[pull] master from sqlmapproject:master

extra/cloak/cloak.py

@@ -21,7 +21,7 @@
     xrange = range
     ord = lambda _: _
 
-KEY = b"E6wRbVhD0IBeCiGJ"
+KEY = b"wr36EPIvaR7ZDfb4"
 
 def xor(message, key):
     return b"".join(struct.pack('B', ord(message[i]) ^ ord(key[i % len(key)])) for i in range(len(message)))

extra/shutils/drei.sh

@@ -3,12 +3,7 @@
 # Copyright (c) 2006-2025 sqlmap developers (https://sqlmap.org)
 # See the file 'LICENSE' for copying permission
 
-# Stress test against Python3
+# Stress test against Python3(.14)
 
-export SQLMAP_DREI=1
-#for i in $(find . -iname "*.py" | grep -v __init__); do python3 -c 'import '`echo $i | cut -d '.' -f 2 | cut -d '/' -f 2- | sed 's/\//./g'`''; done
-for i in $(find . -iname "*.py" | grep -v __init__); do PYTHONWARNINGS=all python3 -m compileall $i | sed 's/Compiling/Checking/g'; done
-unset SQLMAP_DREI
+for i in $(find . -iname "*.py" | grep -v __init__); do PYTHONWARNINGS=all python3.14 -m compileall $i | sed 's/Compiling/Checking/g'; done
 source `dirname "$0"`"/junk.sh"
-
-# for i in $(find . -iname "*.py" | grep -v __init__); do timeout 10 pylint --py3k $i; done 2>&1 | grep -v -E 'absolute_import|No config file'

lib/controller/checks.py

@@ -1095,6 +1095,8 @@ def _(page):
             errMsg += "int.TryParse(Request.QueryString[\"%s\"], out %s)" % (parameter, parameter)
         elif platform == WEB_PLATFORM.JSP:
             errMsg += "%s=Integer.parseInt(request.getParameter(\"%s\"))" % (parameter, parameter)
+        elif platform == WEB_PLATFORM.CFM:
+            errMsg += "%s=Val(url.%s)" % (parameter, parameter)
         else:
             errMsg += "$%s=intval($_REQUEST[\"%s\"])" % (parameter, parameter)
 

lib/core/datatype.py

@@ -87,7 +87,7 @@ def __setstate__(self, dict):
         self.__dict__ = dict
 
     def __deepcopy__(self, memo):
-        retVal = self.__class__()
+        retVal = self.__class__(keycheck=self.keycheck)
         memo[id(self)] = retVal
 
         for attr in dir(self):
@@ -102,8 +102,8 @@ def __deepcopy__(self, memo):
         return retVal
 
 class InjectionDict(AttribDict):
-    def __init__(self):
-        AttribDict.__init__(self)
+    def __init__(self, **kwargs):
+        AttribDict.__init__(self, **kwargs)
 
         self.place = None
         self.parameter = None
@@ -157,8 +157,11 @@ def __getitem__(self, key):
             self.cache[key] = value
             return value
 
-    def get(self, key):
-        return self.__getitem__(key)
+    def get(self, key, default=None):
+        try:
+            return self.__getitem__(key)
+        except:
+            return default
 
     def __setitem__(self, key, value):
         with self.__lock:

lib/core/dicts.py

@@ -177,7 +177,7 @@
 PGSQL_PRIVS = {
     1: "createdb",
     2: "super",
-    3: "catupd",
+    3: "replication",
 }
 
