Fixes #5985

The thread-finalization loop used a reversed comparison, causing the
wait loop to be skipped immediately:

this change reverse the comparison so it will wait while there are
active threads and elapsed time is less than the configured
THREAD_FINALIZATION_TIMEOUT:

data/txt/sha256sums.txt

@@ -64,17 +64,17 @@ b427b65cc8b585cd02361f5155ffab2fe52fd5943100382c6b86cd0f52f352d9  data/udf/postg
 c444fd667a09927a22c92e855d206249e761c1fbd4f3630f7ee06265eb2576ee  data/udf/postgresql/windows/32/8.4/lib_postgresqludf_sys.dll_
 c6be099a5dee34f3a7570715428add2e7419f4e73a7ce9913d3fb76eea78d88e  data/udf/postgresql/windows/32/9.0/lib_postgresqludf_sys.dll_
 0a6d5fc399e9958477c8a71f63b7c7884567204253e0d2389a240d83ed83f241  data/udf/README.txt
-4e268596da67fb0b6a10a7cefb38af5de13f67dab760cc0505f8f80484a0fe79  data/xml/banner/generic.xml
+288592bbc7115870516865d5a92c2e1d1d54f11a26a86998f8829c13724e2551  data/xml/banner/generic.xml
 2adcdd08d2c11a5a23777b10c132164ed9e856f2a4eca2f75e5e9b6615d26a97  data/xml/banner/mssql.xml
 14b18da611d4bfad50341df89f893edf47cd09c41c9662e036e817055eaa0cfb  data/xml/banner/mysql.xml
 6d1ab53eeac4fae6d03b67fb4ada71b915e1446a9c1cc4d82eafc032800a68fd  data/xml/banner/oracle.xml
 9f4ca1ff145cfbe3c3a903a21bf35f6b06ab8b484dad6b7c09e95262bf6bfa05  data/xml/banner/postgresql.xml
 86da6e90d9ccf261568eda26a6455da226c19a42cc7cd211e379cab528ec621e  data/xml/banner/server.xml
 146887f28e3e19861516bca551e050ce81a1b8d6bb69fd342cc1f19a25849328  data/xml/banner/servlet-engine.xml
-e87c062bdf05b27db6c1d7e0d41c25f269cbe66b1f9b8e2d9b3db0d567016c76  data/xml/banner/set-cookie.xml
+8af6b979b6e0a01062dc740ae475ba6be90dc10bb3716a45d28ada56e81f9648  data/xml/banner/set-cookie.xml
 a7eb4d1bcbdfd155383dcd35396e2d9dd40c2e89ce9d5a02e63a95a94f0ab4ea  data/xml/banner/sharepoint.xml
 e2febc92f9686eacf17a0054f175917b783cc6638ca570435a5203b03245fc18  data/xml/banner/x-aspnet-version.xml
-75672f8faa8053af0df566a48700f2178075f67c593d916313fcff3474da6f82  data/xml/banner/x-powered-by.xml
+3a440fbbf8adffbe6f570978e96657da2750c76043f8e88a2c269fe9a190778c  data/xml/banner/x-powered-by.xml
 1ac399c49ce3cb8c0812bb246e60c8a6718226efe89ccd1f027f49a18dbeb634  data/xml/boundaries.xml
 47c444f260fcba24bb1f13e3d4819ed846909f8d2b6e715069d6372ea30f026f  data/xml/errors.xml
 cfa1f0557fb71be0631796a4848d17be536e38f94571cf6ef911454fbc6b30d1  data/xml/payloads/boolean_blind.xml
@@ -160,15 +160,15 @@ df768bcb9838dc6c46dab9b4a877056cb4742bd6cfaaf438c4a3712c5cc0d264  extra/shutils/
 4608f21a4333c162ab3c266c903fda4793cc5834de30d06affe9b7566dd09811  extra/vulnserver/__init__.py
 eed1db5da17eca4c65a8f999166e2246eef84397687ae820bbe4984ef65a09df  extra/vulnserver/vulnserver.py
 96a39b4e3a9178e4e8285d5acd00115460cc1098ef430ab7573fc8194368da5c  lib/controller/action.py
-2c8652359d6790755117ec5c68d0ddffacff5f3377ad5004c4fffd29c2446d61  lib/controller/checks.py
+c060567ff0430f2ec915bf8abec8d632a52b5cb8a75a88984e6065a0feedcf44  lib/controller/checks.py
 34e9cf166e21ce991b61ca7695c43c892e8425f7e1228daec8cadd38f786acc6  lib/controller/controller.py
 49bcd74281297c79a6ae5d4b0d1479ddace4476fddaf4383ca682a6977b553e3  lib/controller/handler.py
 4608f21a4333c162ab3c266c903fda4793cc5834de30d06affe9b7566dd09811  lib/controller/__init__.py
 216c9399853b7454d36dcb552baf9f1169ec7942897ddc46504684325cb6ce00  lib/core/agent.py
 fbba89420acafcdb9ba1a95428cf2161b13cfa2d1a7ad7d5e70c14b0e04861f0  lib/core/bigarray.py
-e3b8f8cf9607d12f3de5e6bcd5031f21f50d4b331844b8e921493dfde2efe0f7  lib/core/common.py
+5b21bafe2eb07466d9751f4d80b21f256d5ffb1bb5a9639f91c09a43ec3fec87  lib/core/common.py
 d53a8aecab8af8b8da4dc1c74d868f70a38770d34b1fa50cae4532cae7ce1c87  lib/core/compat.py
-ebe518089733722879f5a13e73020ebe55d46fb7410cacf292ca4ea1d9d1c56a  lib/core/convert.py
+463005de14642fef4251c951c9b24ec8d456f67f0cd98a9f4d6add281ccbb775  lib/core/convert.py
 ae500647c4074681749735a4f3b17b7eca44868dd3f39f9cab0a575888ba04a1  lib/core/data.py
 ffae7cfe9f9afb92e887b9a8dbc1630d0063e865f35984ae417b04a4513e5024  lib/core/datatype.py
 1d70d75a1c1a2a0ad295f727ee9f1d90cea851dfc2f8c9a85ef79c7975007ead  lib/core/decorators.py
@@ -181,21 +181,21 @@ c9d1f64648062d7962caf02c4e2e7d84e8feb2a14451146f627112aae889afcd  lib/core/dump.
 4608f21a4333c162ab3c266c903fda4793cc5834de30d06affe9b7566dd09811  lib/core/__init__.py
 3d308440fb01d04b5d363bfbe0f337756b098532e5bb7a1c91d5213157ec2c35  lib/core/log.py
 2a06dc9b5c17a1efdcdb903545729809399f1ee96f7352cc19b9aaa227394ff3  lib/core/optiondict.py
-d33dbc25635e2ae42c70e5997f28097143966279adfbf98e95b0d09ad4976e88  lib/core/option.py
+c53862358795097a59aa4eacc4d90815afb7e0540899b8885b586e43267be225  lib/core/option.py
 fd449fe2c707ce06c929fc164cbabb3342f3e4e2b86c06f3efc1fc09ac98a25a  lib/core/patch.py
 85f10c6195a3a675892d914328173a6fb6a8393120417a2f10071c6e77bfa47d  lib/core/profiling.py
 c4bfb493a03caf84dd362aec7c248097841de804b7413d0e1ecb8a90c8550bc0  lib/core/readlineng.py
 d1bd70c1a55858495c727fbec91e30af267459c8f64d50fabf9e4ee2c007e920  lib/core/replication.py
 1d0f80b0193ac5204527bfab4bde1a7aee0f693fd008e86b4b29f606d1ef94f3  lib/core/revision.py
 d2eb8e4b05ac93551272b3d4abfaf5b9f2d3ac92499a7704c16ed0b4f200db38  lib/core/session.py
-48068ae9ed07335458e0b7a8bee9a30ec955dbb32a34804899c801435e0a26ce  lib/core/settings.py
+dc95ba3672a8fa3c90635d00a83f7a4044aab29769b3ff41faffe28284f8d2c7  lib/core/settings.py
 1c5eab9494eb969bc9ce118a2ea6954690c6851cbe54c18373c723b99734bf09  lib/core/shell.py
 4eea6dcf023e41e3c64b210cb5c2efc7ca893b727f5e49d9c924f076bb224053  lib/core/subprocessng.py
 cdd352e1331c6b535e780f6edea79465cb55af53aa2114dcea0e8bf382e56d1a  lib/core/target.py
 6cf11d8b00fa761046686437fe90565e708809f793e88a3f02527d0e49c4d2a8  lib/core/testing.py
 2a179b7601026a8da092271b30ad353cdb6decd658e2614fa51983aaf6dd80e7  lib/core/threads.py
 6f61e7946e368ee1450c301aaf5a26381a8ae31fc8bffa28afc9383e8b1fbc3f  lib/core/unescaper.py
-f7245b99c17ef88cd9a626ca09c0882a5e172bb10a38a5dec9d08da6c8e2d076  lib/core/update.py
+8919863be7a86f46d2c41bd30c0114a55a55c5931be48e3cfc66dfa96b7109c8  lib/core/update.py
 cba481f8c79f4a75bd147b9eb5a1e6e61d70422fceadd12494b1dbaa4f1d27f4  lib/core/wordlist.py
 4608f21a4333c162ab3c266c903fda4793cc5834de30d06affe9b7566dd09811  lib/__init__.py
 7d1d3e07a1f088428d155c0e1b28e67ecbf5f62775bdeeeb11b4388369dce0f7  lib/parse/banner.py
@@ -220,7 +220,7 @@ fcab35db1da4ac11d8c5b8291f9c87b8d7bb073c460c438374bc5a71ce5c65a6  lib/request/in
 03490bed87a54bf6c42a33ac1a66f7f8504c2398534a211e7e9306f408cd506a  lib/request/methodrequest.py
 eba8b1638c0c19d497dcbab86c9508b2ce870551b16a40db752a13c697d7d267  lib/request/pkihandler.py
 6336a6aba124905dab3e5ff67f76cf9b735c2a2879cc3bc8951cb06bea125895  lib/request/rangehandler.py
-14b402c3a927b7fb251622c9f4faf507993e033bd3b1cc281fe2873b9a382a51  lib/request/redirecthandler.py
+d6ab6436d7330278081ed21433ab18e5ef74b4d7af7ccb175ae956c245c13ce1  lib/request/redirecthandler.py
 3157d66bb021b71b2e71e355b209578d15f83000f0655bcf0cd7c7eed5d4669b  lib/request/templates.py
 5f5680c5b1db48ed2a13f47ba9de8b816d9d4f7f4c7abd07a48eb7ecbe9cf3ca  lib/takeover/abstraction.py
 250782249ee5afbcf3f398c596edbc3a9a1b35b3e11ac182678f6e22c1449852  lib/takeover/icmpsh.py
@@ -230,7 +230,7 @@ eba8b1638c0c19d497dcbab86c9508b2ce870551b16a40db752a13c697d7d267  lib/request/pk
 479cf4a9c0733ba62bfa764e465a59277d21661647304fa10f6f80bf6ecc518b  lib/takeover/udf.py
 08270a96d51339f628683bce58ee53c209d3c88a64be39444be5e2f9d98c0944  lib/takeover/web.py
 d40d5d1596d975b4ff258a70ad084accfcf445421b08dcf010d36986895e56cb  lib/takeover/xp_cmdshell.py
-9b3ccafc39f24000a148484a005226b8ba5ac142f141a8bd52160dfc56941538  lib/techniques/blind/inference.py
+3a355d277fa558c90fa040b3a02b99690671bf99a7a4ffb20a9a45878b09ab5e  lib/techniques/blind/inference.py
 4608f21a4333c162ab3c266c903fda4793cc5834de30d06affe9b7566dd09811  lib/techniques/blind/__init__.py
 4608f21a4333c162ab3c266c903fda4793cc5834de30d06affe9b7566dd09811  lib/techniques/dns/__init__.py
 d20798551d141b3eb0b1c789ee595f776386469ac3f9aeee612fd7a5607b98cd  lib/techniques/dns/test.py
@@ -477,7 +477,7 @@ f5cad477023c8145c4db7aa530976fc75b098cf59a49905f28d02f6771fd9697  README.md
 535ab6ac8b8441a3758cee86df3e68abec8b43eee54e32777967252057915acc  sqlmapapi.py
 168309215af7dd5b0b71070e1770e72f1cbb29a3d8025143fb8aa0b88cd56b62  sqlmapapi.yaml
 a40607ce164eb2d21865288d24b863edb1c734b56db857e130ac1aef961c80b9  sqlmap.conf
-822b706e791eba9b994b08e7600a3adfc3843d360437edfa0bfd588a1f58a13c  sqlmap.py
+d305f00a68898314242e7cfc19daf367c8f97e5f1da40100390b635b73b80722  sqlmap.py
 82caac95182ac5cae02eb7d8a2dc07e71389aeae6b838d3d3f402c9597eb086a  tamper/0eunion.py
 bc8f5e638578919e4e75a5b01a84b47456bac0fd540e600975a52408a3433460  tamper/apostrophemask.py
 c9c3d71f11de0140906d7b4f24fadb9926dc8eaf5adab864f8106275f05526ce  tamper/apostrophenullencode.py

data/xml/banner/generic.xml

@@ -3,7 +3,7 @@
 <root>
     <!-- Windows -->
 
-    <regexp value="(Microsoft|Windows|Win32)">
+    <regexp value="(Microsoft|Windows|Win32|Win64|WOW64|Cygwin|MinGW)">
         <info type="Windows"/>
     </regexp>
 
@@ -151,6 +151,34 @@
         <info type="Linux" distrib="Ubuntu"/>
     </regexp>
 
+    <regexp value="\bAlpine\b">
+        <info type="Linux" distrib="Alpine"/>
+    </regexp>
+
+    <regexp value="Oracle ?Linux">
+        <info type="Linux" distrib="Oracle"/>
+    </regexp>
+
+    <regexp value="\bRHEL\b">
+        <info type="Linux" distrib="Red Hat"/>
+    </regexp>
+
+    <regexp value="Amazon Linux">
+        <info type="Linux" distrib="Amazon"/>
+    </regexp>
+
+    <regexp value="Raspbian">
+        <info type="Linux" distrib="Raspbian"/>
+    </regexp>
+
+    <regexp value="\bKali\b">
+        <info type="Linux" distrib="Kali"/>
+    </regexp>
+
+    <regexp value="Rocky Linux">
+        <info type="Linux" distrib="Rocky"/>
+    </regexp>
+
     <!-- BSD -->
 
     <regexp value="FreeBSD">
@@ -167,11 +195,22 @@
 
     <!-- Mac OSX -->
 
-    <regexp value="Mac[\-\_\ ]?OSX">
+    <regexp value="Mac[\-\_\ ]?OS ?X|macOS|Darwin">
         <info type="Mac OSX"/>
     </regexp>
 
-    <regexp value="Darwin">
+    <!-- *nix -->
-        <info type="Mac OSX"/>
+
+    <regexp value="SunOS|Solaris">
+        <info type="SunOS"/>
     </regexp>
+
+    <regexp value="\bAIX\b">
+        <info type="AIX"/>
+    </regexp>
+
+    <regexp value="HP-UX|HPUX">
+        <info type="HP-UX"/>
+    </regexp>
+
 </root>

data/xml/banner/set-cookie.xml

@@ -76,7 +76,7 @@
     </regexp>
 
     <regexp value="laravel_session">
-        <info technology="Laravel (PHP)"/>
+        <info technology="Laravel"/>
     </regexp>
 
     <regexp value="SESS[a-f0-9]{32}">

data/xml/banner/x-powered-by.xml

@@ -62,4 +62,8 @@
     <regexp value="Servlet[\-\_\/\ ]?([\d\.]+)">
         <info technology="Servlet" tech_version="1"/>
     </regexp>
+
+    <regexp value="Laravel">
+        <info technology="Laravel"/>
+    </regexp>
 </root>

lib/controller/checks.py

@@ -521,7 +521,7 @@ def checkSqlInjection(place, parameter, value):
 
                                     if ratio == 1.0:
                                         continue
-                                except (MemoryError, OverflowError):
+                                except:
                                     pass
 
                             # Perform the test's True request

lib/core/common.py

@@ -2204,19 +2204,19 @@ def safeStringFormat(format_, params):
             while True:
                 match = re.search(r"(\A|[^A-Za-z0-9])(%s)([^A-Za-z0-9]|\Z)", retVal)
                 if match:
-                    if count >= len(params):
-                        warnMsg = "wrong number of parameters during string formatting. "
-                        warnMsg += "Please report by e-mail content \"%r | %r | %r\" to '%s'" % (format_, params, retVal, DEV_EMAIL_ADDRESS)
-                        raise SqlmapValueException(warnMsg)
-                    else:
                     try:
-                            retVal = re.sub(r"(\A|[^A-Za-z0-9])(%s)([^A-Za-z0-9]|\Z)", r"\g<1>%s\g<3>" % params[count], retVal, 1)
+                        retVal = re.sub(r"(\A|[^A-Za-z0-9])(%s)([^A-Za-z0-9]|\Z)", r"\g<1>%s\g<3>" % params[count % len(params)], retVal, 1)
                     except re.error:
-                            retVal = retVal.replace(match.group(0), match.group(0) % params[count], 1)
+                        retVal = retVal.replace(match.group(0), match.group(0) % params[count % len(params)], 1)
                     count += 1
                 else:
                     break
 
+            if count > len(params) and count % len(params):
+                warnMsg = "wrong number of parameters during string formatting. "
+                warnMsg += "Please report by e-mail content \"%r | %r | %r\" to '%s'" % (format_, params, retVal, DEV_EMAIL_ADDRESS)
+                raise SqlmapValueException(warnMsg)
+
     retVal = getText(retVal).replace(PARAMETER_PERCENTAGE_MARKER, '%')
 
     return retVal

lib/core/convert.py

@@ -154,7 +154,7 @@ def rot13(data):
 
 def decodeHex(value, binary=True):
     """
-    Returns a decoded representation of provided hexadecimal value
+    Returns a decoded representation of the provided hexadecimal value
 
     >>> decodeHex("313233") == b"123"
     True
@@ -182,7 +182,7 @@ def decodeHex(value, binary=True):
 
 def encodeHex(value, binary=True):
     """
-    Returns a encoded representation of provided string value
+    Returns an encoded representation of the provided value
 
     >>> encodeHex(b"123") == b"313233"
     True
@@ -251,7 +251,7 @@ def decodeBase64(value, binary=True, encoding=None):
 
 def encodeBase64(value, binary=True, encoding=None, padding=True, safe=False):
     """
-    Returns a decoded representation of provided Base64 value
+    Returns a Base64 encoded representation of the provided value
 
     >>> encodeBase64(b"123") == b"MTIz"
     True
@@ -316,7 +316,7 @@ def getBytes(value, encoding=None, errors="strict", unsafe=True):
             retVal = value.encode(encoding, errors)
 
             if unsafe:
-                retVal = re.sub(r"%s([0-9a-f]{2})" % SAFE_HEX_MARKER, lambda _: decodeHex(_.group(1)), retVal)
+                retVal = re.sub((r"%s([0-9a-f]{2})" % SAFE_HEX_MARKER).encode(), lambda _: decodeHex(_.group(1)), retVal)
         else:
             try:
                 retVal = value.encode(encoding, errors)

lib/core/option.py

@@ -939,8 +939,8 @@ def _setPreprocessFunctions():
                     handle, filename = tempfile.mkstemp(prefix=MKSTEMP_PREFIX.PREPROCESS, suffix=".py")
                     os.close(handle)
 
-                    openFile(filename, "w+b").write("#!/usr/bin/env\n\ndef preprocess(req):\n    pass\n")
+                    openFile(filename, "w+").write("#!/usr/bin/env\n\ndef preprocess(req):\n    pass\n")
-                    openFile(os.path.join(os.path.dirname(filename), "__init__.py"), "w+b").write("pass")
+                    openFile(os.path.join(os.path.dirname(filename), "__init__.py"), "w+").write("pass")
 
                     errMsg = "function 'preprocess(req)' "
                     errMsg += "in preprocess script '%s' " % script

lib/core/settings.py

@@ -19,7 +19,7 @@ from lib.core.enums import OS
 from thirdparty import six
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.9.10.0"
+VERSION = "1.9.12.0"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
@@ -61,7 +61,7 @@ LOWER_RATIO_BOUND = 0.02
 UPPER_RATIO_BOUND = 0.98
 
 # For filling in case of dumb push updates
-DUMMY_JUNK = "ahy9Ouge"
+DUMMY_JUNK = "Aich8ooT"
 
 # Markers for special cases when parameter values contain html encoded characters
 PARAMETER_AMP_MARKER = "__PARAMETER_AMP__"

lib/core/update.py

@@ -110,7 +110,7 @@ def update():
 
                         filepath = os.path.join(paths.SQLMAP_ROOT_PATH, "lib", "core", "settings.py")
                         if os.path.isfile(filepath):
-                            with openFile(filepath, "rb") as f:
+                            with openFile(filepath, "r") as f:
                                 version = re.search(r"(?m)^VERSION\s*=\s*['\"]([^'\"]+)", f.read()).group(1)
                                 logger.info("updated to the latest version '%s#dev'" % version)
                                 success = True

lib/request/redirecthandler.py

@@ -76,16 +76,10 @@ class SmartRedirectHandler(_urllib.request.HTTPRedirectHandler):
         redurl = self._get_header_redirect(headers) if not conf.ignoreRedirects else None
 
         try:
-            content = fp.read(MAX_CONNECTION_TOTAL_SIZE)
+            content = fp.fp.read(MAX_CONNECTION_TOTAL_SIZE)
+            fp.fp = io.BytesIO(content)
         except:  # e.g. IncompleteRead
             content = b""
-        finally:
-            if content:
-                try:  # try to write it back to the read buffer so we could reuse it in further steps
-                    fp.fp._rbuf.truncate(0)
-                    fp.fp._rbuf.write(content)
-                except:
-                    pass
 
         content = decodePage(content, headers.get(HTTP_HEADER.CONTENT_ENCODING), headers.get(HTTP_HEADER.CONTENT_TYPE))
 
@@ -194,7 +188,7 @@ class SmartRedirectHandler(_urllib.request.HTTPRedirectHandler):
         result.redurl = getUnicode(redurl) if six.PY3 else redurl
         return result
 
-    http_error_301 = http_error_303 = http_error_307 = http_error_302
+    http_error_301 = http_error_303 = http_error_307 = http_error_308 = http_error_302
 
     def _infinite_loop_check(self, req):
         if hasattr(req, 'redirect_dict') and (req.redirect_dict.get(req.get_full_url(), 0) >= MAX_SINGLE_URL_REDIRECTIONS or len(req.redirect_dict) >= MAX_TOTAL_REDIRECTIONS):

lib/techniques/blind/inference.py

@@ -221,7 +221,8 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
                 markingValue = "'%s'" % CHAR_INFERENCE_MARK
                 unescapedCharValue = unescaper.escape("'%s'" % decodeIntToUnicode(posValue))
                 forgedPayload = agent.extractPayload(payload) or ""
-                forgedPayload = safeStringFormat(forgedPayload.replace(INFERENCE_GREATER_CHAR, INFERENCE_EQUALS_CHAR), (expressionUnescaped, idx, posValue)).replace(markingValue, unescapedCharValue)
+                forgedPayload = forgedPayload.replace(markingValue, unescapedCharValue)
+                forgedPayload = safeStringFormat(forgedPayload.replace(INFERENCE_GREATER_CHAR, INFERENCE_EQUALS_CHAR), (expressionUnescaped, idx, posValue))
                 result = Request.queryPage(agent.replacePayload(payload, forgedPayload), timeBasedCompare=timeBasedCompare, raise404=False)
                 incrementCounter(getTechnique())
 
@@ -246,7 +247,8 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
                 # e.g.: ... > '%c' -> ... > ORD(..)
                 markingValue = "'%s'" % CHAR_INFERENCE_MARK
                 unescapedCharValue = unescaper.escape("'%s'" % decodeIntToUnicode(value))
-                forgedPayload = safeStringFormat(validationPayload, (expressionUnescaped, idx)).replace(markingValue, unescapedCharValue)
+                forgedPayload = validationPayload.replace(markingValue, unescapedCharValue)
+                forgedPayload = safeStringFormat(forgedPayload, (expressionUnescaped, idx))
 
             result = not Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare, raise404=False)
 
@@ -352,7 +354,8 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
                         # e.g.: ... > '%c' -> ... > ORD(..)
                         markingValue = "'%s'" % CHAR_INFERENCE_MARK
                         unescapedCharValue = unescaper.escape("'%s'" % decodeIntToUnicode(posValue))
-                        forgedPayload = safeStringFormat(payload, (expressionUnescaped, idx)).replace(markingValue, unescapedCharValue)
+                        forgedPayload = payload.replace(markingValue, unescapedCharValue)
+                        forgedPayload = safeStringFormat(forgedPayload, (expressionUnescaped, idx))
                         falsePayload = safeStringFormat(payload, (expressionUnescaped, idx)).replace(markingValue, NULL)
 
                     if timeBasedCompare:

sqlmap.py

@@ -347,6 +347,12 @@ def main():
             logger.critical(errMsg)
             raise SystemExit
 
+        elif all(_ in excMsg for _ in ("httpcore", "typing.", "AttributeError")):
+            errMsg = "please update the 'httpcore' package (>= 1.0.8) "
+            errMsg += "(Reference: 'https://github.com/encode/httpcore/discussions/995')"
+            logger.critical(errMsg)
+            raise SystemExit
+
         elif "invalid maximum character passed to PyUnicode_New" in excMsg and re.search(r"\A3\.[34]", sys.version) is not None:
             errMsg = "please upgrade the Python version (>= 3.5) "
             errMsg += "(Reference: 'https://bugs.python.org/issue18183')"
@@ -601,7 +607,7 @@ def main():
 
         # short delay for thread finalization
         _ = time.time()
-        while threading.active_count() > 1 and (time.time() - _) > THREAD_FINALIZATION_TIMEOUT:
+        while threading.active_count() > 1 and (time.time() - _) < THREAD_FINALIZATION_TIMEOUT:
             time.sleep(0.01)
 
         if cmdLineOptions.get("sqlmapShell"):