From d96ac7c777951b791997f3d111b715fb6d938f0c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miroslav=20=C5=A0tampar?= Date: Fri, 5 Jun 2026 12:49:37 +0200 Subject: [PATCH 1/9] Minor patch --- data/txt/sha256sums.txt | 4 ++-- lib/core/option.py | 4 ++++ lib/core/settings.py | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt index 557e3ab38bb..d1653cd3a91 100644 --- a/data/txt/sha256sums.txt +++ b/data/txt/sha256sums.txt @@ -181,14 +181,14 @@ c03dc585f89642cfd81b087ac2723e3e1bb3bfa8c60e6f5fe58ef3b0113ebfe6 lib/core/data. 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3 lib/core/__init__.py 914a13ee21fd610a6153a37cbe50830fcbd1324c7ebc1e7fc206d5e598b0f7ad lib/core/log.py 67ea32c993cbf23cdbd5170360c020ca33363b7c516ff3f8da4124ef7cb0254d lib/core/optiondict.py -d197388e8e2aabe19f2529bfcac780e18e22a905d01319080d7afe4cb2b1c4c9 lib/core/option.py +83ec82a78c1665ae7516a3bbd239ffb1db8ac2ca20994125ff6023edf3d1e7c1 lib/core/option.py c65ce3cd38ee85c443c6619cfea84920390bad171f2999b95149485c0d1bc4a2 lib/core/patch.py 49c0fa7e3814dfda610d665ee02b12df299b28bc0b6773815b4395514ddf8dec lib/core/profiling.py 03db48f02c3d07a047ddb8fe33a757b6238867352d8ddda2a83e4fec09a98d04 lib/core/readlineng.py 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3 lib/core/replication.py 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6 lib/core/revision.py 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c lib/core/session.py -94ef7db2f47a8888f8ce0cd07f5b8809fc0eb599ccbce33340ed3e2b8dcbc2fc lib/core/settings.py +04f19742baeeb5e50919f8453f2150816fe8b7de47886e30befefac889567e37 lib/core/settings.py cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82 lib/core/shell.py bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725 lib/core/subprocessng.py 70ea3768f1b3062b22d20644df41c86238157ec80dd43da40545c620714273c6 lib/core/target.py diff --git a/lib/core/option.py b/lib/core/option.py index 749ecdc946e..0649854d211 100644 --- a/lib/core/option.py +++ b/lib/core/option.py @@ -2639,6 +2639,10 @@ def _basicOptionValidation(): errMsg = "switch '--text-only' is incompatible with switch '--null-connection'" raise SqlmapSyntaxException(errMsg) + if conf.http2 and any((conf.tor, conf.proxy and conf.proxy.lower().startswith("socks"))): + errMsg = "HTTP/2 support is currently incompatible with SOCKS/Tor proxies" + raise SqlmapSyntaxException(errMsg) + if conf.uValues and conf.uChar: errMsg = "option '--union-values' is incompatible with option '--union-char'" raise SqlmapSyntaxException(errMsg) diff --git a/lib/core/settings.py b/lib/core/settings.py index 574d56391dd..22c4ce1f250 100644 --- a/lib/core/settings.py +++ b/lib/core/settings.py @@ -20,7 +20,7 @@ from thirdparty import six # sqlmap version (...) -VERSION = "1.10.6.41" +VERSION = "1.10.6.42" TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable" TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34} VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE) From 57086969ccf6c2824f8a298a632bde7413046c5e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miroslav=20=C5=A0tampar?= Date: Fri, 5 Jun 2026 12:51:45 +0200 Subject: [PATCH 2/9] Bug fix for cracking of Base64 hashes on DREI --- data/txt/sha256sums.txt | 4 ++-- lib/core/settings.py | 2 +- lib/utils/hash.py | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt index d1653cd3a91..4574b59e65e 100644 --- a/data/txt/sha256sums.txt +++ b/data/txt/sha256sums.txt @@ -188,7 +188,7 @@ c65ce3cd38ee85c443c6619cfea84920390bad171f2999b95149485c0d1bc4a2 lib/core/patch 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3 lib/core/replication.py 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6 lib/core/revision.py 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c lib/core/session.py -04f19742baeeb5e50919f8453f2150816fe8b7de47886e30befefac889567e37 lib/core/settings.py +dfb37a8a4342fbe8fa81161e63a6d308e8ab39da44b513a72ca027a806c6dd8b lib/core/settings.py cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82 lib/core/shell.py bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725 lib/core/subprocessng.py 70ea3768f1b3062b22d20644df41c86238157ec80dd43da40545c620714273c6 lib/core/target.py @@ -249,7 +249,7 @@ a94958be0ec3e9d28d8171813a6a90655a9ad7e6aa33c661e8d8ebbfcf208dbb lib/utils/deps 853c3595e1d2efc54b8bfb6ab12c55d1efc1603be266978e3a7d96d553d91a52 lib/utils/gui.py 972c5db9c9e30ac0f91c0f8d4df4531d0304e151dac99f1399c37c952ba9f935 lib/utils/har.py e890d2ee4787589b2464d9c561d10a6896546781c349b48bfe4d42dd3954468b lib/utils/hashdb.py -84bf572a9e7915e91dbffea996e1a7b749392725f1ad7f412d0ff48c636a2896 lib/utils/hash.py +e6ec30a42b04e6cbce9922affb3acbdfd0a772bbb4a86d44b57361a8fa4dfad3 lib/utils/hash.py 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3 lib/utils/__init__.py 22ba65391b0a73b1925e5becf8ddab6ba73a196d86e351a2263509aad6676bd7 lib/utils/pivotdumptable.py c1dfc3bed0fed9b181f612d1d747955dd2b506dbe99bc9fd481495602371473a lib/utils/progress.py diff --git a/lib/core/settings.py b/lib/core/settings.py index 22c4ce1f250..3120a62a6cf 100644 --- a/lib/core/settings.py +++ b/lib/core/settings.py @@ -20,7 +20,7 @@ from thirdparty import six # sqlmap version (...) -VERSION = "1.10.6.42" +VERSION = "1.10.6.43" TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable" TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34} VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE) diff --git a/lib/utils/hash.py b/lib/utils/hash.py index 13a978149af..5ba6801fae5 100644 --- a/lib/utils/hash.py +++ b/lib/utils/hash.py @@ -1047,7 +1047,7 @@ def dictionaryAttack(attack_dict): hash_ = hash_.lower() if hash_regex in (HASH.MD5_BASE64, HASH.SHA1_BASE64, HASH.SHA256_BASE64, HASH.SHA512_BASE64): - item = [(user, encodeHex(decodeBase64(hash_, binary=True))), {}] + item = [(user, encodeHex(decodeBase64(hash_, binary=True), binary=False)), {}] elif hash_regex in (HASH.MYSQL, HASH.MYSQL_OLD, HASH.MD5_GENERIC, HASH.SHA1_GENERIC, HASH.SHA224_GENERIC, HASH.SHA256_GENERIC, HASH.SHA384_GENERIC, HASH.SHA512_GENERIC, HASH.APACHE_SHA1): if hash_.startswith("0x"): # Reference: https://docs.microsoft.com/en-us/sql/t-sql/functions/hashbytes-transact-sql?view=sql-server-2017 hash_ = hash_[2:] From dca0bb648d289b086d8f3e8142146200ec49fdb8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miroslav=20=C5=A0tampar?= Date: Fri, 5 Jun 2026 13:22:53 +0200 Subject: [PATCH 3/9] Patching some more unsafe unpickling --- data/txt/sha256sums.txt | 4 ++-- lib/core/patch.py | 6 +++++- lib/core/settings.py | 2 +- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt index 4574b59e65e..012ddba34dc 100644 --- a/data/txt/sha256sums.txt +++ b/data/txt/sha256sums.txt @@ -182,13 +182,13 @@ c03dc585f89642cfd81b087ac2723e3e1bb3bfa8c60e6f5fe58ef3b0113ebfe6 lib/core/data. 914a13ee21fd610a6153a37cbe50830fcbd1324c7ebc1e7fc206d5e598b0f7ad lib/core/log.py 67ea32c993cbf23cdbd5170360c020ca33363b7c516ff3f8da4124ef7cb0254d lib/core/optiondict.py 83ec82a78c1665ae7516a3bbd239ffb1db8ac2ca20994125ff6023edf3d1e7c1 lib/core/option.py -c65ce3cd38ee85c443c6619cfea84920390bad171f2999b95149485c0d1bc4a2 lib/core/patch.py +3371a9c79ad7d2eb578e705cb077098a9f63cabb5472e4e66c4dac094a438bcd lib/core/patch.py 49c0fa7e3814dfda610d665ee02b12df299b28bc0b6773815b4395514ddf8dec lib/core/profiling.py 03db48f02c3d07a047ddb8fe33a757b6238867352d8ddda2a83e4fec09a98d04 