 # Reference(s): http://stackoverflow.com/a/17672504
@@ -269,11 +269,11 @@
 HEURISTIC_NULL_EVAL = {
     DBMS.ACCESS: "CVAR(NULL)",
     DBMS.MAXDB: "ALPHA(NULL)",
-    DBMS.MSSQL: "IIF(1=1,DIFFERENCE(NULL,NULL),0)",
+    DBMS.MSSQL: "PARSENAME(NULL,NULL)",
     DBMS.MYSQL: "IFNULL(QUARTER(NULL),NULL XOR NULL)",  # NOTE: previous form (i.e., QUARTER(NULL XOR NULL)) was bad as some optimization engines wrongly evaluate QUARTER(NULL XOR NULL) to 0
     DBMS.ORACLE: "INSTR2(NULL,NULL)",
     DBMS.PGSQL: "QUOTE_IDENT(NULL)",
-    DBMS.SQLITE: "UNLIKELY(NULL)",
+    DBMS.SQLITE: "JULIANDAY(NULL)",
     DBMS.H2: "STRINGTOUTF8(NULL)",
     DBMS.MONETDB: "CODE(NULL)",
     DBMS.DERBY: "NULLIF(USER,SESSION_USER)",
@@ -286,7 +286,7 @@
     DBMS.CUBRID: "(NULL SETEQ NULL)",
     DBMS.CACHE: "%SQLUPPER NULL",
     DBMS.EXTREMEDB: "NULLIFZERO(hashcode(NULL))",
-    DBMS.RAIMA: "IF(ROWNUMBER()>0,CONVERT(NULL,TINYINT),NULL))",
+    DBMS.RAIMA: "IF(ROWNUMBER()>0,CONVERT(NULL,TINYINT),NULL)",
     DBMS.VIRTUOSO: "__MAX_NOTNULL(NULL)",
     DBMS.CLICKHOUSE: "halfMD5(NULL) IS NULL",
 }
@@ -324,6 +324,7 @@
         "update ",
         "delete ",
         "merge ",
+        "copy ",
         "load ",
     ),
 
@@ -380,13 +381,24 @@
 }
 
 DUMP_DATA_PREPROCESS = {
-    DBMS.ORACLE: {"XMLTYPE": "(%s).getStringVal()"},  # Reference: https://www.tibcommunity.com/docs/DOC-3643
-    DBMS.MSSQL: {"IMAGE": "CONVERT(VARBINARY(MAX),%s)"},
+    DBMS.ORACLE: {"XMLTYPE": "(%s).getStringVal()"},
+    DBMS.MSSQL: {
+        "IMAGE": "CONVERT(VARBINARY(MAX),%s)",
+        "GEOMETRY": "(%s).STAsText()",
+        "GEOGRAPHY": "(%s).STAsText()"
+    },
+    DBMS.PGSQL: {
+        "GEOMETRY": "ST_AsText(%s)",
+        "GEOGRAPHY": "ST_AsText(%s)"
+    },
+    DBMS.MYSQL: {
+        "GEOMETRY": "ST_AsText(%s)"
+    }
 }
 
 DEFAULT_DOC_ROOTS = {
     OS.WINDOWS: ("C:/xampp/htdocs/", "C:/wamp/www/", "C:/Inetpub/wwwroot/"),
-    OS.LINUX: ("/var/www/", "/var/www/html", "/var/www/htdocs", "/usr/local/apache2/htdocs", "/usr/local/www/data", "/var/apache2/htdocs", "/var/www/nginx-default", "/srv/www/htdocs", "/usr/local/var/www")  # Reference: https://wiki.apache.org/httpd/DistrosDefaultLayout
+    OS.LINUX: ("/var/www/", "/var/www/html", "/var/www/htdocs", "/usr/local/apache2/htdocs", "/usr/local/www/data", "/var/apache2/htdocs", "/var/www/nginx-default", "/srv/www/htdocs", "/usr/local/var/www", "/usr/share/nginx/html")
 }
 
 PART_RUN_CONTENT_TYPES = {

lib/core/enums.py

@@ -372,6 +372,7 @@ class WEB_PLATFORM(object):
     ASP = "asp"
     ASPX = "aspx"
     JSP = "jsp"
+    CFM = "cfm"
 
 class CONTENT_TYPE(object):
     TARGET = 0

lib/core/settings.py

@@ -19,7 +19,7 @@
 from thirdparty import six
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.9.12.37"
+VERSION = "1.9.12.50"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
@@ -139,7 +139,7 @@
 BING_REGEX = r'<h2><a href="([^"]+)" h='
 
