Version string bug fix

Translated README-it-IT in order to make it even more italian-friendly.

README.md

@@ -60,6 +60,7 @@ Translations
 * [French](https://github.com/sqlmapproject/sqlmap/blob/master/doc/translations/README-fr-FR.md)
 * [Greek](https://github.com/sqlmapproject/sqlmap/blob/master/doc/translations/README-gr-GR.md)
 * [Indonesian](https://github.com/sqlmapproject/sqlmap/blob/master/doc/translations/README-id-ID.md)
+* [Italian](https://github.com/sqlmapproject/sqlmap/blob/master/doc/translations/README-it-IT.md)
 * [Japanese](https://github.com/sqlmapproject/sqlmap/blob/master/doc/translations/README-ja-JP.md)
 * [Portuguese](https://github.com/sqlmapproject/sqlmap/blob/master/doc/translations/README-pt-BR.md)
 * [Spanish](https://github.com/sqlmapproject/sqlmap/blob/master/doc/translations/README-es-MX.md)

doc/translations/README-it-IT.md

@@ -0,0 +1,53 @@
+# sqlmap
+
+[![Build Status](https://api.travis-ci.org/sqlmapproject/sqlmap.svg?branch=master)](https://api.travis-ci.org/sqlmapproject/sqlmap) [![Python 2.6|2.7](https://img.shields.io/badge/python-2.6|2.7-yellow.svg)](https://www.python.org/) [![License](https://img.shields.io/badge/license-GPLv2-red.svg)](https://raw.githubusercontent.com/sqlmapproject/sqlmap/master/doc/COPYING) [![Twitter](https://img.shields.io/badge/twitter-@sqlmap-blue.svg)](https://twitter.com/sqlmap)
+
+sqlmap è uno strumento open source per il penetration testing. Il suo scopo è quello di rendere automatico il processo di scoperta ed exploit di vulnerabilità di tipo SQL injection al fine di compromettere database online. Dispone di un potente motore per la ricerca di vulnerabilità, molti strumenti di nicchia anche per il più esperto penetration tester ed un'ampia gamma di controlli che vanno dal fingerprinting di database allo scaricamento di dati, fino all'accesso al file system sottostante e l'esecuzione di comandi nel sistema operativo attraverso connessioni out-of-band.
+
+Screenshot
+----
+
+![Screenshot](https://raw.github.com/wiki/sqlmapproject/sqlmap/images/sqlmap_screenshot.png)
+
+Nella wiki puoi visitare [l'elenco di screenshot](https://github.com/sqlmapproject/sqlmap/wiki/Screenshots) che mostrano il funzionamento di alcune delle funzionalità del programma.
+
+Installazione
+----
+
+Puoi scaricare l'ultima tarball cliccando [qui](https://github.com/sqlmapproject/sqlmap/tarball/master) oppure l'ultima zipball cliccando [qui](https://github.com/sqlmapproject/sqlmap/zipball/master).
+
+La cosa migliore sarebbe però scaricare sqlmap clonando la repository [Git](https://github.com/sqlmapproject/sqlmap):
+
+    git clone https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
+
+sqlmap è in grado di funzionare con le versioni **2.6.x** e **2.7.x** di [Python](http://www.python.org/download/) su ogni piattaforma.
+
+Utilizzo
+----
+
+Per una lista delle opzioni e dei controlli di base:
+
+    python sqlmap.py -h
+
+Per una lista di tutte le opzioni e di tutti i controlli:
+
+    python sqlmap.py -hh
+
+Puoi trovare un esempio di esecuzione [qui](https://asciinema.org/a/46601).
+Per una panoramica delle capacità di sqlmap, una lista delle sue funzionalità e la descrizione di tutte le sue opzioni e controlli, insieme ad un gran numero di esempi, siete pregati di visitare lo [user's manual](https://github.com/sqlmapproject/sqlmap/wiki) (disponibile solo in inglese).
+
+Link
+----
+
+* Sito: http://sqlmap.org
+* Download: [.tar.gz](https://github.com/sqlmapproject/sqlmap/tarball/master) or [.zip](https://github.com/sqlmapproject/sqlmap/zipball/master)
+* RSS feed dei commit: https://github.com/sqlmapproject/sqlmap/commits/master.atom
+* Issue tracker: https://github.com/sqlmapproject/sqlmap/issues
+* Manuale dell'utente: https://github.com/sqlmapproject/sqlmap/wiki
+* Domande più frequenti (FAQ): https://github.com/sqlmapproject/sqlmap/wiki/FAQ
+* Iscrizione alla Mailing list: https://lists.sourceforge.net/lists/listinfo/sqlmap-users
+* Mailing list RSS feed: http://rss.gmane.org/messages/complete/gmane.comp.security.sqlmap
+* Archivio della Mailing list: http://news.gmane.org/gmane.comp.security.sqlmap
+* Twitter: [@sqlmap](https://twitter.com/sqlmap)
+* Dimostrazioni: [http://www.youtube.com/user/inquisb/videos](http://www.youtube.com/user/inquisb/videos)
+* Screenshot: https://github.com/sqlmapproject/sqlmap/wiki/Screenshots

extra/shutils/postcommit-hook.sh

@@ -8,14 +8,16 @@ FULLPATH=${SCRIPTPATH%/*}/$SETTINGS
 
 if [ -f $FULLPATH ]
 then
-    LINE=$(grep -o ${FULLPATH} -e 'VERSION = "[0-9.]*"');
+    LINE=$(grep -o ${FULLPATH} -e 'VERSION = "[0-9.]*"')
-    declare -a LINE;
+    declare -a LINE
     NEW_TAG=$(python -c "import re, sys, time; version = re.search('\"([0-9.]*)\"', sys.argv[1]).group(1); _ = version.split('.'); print '.'.join(_[:-1]) if len(_) == 4 and _[-1] == '0' else ''" "$LINE")
     if [ -n "$NEW_TAG" ]
     then
         git commit -am "Automatic monthly tagging"
-        echo "Creating new tag ${NEW_TAG}";
+        echo "Creating new tag ${NEW_TAG}"
-        git tag $NEW_TAG;
+        git tag $NEW_TAG
         git push origin $NEW_TAG
+        echo "Going to push PyPI package"
+        /bin/bash ${SCRIPTPATH%/*}/pypi.sh
     fi
-fi;
+fi

extra/shutils/precommit-hook.sh

@@ -10,20 +10,21 @@ PROJECT_FULLPATH=${SCRIPTPATH%/*}/$PROJECT
 SETTINGS_FULLPATH=${SCRIPTPATH%/*}/$SETTINGS
 CHECKSUM_FULLPATH=${SCRIPTPATH%/*}/$CHECKSUM
 
-truncate -s 0 "$CHECKSUM_FULLPATH"
-cd $PROJECT_FULLPATH && for i in $(find . -name "*.py" -o -name "*.xml" -o -iname "*_" | sort); do git ls-files $i --error-unmatch &>/dev/null && md5sum $i | sed 's/\.\///' >> "$CHECKSUM_FULLPATH"; git add "$CHECKSUM_FULLPATH"; done
-
 if [ -f $SETTINGS_FULLPATH ]
 then
-    LINE=$(grep -o ${SETTINGS_FULLPATH} -e 'VERSION = "[0-9.]*"');
+    LINE=$(grep -o ${SETTINGS_FULLPATH} -e 'VERSION = "[0-9.]*"')
-    declare -a LINE;
+    declare -a LINE
     INCREMENTED=$(python -c "import re, sys, time; version = re.search('\"([0-9.]*)\"', sys.argv[1]).group(1); _ = version.split('.'); _.append(0) if len(_) < 3 else _; _[-1] = str(int(_[-1]) + 1); month = str(time.gmtime().tm_mon); _[-1] = '0' if _[-2] != month else _[-1]; _[-2] = month; print sys.argv[1].replace(version, '.'.join(_))" "$LINE")
     if [ -n "$INCREMENTED" ]
     then
-        sed "s/${LINE}/${INCREMENTED}/" $SETTINGS_FULLPATH > $SETTINGS_FULLPATH.tmp && mv $SETTINGS_FULLPATH.tmp $SETTINGS_FULLPATH
+        sed -i "s/${LINE}/${INCREMENTED}/" $SETTINGS_FULLPATH
-        echo "Updated ${INCREMENTED} in ${SETTINGS_FULLPATH}";
+        echo "Updated ${INCREMENTED} in ${SETTINGS_FULLPATH}"
     else
         echo "Something went wrong in VERSION increment"
         exit 1
     fi
-fi;
+    git add "$SETTINGS_FULLPATH"
+fi
+
+truncate -s 0 "$CHECKSUM_FULLPATH"
+cd $PROJECT_FULLPATH && for i in $(find . -name "*.py" -o -name "*.xml" -o -iname "*_" | sort); do git ls-files $i --error-unmatch &>/dev/null && md5sum $i | stdbuf -i0 -o0 -e0 sed 's/\.\///' >> "$CHECKSUM_FULLPATH"; git add "$CHECKSUM_FULLPATH"; done

extra/shutils/pypi.sh

@@ -1,6 +1,9 @@
 #!/bin/bash
 
-VERSION=1.0.8
+declare -x SCRIPTPATH="${0}"
+SETTINGS="${SCRIPTPATH%/*}/../../lib/core/settings.py"
+VERSION=$(cat $SETTINGS | grep -E "^VERSION =" | cut -d '"' -f 2 | cut -d '.' -f 1-3)
+TYPE=pip
 TMP_DIR=/tmp/pypi
 mkdir $TMP_DIR
 cd $TMP_DIR
@@ -22,10 +25,21 @@ setup(
     author_email='bernardo@sqlmap.org, miroslav@sqlmap.org',
     url='https://sqlmap.org',
     download_url='https://github.com/sqlmapproject/sqlmap/archive/$VERSION.zip',
-    license='GPLv2',
+    license='GNU General Public License v2 (GPLv2)',
     packages=find_packages(),
     include_package_data=True,
     zip_safe=False,
+    # https://pypi.python.org/pypi?%3Aaction=list_classifiers
+    classifiers=[
+        'Development Status :: 5 - Production/Stable',
+        'License :: OSI Approved :: GNU General Public License v2 (GPLv2)',
+        'Natural Language :: English',
+        'Operating System :: OS Independent',
+        'Programming Language :: Python',
+        'Environment :: Console',
+        'Topic :: Database',
+        'Topic :: Security',
+    ],
     entry_points={
         'console_scripts': [
             'sqlmap = sqlmap.sqlmap:main',
@@ -48,9 +62,116 @@ See the file 'doc/COPYING' for copying permission
 import os
 import sys
 
+sys.dont_write_bytecode = True
 sys.path.insert(0, os.path.dirname(os.path.abspath(__file__)))
 EOF
+cat > README.rst << "EOF"
+sqlmap
+======
+
+|Build Status| |Python 2.6|2.7| |License| |Twitter|
+
+sqlmap is an open source penetration testing tool that automates the
+process of detecting and exploiting SQL injection flaws and taking over
+of database servers. It comes with a powerful detection engine, many
+niche features for the ultimate penetration tester and a broad range of
+switches lasting from database fingerprinting, over data fetching from
+the database, to accessing the underlying file system and executing
+commands on the operating system via out-of-band connections.
+
+Screenshots
+-----------
+
+.. figure:: https://raw.github.com/wiki/sqlmapproject/sqlmap/images/sqlmap_screenshot.png
+   :alt: Screenshot
+
+
+You can visit the `collection of
+screenshots <https://github.com/sqlmapproject/sqlmap/wiki/Screenshots>`__
+demonstrating some of features on the wiki.
+
+Installation
+------------
+
+You can use pip to install and/or upgrade the sqlmap to latest (monthly) tagged version with: ::
+
+    pip install --upgrade sqlmap
+
+Alternatively, you can download the latest tarball by clicking
+`here <https://github.com/sqlmapproject/sqlmap/tarball/master>`__ or
+latest zipball by clicking
+`here <https://github.com/sqlmapproject/sqlmap/zipball/master>`__.
+
+If you prefer fetching daily updates, you can download sqlmap by cloning the
+`Git <https://github.com/sqlmapproject/sqlmap>`__ repository:
+
+::
+
+    git clone https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
+
+sqlmap works out of the box with
+`Python <http://www.python.org/download/>`__ version **2.6.x** and
+**2.7.x** on any platform.
+
+Usage
+-----
+
+To get a list of basic options and switches use:
+
+::
+
+    python sqlmap.py -h
+
+To get a list of all options and switches use:
+
+::
+
+    python sqlmap.py -hh
+
+You can find a sample run `here <https://asciinema.org/a/46601>`__. To
+get an overview of sqlmap capabilities, list of supported features and
+description of all options and switches, along with examples, you are
+advised to consult the `user's
+manual <https://github.com/sqlmapproject/sqlmap/wiki>`__.
+
+Links
+-----
+
+-  Homepage: http://sqlmap.org
+-  Download:
+   `.tar.gz <https://github.com/sqlmapproject/sqlmap/tarball/master>`__
+   or `.zip <https://github.com/sqlmapproject/sqlmap/zipball/master>`__
+-  Commits RSS feed:
+   https://github.com/sqlmapproject/sqlmap/commits/master.atom
+-  Issue tracker: https://github.com/sqlmapproject/sqlmap/issues
+-  User's manual: https://github.com/sqlmapproject/sqlmap/wiki
+-  Frequently Asked Questions (FAQ):
+   https://github.com/sqlmapproject/sqlmap/wiki/FAQ
+-  Mailing list subscription:
+   https://lists.sourceforge.net/lists/listinfo/sqlmap-users
+-  Mailing list RSS feed:
+   http://rss.gmane.org/messages/complete/gmane.comp.security.sqlmap
+-  Mailing list archive:
+   http://news.gmane.org/gmane.comp.security.sqlmap
+-  Twitter: [@sqlmap](https://twitter.com/sqlmap)
+-  Demos: http://www.youtube.com/user/inquisb/videos
+-  Screenshots: https://github.com/sqlmapproject/sqlmap/wiki/Screenshots
+
+.. |Build Status| image:: https://api.travis-ci.org/sqlmapproject/sqlmap.svg?branch=master
+   :target: https://api.travis-ci.org/sqlmapproject/sqlmap
+.. |Python 2.6|2.7| image:: https://img.shields.io/badge/python-2.6|2.7-yellow.svg
+   :target: https://www.python.org/
+.. |License| image:: https://img.shields.io/badge/license-GPLv2-red.svg
+   :target: https://raw.githubusercontent.com/sqlmapproject/sqlmap/master/doc/COPYING
+.. |Twitter| image:: https://img.shields.io/badge/twitter-@sqlmap-blue.svg
+   :target: https://twitter.com/sqlmap
+
+.. pandoc --from=markdown --to=rst --output=README.rst sqlmap/README.md
+.. http://rst.ninjs.org/
+EOF
+sed -i "s/^VERSION =.*/VERSION = \"$VERSION\"/g" sqlmap/lib/core/settings.py
+sed -i "s/^TYPE =.*/TYPE = \"$TYPE\"/g" sqlmap/lib/core/settings.py
+sed -i "s/.*lib\/core\/settings\.py/`md5sum sqlmap/lib/core/settings.py | cut -d ' ' -f 1`  lib\/core\/settings\.py/g" sqlmap/txt/checksum.md5
 for file in $(find sqlmap -type f | grep -v -E "\.(git|yml)"); do echo include $file >> MANIFEST.in; done
-python setup.py sdist
 python setup.py sdist upload
 rm -rf $TMP_DIR

lib/core/option.py

@@ -155,6 +155,7 @@ from lib.utils.deps import checkDependencies
 from lib.utils.search import search
 from lib.utils.purge import purge
 from thirdparty.keepalive import keepalive
+from thirdparty.multipart import multipartpost
 from thirdparty.oset.pyoset import oset
 from thirdparty.socks import socks
 from xml.etree.ElementTree import ElementTree
@@ -165,6 +166,7 @@ keepAliveHandler = keepalive.HTTPHandler()
 proxyHandler = urllib2.ProxyHandler()
 redirectHandler = SmartRedirectHandler()
 rangeHandler = HTTPRangeHandler()
+multipartPostHandler = multipartpost.MultipartPostHandler()
 
 def _feedTargetsDict(reqFile, addedTargetUrls):
     """
@@ -1164,7 +1166,7 @@ def _setHTTPHandlers():
     debugMsg = "creating HTTP requests opener object"
     logger.debug(debugMsg)
 
-    handlers = filter(None, [proxyHandler if proxyHandler.proxies else None, authHandler, redirectHandler, rangeHandler, httpsHandler])
+    handlers = filter(None, [multipartPostHandler, proxyHandler if proxyHandler.proxies else None, authHandler, redirectHandler, rangeHandler, httpsHandler])
 
     if not conf.dropSetCookie:
         if not conf.loadCookies:

lib/core/settings.py

@@ -19,10 +19,11 @@ from lib.core.enums import OS
 from lib.core.revision import getRevisionNumber
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.0.8.2"
+VERSION = "1.0.9.1"
 REVISION = getRevisionNumber()
-STABLE = VERSION.count('.') <= 2
+TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
-VERSION_STRING = "sqlmap/%s#%s" % (VERSION, "stable" if STABLE else "dev")
+TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
+VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
 DESCRIPTION = "automatic SQL injection and database takeover tool"
 SITE = "http://sqlmap.org"
 ISSUES_PAGE = "https://github.com/sqlmapproject/sqlmap/issues/new"
@@ -35,7 +36,7 @@ BANNER = """\033[01;33m         _
 |_ -| . | |     | .'| . |
 |___|_  |_|_|_|_|__,|  _|
       |_|           |_|   \033[0m\033[4;37m%s\033[0m\n
-""" % ((31 + hash(VERSION) % 6) if not STABLE else 30, VERSION_STRING.split('/')[-1], SITE)
+""" % (TYPE_COLORS.get(TYPE, 31), VERSION_STRING.split('/')[-1], SITE)
 
 # Minimum distance of ratio from kb.matchRatio to result in True
 DIFF_TOLERANCE = 0.05

lib/parse/cmdline.py

@@ -938,7 +938,7 @@ def cmdLineParser(argv=None):
             args.requestFile, args.updateAll, args.smokeTest, args.liveTest, args.wizard, args.dependencies, \
             args.purgeOutput, args.pickledOptions, args.sitemapUrl)):
             errMsg = "missing a mandatory option (-d, -u, -l, -m, -r, -g, -c, -x, --wizard, --update, --purge-output or --dependencies), "
-            errMsg += "use -h for basic or -hh for advanced help"
+            errMsg += "use -h for basic or -hh for advanced help\n"
             parser.error(errMsg)
 
         return args

lib/request/comparison.py

@@ -55,9 +55,6 @@ def _comparison(page, headers, code, getRatioValue, pageLength):
     if page is None and pageLength is None:
         return None
 
-    seqMatcher = threadData.seqMatcher
-    seqMatcher.set_seq1(kb.pageTemplate)
-
     if any((conf.string, conf.notString, conf.regexp)):
         rawResponse = "%s%s" % (listToStrValue(headers.headers) if headers else "", page)
 
@@ -77,6 +74,9 @@ def _comparison(page, headers, code, getRatioValue, pageLength):
     if conf.code:
         return conf.code == code
 
+    seqMatcher = threadData.seqMatcher
+    seqMatcher.set_seq1(kb.pageTemplate)
+
     if page:
         # In case of an DBMS error page return None
         if kb.errorIsNone and (wasLastResponseDBMSError() or wasLastResponseHTTPError()) and not kb.negativeLogic:

lib/request/connect.py

@@ -110,7 +110,6 @@ from lib.request.basic import processResponse
 from lib.request.direct import direct
 from lib.request.comparison import comparison
 from lib.request.methodrequest import MethodRequest
-from thirdparty.multipart import multipartpost
 from thirdparty.odict.odict import OrderedDict
 from thirdparty.socks.socks import ProxyError
 
@@ -242,7 +241,7 @@ class Connect(object):
         referer = kwargs.get("referer",             None) or conf.referer
         host = kwargs.get("host",                   None) or conf.host
         direct_ = kwargs.get("direct",              False)
-        multipart = kwargs.get("multipart",         False)
+        multipart = kwargs.get("multipart",         None)
         silent = kwargs.get("silent",               False)
         raise404 = kwargs.get("raise404",           True)
         timeout = kwargs.get("timeout",             None) or conf.timeout
@@ -254,6 +253,9 @@ class Connect(object):
         crawling = kwargs.get("crawling",           False)
         skipRead = kwargs.get("skipRead",           False)
 
+        if multipart:
+            post = multipart
+
         websocket_ = url.lower().startswith("ws")
 
         if not urlparse.urlsplit(url).netloc:
@@ -298,20 +300,6 @@ class Connect(object):
                     params = urlencode(params)
                     url = "%s?%s" % (url, params)
 
-            elif multipart:
-                # Needed in this form because of potential circle dependency
-                # problem (option -> update -> connect -> option)
-                from lib.core.option import proxyHandler
-
-                multipartOpener = urllib2.build_opener(proxyHandler, multipartpost.MultipartPostHandler)
-                conn = multipartOpener.open(unicodeencode(url), multipart)
-                page = Connect._connReadProxy(conn) if not skipRead else None
-                responseHeaders = conn.info()
-                responseHeaders[URI_HTTP_HEADER] = conn.geturl()
-                page = decodePage(page, responseHeaders.get(HTTP_HEADER.CONTENT_ENCODING), responseHeaders.get(HTTP_HEADER.CONTENT_TYPE))
-
-                return page
-
             elif any((refreshing, crawling)):
                 pass
 
@@ -364,7 +352,7 @@ class Connect(object):
             if not getHeader(headers, HTTP_HEADER.ACCEPT_ENCODING):
                 headers[HTTP_HEADER.ACCEPT_ENCODING] = HTTP_ACCEPT_ENCODING_HEADER_VALUE if kb.pageCompress else "identity"
 
-            if post is not None and not getHeader(headers, HTTP_HEADER.CONTENT_TYPE):
+            if post is not None and not multipart and not getHeader(headers, HTTP_HEADER.CONTENT_TYPE):
                 headers[HTTP_HEADER.CONTENT_TYPE] = POST_HINT_CONTENT_TYPES.get(kb.postHint, DEFAULT_CONTENT_TYPE)
 
             if headers.get(HTTP_HEADER.CONTENT_TYPE) == POST_HINT_CONTENT_TYPES[POST_HINT.MULTIPART]:
@@ -455,9 +443,10 @@ class Connect(object):
 
                 requestMsg += "\n"
 
-                threadData.lastRequestMsg = requestMsg
+                if not multipart:
+                    threadData.lastRequestMsg = requestMsg
 
-                logger.log(CUSTOM_LOGGING.TRAFFIC_OUT, requestMsg)
+                    logger.log(CUSTOM_LOGGING.TRAFFIC_OUT, requestMsg)
 
                 if conf.cj:
                     for cookie in conf.cj:
@@ -578,7 +567,8 @@ class Connect(object):
             elif conf.verbose > 5:
                 responseMsg += "%s\n\n%s" % (logHeaders, (page or "")[:MAX_CONNECTION_CHUNK_SIZE])
 
-            logger.log(CUSTOM_LOGGING.TRAFFIC_IN, responseMsg)
+            if not multipart:
+                logger.log(CUSTOM_LOGGING.TRAFFIC_IN, responseMsg)
 
             if ex.code == httplib.UNAUTHORIZED and not conf.ignore401:
                 errMsg = "not authorized, try to provide right HTTP "
@@ -711,7 +701,8 @@ class Connect(object):
         elif conf.verbose > 5:
             responseMsg += "%s\n\n%s" % (logHeaders, (page or "")[:MAX_CONNECTION_CHUNK_SIZE])
 
-        logger.log(CUSTOM_LOGGING.TRAFFIC_IN, responseMsg)
+        if not multipart:
+            logger.log(CUSTOM_LOGGING.TRAFFIC_IN, responseMsg)
 
         return page, responseHeaders, code
 

lib/request/httpshandler.py

@@ -87,8 +87,9 @@ class HTTPSConnection(httplib.HTTPSConnection):
 
         if not success:
             errMsg = "can't establish SSL connection"
-            if distutils.version.LooseVersion(PYVERSION) < distutils.version.LooseVersion("2.7.10"):
+            # Reference: https://docs.python.org/2/library/ssl.html
-                errMsg += " (please retry with Python >= 2.7.10)"
+            if distutils.version.LooseVersion(PYVERSION) < distutils.version.LooseVersion("2.7.9"):
+                errMsg += " (please retry with Python >= 2.7.9)"
             raise SqlmapConnectionException(errMsg)
 
 class HTTPSHandler(urllib2.HTTPSHandler):

lib/utils/api.py

@@ -224,7 +224,7 @@ class StdDbOut(object):
                     # Ignore all non-relevant messages
                     return
 
-            output = conf.database_cursor.execute(
+            output = conf.databaseCursor.execute(
                 "SELECT id, status, value FROM data WHERE taskid = ? AND content_type = ?",
                 (self.taskid, content_type))
 
@@ -232,25 +232,25 @@ class StdDbOut(object):
             if status == CONTENT_STATUS.COMPLETE:
                 if len(output) > 0:
                     for index in xrange(len(output)):
-                        conf.database_cursor.execute("DELETE FROM data WHERE id = ?",
+                        conf.databaseCursor.execute("DELETE FROM data WHERE id = ?",
                                                      (output[index][0],))
 
-                conf.database_cursor.execute("INSERT INTO data VALUES(NULL, ?, ?, ?, ?)",
+                conf.databaseCursor.execute("INSERT INTO data VALUES(NULL, ?, ?, ?, ?)",
                                              (self.taskid, status, content_type, jsonize(value)))
                 if kb.partRun:
                     kb.partRun = None
 
             elif status == CONTENT_STATUS.IN_PROGRESS:
                 if len(output) == 0:
-                    conf.database_cursor.execute("INSERT INTO data VALUES(NULL, ?, ?, ?, ?)",
+                    conf.databaseCursor.execute("INSERT INTO data VALUES(NULL, ?, ?, ?, ?)",
                                                  (self.taskid, status, content_type,
                                                   jsonize(value)))
                 else:
                     new_value = "%s%s" % (dejsonize(output[0][2]), value)
-                    conf.database_cursor.execute("UPDATE data SET value = ? WHERE id = ?",
+                    conf.databaseCursor.execute("UPDATE data SET value = ? WHERE id = ?",
                                                  (jsonize(new_value), output[0][0]))
         else:
-            conf.database_cursor.execute("INSERT INTO errors VALUES(NULL, ?, ?)",
+            conf.databaseCursor.execute("INSERT INTO errors VALUES(NULL, ?, ?)",
                                          (self.taskid, str(value) if value else ""))
 
     def flush(self):
@@ -269,7 +269,7 @@ class LogRecorder(logging.StreamHandler):
         Record emitted events to IPC database for asynchronous I/O
         communication with the parent process
         """
-        conf.database_cursor.execute("INSERT INTO logs VALUES(NULL, ?, ?, ?, ?)",
+        conf.databaseCursor.execute("INSERT INTO logs VALUES(NULL, ?, ?, ?, ?)",
                                      (conf.taskid, time.strftime("%X"), record.levelname,
                                       record.msg % record.args if record.args else record.msg))
 
@@ -277,8 +277,8 @@ class LogRecorder(logging.StreamHandler):
 def setRestAPILog():
     if hasattr(conf, "api"):
         try:
-            conf.database_cursor = Database(conf.database)
+            conf.databaseCursor = Database(conf.database)
-            conf.database_cursor.connect("client")
+            conf.databaseCursor.connect("client")
         except sqlite3.OperationalError, ex:
             raise SqlmapConnectionException, "%s ('%s')" % (ex, conf.database)
 
@@ -722,7 +722,8 @@ def client(host=RESTAPI_DEFAULT_ADDRESS, port=RESTAPI_DEFAULT_PORT):
 
     while True:
         try:
-            command = raw_input("api%s> " % (" (%s)" % taskid if taskid else "")).strip().lower()
+            command = raw_input("api%s> " % (" (%s)" % taskid if taskid else "")).strip()
+            command = re.sub(r"\A(\w+)", lambda match: match.group(1).lower(), command)
         except (EOFError, KeyboardInterrupt):
             print
             break

sqlmap.py

@@ -202,6 +202,7 @@ def main():
                 print
                 dataToStdout(excMsg)
                 raise SystemExit
+
             elif any(_ in excMsg for _ in ("No space left", "Disk quota exceeded")):
                 errMsg = "no space left on output device"
                 logger.error(errMsg)
@@ -219,6 +220,11 @@ def main():
                 logger.error(errMsg)
                 raise SystemExit
 
+            elif "OperationalError: disk I/O error" in excMsg:
+                errMsg = "I/O error on output device"
+                logger.error(errMsg)
+                raise SystemExit
+
             elif "_mkstemp_inner" in excMsg:
                 errMsg = "there has been a problem while accessing temporary files"
                 logger.error(errMsg)
@@ -300,7 +306,7 @@ def main():
 
         if hasattr(conf, "api"):
             try:
-                conf.database_cursor.disconnect()
+                conf.databaseCursor.disconnect()
             except KeyboardInterrupt:
                 pass
 
@@ -314,10 +320,10 @@ def main():
                 time.sleep(0.01)
         except KeyboardInterrupt:
             pass
-
+        finally:
-        # Reference: http://stackoverflow.com/questions/1635080/terminate-a-multi-thread-python-program
+            # Reference: http://stackoverflow.com/questions/1635080/terminate-a-multi-thread-python-program
-        if threading.activeCount() > 1:
+            if threading.activeCount() > 1:
-            os._exit(0)
+                os._exit(0)
 
 if __name__ == "__main__":
     main()

thirdparty/clientform/clientform.py

@@ -1142,7 +1142,7 @@ def _ParseFileEx(file, base_uri,
         try:
             form.fixup()
         except AttributeError, ex:
-            if not any(_ in str(ex) for _ in ("item is disabled", "is readonly")):
+            if not any(_ in str(ex) for _ in ("is disabled", "is readonly")):
                 raise
     return forms
 

thirdparty/multipart/multipartpost.py

@@ -47,13 +47,13 @@ class MultipartPostHandler(urllib2.BaseHandler):
     def http_request(self, request):
         data = request.get_data()
 
-        if data is not None and type(data) != str:
+        if isinstance(data, dict):
             v_files = []
             v_vars = []
 
             try:
                 for(key, value) in data.items():
-                    if isinstance(value, file) or hasattr(value, 'file') or isinstance(value, StringIO.StringIO):
+                    if isinstance(value, file) or hasattr(value, "file") or isinstance(value, StringIO.StringIO):
                         v_files.append((key, value))
                     else:
                         v_vars.append((key, value))
@@ -65,10 +65,10 @@ class MultipartPostHandler(urllib2.BaseHandler):
                 data = urllib.urlencode(v_vars, doseq)
             else:
                 boundary, data = self.multipart_encode(v_vars, v_files)
-                contenttype = 'multipart/form-data; boundary=%s' % boundary
+                contenttype = "multipart/form-data; boundary=%s" % boundary
-                #if (request.has_header('Content-Type') and request.get_header('Content-Type').find('multipart/form-data') != 0):
+                #if (request.has_header("Content-Type") and request.get_header("Content-Type").find("multipart/form-data") != 0):
-                #    print "Replacing %s with %s" % (request.get_header('content-type'), 'multipart/form-data')
+                #    print "Replacing %s with %s" % (request.get_header("content-type"), "multipart/form-data")
-                request.add_unredirected_header('Content-Type', contenttype)
+                request.add_unredirected_header("Content-Type", contenttype)
 
             request.add_data(data)
         return request
@@ -78,32 +78,32 @@ class MultipartPostHandler(urllib2.BaseHandler):
             boundary = mimetools.choose_boundary()
 
         if buf is None:
-            buf = ''
+            buf = ""
 
         for (key, value) in vars:
             if key is not None and value is not None:
-                buf += '--%s\r\n' % boundary
+                buf += "--%s\r\n" % boundary
-                buf += 'Content-Disposition: form-data; name="%s"' % key
+                buf += "Content-Disposition: form-data; name=\"%s\"" % key
-                buf += '\r\n\r\n' + value + '\r\n'
+                buf += "\r\n\r\n" + value + "\r\n"
 
         for (key, fd) in files:
             file_size = os.fstat(fd.fileno())[stat.ST_SIZE] if isinstance(fd, file) else fd.len
-            filename = fd.name.split('/')[-1] if '/' in fd.name else fd.name.split('\\')[-1]
+            filename = fd.name.split("/")[-1] if "/" in fd.name else fd.name.split("\\")[-1]
             try:
-                contenttype = mimetypes.guess_type(filename)[0] or 'application/octet-stream'
+                contenttype = mimetypes.guess_type(filename)[0] or "application/octet-stream"
             except:
                 # Reference: http://bugs.python.org/issue9291
-                contenttype = 'application/octet-stream'
+                contenttype = "application/octet-stream"
-            buf += '--%s\r\n' % boundary
+            buf += "--%s\r\n" % boundary
-            buf += 'Content-Disposition: form-data; name="%s"; filename="%s"\r\n' % (key, filename)
+            buf += "Content-Disposition: form-data; name=\"%s\"; filename=\"%s\"\r\n" % (key, filename)
-            buf += 'Content-Type: %s\r\n' % contenttype
+            buf += "Content-Type: %s\r\n" % contenttype
-            # buf += 'Content-Length: %s\r\n' % file_size
+            # buf += "Content-Length: %s\r\n" % file_size
             fd.seek(0)
 
             buf = str(buf) if not isinstance(buf, unicode) else buf.encode("utf8")
-            buf += '\r\n%s\r\n' % fd.read()
+            buf += "\r\n%s\r\n" % fd.read()
 
-        buf += '--%s--\r\n\r\n' % boundary
+        buf += "--%s--\r\n\r\n" % boundary
 
         return boundary, buf
 

txt/checksum.md5

@@ -39,13 +39,13 @@ e4aec2b11c1ad6039d0c3dbbfbc5eb1a  lib/core/exception.py
 cc9c82cfffd8ee9b25ba3af6284f057e  lib/core/__init__.py
 91c514013daa796e2cdd940389354eac  lib/core/log.py
 b9779615206791e6ebbaa84947842b49  lib/core/optiondict.py
-85b144015724e1961e6c9ea1a42b329a  lib/core/option.py
+57109386dcff87507201f14a5821fd41  lib/core/option.py
 1e8948dddbd12def5c2af52530738059  lib/core/profiling.py
 e60456db5380840a586654344003d4e6  lib/core/readlineng.py
 5ef56abb8671c2ca6ceecb208258e360  lib/core/replication.py
 99a2b496b9d5b546b335653ca801153f  lib/core/revision.py
 7c15dd2777af4dac2c89cab6df17462e  lib/core/session.py
-1a0fab09e6840a52bdfec892fbd9ee53  lib/core/settings.py
+1a8eccb8108e213d7b7257302e82cef8  lib/core/settings.py
 7af83e4f18cab6dff5e67840eb65be80  lib/core/shell.py
 23657cd7d924e3c6d225719865855827  lib/core/subprocessng.py
 0bc2fae1dec18cdd11954b22358293f2  lib/core/target.py
@@ -57,7 +57,7 @@ e60456db5380840a586654344003d4e6  lib/core/readlineng.py
 354ecc0c6d3e0ac9c06ed897c4d52edf  lib/core/xmldump.py
 cc9c82cfffd8ee9b25ba3af6284f057e  lib/__init__.py
 c1288bc4ce5651dbdd82d4a9435fdc03  lib/parse/banner.py
-bf7fbfb04d6150d19ecfd9b25ee5618a  lib/parse/cmdline.py
+daea32290b63c43f7d1c0e14c66d4826  lib/parse/cmdline.py
 8ec4d4f02634834701f8258726f2e511  lib/parse/configfile.py
 fe4e2152292587928edb94c9a4d311ff  lib/parse/handler.py
 8e6bfb13e5a34b2610f3ff23467a34cf  lib/parse/headers.py
@@ -67,11 +67,11 @@ af6b8e1c6eb074b56bbd9cd80aebcd97  lib/parse/payloads.py
 b40a4c5d91770d347df36d3065b63798  lib/parse/sitemap.py
 9299f21804033f099681525bb9bf51c0  lib/request/basicauthhandler.py
 a3e83cfe7e6825fb1b70951ad290d2ae  lib/request/basic.py
-9d757c63413a15222af90d3648de9de3  lib/request/comparison.py
+97fb6323bfb5f941b27cbdb00f9078e1  lib/request/comparison.py
-72a0e7bb1010bb39c6538dbc77eae180  lib/request/connect.py
+8bc040159a145a1dfdf8a3fe76a0adbc  lib/request/connect.py
 49b4c583af68689de5f9acb162de2939  lib/request/direct.py
 1a46f7bb26b23ec0c0d9d9c95828241b  lib/request/dns.py
-567656470d23a42ab57ec55a03989dbb  lib/request/httpshandler.py
+70ceefe39980611494d4f99afb96f652  lib/request/httpshandler.py
 cc9c82cfffd8ee9b25ba3af6284f057e  lib/request/__init__.py
 aa155f8b27d56485d3ff15efa5e1b07a  lib/request/inject.py
 3fc323d525beddd14cd4d4dca4934fa8  lib/request/methodrequest.py
@@ -100,7 +100,7 @@ cc9c82cfffd8ee9b25ba3af6284f057e  lib/techniques/__init__.py
 cc9c82cfffd8ee9b25ba3af6284f057e  lib/techniques/union/__init__.py
 f5d6884cdeed28281187c111d3e49e3b  lib/techniques/union/test.py
 12ce1bb7ee5f1f23f58be12fe9fa8472  lib/techniques/union/use.py
-2dfc03a7322c46deb2e5353a7fd4be5e  lib/utils/api.py
+26c1babc6289fac9056f8b21d10f3bb1  lib/utils/api.py
 8cdc8c1e663c3b92a756fb7b02cc3c02  lib/utils/crawler.py
 393f8fd1684308213e1d2e6a9d4258c2  lib/utils/deps.py
 4dfd3a95e73e806f62372d63bc82511f  lib/utils/getch.py
@@ -218,7 +218,7 @@ c3cc8b7727161e64ab59f312c33b541a  shell/stager.aspx_
 1f7f125f30e0e800beb21e2ebbab18e1  shell/stager.jsp_
 01e3505e796edf19aad6a996101c81c9  shell/stager.php_
 56702e95555adee718b6a11ee7098fd4  sqlmapapi.py
-7e80fcefc56426ed780c48556b70a1f0  sqlmap.py
+bb63aa4415b779ddabe93b10300ce813  sqlmap.py
 1316deb997418507e76221c84ec99946  tamper/apostrophemask.py
 a6efe8f914c769c52afec703bd73609f  tamper/apostrophenullencode.py
 b1c56983919b69f4f6f0e7929c881e7a  tamper/appendnullbyte.py
@@ -311,7 +311,7 @@ ee25f2a03587e2c283eab0b36c9e5783  thirdparty/chardet/sbcsgroupprober.py
 c9349824f2647962175d321cc0c52134  thirdparty/chardet/sjisprober.py
 bcae4c645a737d3f0e7c96a66528ca4a  thirdparty/chardet/universaldetector.py
 6f8b3e25472c02fb45a75215a175991f  thirdparty/chardet/utf8prober.py
-b678dcd25ecb1533ffe2493b6e711bb1  thirdparty/clientform/clientform.py
+658da0466b798cc70f48f35fe49b7813  thirdparty/clientform/clientform.py
 722281d87fb13ec22555480f8f4c715b  thirdparty/clientform/__init__.py
 0b625ccefa6b066f79d3cbb3639267e6  thirdparty/colorama/ansi.py
 e52252bb81ce1a14b7245b53af33e75f  thirdparty/colorama/ansitowin32.py
@@ -329,7 +329,7 @@ e0c6a936506bffeed53ce106ec15942d  thirdparty/keepalive/keepalive.py
 d41d8cd98f00b204e9800998ecf8427e  thirdparty/magic/__init__.py
 49f0d123e044dd32a452e2fe51f1a9c3  thirdparty/magic/magic.py
 d41d8cd98f00b204e9800998ecf8427e  thirdparty/multipart/__init__.py
-fd52df5770ee286a7c186fdd2ccc4e0c  thirdparty/multipart/multipartpost.py
+03c8abc17b228e59bcfda1f11a9137e0  thirdparty/multipart/multipartpost.py
 3e502b04f3849afbb7f0e13b5fd2b5c1  thirdparty/odict/__init__.py
 127fe54fdb9b13fdac93c8fc9c9cad5e  thirdparty/odict/odict.py
 08801ea0ba9ae22885275ef65d3ee9dc  thirdparty/oset/_abc.py
@@ -426,6 +426,7 @@ b5ea5375df444e0240f1ee0e2a8e52fb  waf/trafficshield.py
 7a723ce2f1b82d7297a2ab025d5ca0be  waf/webappsecure.py
 75e51fea7f206e8faa2f743e44e58383  waf/webknight.py
 3bcac085dcd9ed26b50a2320e418e9f3  waf/yundun.py
+2a57f322f0b6e7b11b8df0909816a34f  waf/yunsuo.py
 2d53fdaca0d7b42edad5192661248d76  xml/banner/cookie.xml
 37603bc0905af0c65480a2ca959990ec  xml/banner/generic.xml
 d8925c034263bf1b83e7d8e1c78eec57  xml/banner/mssql.xml

waf/yunsuo.py

@@ -0,0 +1,25 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2016 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import re
+
+from lib.core.enums import HTTP_HEADER
+from lib.core.settings import WAF_ATTACK_VECTORS
+
+__product__ = "Yunsuo Web Application Firewall (Yunsuo)"
+
+def detect(get_page):
+    retval = False
+
+    for vector in WAF_ATTACK_VECTORS:
+        page, headers, _ = get_page(get=vector)
+        retval = re.search(r"<img class=\"yunsuologo\"", page, re.I) is not None
+        retval |= re.search(r"yunsuo_session", headers.get(HTTP_HEADER.SET_COOKIE, ""), re.I) is not None
+        if retval:
+            break
+
+    return retval