From 220a75b230edf1fbceba662c07f79f2b79b84a9e Mon Sep 17 00:00:00 2001 From: Your Name Date: Tue, 2 Jun 2026 13:07:45 +0200 Subject: [PATCH 01/11] Support colon character in direct DBMS passwords --- data/txt/sha256sums.txt | 4 ++-- lib/core/common.py | 3 +-- lib/core/settings.py | 2 +- 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt index 1f91198ab0..faf4e4bedb 100644 --- a/data/txt/sha256sums.txt +++ b/data/txt/sha256sums.txt @@ -167,7 +167,7 @@ d69e84f1648cdb907f5d2dd454f03874a4613752b07867510145d51d84b3c56f lib/controller 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3 lib/controller/__init__.py 9e694e4864d865c5da745aaf9d35da885eff697a9a0f7b37c3e85d47b4378f64 lib/core/agent.py b13462712ec5ac07541dba98631ddcda279d210b838f363d15ac97a1413b67a2 lib/core/bigarray.py -c265eb478d912aba53ebd1d93de2646a7738b7a0e621a2c38a35f0ba897d3db6 lib/core/common.py +248052f78518f5b44421bfbf82ec40b333115a8789cf6de8ceced0fcaf2b17ee lib/core/common.py a6397b10de7ae7c56ed6b0fa3b3c58eb7a9dbede61bf93d786e73258175c981e lib/core/compat.py 461f2666d500f9a91210fec558e6ee68af61c752de5498490bc96c11b32a6b0a lib/core/convert.py c03dc585f89642cfd81b087ac2723e3e1bb3bfa8c60e6f5fe58ef3b0113ebfe6 lib/core/data.py 
@@ -188,7 +188,7 @@ d197388e8e2aabe19f2529bfcac780e18e22a905d01319080d7afe4cb2b1c4c9 lib/core/optio 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3 lib/core/replication.py 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6 lib/core/revision.py 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c lib/core/session.py -d372fb2cbdd8b54c0696a5927d73d6924c458f03f4db81d856d0338ddfa27fa6 lib/core/settings.py +68d69b0a1d9cf7d656160af56d91223d50cc9ceb953e5808eeddc36278d1df6a lib/core/settings.py cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82 lib/core/shell.py bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725 lib/core/subprocessng.py 70ea3768f1b3062b22d20644df41c86238157ec80dd43da40545c620714273c6 lib/core/target.py
diff --git a/lib/core/common.py b/lib/core/common.py
index a28abcb4f0..c1016e437d 100644
--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -107,7 +107,6 @@
 from lib.core.optiondict import optDict
 from lib.core.settings import BANNER
 from lib.core.settings import BOLD_PATTERNS_REGEX
-from lib.core.settings import BOUNDARY_BACKSLASH_MARKER
 from lib.core.settings import BOUNDED_INJECTION_MARKER
 from lib.core.settings import BRUTE_DOC_ROOT_PREFIXES
 from lib.core.settings import BRUTE_DOC_ROOT_SUFFIXES
@@ -1630,7 +1629,7 @@ def parseTargetDirect():
 conf.dbmsPass = details.group("pass").strip("'\"")
 else:
 if conf.dbmsCred:
- conf.dbmsUser, conf.dbmsPass = conf.dbmsCred.split(':')
+ conf.dbmsUser, conf.dbmsPass = conf.dbmsCred.split(':', 1)
 else:
 conf.dbmsUser = ""
 conf.dbmsPass = ""
diff --git a/lib/core/settings.py b/lib/core/settings.py
index 2887d709ed..d34999a703 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
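Review bot: A `conf.dbmsCred` value with no colon still fails at the two-name unpack in `parseTargetDirect()`, because `split(':', 1)` then returns a single element and the assignment raises ValueError. Unless the option is validated before this point (not visible in the hunk), `conf.dbmsUser, _, conf.dbmsPass = conf.dbmsCred.partition(':')` gives the same first-colon behaviour without the crash. Splitting on the first colon also means a user name that itself contains a colon cannot be expressed, which deserves a one-line comment next to the split. The function body starts and continues outside the hunk.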
@@ -20,7 +20,7 @@ from thirdparty import six # sqlmap version (...) -VERSION = "1.10.6.0" +VERSION = "1.10.6.1" TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable" TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34} VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE) From c07b15666c10d962d87a31af6edcc088418664f8 Mon Sep 17 00:00:00 2001 From: Your Name Date: Tue, 2 Jun 2026 13:36:13 +0200 Subject: [PATCH 02/11] Fix retry-on check on empty response --- data/txt/sha256sums.txt | 4 ++-- lib/core/settings.py | 2 +- lib/request/connect.py | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt index faf4e4bedb..0575078133 100644 --- a/data/txt/sha256sums.txt +++ b/data/txt/sha256sums.txt @@ -188,7 +188,7 @@ d197388e8e2aabe19f2529bfcac780e18e22a905d01319080d7afe4cb2b1c4c9 lib/core/optio 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3 lib/core/replication.py 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6 lib/core/revision.py 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c lib/core/session.py -68d69b0a1d9cf7d656160af56d91223d50cc9ceb953e5808eeddc36278d1df6a lib/core/settings.py +c59462381b8180eb1978d2136ec221caa30633037785a5d8540ea9a782d18fce lib/core/settings.py cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82 lib/core/shell.py bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725 lib/core/subprocessng.py 70ea3768f1b3062b22d20644df41c86238157ec80dd43da40545c620714273c6 lib/core/target.py 
@@ -211,7 +211,7 @@ d2e771cdacef25ee3fdc0e0355b92e7cd1b68f5edc2756ffc19f75d183ba2c73 lib/parse/payl 132abf563aeaaf0108b7e3932cfcc9680c8f445e992de4ee71ceed1ddf60bc29 lib/request/basic.py bc61bc944b81a7670884f82231033a6ac703324b34b071c9834886a92e249d0e lib/request/chunkedhandler.py 09c2d8786fb5280f5f14a7b4345ecb2e7c2ca836ee06a6cf9b51770df923d94c lib/request/comparison.py -02bd85b09ab346309c596eb067dd97c3c6be101c7557e79709fe9e405ca05c88 lib/request/connect.py +7e24d2564fa2657d7f2f1fffb1f68985efabbc18adbbd5ce0b946b8887065a0c lib/request/connect.py 8e06682280fce062eef6174351bfebcb6040e19976acff9dc7b3699779783498 lib/request/direct.py cf019248253a5d7edb7bc474aa020b9e8625d73008a463c56ba2b539d7f2d8ec lib/request/dns.py 92c81cc31ff4a396723242058fb2152c9e9745f8412d01ea74480b048a53af6c lib/request/httpshandler.py diff --git a/lib/core/settings.py b/lib/core/settings.py index d34999a703..ae54f61931 100644 --- a/lib/core/settings.py +++ b/lib/core/settings.py @@ -20,7 +20,7 @@ from thirdparty import six # sqlmap version (...) -VERSION = "1.10.6.1" +VERSION = "1.10.6.2" TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable" TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34} VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE) diff --git a/lib/request/connect.py b/lib/request/connect.py index 930d5bb11f..e6dba19774 100644 --- a/lib/request/connect.py +++ b/lib/request/connect.py @@ -994,7 +994,7 @@ def _read(count=None): # Dirty patch for Python3.11.0a7 (e.g. https://github.com/sqlmapproject/sqlmap/issues/5091) if not sys.version.startswith("3.11."): - if conf.retryOn and re.search(conf.retryOn, page, re.I): + if conf.retryOn and re.search(conf.retryOn, page or "", re.I): if threadData.retriesCount < conf.retries: warnMsg = "forced retry of the request because of undesired page content" logger.warning(warnMsg) 
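Review bot: The retry-on check that this fix touches never runs on any Python 3.11.x interpreter, because the enclosing guard is `if not sys.version.startswith("3.11."):` while its comment only mentions 3.11.0a7. On those versions the option is silently ignored, so either narrow the guard to the affected pre-release or say in the comment why all of 3.11 is excluded. The new fallback would also read better with a short explanation, e.g. `# page can be None when the response carried no body`. The surrounding block continues outside the hunk.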
From 36c55a33fbd38ba577e649e78ef19b15f417cf4c Mon Sep 17 00:00:00 2001 From: Your Name Date: Tue, 2 Jun 2026 13:37:29 +0200 Subject: [PATCH 03/11] Handle unknown WebSocket status codes --- data/txt/sha256sums.txt | 4 ++-- lib/core/settings.py | 2 +- lib/request/connect.py | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt index 0575078133..8091283a57 100644 --- a/data/txt/sha256sums.txt +++ b/data/txt/sha256sums.txt @@ -188,7 +188,7 @@ d197388e8e2aabe19f2529bfcac780e18e22a905d01319080d7afe4cb2b1c4c9 lib/core/optio 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3 lib/core/replication.py 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6 lib/core/revision.py 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c lib/core/session.py -c59462381b8180eb1978d2136ec221caa30633037785a5d8540ea9a782d18fce lib/core/settings.py +552d2c7a35f7797363319c70e5ac56742c5d2dabe44a998ea9bd28bfcc4133b1 lib/core/settings.py cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82 lib/core/shell.py bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725 lib/core/subprocessng.py 70ea3768f1b3062b22d20644df41c86238157ec80dd43da40545c620714273c6 lib/core/target.py 
@@ -211,7 +211,7 @@ d2e771cdacef25ee3fdc0e0355b92e7cd1b68f5edc2756ffc19f75d183ba2c73 lib/parse/payl 132abf563aeaaf0108b7e3932cfcc9680c8f445e992de4ee71ceed1ddf60bc29 lib/request/basic.py bc61bc944b81a7670884f82231033a6ac703324b34b071c9834886a92e249d0e lib/request/chunkedhandler.py 09c2d8786fb5280f5f14a7b4345ecb2e7c2ca836ee06a6cf9b51770df923d94c lib/request/comparison.py -7e24d2564fa2657d7f2f1fffb1f68985efabbc18adbbd5ce0b946b8887065a0c lib/request/connect.py +1ca10e621b32df89da3a6c728b4d64d9ec7ee2f4fdf9d0b8c4783ea503989e0a lib/request/connect.py 8e06682280fce062eef6174351bfebcb6040e19976acff9dc7b3699779783498 lib/request/direct.py cf019248253a5d7edb7bc474aa020b9e8625d73008a463c56ba2b539d7f2d8ec lib/request/dns.py 92c81cc31ff4a396723242058fb2152c9e9745f8412d01ea74480b048a53af6c lib/request/httpshandler.py diff --git a/lib/core/settings.py b/lib/core/settings.py index ae54f61931..e2694f249a 100644 --- a/lib/core/settings.py +++ b/lib/core/settings.py @@ -20,7 +20,7 @@ from thirdparty import six # sqlmap version (...) -VERSION = "1.10.6.2" +VERSION = "1.10.6.3" TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable" TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34} VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE) diff --git a/lib/request/connect.py b/lib/request/connect.py index e6dba19774..5ecfa2ed23 100644 --- a/lib/request/connect.py +++ b/lib/request/connect.py @@ -540,7 +540,7 @@ def getPage(**kwargs): ws.close() code = ws.status - status = _http_client.responses[code] + status = _http_client.responses.get(code, "") class _(dict): pass From aa0fb233144f58c56671961625fdf63e061494a7 Mon Sep 17 00:00:00 2001 
From: Your Name Date: Tue, 2 Jun 2026 13:40:00 +0200 Subject: [PATCH 04/11] Normalize default WebSocket ports --- data/txt/sha256sums.txt | 4 ++-- lib/core/common.py | 3 ++- lib/core/settings.py | 2 +- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt index 8091283a57..ff8314c442 100644 --- a/data/txt/sha256sums.txt +++ b/data/txt/sha256sums.txt @@ -167,7 +167,7 @@ d69e84f1648cdb907f5d2dd454f03874a4613752b07867510145d51d84b3c56f lib/controller 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3 lib/controller/__init__.py 9e694e4864d865c5da745aaf9d35da885eff697a9a0f7b37c3e85d47b4378f64 lib/core/agent.py b13462712ec5ac07541dba98631ddcda279d210b838f363d15ac97a1413b67a2 lib/core/bigarray.py -248052f78518f5b44421bfbf82ec40b333115a8789cf6de8ceced0fcaf2b17ee lib/core/common.py +12324e3bd3ff3e5cb1705c981698c303ef125fa6ac028f0906708903d1d4e4cb lib/core/common.py a6397b10de7ae7c56ed6b0fa3b3c58eb7a9dbede61bf93d786e73258175c981e lib/core/compat.py 461f2666d500f9a91210fec558e6ee68af61c752de5498490bc96c11b32a6b0a lib/core/convert.py c03dc585f89642cfd81b087ac2723e3e1bb3bfa8c60e6f5fe58ef3b0113ebfe6 lib/core/data.py @@ -188,7 +188,7 @@ d197388e8e2aabe19f2529bfcac780e18e22a905d01319080d7afe4cb2b1c4c9 lib/core/optio 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3 lib/core/replication.py 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6 lib/core/revision.py 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c lib/core/session.py -552d2c7a35f7797363319c70e5ac56742c5d2dabe44a998ea9bd28bfcc4133b1 lib/core/settings.py +8b6075c7d1236ec82270e13f0aa1ab5dc394dc6ba888434e865ecd07df2c6a21 lib/core/settings.py cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82 lib/core/shell.py bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725 lib/core/subprocessng.py 70ea3768f1b3062b22d20644df41c86238157ec80dd43da40545c620714273c6 lib/core/target.py 
diff --git a/lib/core/common.py b/lib/core/common.py index c1016e437d..3f5a6a84a9 100644 --- a/lib/core/common.py +++ b/lib/core/common.py @@ -1793,7 +1793,8 @@ def parseTargetUrl(): errMsg = "invalid target URL port (%d)" % conf.port raise SqlmapSyntaxException(errMsg) - conf.url = getUnicode("%s://%s%s%s" % (conf.scheme, ("[%s]" % conf.hostname) if conf.ipv6 else conf.hostname, (":%d" % conf.port) if not (conf.port == 80 and conf.scheme == "http" or conf.port == 443 and conf.scheme == "https") else "", conf.path)) + defaultPort = conf.port == 80 and conf.scheme in ("http", "ws") or conf.port == 443 and conf.scheme in ("https", "wss") + conf.url = getUnicode("%s://%s%s%s" % (conf.scheme, ("[%s]" % conf.hostname) if conf.ipv6 else conf.hostname, (":%d" % conf.port) if not defaultPort else "", conf.path)) conf.url = conf.url.replace(URI_QUESTION_MARKER, '?') if urlSplit.query: diff --git a/lib/core/settings.py b/lib/core/settings.py index e2694f249a..973ad6195b 100644 --- a/lib/core/settings.py +++ b/lib/core/settings.py @@ -20,7 +20,7 @@ from thirdparty import six # sqlmap version (...) -VERSION = "1.10.6.3" +VERSION = "1.10.6.4" TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable" TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34} VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE) From bc252ef010e3867a2e1f59d8d72765838fee610b Mon Sep 17 00:00:00 2001 From: Your Name Date: Tue, 2 Jun 2026 13:40:50 +0200 Subject: [PATCH 05/11] Handle unicode strings in color stripping --- data/txt/sha256sums.txt | 4 ++-- lib/core/common.py | 2 +- lib/core/settings.py | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt index ff8314c442..0ba3d646ae 100644 --- a/data/txt/sha256sums.txt +++ b/data/txt/sha256sums.txt 
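Review bot: The new `defaultPort` expression in `parseTargetUrl()` depends on `and` binding tighter than `or`, which is easy to misread in a line this long. Explicit grouping keeps the two cases apart: `defaultPort = (conf.port == 80 and conf.scheme in ("http", "ws")) or (conf.port == 443 and conf.scheme in ("https", "wss"))`. The membership tests are case-sensitive, so they only hold if `conf.scheme` was lower-cased earlier in the function, which the hunk does not show.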
@@ -167,7 +167,7 @@ d69e84f1648cdb907f5d2dd454f03874a4613752b07867510145d51d84b3c56f lib/controller 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3 lib/controller/__init__.py 9e694e4864d865c5da745aaf9d35da885eff697a9a0f7b37c3e85d47b4378f64 lib/core/agent.py b13462712ec5ac07541dba98631ddcda279d210b838f363d15ac97a1413b67a2 lib/core/bigarray.py -12324e3bd3ff3e5cb1705c981698c303ef125fa6ac028f0906708903d1d4e4cb lib/core/common.py +24799c6fb3f59275c817aba99146198b1e298499000cfd08f89bd33b5c5b761f lib/core/common.py a6397b10de7ae7c56ed6b0fa3b3c58eb7a9dbede61bf93d786e73258175c981e lib/core/compat.py 461f2666d500f9a91210fec558e6ee68af61c752de5498490bc96c11b32a6b0a lib/core/convert.py c03dc585f89642cfd81b087ac2723e3e1bb3bfa8c60e6f5fe58ef3b0113ebfe6 lib/core/data.py @@ -188,7 +188,7 @@ d197388e8e2aabe19f2529bfcac780e18e22a905d01319080d7afe4cb2b1c4c9 lib/core/optio 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3 lib/core/replication.py 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6 lib/core/revision.py 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c lib/core/session.py -8b6075c7d1236ec82270e13f0aa1ab5dc394dc6ba888434e865ecd07df2c6a21 lib/core/settings.py +bd0c8e83c502a419fb12e514652364796ee2484b3e9986fe93ec58476b137869 lib/core/settings.py cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82 lib/core/shell.py bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725 lib/core/subprocessng.py 70ea3768f1b3062b22d20644df41c86238157ec80dd43da40545c620714273c6 lib/core/target.py diff --git a/lib/core/common.py b/lib/core/common.py index 3f5a6a84a9..aae2a71b1d 100644 --- a/lib/core/common.py +++ b/lib/core/common.py @@ -1018,7 +1018,7 @@ def clearColors(message): retVal = message - if isinstance(message, str): + if isinstance(message, six.string_types): retVal = re.sub(r"\x1b\[[\d;]+m", "", message) return retVal 
diff --git a/lib/core/settings.py b/lib/core/settings.py index 973ad6195b..11464d6f71 100644 --- a/lib/core/settings.py +++ b/lib/core/settings.py @@ -20,7 +20,7 @@ from thirdparty import six # sqlmap version (...) -VERSION = "1.10.6.4" +VERSION = "1.10.6.5" TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable" TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34} VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE) From 8258d6d2331152b4dbe18211f772dd1e2dadd5e8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miroslav=20=C5=A0tampar?= Date: Tue, 2 Jun 2026 13:42:24 +0200 Subject: [PATCH 06/11] Strip Brotli from Accept-Encoding header --- data/txt/sha256sums.txt | 4 ++-- lib/core/settings.py | 2 +- lib/request/connect.py | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt index 0ba3d646ae..7a19e61ed0 100644 --- a/data/txt/sha256sums.txt +++ b/data/txt/sha256sums.txt @@ -188,7 +188,7 @@ d197388e8e2aabe19f2529bfcac780e18e22a905d01319080d7afe4cb2b1c4c9 lib/core/optio 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3 lib/core/replication.py 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6 lib/core/revision.py 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c lib/core/session.py -bd0c8e83c502a419fb12e514652364796ee2484b3e9986fe93ec58476b137869 lib/core/settings.py +59e178a266c291d8e0944dd01bf204252ddb7547d47e22fdf82285fa2effa4bc lib/core/settings.py cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82 lib/core/shell.py bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725 lib/core/subprocessng.py 70ea3768f1b3062b22d20644df41c86238157ec80dd43da40545c620714273c6 lib/core/target.py 
@@ -211,7 +211,7 @@ d2e771cdacef25ee3fdc0e0355b92e7cd1b68f5edc2756ffc19f75d183ba2c73 lib/parse/payl 132abf563aeaaf0108b7e3932cfcc9680c8f445e992de4ee71ceed1ddf60bc29 lib/request/basic.py bc61bc944b81a7670884f82231033a6ac703324b34b071c9834886a92e249d0e lib/request/chunkedhandler.py 09c2d8786fb5280f5f14a7b4345ecb2e7c2ca836ee06a6cf9b51770df923d94c lib/request/comparison.py -1ca10e621b32df89da3a6c728b4d64d9ec7ee2f4fdf9d0b8c4783ea503989e0a lib/request/connect.py +2931bda299a3fce5eb80da9199dd708bfdce52b87f141c63e60bcbb072e7054b lib/request/connect.py 8e06682280fce062eef6174351bfebcb6040e19976acff9dc7b3699779783498 lib/request/direct.py cf019248253a5d7edb7bc474aa020b9e8625d73008a463c56ba2b539d7f2d8ec lib/request/dns.py 92c81cc31ff4a396723242058fb2152c9e9745f8412d01ea74480b048a53af6c lib/request/httpshandler.py diff --git a/lib/core/settings.py b/lib/core/settings.py index 11464d6f71..6563387abf 100644 --- a/lib/core/settings.py +++ b/lib/core/settings.py @@ -20,7 +20,7 @@ from thirdparty import six # sqlmap version (...) -VERSION = "1.10.6.5" +VERSION = "1.10.6.7" TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable" TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34} VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE) diff --git a/lib/request/connect.py b/lib/request/connect.py index 5ecfa2ed23..e06b53c274 100644 --- a/lib/request/connect.py +++ b/lib/request/connect.py @@ -505,7 +505,7 @@ def getPage(**kwargs): for key, value in list(headers.items()): if key.upper() == HTTP_HEADER.ACCEPT_ENCODING.upper(): - value = re.sub(r"(?i)(,)br(,)?", lambda match: ',' if match.group(1) and match.group(2) else "", value) or "identity" + value = ','.join(_ for _ in re.split(r"\s*,\s*", value) if _.split(';', 1)[0].lower() != "br") or "identity" del headers[key] if isinstance(value, six.string_types): 
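Review bot: A `br` token with whitespace at either end of the header value or before its parameters (for example ` br` or `br ;q=1`) survives the new filter in `getPage()`, because `re.split(r"\s*,\s*", ...)` only trims around commas and the comparison uses the untrimmed token. Stripping before the comparison closes that gap: `if _.split(';', 1)[0].strip().lower() != "br"`. The filter also runs before the `isinstance(value, six.string_types)` check two lines below, so a non-string header value would reach `re.split` first. The loop body continues outside the hunk.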
From fadf5bb75380ab6a33c76f9fec21ac13bd5f6074 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miroslav=20=C5=A0tampar?= Date: Tue, 2 Jun 2026 13:44:54 +0200 Subject: [PATCH 07/11] Honor injected Host header value --- data/txt/sha256sums.txt | 4 ++-- lib/core/settings.py | 2 +- lib/request/connect.py | 3 ++- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt index 7a19e61ed0..8f7c99b8dd 100644 --- a/data/txt/sha256sums.txt +++ b/data/txt/sha256sums.txt @@ -188,7 +188,7 @@ d197388e8e2aabe19f2529bfcac780e18e22a905d01319080d7afe4cb2b1c4c9 lib/core/optio 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3 lib/core/replication.py 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6 lib/core/revision.py 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c lib/core/session.py -59e178a266c291d8e0944dd01bf204252ddb7547d47e22fdf82285fa2effa4bc lib/core/settings.py +2553871f69974705cb5872171100df26f922e4e8773f5fa9c4ce09ea77f9c141 lib/core/settings.py cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82 lib/core/shell.py bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725 lib/core/subprocessng.py 70ea3768f1b3062b22d20644df41c86238157ec80dd43da40545c620714273c6 lib/core/target.py 
@@ -211,7 +211,7 @@ d2e771cdacef25ee3fdc0e0355b92e7cd1b68f5edc2756ffc19f75d183ba2c73 lib/parse/payl 132abf563aeaaf0108b7e3932cfcc9680c8f445e992de4ee71ceed1ddf60bc29 lib/request/basic.py bc61bc944b81a7670884f82231033a6ac703324b34b071c9834886a92e249d0e lib/request/chunkedhandler.py 09c2d8786fb5280f5f14a7b4345ecb2e7c2ca836ee06a6cf9b51770df923d94c lib/request/comparison.py -2931bda299a3fce5eb80da9199dd708bfdce52b87f141c63e60bcbb072e7054b lib/request/connect.py +391bd674470f4a9e0c75f0b3b898085a629bc6dddea6ca66eebcdd7415f926ba lib/request/connect.py 8e06682280fce062eef6174351bfebcb6040e19976acff9dc7b3699779783498 lib/request/direct.py cf019248253a5d7edb7bc474aa020b9e8625d73008a463c56ba2b539d7f2d8ec lib/request/dns.py 92c81cc31ff4a396723242058fb2152c9e9745f8412d01ea74480b048a53af6c lib/request/httpshandler.py diff --git a/lib/core/settings.py b/lib/core/settings.py index 6563387abf..dc057785e2 100644 --- a/lib/core/settings.py +++ b/lib/core/settings.py @@ -20,7 +20,7 @@ from thirdparty import six # sqlmap version (...) -VERSION = "1.10.6.7" +VERSION = "1.10.6.8" TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable" TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34} VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE) diff --git a/lib/request/connect.py b/lib/request/connect.py index e06b53c274..ae0bf562ab 100644 --- a/lib/request/connect.py +++ b/lib/request/connect.py @@ -287,6 +287,7 @@ def getPage(**kwargs): cookie = kwargs.get("cookie", None) ua = kwargs.get("ua", None) or conf.agent referer = kwargs.get("referer", None) or conf.referer + host = kwargs.get("host", None) direct_ = kwargs.get("direct", False) multipart = kwargs.get("multipart", None) silent = kwargs.get("silent", False) 
@@ -447,7 +448,7 @@ def getPage(**kwargs): requestMsg += " %s" % _http_client.HTTPConnection._http_vsn_str # Prepare HTTP headers - headers = forgeHeaders({HTTP_HEADER.COOKIE: cookie, HTTP_HEADER.USER_AGENT: ua, HTTP_HEADER.REFERER: referer, HTTP_HEADER.HOST: getHeader(dict(conf.httpHeaders), HTTP_HEADER.HOST) or getHostHeader(url)}, base=None if target else {}) + headers = forgeHeaders({HTTP_HEADER.COOKIE: cookie, HTTP_HEADER.USER_AGENT: ua, HTTP_HEADER.REFERER: referer, HTTP_HEADER.HOST: host or getHeader(dict(conf.httpHeaders), HTTP_HEADER.HOST) or getHostHeader(url)}, base=None if target else {}) if HTTP_HEADER.COOKIE in headers: cookie = headers[HTTP_HEADER.COOKIE] From bfe39d010fbddfa4718eedc782e50d68536b712b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miroslav=20=C5=A0tampar?= Date: Tue, 2 Jun 2026 13:54:48 +0200 Subject: [PATCH 08/11] Fix WebSocket request header formatting --- data/txt/sha256sums.txt | 4 ++-- lib/core/settings.py | 2 +- lib/request/connect.py | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt index 8f7c99b8dd..054db42a16 100644 --- a/data/txt/sha256sums.txt +++ b/data/txt/sha256sums.txt @@ -188,7 +188,7 @@ d197388e8e2aabe19f2529bfcac780e18e22a905d01319080d7afe4cb2b1c4c9 lib/core/optio 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3 lib/core/replication.py 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6 lib/core/revision.py 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c lib/core/session.py -2553871f69974705cb5872171100df26f922e4e8773f5fa9c4ce09ea77f9c141 lib/core/settings.py +0de64ae665cab207866a17ee74902a70acb582012e95913daef28694ac894b35 lib/core/settings.py cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82 lib/core/shell.py bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725 lib/core/subprocessng.py 70ea3768f1b3062b22d20644df41c86238157ec80dd43da40545c620714273c6 lib/core/target.py 
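Review bot: An empty injected Host value is not honored by the new header line, since `host or getHeader(...) or getHostHeader(url)` treats `""` the same as "not supplied" and falls back to the configured or derived header. If callers may pass an empty string on purpose, test for None instead: `HTTP_HEADER.HOST: host if host is not None else (getHeader(dict(conf.httpHeaders), HTTP_HEADER.HOST) or getHostHeader(url))`. The `host` keyword read in the earlier hunk (`kwargs.get("host", None)`) should also be listed wherever the keyword arguments accepted by `getPage` are documented. Both hunks show only a slice of `getPage`.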
@@ -211,7 +211,7 @@ d2e771cdacef25ee3fdc0e0355b92e7cd1b68f5edc2756ffc19f75d183ba2c73 lib/parse/payl 132abf563aeaaf0108b7e3932cfcc9680c8f445e992de4ee71ceed1ddf60bc29 lib/request/basic.py bc61bc944b81a7670884f82231033a6ac703324b34b071c9834886a92e249d0e lib/request/chunkedhandler.py 09c2d8786fb5280f5f14a7b4345ecb2e7c2ca836ee06a6cf9b51770df923d94c lib/request/comparison.py -391bd674470f4a9e0c75f0b3b898085a629bc6dddea6ca66eebcdd7415f926ba lib/request/connect.py +ba03fdfe50e7f52692ec11777bc597dbc401835920e75ad86053ef22f6c8d02e lib/request/connect.py 8e06682280fce062eef6174351bfebcb6040e19976acff9dc7b3699779783498 lib/request/direct.py cf019248253a5d7edb7bc474aa020b9e8625d73008a463c56ba2b539d7f2d8ec lib/request/dns.py 92c81cc31ff4a396723242058fb2152c9e9745f8412d01ea74480b048a53af6c lib/request/httpshandler.py diff --git a/lib/core/settings.py b/lib/core/settings.py index dc057785e2..2256a1be5d 100644 --- a/lib/core/settings.py +++ b/lib/core/settings.py @@ -20,7 +20,7 @@ from thirdparty import six # sqlmap version (...) -VERSION = "1.10.6.8" +VERSION = "1.10.6.9" TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable" TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34} VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE) diff --git a/lib/request/connect.py b/lib/request/connect.py index ae0bf562ab..277bc5399b 100644 --- a/lib/request/connect.py +++ b/lib/request/connect.py 
@@ -520,7 +520,7 @@ def getPage(**kwargs): if webSocket: ws = websocket.WebSocket() ws.settimeout(WEBSOCKET_INITIAL_TIMEOUT if kb.webSocketRecvCount is None else timeout) - wsHeaders = tuple("%s: %s" % _ for _ in headers.items() if _[0] not in ("Host",)) + wsHeaders = tuple("%s: %s" % (getUnicode(key), getUnicode(value)) for key, value in headers.items() if getUnicode(key).upper() != HTTP_HEADER.HOST.upper()) ws.connect(url, header=wsHeaders, cookie=cookie) # WebSocket will add Host field of headers automatically ws.send(urldecode(post or "")) From 8cac5fdab6734737ac54b272a961803dccfe1e47 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miroslav=20=C5=A0tampar?= Date: Tue, 2 Jun 2026 13:56:32 +0200 Subject: [PATCH 09/11] Fix forced SSL port rewrite --- data/txt/sha256sums.txt | 4 ++-- lib/core/settings.py | 2 +- lib/request/connect.py | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt index 054db42a16..5b10a29321 100644 --- a/data/txt/sha256sums.txt +++ b/data/txt/sha256sums.txt @@ -188,7 +188,7 @@ d197388e8e2aabe19f2529bfcac780e18e22a905d01319080d7afe4cb2b1c4c9 lib/core/optio 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3 lib/core/replication.py 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6 lib/core/revision.py 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c lib/core/session.py -0de64ae665cab207866a17ee74902a70acb582012e95913daef28694ac894b35 lib/core/settings.py +98df37046d09b74470dbb375d361b6d3a36daaadcba808b4bcb7b1cfca08506a lib/core/settings.py cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82 lib/core/shell.py bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725 lib/core/subprocessng.py 70ea3768f1b3062b22d20644df41c86238157ec80dd43da40545c620714273c6 lib/core/target.py 
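Review bot: The Cookie header may reach the WebSocket handshake twice, once through `wsHeaders` (only Host is filtered out) and once through `cookie=cookie` on the `ws.connect` call on the next line. This assumes `headers` still holds a Cookie entry at this point, which the hunk does not show. If it does, exclude it together with Host: `if getUnicode(key).upper() not in (HTTP_HEADER.HOST.upper(), HTTP_HEADER.COOKIE.upper())`. The rest of the WebSocket branch lies outside the hunk.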
@@ -211,7 +211,7 @@ d2e771cdacef25ee3fdc0e0355b92e7cd1b68f5edc2756ffc19f75d183ba2c73 lib/parse/payl 132abf563aeaaf0108b7e3932cfcc9680c8f445e992de4ee71ceed1ddf60bc29 lib/request/basic.py bc61bc944b81a7670884f82231033a6ac703324b34b071c9834886a92e249d0e lib/request/chunkedhandler.py 09c2d8786fb5280f5f14a7b4345ecb2e7c2ca836ee06a6cf9b51770df923d94c lib/request/comparison.py -ba03fdfe50e7f52692ec11777bc597dbc401835920e75ad86053ef22f6c8d02e lib/request/connect.py +37e496f12be152f2dcaf841b72836b006fafe0d8fe87cfdc99059ac557bc8e51 lib/request/connect.py 8e06682280fce062eef6174351bfebcb6040e19976acff9dc7b3699779783498 lib/request/direct.py cf019248253a5d7edb7bc474aa020b9e8625d73008a463c56ba2b539d7f2d8ec lib/request/dns.py 92c81cc31ff4a396723242058fb2152c9e9745f8412d01ea74480b048a53af6c lib/request/httpshandler.py diff --git a/lib/core/settings.py b/lib/core/settings.py index 2256a1be5d..50f449d790 100644 --- a/lib/core/settings.py +++ b/lib/core/settings.py @@ -20,7 +20,7 @@ from thirdparty import six # sqlmap version (...) -VERSION = "1.10.6.9" +VERSION = "1.10.6.10" TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable" TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34} VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE) diff --git a/lib/request/connect.py b/lib/request/connect.py index 277bc5399b..e4815409fc 100644 --- a/lib/request/connect.py +++ b/lib/request/connect.py @@ -422,7 +422,7 @@ def getPage(**kwargs): elif target: if conf.forceSSL: url = re.sub(r"(?i)\A(http|ws):", r"\g<1>s:", url) - url = re.sub(r"(?i):80/", ":443/", url) + url = re.sub(r"(?i):80(?=[/?#]|\Z)", ":443", url) if PLACE.GET in conf.parameters and not get: get = conf.parameters[PLACE.GET] From 4caeff9cf4a0f7b2202f5279869d15d42d3053c4 Mon Sep 17 00:00:00 2001 
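Review bot: The forced-SSL port rewrite is not limited to the URL authority, so every `:80` followed by `/`, `?`, `#` or end of string is changed, including one inside the path or a query value that happens to hold another host and port. Anchoring to the authority and replacing once avoids altering request data: `url = re.sub(r"\A(\w+://[^/?#]*):80(?=[/?#]|\Z)", r"\g<1>:443", url, count=1)`. The `(?i)` flag has no effect on a pattern made of digits and punctuation and can be dropped. The enclosing branch of `getPage` continues outside the hunk.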
From: =?UTF-8?q?Miroslav=20=C5=A0tampar?= Date: Tue, 2 Jun 2026 13:58:19 +0200 Subject: [PATCH 10/11] Preserve equals signs in answer values --- data/txt/sha256sums.txt | 4 ++-- lib/core/common.py | 7 +++++-- lib/core/settings.py | 2 +- 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt index 5b10a29321..c5bdc3c011 100644 --- a/data/txt/sha256sums.txt +++ b/data/txt/sha256sums.txt @@ -167,7 +167,7 @@ d69e84f1648cdb907f5d2dd454f03874a4613752b07867510145d51d84b3c56f lib/controller 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3 lib/controller/__init__.py 9e694e4864d865c5da745aaf9d35da885eff697a9a0f7b37c3e85d47b4378f64 lib/core/agent.py b13462712ec5ac07541dba98631ddcda279d210b838f363d15ac97a1413b67a2 lib/core/bigarray.py -24799c6fb3f59275c817aba99146198b1e298499000cfd08f89bd33b5c5b761f lib/core/common.py +9abf4df5ef34cfaf188249483a3e95a486212fd4504eb322dcb07a17b2fff16b lib/core/common.py a6397b10de7ae7c56ed6b0fa3b3c58eb7a9dbede61bf93d786e73258175c981e lib/core/compat.py 461f2666d500f9a91210fec558e6ee68af61c752de5498490bc96c11b32a6b0a lib/core/convert.py c03dc585f89642cfd81b087ac2723e3e1bb3bfa8c60e6f5fe58ef3b0113ebfe6 lib/core/data.py 
@@ -188,7 +188,7 @@ d197388e8e2aabe19f2529bfcac780e18e22a905d01319080d7afe4cb2b1c4c9 lib/core/optio 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3 lib/core/replication.py 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6 lib/core/revision.py 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c lib/core/session.py -98df37046d09b74470dbb375d361b6d3a36daaadcba808b4bcb7b1cfca08506a lib/core/settings.py +8463d020e8a7b4d7a47bd5a0a1fa5c1506d7cd61c429c3f092fb66248f72d889 lib/core/settings.py cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82 lib/core/shell.py bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725 lib/core/subprocessng.py 70ea3768f1b3062b22d20644df41c86238157ec80dd43da40545c620714273c6 lib/core/target.py diff --git a/lib/core/common.py b/lib/core/common.py index aae2a71b1d..4baadd4da9 100644 --- a/lib/core/common.py +++ b/lib/core/common.py @@ -1147,8 +1147,11 @@ def readInput(message, default=None, checkBatch=True, boolean=False): return conf.answers for item in conf.answers.split(','): - question = item.split('=')[0].strip() - answer = item.split('=')[1] if len(item.split('=')) > 1 else None + if '=' in item: + question, answer = item.split('=', 1) + question = question.strip() + else: + question, answer = item.strip(), None if answer and question.lower() in message.lower(): retVal = getUnicode(answer, UNICODE_ENCODING) elif answer is None and retVal: diff --git a/lib/core/settings.py b/lib/core/settings.py index 50f449d790..3451551922 100644 --- a/lib/core/settings.py +++ b/lib/core/settings.py 
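Review bot: An item with an empty question part, such as `=Y`, matches every prompt in `readInput()`, because `question` becomes `""` and `"" in message.lower()` is always true. A guard on the match line fixes that: `if answer and question and question.lower() in message.lower():`. Values are still cut at commas by `conf.answers.split(',')`, so the change preserves `=` inside an answer but not `,`; a comment above the loop should state that limit. The loop and the function continue outside the hunk.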
@@ -20,7 +20,7 @@ from thirdparty import six
 # sqlmap version (...)
-VERSION = "1.10.6.10"
+VERSION = "1.10.6.11"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
From b30c169b8a5dad686763d6ef27d30283c5049055 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miroslav=20=C5=A0tampar?=
Date: Tue, 2 Jun 2026 14:00:09 +0200
Subject: [PATCH 11/11] Avoid eval processing crash on JSON arrays
---
 data/txt/sha256sums.txt | 4 ++--
 lib/core/settings.py | 2 +-
 lib/request/connect.py | 3 ++-
 3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt
index c5bdc3c011..9204a51a7e 100644
--- a/data/txt/sha256sums.txt
+++ b/data/txt/sha256sums.txt
@@ -188,7 +188,7 @@ d197388e8e2aabe19f2529bfcac780e18e22a905d01319080d7afe4cb2b1c4c9 lib/core/optio
 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3 lib/core/replication.py
 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6 lib/core/revision.py
 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c lib/core/session.py
-8463d020e8a7b4d7a47bd5a0a1fa5c1506d7cd61c429c3f092fb66248f72d889 lib/core/settings.py
+3fea7262bc40f5a7cf31ae81c1f2d1a12361d7b7e1d45411d6617475bd691608 lib/core/settings.py
 cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82 lib/core/shell.py
 bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725 lib/core/subprocessng.py
 70ea3768f1b3062b22d20644df41c86238157ec80dd43da40545c620714273c6 lib/core/target.py
@@ -211,7 +211,7 @@ d2e771cdacef25ee3fdc0e0355b92e7cd1b68f5edc2756ffc19f75d183ba2c73 lib/parse/payl
 132abf563aeaaf0108b7e3932cfcc9680c8f445e992de4ee71ceed1ddf60bc29 lib/request/basic.py
 bc61bc944b81a7670884f82231033a6ac703324b34b071c9834886a92e249d0e lib/request/chunkedhandler.py
 09c2d8786fb5280f5f14a7b4345ecb2e7c2ca836ee06a6cf9b51770df923d94c lib/request/comparison.py
-37e496f12be152f2dcaf841b72836b006fafe0d8fe87cfdc99059ac557bc8e51 lib/request/connect.py
+5a93943509a0de21322fab8df15ea56df9d5ee12363aadc1dd171622eafc8fcd lib/request/connect.py
 8e06682280fce062eef6174351bfebcb6040e19976acff9dc7b3699779783498 lib/request/direct.py
 cf019248253a5d7edb7bc474aa020b9e8625d73008a463c56ba2b539d7f2d8ec lib/request/dns.py
 92c81cc31ff4a396723242058fb2152c9e9745f8412d01ea74480b048a53af6c lib/request/httpshandler.py
diff --git a/lib/core/settings.py b/lib/core/settings.py
index 3451551922..62b7a4d680 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -20,7 +20,7 @@ from thirdparty import six
 # sqlmap version (...)
-VERSION = "1.10.6.11"
+VERSION = "1.10.6.12"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
diff --git a/lib/request/connect.py b/lib/request/connect.py
index e4815409fc..f293b97059 100644
--- a/lib/request/connect.py
+++ b/lib/request/connect.py
@@ -1371,7 +1371,8 @@ def _randomizeParameter(paramString, randomParameter):
 variables[name] = value
 if post and kb.postHint in (POST_HINT.JSON, POST_HINT.JSON_LIKE):
- for name, value in (parseJson(post) or {}).items():
+ json_ = parseJson(post)
+ for name, value in (json_ if isinstance(json_, dict) else {}).items():
 if safeVariableNaming(name) != name:
 conf.evalCode = re.sub(r"\b%s\b" % re.escape(name), safeVariableNaming(name), conf.evalCode)
 name = safeVariableNaming(name)
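Review bot: The new `isinstance(json_, dict)` guard in lib/request/connect.py drops a top-level JSON array, or any other non-object body, without a trace, so the eval code then runs with none of the body's values bound and the user is not told why. A comment on the new line would record the intent, e.g. `# only a top-level JSON object yields named variables; arrays and scalars are skipped`. A one-time debug message in an `else` branch would also make the skip visible, assuming the module's logger is in scope at this point. The enclosing function starts and ends outside the hunk.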