 # Dummy user agent for search (if default one returns different results)
-DUMMY_SEARCH_USER_AGENT = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0"
+DUMMY_SEARCH_USER_AGENT = "Mozilla/5.0 (X11; Linux x86_64; rv:141.0) Gecko/20100101 Firefox/141.0"
 
 # Regular expression used for extracting content from "textual" tags
 TEXT_TAG_REGEX = r"(?si)<(abbr|acronym|b|blockquote|br|center|cite|code|dt|em|font|h[1-6]|i|li|p|pre|q|strong|sub|sup|td|th|title|tt|u)(?!\w).*?>(?P<result>[^<]+)"
@@ -887,7 +887,7 @@
 MIN_ENCODED_LEN_CHECK = 5
 
 # Timeout in seconds in which Metasploit remote session has to be initialized
-METASPLOIT_SESSION_TIMEOUT = 120
+METASPLOIT_SESSION_TIMEOUT = 180
 
 # Reference: http://www.postgresql.org/docs/9.0/static/catalog-pg-largeobject.html
 LOBLKSIZE = 2048
@@ -906,7 +906,7 @@
 
 # Prefixes used in brute force search for web server document root
 BRUTE_DOC_ROOT_PREFIXES = {
-    OS.LINUX: ("/var/www", "/usr/local/apache", "/usr/local/apache2", "/usr/local/www/apache22", "/usr/local/www/apache24", "/usr/local/httpd", "/var/www/nginx-default", "/srv/www", "/var/www/%TARGET%", "/var/www/vhosts/%TARGET%", "/var/www/virtual/%TARGET%", "/var/www/clients/vhosts/%TARGET%", "/var/www/clients/virtual/%TARGET%"),
+    OS.LINUX: ("/var/www", "/usr/local/apache", "/usr/local/apache2", "/usr/local/www/apache22", "/usr/local/www/apache24", "/usr/local/httpd", "/var/www/nginx-default", "/srv/www", "/var/www/%TARGET%", "/var/www/vhosts/%TARGET%", "/var/www/virtual/%TARGET%", "/var/www/clients/vhosts/%TARGET%", "/var/www/clients/virtual/%TARGET%", "/Library/WebServer/Documents", "/opt/homebrew/var/www"),
     OS.WINDOWS: ("/xampp", "/Program Files/xampp", "/wamp", "/Program Files/wampp", "/Apache/Apache", "/apache", "/Program Files/Apache Group/Apache", "/Program Files/Apache Group/Apache2", "/Program Files/Apache Group/Apache2.2", "/Program Files/Apache Group/Apache2.4", "/Inetpub/wwwroot", "/Inetpub/wwwroot/%TARGET%", "/Inetpub/vhosts/%TARGET%")
 }
 

lib/core/testing.py

@@ -80,6 +80,7 @@ def vulnTest():
 
     retVal = True
     count = 0
+    cleanups = []
 
     while True:
         address, port = "127.0.0.1", random.randint(10000, 65535)
@@ -130,22 +131,27 @@ def _thread():
 
     handle, config = tempfile.mkstemp(suffix=".conf")
     os.close(handle)
+    cleanups.append(config)
 
     handle, database = tempfile.mkstemp(suffix=".sqlite")
     os.close(handle)
+    cleanups.append(database)
 
     with sqlite3.connect(database) as conn:
         c = conn.cursor()
         c.executescript(vulnserver.SCHEMA)
 
     handle, request = tempfile.mkstemp(suffix=".req")
     os.close(handle)
+    cleanups.append(request)
 
     handle, log = tempfile.mkstemp(suffix=".log")
     os.close(handle)
+    cleanups.append(log)
 
     handle, multiple = tempfile.mkstemp(suffix=".lst")
     os.close(handle)
+    cleanups.append(multiple)
 
     content = "POST / HTTP/1.0\nUser-Agent: foobar\nHost: %s:%s\n\nid=1\n" % (address, port)
     with open(request, "w+") as f:
@@ -207,6 +213,12 @@ def _thread():
     else:
         logger.error("vuln test final result: FAILED")
 