lib/core/readlineng.py 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3 lib/core/replication.py 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6 lib/core/revision.py 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c lib/core/session.py -dfb37a8a4342fbe8fa81161e63a6d308e8ab39da44b513a72ca027a806c6dd8b lib/core/settings.py +cee91b682232e472c25a1853f74d6b737243d702bcacf44e59ec755800b1a6b1 lib/core/settings.py cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82 lib/core/shell.py bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725 lib/core/subprocessng.py 70ea3768f1b3062b22d20644df41c86238157ec80dd43da40545c620714273c6 lib/core/target.py diff --git a/lib/core/patch.py b/lib/core/patch.py index 35fde349782..b2ca4aee9d8 100644 --- a/lib/core/patch.py +++ b/lib/core/patch.py @@ -185,7 +185,11 @@ class RestrictedUnpickler(pickle.Unpickler): def find_class(self, module, name): # blacklist for OS-level execution modules if module in ("os", "subprocess", "sys", "posix", "nt", "pty", "commands", "shutil"): - raise ValueError("Unpickling of module '%s' is forbidden" % module) + raise ValueError("unpickling of module '%s' is forbidden" % module) + + # partial whitelist for builtins to allow safe data types but block eval/exec/__import__ + if module in ("builtins", "__builtin__") and name not in ("set", "frozenset", "dict", "list", "tuple", "int", "float", "bool", "str", "bytes", "bytearray", "object", "NoneType"): + raise ValueError("unpickling of '%s.%s' is forbidden" % (module, name)) # Python 2/3 method resolution if hasattr(pickle.Unpickler, "find_class"): diff --git a/lib/core/settings.py b/lib/core/settings.py index 3120a62a6cf..83d70fed1b9 100644 --- a/lib/core/settings.py +++ b/lib/core/settings.py @@ -20,7 +20,7 @@ from thirdparty import six # sqlmap version (...) -VERSION = "1.10.6.43" +VERSION = "1.10.6.44" TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable" TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34} VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE) From 0ac9883767c30bdbc03ae0d437491bafb180118c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miroslav=20=C5=A0tampar?= Date: Fri, 5 Jun 2026 13:27:48 +0200 Subject: [PATCH 4/9] Minor patch --- data/txt/sha256sums.txt | 4 ++-- lib/core/common.py | 3 +-- lib/core/settings.py | 2 +- 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt index 012ddba34dc..3218c3771a5 100644 --- a/data/txt/sha256sums.txt +++ b/data/txt/sha256sums.txt @@ -167,7 +167,7 @@ d69e84f1648cdb907f5d2dd454f03874a4613752b07867510145d51d84b3c56f lib/controller 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3 lib/controller/__init__.py b2555d11529689f5d7d02bee0741d3228969e2bf29a2b9140bf1560ff60249e7 lib/core/agent.py b13462712ec5ac07541dba98631ddcda279d210b838f363d15ac97a1413b67a2 lib/core/bigarray.py -1521efe57f554759e2550527970367615b92f3341bcb72831432a2863805a281 lib/core/common.py +abb79fbf4cdd2e57e16d6145ef87e99e9b31a4d04f6c29dcebef4b48cf3f727e lib/core/common.py a6397b10de7ae7c56ed6b0fa3b3c58eb7a9dbede61bf93d786e73258175c981e lib/core/compat.py 461f2666d500f9a91210fec558e6ee68af61c752de5498490bc96c11b32a6b0a lib/core/convert.py c03dc585f89642cfd81b087ac2723e3e1bb3bfa8c60e6f5fe58ef3b0113ebfe6 lib/core/data.py @@ -188,7 +188,7 @@ c03dc585f89642cfd81b087ac2723e3e1bb3bfa8c60e6f5fe58ef3b0113ebfe6 lib/core/data. 