrina – Admin Dashboard Finder Tool
Cangibrina is a Python-based multi platform admin dashboard finder tool which aims to obtain the location of website dashboards by using brute-force, wordlists etc.
Enumall - Subdomain Discovery Using Recon-ng & AltDNS Enumall – Subdomain Discovery Using Recon-ng & AltDNS
Enumall is a Python-based tool that helps you do subdomain discovery using only one command by combining the abilities of Recon-ng and AltDNS.
RidRelay - SMB Relay Attack For Username Enumeration RidRelay – SMB Relay Attack For Username Enumeration
RidRelay is a Python-based tool to enumerate usernames on a domain where you have no credentials by using a SMB Relay Attack with low privileges.


Comments are closed.