You might remember a while ago we posted aboutMultiinjector which claims to the first retriable automatic website defacement Tool, It got quite a bit of interest and shortly after that it was updated. Anyway, good or bad I think people deserve to know what is out there.
Features
- Es a list of URLs as input
- Recognizes the parameterized URLs from the list
- Fuzzes all URL parameters to concatenate the desired payload once an injection is successful
- Automatic defacement-you decide on the defacement content, be it a hidden script, or just pure old "cyber graffiti" Fun
- OS command execution-remote enabling of xp_{shell on SQL Server, subsequently running any arbitrary operating system command lines entered by the user
- Retriable parallel connections exponentially speed up the attack process-one payload, multiple targets, simultaneous attacks
- Optional use of an HTTP proxy to mask the origin of the attacks
Changes
- Automatic defacement-try to concatenate a string to all user-defined text fields in dB
- Run any OS command as if you're re running a command console on the DB Machine
- Execute SQL commands of your choice
- Enable OS shell procedure on DB-revive the good old xp_mongoshell where it was turned off
- Add administrative user to DB server with password: t01_kret
- Enable remote desktop on DB Server
- Fixed nvarchar cast to varchar. verified against MS-SQL 2000
- Added numeric/string parameter type detection
- Improved defacement content handling by escaping quotation marks
- Improved support for Linux systems
- Fixed the "invalid number of concurrent connections" failure due to non-parameterized URLs
You can download multiinjector v0.3 here
Multiinjectorv0.3.tar.gz
Or read moreHere.