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3 lib/core/replication.py 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6 lib/core/revision.py 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c lib/core/session.py -cee91b682232e472c25a1853f74d6b737243d702bcacf44e59ec755800b1a6b1 lib/core/settings.py +ac91726194d43811630cf88ff3e1e72dbedc46b24ad34d478f459b37c3ae6e48 lib/core/settings.py cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82 lib/core/shell.py bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725 lib/core/subprocessng.py 70ea3768f1b3062b22d20644df41c86238157ec80dd43da40545c620714273c6 lib/core/target.py diff --git a/lib/core/common.py b/lib/core/common.py index 335e1f27a1c..fa73d5c2809 100644 --- a/lib/core/common.py +++ b/lib/core/common.py @@ -2971,11 +2971,10 @@ def urldecode(value, encoding=None, unsafe="%%?&=;+%s" % CUSTOM_INJECTION_MARK_C result = _urllib.parse.unquote_plus(value) if spaceplus else _urllib.parse.unquote(value) else: result = value - charset = set(string.printable) - set(unsafe) def _(match): char = decodeHex(match.group(1), binary=False) - return char if char in charset else match.group(0) + return char if char not in unsafe else match.group(0) if spaceplus: result = result.replace('+', ' ') # plus sign has a special meaning in URL encoded data (hence the usage of _urllib.parse.unquote_plus in convall case) diff --git a/lib/core/settings.py b/lib/core/settings.py index 83d70fed1b9..81461f3a68f 100644 --- a/lib/core/settings.py +++ b/lib/core/settings.py @@ -20,7 +20,7 @@ from thirdparty import six # sqlmap version (...) -VERSION = "1.10.6.44" +VERSION = "1.10.6.45" TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable" TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34} VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE) From 5a4a8eed622d1ff9fea8a50168da5497b25f2aa1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miroslav=20=C5=A0tampar?= Date: Fri, 5 Jun 2026 13:35:01 +0200 Subject: [PATCH 5/9] Minor patch --- data/txt/sha256sums.txt | 4 ++-- lib/core/convert.py | 5 ++++- lib/core/settings.py | 2 +- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt index 3218c3771a5..9a0b6dde110 100644 --- a/data/txt/sha256sums.txt +++ b/data/txt/sha256sums.txt @@ -169,7 +169,7 @@ b2555d11529689f5d7d02bee0741d3228969e2bf29a2b9140bf1560ff60249e7 lib/core/agent b13462712ec5ac07541dba98631ddcda279d210b838f363d15ac97a1413b67a2 lib/core/bigarray.py abb79fbf4cdd2e57e16d6145ef87e99e9b31a4d04f6c29dcebef4b48cf3f727e lib/core/common.py a6397b10de7ae7c56ed6b0fa3b3c58eb7a9dbede61bf93d786e73258175c981e lib/core/compat.py -461f2666d500f9a91210fec558e6ee68af61c752de5498490bc96c11b32a6b0a lib/core/convert.py +e37bfd314a46699b14e1c8a5ea851d546d3a36bea8e5f37466ef2921ff78fefd lib/core/convert.py c03dc585f89642cfd81b087ac2723e3e1bb3bfa8c60e6f5fe58ef3b0113ebfe6 lib/core/data.py 6acb645b1f285b21673c70824b03f6209acc5993b50e50da5ed2c713a30626f5 lib/core/datatype.py 70fb2528e580b22564899595b0dff6b1bc257c6a99d2022ce3996a3d04e68e4e lib/core/decorators.py @@ -188,7 +188,7 @@ c03dc585f89642cfd81b087ac2723e3e1bb3bfa8c60e6f5fe58ef3b0113ebfe6 lib/core/data. 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3 lib/core/replication.py 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6 lib/core/revision.py 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c lib/core/session.py -ac91726194d43811630cf88ff3e1e72dbedc46b24ad34d478f459b37c3ae6e48 lib/core/settings.py +f707285b42754718c42d8298663681118f42710371310111f70ce5037356a7cb lib/core/settings.py cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82 lib/core/shell.py bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725 lib/core/subprocessng.py 70ea3768f1b3062b22d20644df41c86238157ec80dd43da40545c620714273c6 lib/core/target.py diff --git a/lib/core/convert.py b/lib/core/convert.py index 3d24fb54122..c79628d9a42 100644 --- a/lib/core/convert.py +++ b/lib/core/convert.py @@ -283,6 +283,8 @@ def getBytes(value, encoding=None, errors="strict", unsafe=True): >>> getBytes(u"foo\\\\x01\\\\x83\\\\xffbar") == b"foo\\x01\\x83\\xffbar" True + >>> getBytes(u"C:\\\\\\\\x64\\\\secrets.txt") == b"C:\\\\x64\\\\secrets.txt" + True """ retVal = value @@ -316,7 +318,8 @@ def getBytes(value, encoding=None, errors="strict", unsafe=True): retVal = value.encode(UNICODE_ENCODING, errors="replace") if unsafe: - retVal = re.sub(b"\\\\x([0-9a-f]{2})", lambda _: decodeHex(_.group(1)), retVal) + retVal = re.sub(b"(?...) -VERSION = "1.10.6.45" +VERSION = "1.10.6.46" TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable" TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34} VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE) From 8a1996601759b09906960e034b4cbf75384722db Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miroslav=20=C5=A0tampar?= Date: Fri, 5 Jun 2026 13:36:44 +0200 Subject: [PATCH 6/9] Minor patch for parsePasswordHash --- data/txt/sha256sums.txt | 4 ++-- lib/core/common.py | 9 ++++++--- lib/core/settings.py | 2 +- 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt index 9a0b6dde110..df016348ed6 100644 --- a/data/txt/sha256sums.txt +++ b/data/txt/sha256sums.txt @@ -167,7 +167,7 @@ d69e84f1648cdb907f5d2dd454f03874a4613752b07867510145d51d84b3c56f lib/controller 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3 lib/controller/__init__.py b2555d11529689f5d7d02bee0741d3228969e2bf29a2b9140bf1560ff60249e7 lib/core/agent.py b13462712ec5ac07541dba98631ddcda279d210b838f363d15ac97a1413b67a2 lib/core/bigarray.py -abb79fbf4cdd2e57e16d6145ef87e99e9b31a4d04f6c29dcebef4b48cf3f727e lib/core/common.py +df59ab7c23d2cf96ea951a9a91f95865b79008ff4131e9178b346e274d920dff lib/core/common.py a6397b10de7ae7c56ed6b0fa3b3c58eb7a9dbede61bf93d786e73258175c981e lib/core/compat.py e37bfd314a46699b14e1c8a5ea851d546d3a36bea8e5f37466ef2921ff78fefd lib/core/convert.py c03dc585f89642cfd81b087ac2723e3e1bb3bfa8c60e6f5fe58ef3b0113ebfe6 lib/core/data.py @@ -188,7 +188,7 @@ c03dc585f89642cfd81b087ac2723e3e1bb3bfa8c60e6f5fe58ef3b0113ebfe6 lib/core/data. 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3 lib/core/replication.py 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6 lib/core/revision.py 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c lib/core/session.py -f707285b42754718c42d8298663681118f42710371310111f70ce5037356a7cb lib/core/settings.py +137217753ef641cf3c1488a9f3b39f4097fa471579263922f6ad4bcdb976ba03 lib/core/settings.py cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82 lib/core/shell.py bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725 lib/core/subprocessng.py 70ea3768f1b3062b22d20644df41c86238157ec80dd43da40545c620714273c6 lib/core/target.py diff --git a/lib/core/common.py b/lib/core/common.py index fa73d5c2809..7102ebe706a 100644 --- a/lib/core/common.py +++ b/lib/core/common.py @@ -1464,10 +1464,13 @@ def parsePasswordHash(password): retVal = "%s\n" % password retVal += "%sheader: %s\n" % (blank, password[:6]) retVal += "%ssalt: %s\n" % (blank, password[6:14]) - retVal += "%smixedcase: %s\n" % (blank, password[14:54]) - if password[54:]: - retVal += "%suppercase: %s" % (blank, password[54:]) + if password.startswith("0x0200"): + retVal += "%shash: %s\n" % (blank, password[14:]) + else: + retVal += "%smixedcase: %s\n" % (blank, password[14:54]) + if password[54:]: + retVal += "%suppercase: %s" % (blank, password[54:]) return retVal diff --git a/lib/core/settings.py b/lib/core/settings.py index 52259b9037b..273f8d730d8 100644 --- a/lib/core/settings.py +++ b/lib/core/settings.py @@ -20,7 +20,7 @@ from thirdparty import six # sqlmap version (...) -VERSION = "1.10.6.46" +VERSION = "1.10.6.47" TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable" TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34} VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE) From 899447fbae7da4420550fd68d715df2f4667ca18 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miroslav=20=C5=A0tampar?= Date: Fri, 5 Jun 2026 13:46:14 +0200 Subject: [PATCH 7/9] Improvement of compat/LooseVersion --- data/txt/sha256sums.txt | 4 ++-- lib/core/compat.py | 26 +++++--------------------- lib/core/settings.py | 2 +- 3 files changed, 8 insertions(+), 24 deletions(-) diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt index df016348ed6..74d072716ec 100644 --- a/data/txt/sha256sums.txt +++ b/data/txt/sha256sums.txt @@ -168,7 +168,7 @@ d69e84f1648cdb907f5d2dd454f03874a4613752b07867510145d51d84b3c56f lib/controller b2555d11529689f5d7d02bee0741d3228969e2bf29a2b9140bf1560ff60249e7 lib/core/agent.py b13462712ec5ac07541dba98631ddcda279d210b838f363d15ac97a1413b67a2 lib/core/bigarray.py df59ab7c23d2cf96ea951a9a91f95865b79008ff4131e9178b346e274d920dff lib/core/common.py -a6397b10de7ae7c56ed6b0fa3b3c58eb7a9dbede61bf93d786e73258175c981e lib/core/compat.py +f30b4eccdb574731fa7e6ef48e71ea82d4bc99be70a2e27bff230943e9039313 lib/core/compat.py e37bfd314a46699b14e1c8a5ea851d546d3a36bea8e5f37466ef2921ff78fefd lib/core/convert.py c03dc585f89642cfd81b087ac2723e3e1bb3bfa8c60e6f5fe58ef3b0113ebfe6 lib/core/data.py 6acb645b1f285b21673c70824b03f6209acc5993b50e50da5ed2c713a30626f5 lib/core/datatype.py @@ -188,7 +188,7 @@ c03dc585f89642cfd81b087ac2723e3e1bb3bfa8c60e6f5fe58ef3b0113ebfe6 lib/core/data. 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3 lib/core/replication.py 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6 lib/core/revision.py 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c lib/core/session.py -137217753ef641cf3c1488a9f3b39f4097fa471579263922f6ad4bcdb976ba03 lib/core/settings.py +e6c3dfc0f97da5075c618e81d2737f2069d6b9cc21e77c2c63c120d2e11c1b43 lib/core/settings.py cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82 lib/core/shell.py bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725 lib/core/subprocessng.py 70ea3768f1b3062b22d20644df41c86238157ec80dd43da40545c620714273c6 lib/core/target.py diff --git a/lib/core/compat.py b/lib/core/compat.py index 7020863da46..6816703320e 100644 --- a/lib/core/compat.py +++ b/lib/core/compat.py @@ -286,34 +286,18 @@ def LooseVersion(version): True >>> LooseVersion("1.0.1") > LooseVersion("1.0") True - >>> LooseVersion("1.0.1-") == LooseVersion("1.0.1") - True >>> LooseVersion("1.0.11") < LooseVersion("1.0.111") True - >>> LooseVersion("foobar") > LooseVersion("1.0") - False - >>> LooseVersion("1.0") > LooseVersion("foobar") - False - >>> LooseVersion("3.22-mysql") == LooseVersion("3.22-mysql-ubuntu0.3") + >>> LooseVersion("8.0.22") > LooseVersion("8.0.2") True - >>> LooseVersion("8.0.22-0ubuntu0.20.04.2") - 8.000022 + >>> LooseVersion("1.0alpha-beta-gama") + (1, 0) """ - match = re.search(r"\A(\d[\d.]*)", version or "") - if match: - result = 0 - value = match.group(1) - weight = 1.0 - for part in value.strip('.').split('.'): - if part.isdigit(): - result += int(part) * weight - weight *= 1e-3 + return tuple(int(part) for part in match.group(1).strip('.').split('.') if part.isdigit()) else: - result = float("NaN") - - return result + return () # NOTE: codecs.open re-implementation (deprecated in Python 3.14) diff --git a/lib/core/settings.py b/lib/core/settings.py index 273f8d730d8..a580d3e069e 100644 --- a/lib/core/settings.py +++ b/lib/core/settings.py @@ -20,7 +20,7 @@ from thirdparty import six # sqlmap version (...) -VERSION = "1.10.6.47" +VERSION = "1.10.6.48" TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable" TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34} VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE) From 430399c72a8af6bb2ae2b30c10ff82dd872f713e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miroslav=20=C5=A0tampar?= Date: Fri, 5 Jun 2026 13:52:10 +0200 Subject: [PATCH 8/9] Minor improvement of BigArray/pop() --- data/txt/sha256sums.txt | 4 ++-- lib/core/bigarray.py | 24 +++++++++++++++++------- lib/core/settings.py | 2 +- 3 files changed, 20 insertions(+), 10 deletions(-) diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt index 74d072716ec..c985192df52 100644 --- a/data/txt/sha256sums.txt +++ b/data/txt/sha256sums.txt @@ -166,7 +166,7 @@ c1881685bef8504ded32c51abed00ab51849008c84b74e8a66117e5f5041b3df lib/controller d69e84f1648cdb907f5d2dd454f03874a4613752b07867510145d51d84b3c56f lib/controller/handler.py 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3 lib/controller/__init__.py b2555d11529689f5d7d02bee0741d3228969e2bf29a2b9140bf1560ff60249e7 lib/core/agent.py -b13462712ec5ac07541dba98631ddcda279d210b838f363d15ac97a1413b67a2 lib/core/bigarray.py +aeed026c6717af3b410fb6182e48f1193e87aec1b3e3412979c09c3c257e8363 lib/core/bigarray.py df59ab7c23d2cf96ea951a9a91f95865b79008ff4131e9178b346e274d920dff lib/core/common.py f30b4eccdb574731fa7e6ef48e71ea82d4bc99be70a2e27bff230943e9039313 lib/core/compat.py e37bfd314a46699b14e1c8a5ea851d546d3a36bea8e5f37466ef2921ff78fefd lib/core/convert.py @@ -188,7 +188,7 @@ c03dc585f89642cfd81b087ac2723e3e1bb3bfa8c60e6f5fe58ef3b0113ebfe6 lib/core/data. 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3 lib/core/replication.py 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6 lib/core/revision.py 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c lib/core/session.py -e6c3dfc0f97da5075c618e81d2737f2069d6b9cc21e77c2c63c120d2e11c1b43 lib/core/settings.py +cb5636c13b3718468a10b085a37b4d6f78c626d968884031c80a44aee7f7453e lib/core/settings.py cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82 lib/core/shell.py bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725 lib/core/subprocessng.py 70ea3768f1b3062b22d20644df41c86238157ec80dd43da40545c620714273c6 lib/core/target.py diff --git a/lib/core/bigarray.py b/lib/core/bigarray.py index 7e33524b8d4..5cbb9ae298b 100644 --- a/lib/core/bigarray.py +++ b/lib/core/bigarray.py @@ -151,16 +151,26 @@ def pop(self): with self._lock: if not self.chunks[-1] and len(self.chunks) > 1: self.chunks.pop() + filename = self.chunks[-1] + idx = len(self.chunks) - 1 + + if self.cache and self.cache.index == idx and self.cache.dirty: + self.chunks[-1] = self.cache.data + self.cache.dirty = False + else: + try: + with open(filename, "rb") as f: + self.chunks[-1] = pickle.loads(zlib.decompress(f.read())) + except IOError as ex: + errMsg = "exception occurred while retrieving data " + errMsg += "from a temporary file ('%s')" % ex + raise SqlmapSystemException(errMsg) + try: - filename = self.chunks[-1] - with open(filename, "rb") as f: - self.chunks[-1] = pickle.loads(zlib.decompress(f.read())) self._os_remove(filename) self.filenames.discard(filename) - except IOError as ex: - errMsg = "exception occurred while retrieving data " - errMsg += "from a temporary file ('%s')" % ex - raise SqlmapSystemException(errMsg) + except OSError: + pass return self.chunks[-1].pop() diff --git a/lib/core/settings.py b/lib/core/settings.py index a580d3e069e..13823d35b5e 100644 --- a/lib/core/settings.py +++ b/lib/core/settings.py @@ -20,7 +20,7 @@ from thirdparty import six # sqlmap version (...) -VERSION = "1.10.6.48" +VERSION = "1.10.6.49" TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable" TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34} VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE) From e48cce3fa3afa16d80534bcaa1b00723c615d699 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miroslav=20=C5=A0tampar?