MultiInjector.py, cuenta con las siguientes opciones:
1) Automatic defacement:
Try to concatenate a string to all user-defined text fields in DB
2) Run OS shell command on DB server:
Run any OS command as if you're running a command console on the DB machine
3) Run SQL query on DB server:
Execute SQL commands of your choice
4) Enable OS shell procedure on DB:
Revive the good old XP_CMDSHELL where it was turned off
(default mode in MSSQL-2005)
5) Add administrative user to DB server with password: T0pSeKret
Automagically join the Administrators family on DB machine
6) Enable remote desktop on DB server:
Turn remote terminal services back on...
- Fixed nvarchar cast to varchar. Verified against MS-SQL 2000
- Added numeric / string parameter type detection
- Improved defacement content handling by escaping quotation marks
- Improved support for Linux systems
- Fixed the "invalid number of concurrent connections" failure due to non-parameterized URLs
Requerimientos:
* Python>= 2.4
* Pycurl (compatible with the above version of Python)
* Psyco (compatible with the above version of Python)
Mas Info sobre su uso: http://chaptersinwebsecurity.blogspot.com/2008/11/multiinjector-v03-released.html
(http://i.imgur.com/eorlRjC.png)
Descarga: http://www.mediafire.com/view/?66v0s6kur933my2