MultiInjector v0.3 Released - Automatic SQL Injection and Defacement Tool
2009-01-04 10:39
You might remember that a while ago we posted about MultiInjector, which claims to be the first configurable automatic website defacement tool. It got quite a bit of interest, and shortly after that it was updated. Anyway, good or bad, I think people deserve to know what is out there.
Features
- Receives a list of URLs as input
- Recognizes the parameterized URLs from the list
- Fuzzes all URL parameters to concatenate the desired payload once an injection is successful
- Automatic defacement - you decide on the defacement content, be it a hidden script, or just pure old “cyber graffiti” fun
- OS command execution - remote enabling of XP_CMDSHELL on SQL server, subsequently running any arbitrary operating system command lines entered by the user
- Configurable parallel connections exponentially speed up the attack process - one payload, multiple targets, simultaneous attacks
- Optional use of an HTTP proxy to mask the origin of the attacks
Changes
- Automatic defacement - Try to concatenate a string to all user-defined text fields in DB
- Run any OS command as if you’re running a command console on the DB machine
- Execute SQL commands of your choice
- Enable OS shell procedure on DB - Revive the good old XP_CMDSHELL where it was turned off
- Add administrative user to DB server with password: T0pSeKret
- Enable remote desktop on DB server
- Fixed nvarchar cast to varchar. Verified against MS-SQL 2000
- Added numeric / string parameter type detection
- Improved defacement content handling by escaping quotation marks
- Improved support for Linux systems
- Fixed the “invalid number of concurrent connections” failure due to non-parameterized URLs
You can download MultiInjector v0.3 here
MultiInjectorV0.3.tar.gz
Or read more here.
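A defender's view of the feature list above, as an added example that is not part of the original post or of the tool: a web access-log scan that flags sources hitting several parameterized URLs with the markers those features imply (XP_CMDSHELL, stacked statements, varchar casts). The marker patterns, the log format and the sample lines are assumptions constructed for illustration, not MultiInjector's actual requests.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample lines in common log format (not captured traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [04/Jan/2009:10:01:02 +0000] "GET /news.asp?id=12 HTTP/1.1" 200 5120
203.0.113.9 - - [04/Jan/2009:10:01:05 +0000] "GET /item.asp?id=7;EXEC+sp_configure+PLACEHOLDER HTTP/1.1" 500 312
203.0.113.9 - - [04/Jan/2009:10:01:05 +0000] "GET /view.asp?cat=a%27;exec%20master..XP_CMDSHELL%20PLACEHOLDER HTTP/1.1" 500 312
203.0.113.9 - - [04/Jan/2009:10:01:06 +0000] "GET /list.asp?p=3;DECLARE%20@t%20VARCHAR(255)%20PLACEHOLDER HTTP/1.1" 200 901
198.51.100.7 - - [04/Jan/2009:10:02:11 +0000] "GET /search.asp?q=cast+iron+pans HTTP/1.1" 200 2048
192.0.2.44 - - [04/Jan/2009:10:03:40 +0000] "GET /faq.asp?topic=xp_cmdshell HTTP/1.1" 200 733
"""

# Assumed markers derived from the feature list; tune them to your own applications.
MARKERS = {
    "xp_cmdshell": re.compile(r"xp_cmdshell"),
    "sp_configure": re.compile(r"sp_configure"),
    "varchar_cast": re.compile(r"cast\s*\(.+?\bas\s+n?varchar"),
    "stacked_stmt": re.compile(r";\s*(exec|declare|update)\b"),
}
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" \d{3}')

def scan(log_text):
    """Return {source_ip: {path: [marker names]}} for query strings that matched."""
    hits = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        ip, target = m.groups()
        path, _, query = target.partition("?")
        # Decode once and lowercase; double-encoded input needs a second pass.
        decoded = unquote_plus(query).lower()
        names = {n for n, rx in MARKERS.items() if rx.search(decoded)}
        if names:
            hits[ip].setdefault(path, set()).update(names)
    return {ip: {p: sorted(s) for p, s in paths.items()} for ip, paths in hits.items()}

def sweeping_sources(log_text, min_urls=2):
    """Sources with markers on at least min_urls distinct URLs (one payload, many targets)."""
    return sorted(ip for ip, paths in scan(log_text).items() if len(paths) >= min_urls)

if __name__ == "__main__":
    print(sweeping_sources(SAMPLE_LOG))
```

The distinct-URL threshold is what separates a sweep from a single stray keyword such as the FAQ lookup in the sample; when an HTTP proxy hides the origin, group by time window or payload instead of source address.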