= Date: Fri, 5 Jun 2026 14:02:07 +0200 Subject: [PATCH 9/9] Minor just in case patch for BigArray --- data/txt/sha256sums.txt | 4 ++-- lib/core/bigarray.py | 20 +++++++++++++++----- lib/core/settings.py | 2 +- 3 files changed, 18 insertions(+), 8 deletions(-) diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt index c985192df52..ad78327cf20 100644 --- a/data/txt/sha256sums.txt +++ b/data/txt/sha256sums.txt @@ -166,7 +166,7 @@ c1881685bef8504ded32c51abed00ab51849008c84b74e8a66117e5f5041b3df lib/controller d69e84f1648cdb907f5d2dd454f03874a4613752b07867510145d51d84b3c56f lib/controller/handler.py 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3 lib/controller/__init__.py b2555d11529689f5d7d02bee0741d3228969e2bf29a2b9140bf1560ff60249e7 lib/core/agent.py -aeed026c6717af3b410fb6182e48f1193e87aec1b3e3412979c09c3c257e8363 lib/core/bigarray.py +ca3e5ce56cb1cae0a8e815425ab6810068004bffe8861d1037c7c87c0ae02477 lib/core/bigarray.py df59ab7c23d2cf96ea951a9a91f95865b79008ff4131e9178b346e274d920dff lib/core/common.py f30b4eccdb574731fa7e6ef48e71ea82d4bc99be70a2e27bff230943e9039313 lib/core/compat.py e37bfd314a46699b14e1c8a5ea851d546d3a36bea8e5f37466ef2921ff78fefd lib/core/convert.py @@ -188,7 +188,7 @@ c03dc585f89642cfd81b087ac2723e3e1bb3bfa8c60e6f5fe58ef3b0113ebfe6 lib/core/data. 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3 lib/core/replication.py 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6 lib/core/revision.py 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c lib/core/session.py -cb5636c13b3718468a10b085a37b4d6f78c626d968884031c80a44aee7f7453e lib/core/settings.py +03c22d641e9f45aaaa0006bcbbaeb9987c21d1ecf78337dbe889ccfa1b8848ea lib/core/settings.py cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82 lib/core/shell.py bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725 lib/core/subprocessng.py 70ea3768f1b3062b22d20644df41c86238157ec80dd43da40545c620714273c6 lib/core/target.py diff --git a/lib/core/bigarray.py b/lib/core/bigarray.py index 5cbb9ae298b..7b8bb595bce 100644 --- a/lib/core/bigarray.py +++ b/lib/core/bigarray.py @@ -233,12 +233,22 @@ def _checkcache(self, index): raise SqlmapSystemException(errMsg) def __getstate__(self): - if self.cache and self.cache.dirty: - filename = self._dump(self.cache.data) - self.chunks[self.cache.index] = filename - self.cache.dirty = False + with self._lock: + if self.cache and self.cache.dirty: + old_filename = self.chunks[self.cache.index] + filename = self._dump(self.cache.data) + self.chunks[self.cache.index] = filename + + if isinstance(old_filename, STRING_TYPES): + try: + self._os_remove(old_filename) + self.filenames.discard(old_filename) + except OSError: + pass + + self.cache.dirty = False - return self.chunks, self.filenames, self.chunk_length + return self.chunks, self.filenames, self.chunk_length def __setstate__(self, state): self.__init__() diff --git a/lib/core/settings.py b/lib/core/settings.py index 13823d35b5e..4736479b7ec 100644 --- a/lib/core/settings.py +++ b/lib/core/settings.py @@ -20,7 +20,7 @@ from thirdparty import six # sqlmap version (...) -VERSION = "1.10.6.49" +VERSION = "1.10.6.50" TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable" TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34} VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)