diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt
index 1fd2fa5c733..557e3ab38bb 100644
--- a/data/txt/sha256sums.txt
+++ b/data/txt/sha256sums.txt
@@ -167,7 +167,7 @@ d69e84f1648cdb907f5d2dd454f03874a4613752b07867510145d51d84b3c56f lib/controller
 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3 lib/controller/__init__.py
 b2555d11529689f5d7d02bee0741d3228969e2bf29a2b9140bf1560ff60249e7 lib/core/agent.py
 b13462712ec5ac07541dba98631ddcda279d210b838f363d15ac97a1413b67a2 lib/core/bigarray.py
-2a9d87359d4b7d4fa8a818e4ee8f7a6fd3d3cf46feae17d21e7a3370c5cee5d2 lib/core/common.py
+1521efe57f554759e2550527970367615b92f3341bcb72831432a2863805a281 lib/core/common.py
 a6397b10de7ae7c56ed6b0fa3b3c58eb7a9dbede61bf93d786e73258175c981e lib/core/compat.py
 461f2666d500f9a91210fec558e6ee68af61c752de5498490bc96c11b32a6b0a lib/core/convert.py
 c03dc585f89642cfd81b087ac2723e3e1bb3bfa8c60e6f5fe58ef3b0113ebfe6 lib/core/data.py
@@ -175,7 +175,7 @@ c03dc585f89642cfd81b087ac2723e3e1bb3bfa8c60e6f5fe58ef3b0113ebfe6 lib/core/data.
 70fb2528e580b22564899595b0dff6b1bc257c6a99d2022ce3996a3d04e68e4e lib/core/decorators.py
 147823c37596bd6a56d677697781f34b8d1d1671d5a2518fbc9468d623c6d07d lib/core/defaults.py
 2f44a1bfe6f18aafe64147b99e69aa93cf438c0e7befe59f4e2aee9065c8b7b6 lib/core/dicts.py
-b37d3b745f82fe93eb3608683e87305b767e04f7cbf93dbb13ff33452c67d90a lib/core/dump.py
+3e00b5c4ca385886f57608f7e0695bb70c696ef3454c181bbdfeea746efba96a lib/core/dump.py
 23e33f0b457e2a7114c9171ba9b42e1751b71ee3f384bba7fad39e4490adb803 lib/core/enums.py
 5387168e5dfedd94ae22af7bb255f27d6baaca50b24179c6b98f4f325f5cc7b4 lib/core/exception.py
 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3 lib/core/__init__.py
@@ -188,14 +188,14 @@ c65ce3cd38ee85c443c6619cfea84920390bad171f2999b95149485c0d1bc4a2 lib/core/patch
 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3 lib/core/replication.py
 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6 lib/core/revision.py
 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c lib/core/session.py
-a94bd355c8c2a9e60009c536b03de1d86f085121de60b36d22073e3620588e47 lib/core/settings.py
+94ef7db2f47a8888f8ce0cd07f5b8809fc0eb599ccbce33340ed3e2b8dcbc2fc lib/core/settings.py
 cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82 lib/core/shell.py
 bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725 lib/core/subprocessng.py
 70ea3768f1b3062b22d20644df41c86238157ec80dd43da40545c620714273c6 lib/core/target.py
 7f7d1c57917f6ccc98e2ef093e2fa4cb6424d904c772b61003d5a5a3482a848f lib/core/testing.py
-b5b65f018d6ef4b1ceeebbc50d372e07d4733267c9f3f4b13062efd065e847b6 lib/core/threads.py
+e3e653364d08d04d7492aa40a2bd29c6a28f4d78fecdd6c10f21f6cb28b98b4c lib/core/threads.py
 b9aacb840310173202f79c2ba125b0243003ee6b44c92eca50424f2bdfc83c02 lib/core/unescaper.py
-10719f5ca450610ad28242017b2d8a77354ca357ffa26948c5f62d20cac29a8b lib/core/update.py
+53e396902cb2546eaa09e77073fcba8be8827ee9ce055cfc899e81b0e6ad4d6d lib/core/update.py
 ec11fd5a3f4efd10a1cae288157ac6eb6fb75da4666d76d19f6adf74ac338b5a lib/core/wordlist.py
 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3 lib/__init__.py
 54bfd31ebded3ffa5848df1c644f196eb704116517c7a3d860b5d081e984d821 lib/parse/banner.py
@@ -211,7 +211,7 @@ d2e771cdacef25ee3fdc0e0355b92e7cd1b68f5edc2756ffc19f75d183ba2c73 lib/parse/payl
 132abf563aeaaf0108b7e3932cfcc9680c8f445e992de4ee71ceed1ddf60bc29 lib/request/basic.py
 bc61bc944b81a7670884f82231033a6ac703324b34b071c9834886a92e249d0e lib/request/chunkedhandler.py
 09c2d8786fb5280f5f14a7b4345ecb2e7c2ca836ee06a6cf9b51770df923d94c lib/request/comparison.py
-5a93943509a0de21322fab8df15ea56df9d5ee12363aadc1dd171622eafc8fcd lib/request/connect.py
+9236db2abad1b1d368a3c5a5beb655055fd2445faba57a4172db264b06105bd4 lib/request/connect.py
 8e06682280fce062eef6174351bfebcb6040e19976acff9dc7b3699779783498 lib/request/direct.py
 cf019248253a5d7edb7bc474aa020b9e8625d73008a463c56ba2b539d7f2d8ec lib/request/dns.py
 92c81cc31ff4a396723242058fb2152c9e9745f8412d01ea74480b048a53af6c lib/request/httpshandler.py
@@ -229,7 +229,7 @@ d3c93562d78ebdaf9e22c0ea2e4a62adb12f0ce9e9d9631c1ea000b1a07d04ab lib/takeover/i
 f522436fbd14bdab090a1d305fcac0361800cb8e36c8cbcb47933298376a71e0 lib/takeover/registry.py
 f6e5d6e2ff368fa39943b2302982f33c47eb9a12d01419bef50fcf934b2bce34 lib/takeover/udf.py
 23d73af417604dab460b74cdc230896153f018a6c00d144019491053640a172f lib/takeover/web.py
-14179e5273378ec8d63660a87c5cb07a42b61a6fceb7f3bb494a7b5ce10ce2cb lib/takeover/xp_cmdshell.py
+8cc1e226d4150fe8aa1a056e5d32d858ed6444d3d4e2af7fb4bc08f0bbe9d527 lib/takeover/xp_cmdshell.py
 69928272eed889033e106527f88454dc844bfbb375fcf7c22d5f76ee30c62c9b lib/techniques/blind/inference.py
 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3 lib/techniques/blind/__init__.py
 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3 lib/techniques/dns/__init__.py
@@ -241,7 +241,7 @@ f552b6140d4069be6a44792a08f295da8adabc1c4bb6a5e100f222f87144ca9d lib/techniques
 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3 lib/techniques/union/__init__.py
 30cae858e2a5a75b40854399f65ad074e6bb808d56d5ee66b94d4002dc6e101b lib/techniques/union/test.py
 a8a795f29ec6fd66482926f04b054ed492a033982c3b7837c5d2ea32368acec0 lib/techniques/union/use.py
-9ff41fda2d5738c7cc3ab794ab25e7d6b28dd17f7d9b096da9ba9ee395445f30 lib/utils/api.py
+3a418628622cf1f09346ecea12ae13a22341c8211815e01c839c9c1ab01fb12a lib/utils/api.py
 442555ab85277aff7c9e0cf465ea5b0d28395c326f68363449b2d3941f4b6de2 lib/utils/brute.py
 da5bcbcda3f667582adf5db8c1b5d511b469ac61b55d387cec66de35720ed718 lib/utils/crawler.py
 a94958be0ec3e9d28d8171813a6a90655a9ad7e6aa33c661e8d8ebbfcf208dbb lib/utils/deps.py
@@ -492,7 +492,7 @@ cedf45d33461bd7e5400d06611a63c8a4ffae1a4510030c5696b9d46ed6a9883 plugins/generi
 c6ad39bfd1810413402dedfc275fc805fa13f85fc490e236c1e725bde4e5100b sqlmapapi.py
 4e993cfe2889bf0f86ad0abafd9a6a25849580284ea279b2115e99707e14bb97 sqlmapapi.yaml
 627d90f1194335b800cbc9cc78db6697cf9e02e193a83598e0d4d0abb55b63b8 sqlmap.conf
-4cec2aae8d65d67cd6db60f00217aa05ab449345ed3a38e04697b85b53d755f1 sqlmap.py
+65159b82795604069a2d14ccbd1f66e888a26b05db0401a1ddadb40c665c93dc sqlmap.py
 eb37a88357522fd7ad00d90cdc5da6b57442b4fec49366aadb2944c4fbf8b804 tamper/0eunion.py
 a9785a4c111d6fee2e6d26466ba5efb3b229c00520b26e8024b041553b53efba tamper/apostrophemask.py
 cf26bc8006519bd25ce06d347f72770cd75b61575cf65e5812274e8ab9392eb4 tamper/apostrophenullencode.py
diff --git a/lib/core/common.py b/lib/core/common.py
index 798de5a216f..335e1f27a1c 100644
--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -2223,7 +2223,8 @@ def safeStringFormat(format_, params): match = re.search(r"(\A|[^A-Za-z0-9])(%s)([^A-Za-z0-9]|\Z)", retVal) if match: try: - retVal = re.sub(r"(\A|[^A-Za-z0-9])(%s)([^A-Za-z0-9]|\Z)", r"\g<1>%s\g<3>" % params[count % len(params)], retVal, 1) + _ = getUnicode(params[count % len(params)]) + retVal = re.sub(r"(\A|[^A-Za-z0-9])(%s)([^A-Za-z0-9]|\Z)", r"\g<1>%s\g<3>" % _.replace('\\', r'\\'), retVal, 1) except re.error: retVal = retVal.replace(match.group(0), match.group(0) % params[count % len(params)], 1) count += 1 diff --git a/lib/core/dump.py b/lib/core/dump.py index 1172526f300..7cf44c5b9c0 100644 --- a/lib/core/dump.py +++ b/lib/core/dump.py @@ -605,10 +605,7 @@ def dbTableValues(self, tableValues): if column != "__infos__": info = tableValues[column] - if len(info["values"]) <= i: - continue - - if info["values"][i] is None: + if len(info["values"]) <= i or info["values"][i] is None: value = u'' else: value = getUnicode(info["values"][i]) diff --git a/lib/core/settings.py b/lib/core/settings.py index 0422327d1cb..574d56391dd 100644 --- a/lib/core/settings.py +++ b/lib/core/settings.py @@ -20,7 +20,7 @@ from thirdparty import six # sqlmap version (...) -VERSION = "1.10.6.34" +VERSION = "1.10.6.41" TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable" TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34} VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE) diff --git a/lib/core/threads.py b/lib/core/threads.py index 7334560036a..8d2528ce2cc 100644 --- a/lib/core/threads.py +++ b/lib/core/threads.py 
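Review bot: The `.replace('\\', r'\\')` on the new `re.sub` line carries no comment saying why backslashes are doubled, and the `except re.error` fallback two lines below still formats the raw `params[count % len(params)]` instead of the converted `_`. The doubling keeps a value such as `\1` or `\g<1>` from being parsed as a group reference in the replacement template. Passing a callable would take the value literally and make the escaping unnecessary: `re.sub(pattern, lambda m: m.group(1) + _ + m.group(3), retVal, 1)`. If the template form stays, a comment such as `# Note: backslashes are doubled so the value is not parsed as a replacement-template escape` would record the intent. safeStringFormat starts and ends outside the hunk.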
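Review bot: The merged condition `if len(info["values"]) <= i or info["values"][i] is None:` now renders a column that has run out of values as an empty cell, the same output as a `None` value, and nothing at that line says the padding is deliberate. A comment above it would record that, for example `# Note: a column with fewer values than rows is padded with an empty value instead of being skipped`. Whether any later consumer of the dump needs to tell a missing value from a NULL one cannot be seen from this hunk. dbTableValues starts and ends outside the hunk.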
@@ -213,7 +213,14 @@ def _threadFunction(): if numThreads > 1: logger.info("waiting for threads to finish%s" % (" (Ctrl+C was pressed)" if isinstance(ex, KeyboardInterrupt) else "")) try: - while threading.active_count() > 1: + while True: + alive = False + for thread in threads: + if thread.is_alive(): + alive = True + break + if not alive: + break time.sleep(0.1) except KeyboardInterrupt: diff --git a/lib/core/update.py b/lib/core/update.py index 78635ff39d8..245c9edc01f 100644 --- a/lib/core/update.py +++ b/lib/core/update.py @@ -18,7 +18,6 @@ from lib.core.common import getLatestRevision from lib.core.common import getSafeExString from lib.core.common import openFile -from lib.core.common import pollProcess from lib.core.common import readInput from lib.core.convert import getText from lib.core.data import conf @@ -51,7 +50,6 @@ def update(): output = "" try: process = subprocess.Popen("pip install -U sqlmap", shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, cwd=paths.SQLMAP_ROOT_PATH) - pollProcess(process, True) output, _ = process.communicate() success = not process.returncode except Exception as ex: @@ -138,7 +136,6 @@ def update(): output = "" try: process = subprocess.Popen("git checkout . && git pull %s HEAD" % GIT_REPOSITORY, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, cwd=paths.SQLMAP_ROOT_PATH) - pollProcess(process, True) output, _ = process.communicate() success = not process.returncode except Exception as ex: diff --git a/lib/request/connect.py b/lib/request/connect.py index f293b970592..fe5ebb3959f 100644 --- a/lib/request/connect.py +++ b/lib/request/connect.py @@ -7,6 +7,7 @@ import binascii import inspect +import io import logging import os import random 
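Review bot: The new wait loop spells out a flag, an inner `for` and two `break`s for what is a single predicate over `threads`. The same behaviour reads more directly as `while any(thread.is_alive() for thread in threads):` followed by `time.sleep(0.1)`. A one-line comment would also help the next reader, for example `# Note: waiting only on our own worker threads, not on every thread in the process`; that is presumably why `threading.active_count()` was dropped. The enclosing function continues outside the hunk.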
@@ -530,6 +531,10 @@ def getPage(**kwargs): while True: try: _page.append(ws.recv()) + if sum(len(_) for _ in _page) > MAX_CONNECTION_TOTAL_SIZE: + warnMsg = "too large websocket response detected. Automatically trimming it" + singleTimeWarnMessage(warnMsg) + break except websocket.WebSocketTimeoutException: kb.webSocketRecvCount = len(_page) break @@ -639,6 +644,9 @@ class _(dict): except (httpx.HTTPError, httpx.InvalidURL, httpx.CookieConflict, httpx.StreamError) as ex: raise _http_client.HTTPException(getSafeExString(ex)) else: + if conn.status_code >= 400: + raise _urllib.error.HTTPError(url, conn.status_code, conn.reason_phrase, conn.headers, io.BytesIO(conn.read())) + conn.code = conn.status_code conn.msg = conn.reason_phrase conn.info = lambda c=conn: c.headers diff --git a/lib/takeover/xp_cmdshell.py b/lib/takeover/xp_cmdshell.py index abefda27ba1..3fd3fb6f902 100644 --- a/lib/takeover/xp_cmdshell.py +++ b/lib/takeover/xp_cmdshell.py @@ -226,8 +226,8 @@ def xpCmdshellEvalCmd(self, cmd, first=None, last=None): if isNumPosStrValue(count): for index in getLimitRange(count): - query = agent.limitQuery(index, query, self.tblField) - output.append(inject.getValue(query, union=False, error=False, resumeValue=False)) + limitedQuery = agent.limitQuery(index, query, self.tblField) + output.append(inject.getValue(limitedQuery, union=False, error=False, resumeValue=False)) inject.goStacked("DELETE FROM %s" % self.cmdTblName) diff --git a/lib/utils/api.py b/lib/utils/api.py index d576c7ba1e3..5dbf3a0e370 100644 --- a/lib/utils/api.py +++ b/lib/utils/api.py @@ -119,8 +119,8 @@ def execute(self, statement, arguments=None): else: break - if statement.lstrip().upper().startswith("SELECT"): - return self.cursor.fetchall() + if statement.lstrip().upper().startswith("SELECT"): + return self.cursor.fetchall() def init(self): self.execute("CREATE TABLE IF NOT EXISTS logs(id INTEGER PRIMARY KEY AUTOINCREMENT, taskid INTEGER, time TEXT, level TEXT, message TEXT)") 
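Review bot: The size check added after `_page.append(ws.recv())` recomputes `sum(len(_) for _ in _page)` on every received frame, so a peer that sends many small frames makes the loop quadratic in the frame count before the cap is reached. A running total updated per frame, `total += len(_page[-1])` compared against `MAX_CONNECTION_TOTAL_SIZE`, keeps it linear. The frame that crosses the limit is appended in full before the `break`, so despite the "trimming" wording the buffer can exceed the cap by one frame unless it is cut later outside this hunk. This exit also leaves `kb.webSocketRecvCount` unset, unlike the `WebSocketTimeoutException` branch below it; worth confirming that is intended. getPage starts and ends outside the hunk.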
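Review bot: The new `conn.read()` in `if conn.status_code >= 400:` sits in the `else:` branch, so it runs outside the `except (httpx.HTTPError, httpx.InvalidURL, httpx.CookieConflict, httpx.StreamError)` clause shown above it. If the body is not already buffered, a read failure would surface as a raw httpx exception instead of the `_http_client.HTTPException` the rest of this path raises. The error body is also read whole with no size limit visible here, while the websocket path in the same function is capped by `MAX_CONNECTION_TOTAL_SIZE`. Consider reading the body inside the guarded block, and confirm that handlers of `_urllib.error.HTTPError` accept `conn.headers` as the headers object. The enclosing code continues outside the hunk.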
@@ -392,6 +392,7 @@ def task_delete(taskid): Delete an existing task """ if taskid in DataStore.tasks: + DataStore.tasks[taskid].engine_kill() DataStore.tasks.pop(taskid) logger.debug("(%s) Deleted task" % taskid) diff --git a/sqlmap.py b/sqlmap.py index 5e93ef2c83d..7ed61e529c6 100755 --- a/sqlmap.py +++ b/sqlmap.py @@ -384,7 +384,7 @@ def main(): logger.critical(errMsg) raise SystemExit - elif "AttributeError:" in excMsg and re.search(r"3\.11\.\d+a", sys.version): + elif any(_ in excMsg for _ in ("AttributeError:", "TypeError:")) and re.search(r"3\.11\.\d+a", sys.version): errMsg = "there is a known issue when sqlmap is run with ALPHA versions of Python 3.11. " errMsg += "Please download a stable Python version" logger.critical(errMsg)
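Review bot: In task_delete the task is looked up, killed and then popped in three separate steps, so if `engine_kill()` raises the entry stays in `DataStore.tasks`, and two concurrent delete requests can both pass the `in` check. Taking the entry out first avoids both: `task = DataStore.tasks.pop(taskid, None)`, then `if task is not None: task.engine_kill()`. The body of `engine_kill()` is not visible here, so whether it can raise for a task whose engine never started should be checked. task_delete continues outside the hunk.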
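Review bot: Adding `"TypeError:"` to the `elif` means that on a Python 3.11 alpha build any unhandled TypeError is reported as the known interpreter issue, including ones caused by a real bug in sqlmap. The branch is limited to versions matching `3\.11\.\d+a`, so the exposure is small, but logging the original text first, for example `logger.debug(excMsg)`, would keep the evidence. The loop variable `_` is read inside the generator, so a descriptive name such as `marker` would be clearer than the throwaway underscore. main() starts and ends outside the hunk.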