MultiInjector v0.3 - Automatic SQL Injection and Defacement Tool
You might remember a while ago we posted about MultiInjector which claims to the first configurable automatic website defacement tool, it got quite a bit of interest and shortly after that it was updated. Anyway, good or bad I think people deserve to know what is out there.
Features
* Receives a list of URLs as input
* Recognizes the parameterized URLs from the list
* Fuzzes all URL parameters to concatenate the desired payload once an injection is successful
* Automatic defacement - you decide on the defacement content, be it a hidden script, or just pure old “cyber graffiti” fun
* OS command execution - remote enabling of XP_CMDSHELL on SQL server, subsequently running any arbitrary operating system command lines entered by the user
* Configurable parallel connections exponentially speed up the attack process - one payload, multiple targets, simultaneous attacks
* Optional use of an HTTP proxy to mask the origin of the attacks
Changes
* Automatic defacement - Try to concatenate a string to all user-defined text fields in DB
* Run any OS command as if you’re running a command console on the DB machine
* Execute SQL commands of your choice
* Enable OS shell procedure on DB - Revive the good old XP_CMDSHELL where it was turned off
* Add administrative user to DB server with password: T0pSeKret
* Enable remote desktop on DB server
* Fixed nvarchar cast to varchar. Verified against MS-SQL 2000
* Added numeric / string parameter type detection
* Improved defacement content handling by escaping quotation marks
* Improved support for Linux systems
* Fixed the “invalid number of concurrent connections” failure due to non-parameterized URLs
MultiInjector v0.3
Posted by Bijay | 10:35 PM | Database Hacking, Hacking Tools, Web Hacking | 0 comments »
Subscribe to:
Post Comments (Atom)
0 comments
Post a Comment