+    for filename in cleanups:
+        try:
+            os.remove(filename)
+        except:
+            pass
+
     return retVal
 
 def smokeTest():

lib/request/redirecthandler.py

@@ -33,6 +33,7 @@
 from lib.request.basic import decodePage
 from lib.request.basic import parseResponse
 from thirdparty import six
+from thirdparty.six.moves import http_client as _http_client
 from thirdparty.six.moves import urllib as _urllib
 
 class SmartRedirectHandler(_urllib.request.HTTPRedirectHandler):
@@ -67,7 +68,12 @@ def _ask_redirect_choice(self, redcode, redurl, method):
                 self.redirect_request = self._redirect_request
 
     def _redirect_request(self, req, fp, code, msg, headers, newurl):
-        return _urllib.request.Request(newurl.replace(' ', '%20'), data=req.data, headers=req.headers, origin_req_host=req.get_origin_req_host() if hasattr(req, "get_origin_req_host") else req.origin_req_host)
+        retVal = _urllib.request.Request(newurl.replace(' ', '%20'), data=req.data, headers=req.headers, origin_req_host=req.get_origin_req_host() if hasattr(req, "get_origin_req_host") else req.origin_req_host)
+
+        if hasattr(req, "redirect_dict"):
+            retVal.redirect_dict = req.redirect_dict
+
+        return retVal
 
     def http_error_302(self, req, fp, code, msg, headers):
         start = time.time()
@@ -78,7 +84,10 @@ def http_error_302(self, req, fp, code, msg, headers):
         try:
             content = fp.fp.read(MAX_CONNECTION_TOTAL_SIZE)
             fp.fp = io.BytesIO(content)
-        except:  # e.g. IncompleteRead
+        except _http_client.IncompleteRead as ex:
+            content = ex.partial
+            fp.fp = io.BytesIO(content)
+        except:
             content = b""
 
         content = decodePage(content, headers.get(HTTP_HEADER.CONTENT_ENCODING), headers.get(HTTP_HEADER.CONTENT_TYPE))

lib/techniques/blind/inference.py

@@ -239,6 +239,8 @@ def validateChar(idx, value):
             Used in inference - in time-based SQLi if original and retrieved value are not equal there will be a deliberate delay
             """
 
+            threadData = getCurrentThreadData()
+
             validationPayload = re.sub(r"(%s.*?)%s(.*?%s)" % (PAYLOAD_DELIMITER, INFERENCE_GREATER_CHAR, PAYLOAD_DELIMITER), r"\g<1>%s\g<2>" % INFERENCE_NOT_EQUALS_CHAR, payload)
 
             if "'%s'" % CHAR_INFERENCE_MARK not in payload:
@@ -268,6 +270,8 @@ def getChar(idx, charTbl=None, continuousOrder=True, expand=charsetType is None,
             numerical values is exactly 1
             """
 
+            threadData = getCurrentThreadData()
+
             result = tryHint(idx)
 
             if result:
@@ -287,6 +291,8 @@ def getChar(idx, charTbl=None, continuousOrder=True, expand=charsetType is None,
             if "'%s'" % CHAR_INFERENCE_MARK in payload:
                 for char in ('\n', '\r'):
                     if ord(char) in charTbl:
+                        if not isinstance(charTbl, list):
+                            charTbl = list(charTbl)
                         charTbl.remove(ord(char))
 
             if not charTbl: