Adding new tamper script plus2concat (thank you Luka Pusic)

extra/shutils/pylint.py

@@ -20,8 +20,8 @@ def check(module):
         print "CHECKING ", module
         pout = os.popen("pylint --rcfile=/dev/null %s" % module, 'r')
         for line in pout:
-            if  re.match("E....:.", line):
-                print line
+            if  re.match("\AE:", line):
+                print line.strip()
             if __RATING__ and "Your code has been rated at" in line:
                 print line
                 score = re.findall("\d.\d\d", line)[0]

lib/core/common.py

@@ -141,6 +141,7 @@ from lib.core.settings import REFLECTED_REPLACEMENT_REGEX
 from lib.core.settings import REFLECTED_VALUE_MARKER
 from lib.core.settings import REFLECTIVE_MISS_THRESHOLD
 from lib.core.settings import SENSITIVE_DATA_REGEX
+from lib.core.settings import SENSITIVE_OPTIONS
 from lib.core.settings import SUPPORTED_DBMS
 from lib.core.settings import TEXT_TAG_REGEX
 from lib.core.settings import TIME_STDEV_COEFF
@@ -3242,7 +3243,7 @@ def maskSensitiveData(msg):
 
     retVal = getUnicode(msg)
 
-    for item in filter(None, map(lambda x: conf.get(x), ("hostname", "data", "dnsDomain", "googleDork", "authCred", "proxyCred", "tbl", "db", "col", "user", "cookie", "proxy", "rFile", "wFile", "dFile"))):
+    for item in filter(None, map(lambda x: conf.get(x), SENSITIVE_OPTIONS)):
         regex = SENSITIVE_DATA_REGEX % re.sub("(\W)", r"\\\1", getUnicode(item))
         while extractRegexResult(regex, retVal):
             value = extractRegexResult(regex, retVal)
@@ -3706,7 +3707,7 @@ def asciifyUrl(url, forceQuote=False):
 
 def isAdminFromPrivileges(privileges):
     """
-    Inspects privileges to see if those are comming from an admin user
+    Inspects privileges to see if those are coming from an admin user
     """
 
     # In PostgreSQL the usesuper privilege means that the
@@ -3785,6 +3786,11 @@ def findPageForms(content, url, raise_=False, addToTargets=False):
                                     item.selected = True
                                 break
 
+                if conf.crawlExclude and re.search(conf.crawlExclude, form.action or ""):
+                    dbgMsg = "skipping '%s'" % form.action
+                    logger.debug(dbgMsg)
+                    continue
+
                 request = form.click()
             except (ValueError, TypeError), ex:
                 errMsg = "there has been a problem while "

lib/core/convert.py

@@ -87,7 +87,7 @@ def base64unpickle(value, unsafe=False):
         f = StringIO.StringIO(str)
         if unsafe:
             unpickler = picklePy.Unpickler(f)
-            unpickler.dispatch[pickle.REDUCE] = _
+            unpickler.dispatch[picklePy.REDUCE] = _
         else:
             unpickler = pickle.Unpickler(f)
         return unpickler.load()

lib/core/option.py

@@ -5,6 +5,7 @@ Copyright (c) 2006-2016 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
+import binascii
 import cookielib
 import glob
 import inspect
@@ -218,7 +219,10 @@ def _feedTargetsDict(reqFile, addedTargetUrls):
                 reqResList = []
                 for match in re.finditer(BURP_XML_HISTORY_REGEX, content, re.I | re.S):
                     port, request = match.groups()
-                    request = request.decode("base64")
+                    try:
+                        request = request.decode("base64")
+                    except binascii.Error:
+                        continue
                     _ = re.search(r"%s:.+" % re.escape(HTTP_HEADER.HOST), request)
                     if _:
                         host = _.group(0).strip()
@@ -2228,7 +2232,7 @@ def _mergeOptions(inputOptions, overrideOptions):
             _normalizeOptions(inputOptions)
         except Exception, ex:
             errMsg = "provided invalid value '%s' for option '--pickled-options'" % inputOptions.pickledOptions
-            errMsg += " ('%s')" % ex if ex.message else ""
+            errMsg += " (%s)" % repr(ex)
             raise SqlmapSyntaxException(errMsg)
 
     if inputOptions.configFile:

lib/core/optiondict.py

@@ -40,6 +40,7 @@ optDict = {
                                "authFile":          "string",
                                "ignore401":         "boolean",
                                "ignoreProxy":       "boolean",
+                               "ignoreRedirects":   "boolean",
                                "ignoreTimeouts":    "boolean",
                                "proxy":             "string",
                                "proxyCred":         "string",

lib/core/replication.py

@@ -10,6 +10,7 @@ import sqlite3
 from extra.safe2bin.safe2bin import safechardecode
 from lib.core.common import getSafeExString
 from lib.core.common import unsafeSQLIdentificatorNaming
+from lib.core.exception import SqlmapConnectionException
 from lib.core.exception import SqlmapGenericException
 from lib.core.exception import SqlmapValueException
 from lib.core.settings import UNICODE_ENCODING
@@ -21,10 +22,15 @@ class Replication(object):
     """
 
     def __init__(self, dbpath):
-        self.dbpath = dbpath
-        self.connection = sqlite3.connect(dbpath)
-        self.connection.isolation_level = None
-        self.cursor = self.connection.cursor()
+        try:
+            self.dbpath = dbpath
+            self.connection = sqlite3.connect(dbpath)
+            self.connection.isolation_level = None
+            self.cursor = self.connection.cursor()
+        except sqlite3.OperationalError, ex:
+            errMsg = "error occurred while opening a replication "
+            errMsg += "file '%s' ('%s')" % (self.filepath, getSafeExString(ex))
+            raise SqlmapConnectionException(errMsg)
 
     class DataType:
         """

lib/core/settings.py

@@ -19,7 +19,7 @@ from lib.core.enums import DBMS_DIRECTORY_NAME
 from lib.core.enums import OS
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.0.11.0"
+VERSION = "1.0.12.0"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
@@ -343,6 +343,9 @@ URI_INJECTABLE_REGEX = r"//[^/]*/([^\.*?]+)\Z"
 # Regex used for masking sensitive data
 SENSITIVE_DATA_REGEX = "(\s|=)(?P<result>[^\s=]*%s[^\s]*)\s"
 
+# Options to explicitly mask in anonymous (unhandled exception) reports (along with anything carrying the <hostname> inside)
+SENSITIVE_OPTIONS = ("hostname", "data", "dnsDomain", "googleDork", "authCred", "proxyCred", "tbl", "db", "col", "user", "cookie", "proxy", "rFile", "wFile", "dFile", "testParameter", "authCred")
+
 # Maximum number of threads (avoiding connection issues and/or DoS)
 MAX_NUMBER_OF_THREADS = 10
 

lib/parse/cmdline.py

@@ -155,6 +155,9 @@ def cmdLineParser(argv=None):
         request.add_option("--ignore-proxy", dest="ignoreProxy", action="store_true",
                            help="Ignore system default proxy settings")
 
+        request.add_option("--ignore-redirects", dest="ignoreRedirects", action="store_true",
+                          help="Ignore redirection attempts")
+
         request.add_option("--ignore-timeouts", dest="ignoreTimeouts", action="store_true",
                           help="Ignore connection timeouts")
 
@@ -891,7 +894,7 @@ def cmdLineParser(argv=None):
         for i in xrange(len(argv)):
             if argv[i] == "-hh":
                 argv[i] = "-h"
-            elif len(argv[i]) > 1 and all(ord(_) in xrange(0x2018, 0x2020) for _ in (argv[i][0], argv[i][-1])):
+            elif len(argv[i]) > 1 and all(ord(_) in xrange(0x2018, 0x2020) for _ in ((argv[i].split('=', 1)[-1].strip() or ' ')[0], argv[i][-1])):
                 dataToStdout("[!] copy-pasting illegal (non-console) quote characters from Internet is, well, illegal (%s)\n" % argv[i])
                 raise SystemExit
             elif re.search(r"\A-\w=.+", argv[i]):

lib/request/httpshandler.py

@@ -7,6 +7,7 @@ See the file 'doc/COPYING' for copying permission
 
 import distutils.version
 import httplib
+import re
 import socket
 import urllib2
 
@@ -47,7 +48,7 @@ class HTTPSConnection(httplib.HTTPSConnection):
 
         # Reference(s): https://docs.python.org/2/library/ssl.html#ssl.SSLContext
         #               https://www.mnot.net/blog/2014/12/27/python_2_and_tls_sni
-        if kb.tlsSNI.get(self.host) != False and hasattr(ssl, "SSLContext"):
+        if re.search(r"\A[\d.]+\Z", self.host) is None and kb.tlsSNI.get(self.host) != False and hasattr(ssl, "SSLContext"):
             for protocol in filter(lambda _: _ >= ssl.PROTOCOL_TLSv1, _protocols):
                 try:
                     sock = create_sock()

lib/request/redirecthandler.py

@@ -71,7 +71,7 @@ class SmartRedirectHandler(urllib2.HTTPRedirectHandler):
 
     def http_error_302(self, req, fp, code, msg, headers):
         content = None
-        redurl = self._get_header_redirect(headers)
+        redurl = self._get_header_redirect(headers) if not conf.ignoreRedirects else None
 
         try:
             content = fp.read(MAX_CONNECTION_TOTAL_SIZE)

lib/techniques/blind/inference.py

@@ -94,8 +94,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
             return 0, retVal
 
     try:
-        # Set kb.partRun in case "common prediction" feature (a.k.a. "good
-        # samaritan") is used or the engine is called from the API
+        # Set kb.partRun in case "common prediction" feature (a.k.a. "good samaritan") is used or the engine is called from the API
         if conf.predictOutput:
             kb.partRun = getPartRun()
         elif hasattr(conf, "api"):
@@ -107,8 +106,10 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
             firstChar = len(partialValue)
         elif "LENGTH(" in expression.upper() or "LEN(" in expression.upper():
             firstChar = 0
-        elif dump and conf.firstChar is not None and (isinstance(conf.firstChar, int) or (isinstance(conf.firstChar, basestring) and conf.firstChar.isdigit())):
+        elif (kb.fileReadMode or dump) and conf.firstChar is not None and (isinstance(conf.firstChar, int) or (isinstance(conf.firstChar, basestring) and conf.firstChar.isdigit())):
             firstChar = int(conf.firstChar) - 1
+            if kb.fileReadMode:
+                firstChar *= 2
         elif isinstance(firstChar, basestring) and firstChar.isdigit() or isinstance(firstChar, int):
             firstChar = int(firstChar) - 1
         else:

lib/utils/hashdb.py

@@ -17,7 +17,7 @@ from lib.core.common import serializeObject
 from lib.core.common import singleTimeWarnMessage
 from lib.core.common import unserializeObject
 from lib.core.data import logger
-from lib.core.exception import SqlmapDataException
+from lib.core.exception import SqlmapConnectionException
 from lib.core.settings import HASHDB_END_TRANSACTION_RETRIES
 from lib.core.settings import HASHDB_FLUSH_RETRIES
 from lib.core.settings import HASHDB_FLUSH_THRESHOLD
@@ -44,7 +44,7 @@ class HashDB(object):
             except Exception, ex:
                 errMsg = "error occurred while opening a session "
                 errMsg += "file '%s' ('%s')" % (self.filepath, getSafeExString(ex))
-                raise SqlmapDataException(errMsg)
+                raise SqlmapConnectionException(errMsg)
 
         return threadData.hashDBCursor
 
@@ -92,7 +92,7 @@ class HashDB(object):
                     except sqlite3.DatabaseError, ex:
                         errMsg = "error occurred while accessing session file '%s' ('%s'). " % (self.filepath, getSafeExString(ex))
                         errMsg += "If the problem persists please rerun with `--flush-session`"
-                        raise SqlmapDataException, errMsg
+                        raise SqlmapConnectionException, errMsg
                     else:
                         break
 

sqlmap.conf

@@ -106,6 +106,10 @@ ignore401 = False
 # Valid: True or False
 ignoreProxy = False
 
+# Ignore redirection attempts.
+# Valid: True or False
+ignoreRedirects = False
+
 # Ignore connection timeouts.
 # Valid: True or False
 ignoreTimeouts = False

sqlmap.py

@@ -214,7 +214,7 @@ def main():
                 dataToStdout(excMsg)
                 raise SystemExit
 
-            elif "/tamper/" in excMsg:
+            elif "tamper/" in excMsg:
                 logger.critical(errMsg)
                 print
                 dataToStdout(excMsg)

sqlmapapi.py

@@ -37,9 +37,9 @@ def main():
     apiparser = optparse.OptionParser()
     apiparser.add_option("-s", "--server", help="Act as a REST-JSON API server", default=RESTAPI_DEFAULT_PORT, action="store_true")
     apiparser.add_option("-c", "--client", help="Act as a REST-JSON API client", default=RESTAPI_DEFAULT_PORT, action="store_true")
-    apiparser.add_option("-H", "--host", help="Host of the REST-JSON API server", default=RESTAPI_DEFAULT_ADDRESS, action="store")
-    apiparser.add_option("-p", "--port", help="Port of the the REST-JSON API server", default=RESTAPI_DEFAULT_PORT, type="int", action="store")
-    apiparser.add_option("--adapter", help="Server (bottle) adapter to use (default %s)" % RESTAPI_DEFAULT_ADAPTER, default=RESTAPI_DEFAULT_ADAPTER, action="store")
+    apiparser.add_option("-H", "--host", help="Host of the REST-JSON API server (default \"%s\")" % RESTAPI_DEFAULT_ADDRESS, default=RESTAPI_DEFAULT_ADDRESS, action="store")
+    apiparser.add_option("-p", "--port", help="Port of the the REST-JSON API server (default %d)" % RESTAPI_DEFAULT_PORT, default=RESTAPI_DEFAULT_PORT, type="int", action="store")
+    apiparser.add_option("--adapter", help="Server (bottle) adapter to use (default \"%s\")" % RESTAPI_DEFAULT_ADAPTER, default=RESTAPI_DEFAULT_ADAPTER, action="store")
     (args, _) = apiparser.parse_args()
 
     # Start the client or the server

tamper/plus2concat.py

@@ -0,0 +1,57 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2016 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+from lib.core.common import zeroDepthSearch
+from lib.core.enums import PRIORITY
+
+__priority__ = PRIORITY.HIGHEST
+
+def dependencies():
+    pass
+
+def tamper(payload, **kwargs):
+    """
+    Replaces plus ('+') character with function CONCAT()
+
+    Tested against:
+        * Microsoft SQL Server 2012
+
+    Requirements:
+        * Microsoft SQL Server 2012+
+
+    Notes:
+        * Useful in case ('+') character is filtered
+
+    >>> tamper('SELECT CHAR(113)+CHAR(114)+CHAR(115) FROM DUAL')
+    'SELECT CONCAT(CHAR(113),CHAR(114),CHAR(115)) FROM DUAL'
+    """
+
+    retVal = payload
+
+    if payload:
+        while True:
+            indexes = zeroDepthSearch(retVal, '+')
+            if indexes:
+                first, last = 0, 0
+                for i in xrange(1, len(indexes)):
+                    if ' ' in retVal[indexes[0]:indexes[i]]:
+                        break
+                    else:
+                        last = i
+
+                start = retVal[:indexes[first]].rfind(' ') + 1
+                end = (retVal[indexes[last] + 1:].find(' ') + indexes[last] + 1) if ' ' in retVal[indexes[last] + 1:] else len(retVal) - 1
+
+                chars = [char for char in retVal]
+                for index in indexes[first:last + 1]:
+                    chars[index] = ','
+
+                retVal = "%sCONCAT(%s)%s" % (retVal[:start], ''.join(chars)[start:end], retVal[end:])
+            else:
+                break
+
+    return retVal

txt/checksum.md5

@@ -15,7 +15,7 @@ d229479d02d21b29f209143cb0547780  extra/shellcodeexec/linux/shellcodeexec.x32_
 2fe2f94eebc62f7614f0391a8a90104f  extra/shellcodeexec/linux/shellcodeexec.x64_
 c55b400b72acc43e0e59c87dd8bb8d75  extra/shellcodeexec/windows/shellcodeexec.x32.exe_
 b46521e29ea3d813bab5aeb16cac6498  extra/shutils/duplicates.py
-4bf52b3fd5e906b9bbe104dda769f5c5  extra/shutils/pylint.py
+8cd064eea3506e5dd913e03171bc418f  extra/shutils/pylint.py
 a8dd1f5799ed863a80b94c36b5428528  extra/shutils/regressiontest.py
 cc9c82cfffd8ee9b25ba3af6284f057e  extra/sqlharvest/__init__.py
 4f2f817596540d82f9fcc0c5b2228beb  extra/sqlharvest/sqlharvest.py
@@ -26,8 +26,8 @@ ec007a1424da78cfdae90da6ae49ed9b  lib/controller/handler.py
 cc9c82cfffd8ee9b25ba3af6284f057e  lib/controller/__init__.py
 04f16204c899438dc7599a9a8426bfee  lib/core/agent.py
 eb0bd28b0bd9fbf67dcc3119116df377  lib/core/bigarray.py
-136246c879e7a15309ed892ea4c1c3eb  lib/core/common.py
-7a23d2365f7de1a7d20d065a31c04d49  lib/core/convert.py
+aef64655185ac789696de9ba73d65ec9  lib/core/common.py
+ab5ef8fe4e4beaef4016d458d0fdefe3  lib/core/convert.py
 e77cca1cb063016f71f6e6bdebf4ec73  lib/core/data.py
 1d042f0bc0557d3fd564ea5a46deb77e  lib/core/datatype.py
 e4ca0fd47f20cf7ba6a5f5cbf980073c  lib/core/decorators.py
@@ -38,14 +38,14 @@ b218e03ef7426fb0414881b05add1092  lib/core/enums.py
 e4aec2b11c1ad6039d0c3dbbfbc5eb1a  lib/core/exception.py
 cc9c82cfffd8ee9b25ba3af6284f057e  lib/core/__init__.py
 91c514013daa796e2cdd940389354eac  lib/core/log.py
-d027df65e7cbb99758daf77aaa6ab61c  lib/core/optiondict.py
-6a67d7d1e09c0630df77e55d78cbff13  lib/core/option.py
+86c86d2ee9e0eb74b13c16797b7dfc51  lib/core/optiondict.py
+eb5e96b4baef52ad172e0359c1783d83  lib/core/option.py
 7af487340c138f7b5dbd443161cbb428  lib/core/profiling.py
 e60456db5380840a586654344003d4e6  lib/core/readlineng.py
-5ef56abb8671c2ca6ceecb208258e360  lib/core/replication.py
+b3a62d41a5af6cd7fa733b6227febb0c  lib/core/replication.py
 99a2b496b9d5b546b335653ca801153f  lib/core/revision.py
 7c15dd2777af4dac2c89cab6df17462e  lib/core/session.py
-c956b2508dd6a0b390b5ed3467f8009f  lib/core/settings.py
+079c062fb2fa5b45e2dbbf25323bc48a  lib/core/settings.py
 7af83e4f18cab6dff5e67840eb65be80  lib/core/shell.py
 23657cd7d924e3c6d225719865855827  lib/core/subprocessng.py
 c3ace7874a536d801f308cf1fd03df99  lib/core/target.py
@@ -56,7 +56,7 @@ d43f059747ffd48952922c94152e2a07  lib/core/testing.py
 8485a3cd94c0a5af2718bad60c5f1ae5  lib/core/wordlist.py
 cc9c82cfffd8ee9b25ba3af6284f057e  lib/__init__.py
 c1288bc4ce5651dbdd82d4a9435fdc03  lib/parse/banner.py
-81c02216ed37b40bb98eb78fe038344c  lib/parse/cmdline.py
+ba4c9a57e87f54c647ca29a14fa82f9c  lib/parse/cmdline.py
 8ec4d4f02634834701f8258726f2e511  lib/parse/configfile.py
 fe4e2152292587928edb94c9a4d311ff  lib/parse/handler.py
 8e6bfb13e5a34b2610f3ff23467a34cf  lib/parse/headers.py
@@ -70,13 +70,13 @@ c48285682a61d49982cb508351013cb4  lib/request/comparison.py
 9bff6fe291805380c6a74d0cda6684a5  lib/request/connect.py
 d4d52c1073c75a6eecd2ebb98b670b96  lib/request/direct.py
 4ae7f4570fb859045f0487cc0b055a8e  lib/request/dns.py
-70ceefe39980611494d4f99afb96f652  lib/request/httpshandler.py
+58f63132eb56ad41ae6af4fe61933a2d  lib/request/httpshandler.py
 cc9c82cfffd8ee9b25ba3af6284f057e  lib/request/__init__.py
 62aff2a7bdd43f6e4d33385f57ec3e4c  lib/request/inject.py
 3fc323d525beddd14cd4d4dca4934fa8  lib/request/methodrequest.py
 585a6705cfac79f795b835affb80c901  lib/request/pkihandler.py
 b2ffd261947994f4a4af555d468b4970  lib/request/rangehandler.py
-53eede2efbfabc7315ea99756a03f49d  lib/request/redirecthandler.py
+30eda640dc427585c3dbf4762a30bd38  lib/request/redirecthandler.py
 4d838b086f128a94a91aa293ca1e0719  lib/request/templates.py
 937b7e276f25ccac5a2ac0bf9b1ef434  lib/takeover/abstraction.py
 3ecf028d8d93025d2a12c6f6fc13adb2  lib/takeover/icmpsh.py
@@ -86,7 +86,7 @@ cc9c82cfffd8ee9b25ba3af6284f057e  lib/takeover/__init__.py
 7d6cd7bdfc8f4bc4e8aed60c84cdf87f  lib/takeover/udf.py
 d9bdcc17091374c53ad2eea7fd72a909  lib/takeover/web.py
 9af83a62de360184f1c14e69b8a95cfe  lib/takeover/xp_cmdshell.py
-c066bd01bd02135841e4f6875644ebd2  lib/techniques/blind/inference.py
+0ad6fbd71649f736083c00e58de750b9  lib/techniques/blind/inference.py
 cc9c82cfffd8ee9b25ba3af6284f057e  lib/techniques/blind/__init__.py
 cc9c82cfffd8ee9b25ba3af6284f057e  lib/techniques/brute/__init__.py
 d36effffe64e63ef9b3be490f850e2cc  lib/techniques/brute/use.py
@@ -103,7 +103,7 @@ f5d6884cdeed28281187c111d3e49e3b  lib/techniques/union/test.py
 8cdc8c1e663c3b92a756fb7b02cc3c02  lib/utils/crawler.py
 84604ae4cf0f31602b412036b51f5dae  lib/utils/deps.py
 4dfd3a95e73e806f62372d63bc82511f  lib/utils/getch.py
-b3f589e6e634b1d57f6bc6f1709c8ab1  lib/utils/hashdb.py
+f71a7b0aec145ba77edd3c4543621fb9  lib/utils/hashdb.py
 0330607242d4f704ae6d7bba5f52ccae  lib/utils/hash.py
 a3e885f7d4c6ff05db1156244bb84158  lib/utils/htmlentities.py
 cc9c82cfffd8ee9b25ba3af6284f057e  lib/utils/__init__.py
@@ -223,8 +223,8 @@ ff90cb0366f7cefbdd6e573e27e6238c  shell/runcmd.exe_
 c3cc8b7727161e64ab59f312c33b541a  shell/stager.aspx_
 1f7f125f30e0e800beb21e2ebbab18e1  shell/stager.jsp_
 01e3505e796edf19aad6a996101c81c9  shell/stager.php_
-56702e95555adee718b6a11ee7098fd4  sqlmapapi.py
-42480adeb9e5500bb3304d6a1572e2b4  sqlmap.py
+c3ee3d5e5eab01436d4d5e1dab0f32db  sqlmapapi.py
+c6c088ca8df6e60c63ef64767472bbcb  sqlmap.py
 1316deb997418507e76221c84ec99946  tamper/apostrophemask.py
 a6efe8f914c769c52afec703bd73609f  tamper/apostrophenullencode.py
 b1c56983919b69f4f6f0e7929c881e7a  tamper/appendnullbyte.py
@@ -252,6 +252,7 @@ c16c3ed0ce302034d99ee0b8f34fbd0b  tamper/modsecurityzeroversioned.py
 e65ff0680df2fc89444ec5953bb2f161  tamper/nonrecursivereplacement.py
 6780d738236ac200d230c4cb497bd1a2  tamper/overlongutf8.py
 3f05d5218b22280adcd91fe53830bcb4  tamper/percentage.py
+9741ad2359382dc8673189224995a5f7  tamper/plus2concat.py
 7a93f510f231278897650da1c7d13b23  tamper/randomcase.py
 34c255f3bca6d5fee2dfb18ed86d406f  tamper/randomcomments.py
 f5e9eb84d4c5e9a19fe7154a8aebe13d  tamper/securesphere.py
@@ -456,4 +457,4 @@ a279656ea3fcb85c727249b02f828383  xml/livetests.xml
 3194e2688a7576e1f877d5b137f7c260  xml/payloads/stacked_queries.xml
 c2d8dd03db5a663e79eabb4495dd0723  xml/payloads/time_blind.xml
 ac649aff0e7db413e4937e446e398736  xml/payloads/union_query.xml
-1587a02322a96ac48973e782d6fedf73  xml/queries.xml
+5bd467d86d7cb55fbe5f66e4ff9a6bec  xml/queries.xml

xml/queries.xml

@@ -463,6 +463,10 @@
         <length query="LENGTH(%s)"/>
         <isnull query="VALUE(%s,' ')" query2="IFNULL(%s,' ')"/>
         <delimiter query=","/>
+        <limit query="LIMIT %d,%d"/>
+        <limitregexp query="\s+LIMIT\s+([\d]+)\s*\,\s*([\d]+)"/>
+        <limitgroupstart query="1"/>
+        <limitgroupstop query="2"/>
         <!-- No real cast on SAP MaxDB -->
         <cast query="REPLACE(CHR(%s),' ','_')"/>
         <order query="ORDER BY %s ASC"/>
@@ -647,6 +651,7 @@
         </search_column>
     </dbms>
 
+    <!-- Hyper SQL Database -->
     <dbms value="HSQLDB">
         <cast query="CAST(%s AS LONGVARCHAR)"/>
         <length query="CHAR_LENGTH(%s)"/>