Adding support for sha256sum of source files

The spelling and grammar errors have been corrected.

doc/translations/README-pl-PL.md

@@ -2,9 +2,9 @@
 
 [![.github/workflows/tests.yml](https://github.com/sqlmapproject/sqlmap/actions/workflows/tests.yml/badge.svg)](https://github.com/sqlmapproject/sqlmap/actions/workflows/tests.yml) [![Python 2.6|2.7|3.x](https://img.shields.io/badge/python-2.6|2.7|3.x-yellow.svg)](https://www.python.org/) [![License](https://img.shields.io/badge/license-GPLv2-red.svg)](https://raw.githubusercontent.com/sqlmapproject/sqlmap/master/LICENSE) [![Twitter](https://img.shields.io/badge/twitter-@sqlmap-blue.svg)](https://twitter.com/sqlmap)
 
-sqlmap to open sourceowe narzędzie do testów penetracyjnych, które automatyzuje procesy detekcji, przejmowania i testowania odporności serwerów SQL na podatność na iniekcję niechcianego kodu. Zawiera potężny mechanizm detekcji, wiele niszowych funkcji dla zaawansowanych testów penetracyjnych oraz szeroki wachlarz opcji począwszy od identyfikacji bazy danych, poprzez wydobywanie z nich danych, a nawet pozwalających na dostęp do systemu plików o uruchamianie poleceń w systemie operacyjnym serwera poprzez niestandardowe połączenia.
+sqlmap to open sourceowe narzędzie do testów penetracyjnych, które automatyzuje procesy detekcji, przejmowania i testowania odporności serwerów SQL na podatność na iniekcję niechcianego kodu. Zawiera potężny mechanizm detekcji, wiele niszowych funkcji dla zaawansowanych testów penetracyjnych oraz szeroki wachlarz opcji począwszy od identyfikacji bazy danych, poprzez wydobywanie z niej danych, a nawet pozwalających na dostęp do systemu plików oraz wykonywanie poleceń w systemie operacyjnym serwera poprzez niestandardowe połączenia.
 
-Zrzuty ekranowe
+Zrzuty ekranu
 ----
 
 ![Screenshot](https://raw.github.com/wiki/sqlmapproject/sqlmap/images/sqlmap_screenshot.png)
@@ -33,18 +33,18 @@ Aby uzyskać listę wszystkich funkcji i parametrów użyj polecenia:
 
     python sqlmap.py -hh
 
-Przykładowy wynik działania dostępny jest [tutaj](https://asciinema.org/a/46601).
+Przykładowy wynik działania można znaleźć [tutaj](https://asciinema.org/a/46601).
-Aby uzyskać listę wszystkich dostępnych funkcji, parametrów i opisów ich działania wraz z przykładami użycia sqlmap proponujemy odwiedzić [instrukcję użytkowania](https://github.com/sqlmapproject/sqlmap/wiki/Usage).
+Aby uzyskać listę wszystkich dostępnych funkcji, parametrów oraz opisów ich działania wraz z przykładami użycia sqlmap zalecamy odwiedzić [instrukcję użytkowania](https://github.com/sqlmapproject/sqlmap/wiki/Usage).
 
 Odnośniki
 ----
 
 * Strona projektu: https://sqlmap.org
-* Pobieranie: [.tar.gz](https://github.com/sqlmapproject/sqlmap/tarball/master) or [.zip](https://github.com/sqlmapproject/sqlmap/zipball/master)
+* Pobieranie: [.tar.gz](https://github.com/sqlmapproject/sqlmap/tarball/master) lub [.zip](https://github.com/sqlmapproject/sqlmap/zipball/master)
 * RSS feed: https://github.com/sqlmapproject/sqlmap/commits/master.atom
-* Raportowanie błędów: https://github.com/sqlmapproject/sqlmap/issues
+* Zgłaszanie błędów: https://github.com/sqlmapproject/sqlmap/issues
 * Instrukcja użytkowania: https://github.com/sqlmapproject/sqlmap/wiki
 * Często zadawane pytania (FAQ): https://github.com/sqlmapproject/sqlmap/wiki/FAQ
 * Twitter: [@sqlmap](https://twitter.com/sqlmap)
 * Dema: [https://www.youtube.com/user/inquisb/videos](https://www.youtube.com/user/inquisb/videos)
-* Zrzuty ekranowe: https://github.com/sqlmapproject/sqlmap/wiki/Screenshots
+* Zrzuty ekranu: https://github.com/sqlmapproject/sqlmap/wiki/Screenshots

extra/shutils/precommit-hook.sh

@@ -12,11 +12,13 @@ chmod +x .git/hooks/pre-commit
 
 PROJECT="../../"
 SETTINGS="../../lib/core/settings.py"
+DIGEST="../../sha256sums.txt"
 
 declare -x SCRIPTPATH="${0}"
 
 PROJECT_FULLPATH=${SCRIPTPATH%/*}/$PROJECT
 SETTINGS_FULLPATH=${SCRIPTPATH%/*}/$SETTINGS
+DIGEST_FULLPATH=${SCRIPTPATH%/*}/$DIGEST
 
 git diff $SETTINGS_FULLPATH | grep "VERSION =" > /dev/null && exit 0
 
@@ -35,3 +37,5 @@ then
     fi
     git add "$SETTINGS_FULLPATH"
 fi
+
+cd $PROJECT_FULLPATH && git ls-files | sort | uniq | grep -v sha256 | xargs sha256sum > $DIGEST_FULLPATH

lib/core/common.py

@@ -880,7 +880,7 @@ def getManualDirectories():
 def getAutoDirectories():
     """
     >>> pushValue(kb.absFilePaths)
-    >>> kb.absFilePaths = ["C:\\inetpub\\wwwroot\\index.asp", "/var/www/html"]
+    >>> kb.absFilePaths = [r"C:\\inetpub\\wwwroot\\index.asp", "/var/www/html"]
     >>> getAutoDirectories()
     ['C:/inetpub/wwwroot', '/var/www/html']
     >>> kb.absFilePaths = popValue()
@@ -2308,7 +2308,7 @@ def ntToPosixSlashes(filepath):
     Replaces all occurrences of NT backslashes in provided
     filepath with Posix slashes
 
-    >>> ntToPosixSlashes('C:\\Windows')
+    >>> ntToPosixSlashes(r'C:\\Windows')
     'C:/Windows'
     """
 
@@ -4273,6 +4273,9 @@ def safeSQLIdentificatorNaming(name, isTable=False):
 
     retVal = name
 
+    if conf.unsafeNaming:
+        return retVal
+
     if isinstance(name, six.string_types):
         retVal = getUnicode(name)
         _ = isTable and Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE)

lib/core/datatype.py

@@ -6,6 +6,7 @@ See the file 'LICENSE' for copying permission
 """
 
 import copy
+import threading
 import types
 
 from thirdparty.odict import OrderedDict
@@ -142,6 +143,7 @@ class LRUDict(object):
     def __init__(self, capacity):
         self.capacity = capacity
         self.cache = OrderedDict()
+        self.__lock = threading.Lock()
 
     def __len__(self):
         return len(self.cache)
@@ -158,11 +160,12 @@ class LRUDict(object):
         return self.__getitem__(key)
 
     def __setitem__(self, key, value):
-        try:
+        with self.__lock:
-            self.cache.pop(key)
+            try:
-        except KeyError:
+                self.cache.pop(key)
-            if len(self.cache) >= self.capacity:
+            except KeyError:
-                self.cache.popitem(last=False)
+                if len(self.cache) >= self.capacity:
+                    self.cache.popitem(last=False)
         self.cache[key] = value
 
     def set(self, key, value):

lib/core/optiondict.py

@@ -240,6 +240,7 @@ optDict = {
         "testFilter": "string",
         "testSkip": "string",
         "timeLimit": "float",
+        "unsafeNaming": "boolean",
         "webRoot": "string",
     },
 

lib/core/settings.py

@@ -20,7 +20,7 @@ from thirdparty import six
 from thirdparty.six import unichr as _unichr
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.7.1.0"
+VERSION = "1.8.3.0"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
@@ -333,7 +333,7 @@ REFERER_ALIASES = ("ref", "referer", "referrer")
 HOST_ALIASES = ("host",)
 
 # DBMSes with upper case identifiers
-UPPER_CASE_DBMSES = set((DBMS.ORACLE, DBMS.DB2, DBMS.FIREBIRD, DBMS.MAXDB, DBMS.H2, DBMS.DERBY, DBMS.ALTIBASE))
+UPPER_CASE_DBMSES = set((DBMS.ORACLE, DBMS.DB2, DBMS.FIREBIRD, DBMS.MAXDB, DBMS.H2, DBMS.HSQLDB, DBMS.DERBY, DBMS.ALTIBASE))
 
 # Default schemas to use (when unable to enumerate)
 H2_DEFAULT_SCHEMA = HSQLDB_DEFAULT_SCHEMA = "PUBLIC"

lib/core/target.py

@@ -226,7 +226,8 @@ def _setRequestParams():
                 if not (kb.processUserMarks and kb.customInjectionMark in conf.data):
                     conf.data = getattr(conf.data, UNENCODED_ORIGINAL_VALUE, conf.data)
                     conf.data = conf.data.replace(kb.customInjectionMark, ASTERISK_MARKER)
-                    conf.data = re.sub(r"(?si)((Content-Disposition[^\n]+?name\s*=\s*[\"']?(?P<name>[^\"'\r\n]+)[\"']?).+?)((%s)+--)" % ("\r\n" if "\r\n" in conf.data else '\n'), functools.partial(process, repl=r"\g<1>%s\g<4>" % kb.customInjectionMark), conf.data)
+                    conf.data = re.sub(r"(?si)(Content-Disposition:[^\n]+\s+name=\"(?P<name>[^\"]+)\"(?:[^f|^b]|f(?!ilename=)|b(?!oundary=))*?)((%s)--)" % ("\r\n" if "\r\n" in conf.data else '\n'),
+                                        functools.partial(process, repl=r"\g<1>%s\g<3>" % kb.customInjectionMark), conf.data)
 
         if not kb.postHint:
             if kb.customInjectionMark in conf.data:  # later processed

lib/parse/cmdline.py

@@ -739,6 +739,9 @@ def cmdLineParser(argv=None):
         general.add_argument("--time-limit", dest="timeLimit", type=float,
             help="Run with a time limit in seconds (e.g. 3600)")
 
+        general.add_argument("--unsafe-naming", dest="unsafeNaming", action="store_true",
+            help="Disable escaping of DBMS identifiers (e.g. \"user\")")
+
         general.add_argument("--web-root", dest="webRoot",
             help="Web server document root directory (e.g. \"/var/www\")")
 

lib/utils/api.py

@@ -680,7 +680,7 @@ def version(token=None):
     logger.debug("Fetched version (%s)" % ("admin" if is_admin(token) else request.remote_addr))
     return jsonize({"success": True, "version": VERSION_STRING.split('/')[-1]})
 
-def server(host=RESTAPI_DEFAULT_ADDRESS, port=RESTAPI_DEFAULT_PORT, adapter=RESTAPI_DEFAULT_ADAPTER, username=None, password=None):
+def server(host=RESTAPI_DEFAULT_ADDRESS, port=RESTAPI_DEFAULT_PORT, adapter=RESTAPI_DEFAULT_ADAPTER, username=None, password=None, database=None):
     """
     REST-JSON API server
     """
@@ -689,8 +689,11 @@ def server(host=RESTAPI_DEFAULT_ADDRESS, port=RESTAPI_DEFAULT_PORT, adapter=REST
     DataStore.username = username
     DataStore.password = password
 
-    _, Database.filepath = tempfile.mkstemp(prefix=MKSTEMP_PREFIX.IPC, text=False)
+    if not database:
-    os.close(_)
+        _, Database.filepath = tempfile.mkstemp(prefix=MKSTEMP_PREFIX.IPC, text=False)
+        os.close(_)
+    else:
+        Database.filepath = database
 
     if port == 0:  # random
         with contextlib.closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:

plugins/generic/custom.py

@@ -98,6 +98,10 @@ class Custom(object):
                 query = _input("sql-shell> ")
                 query = getUnicode(query, encoding=sys.stdin.encoding)
                 query = query.strip("; ")
+            except UnicodeDecodeError:
+                print()
+                errMsg = "invalid user input"
+                logger.error(errMsg)
             except KeyboardInterrupt:
                 print()
                 errMsg = "user aborted"

sqlmap.conf

@@ -829,6 +829,9 @@ testSkip =
 # Run with a time limit in seconds (e.g. 3600).
 timeLimit =
 
+# Disable escaping of DBMS identifiers (e.g. "user").
+unsafeNaming = False
+
 # Web server document root directory (e.g. "/var/www").
 webRoot =
 

sqlmapapi.py

@@ -12,13 +12,55 @@ sys.dont_write_bytecode = True
 __import__("lib.utils.versioncheck")  # this has to be the first non-standard import
 
 import logging
-import optparse
 import os
 import warnings
 
 warnings.filterwarnings(action="ignore", category=UserWarning)
 warnings.filterwarnings(action="ignore", category=DeprecationWarning)
 
+try:
+    from optparse import OptionGroup
+    from optparse import OptionParser as ArgumentParser
+
+    ArgumentParser.add_argument = ArgumentParser.add_option
+
+    def _add_argument(self, *args, **kwargs):
+        return self.add_option(*args, **kwargs)
+
+    OptionGroup.add_argument = _add_argument
+
+except ImportError:
+    from argparse import ArgumentParser
+
+finally:
+    def get_actions(instance):
+        for attr in ("option_list", "_group_actions", "_actions"):
+            if hasattr(instance, attr):
+                return getattr(instance, attr)
+
+    def get_groups(parser):
+        return getattr(parser, "option_groups", None) or getattr(parser, "_action_groups")
+
+    def get_all_options(parser):
+        retVal = set()
+
+        for option in get_actions(parser):
+            if hasattr(option, "option_strings"):
+                retVal.update(option.option_strings)
+            else:
+                retVal.update(option._long_opts)
+                retVal.update(option._short_opts)
+
+        for group in get_groups(parser):
+            for option in get_actions(group):
+                if hasattr(option, "option_strings"):
+                    retVal.update(option.option_strings)
+                else:
+                    retVal.update(option._long_opts)
+                    retVal.update(option._short_opts)
+
+        return retVal
+
 from lib.core.common import getUnicode
 from lib.core.common import setPaths
 from lib.core.data import logger
@@ -52,19 +94,21 @@ def main():
     setPaths(modulePath())
 
     # Parse command line options
-    apiparser = optparse.OptionParser()
+    apiparser = ArgumentParser()
-    apiparser.add_option("-s", "--server", help="Run as a REST-JSON API server", action="store_true")
+    apiparser.add_argument("-s", "--server", help="Run as a REST-JSON API server", action="store_true")
-    apiparser.add_option("-c", "--client", help="Run as a REST-JSON API client", action="store_true")
+    apiparser.add_argument("-c", "--client", help="Run as a REST-JSON API client", action="store_true")
-    apiparser.add_option("-H", "--host", help="Host of the REST-JSON API server (default \"%s\")" % RESTAPI_DEFAULT_ADDRESS, default=RESTAPI_DEFAULT_ADDRESS, action="store")
+    apiparser.add_argument("-H", "--host", help="Host of the REST-JSON API server (default \"%s\")" % RESTAPI_DEFAULT_ADDRESS, default=RESTAPI_DEFAULT_ADDRESS)
-    apiparser.add_option("-p", "--port", help="Port of the the REST-JSON API server (default %d)" % RESTAPI_DEFAULT_PORT, default=RESTAPI_DEFAULT_PORT, type="int", action="store")
+    apiparser.add_argument("-p", "--port", help="Port of the the REST-JSON API server (default %d)" % RESTAPI_DEFAULT_PORT, default=RESTAPI_DEFAULT_PORT, type=int)
-    apiparser.add_option("--adapter", help="Server (bottle) adapter to use (default \"%s\")" % RESTAPI_DEFAULT_ADAPTER, default=RESTAPI_DEFAULT_ADAPTER, action="store")
+    apiparser.add_argument("--adapter", help="Server (bottle) adapter to use (default \"%s\")" % RESTAPI_DEFAULT_ADAPTER, default=RESTAPI_DEFAULT_ADAPTER)
-    apiparser.add_option("--username", help="Basic authentication username (optional)", action="store")
+    apiparser.add_argument("--database", help="Set IPC database filepath (optional)")
-    apiparser.add_option("--password", help="Basic authentication password (optional)", action="store")
+    apiparser.add_argument("--username", help="Basic authentication username (optional)")
-    (args, _) = apiparser.parse_args()
+    apiparser.add_argument("--password", help="Basic authentication password (optional)")
+    (args, _) = apiparser.parse_known_args() if hasattr(apiparser, "parse_known_args") else apiparser.parse_args()
+
 
     # Start the client or the server
     if args.server:
-        server(args.host, args.port, adapter=args.adapter, username=args.username, password=args.password)
+        server(args.host, args.port, adapter=args.adapter, username=args.username, password=args.password, database=args.database)
     elif args.client:
         client(args.host, args.port, username=args.username, password=args.password)
     else: