Minor patch

Fixes #5885
Fix related to #5881
2025-12-06 20:51:31 +00:00 · 2025-04-01 10:29:33 +02:00 · 2025-04-01 10:26:19 +02:00 · 2025-03-28 10:11:43 +01:00 · 2025-03-28 10:09:42 +01:00 · 2025-03-19 10:16:49 +01:00
7 changed files with 67 additions and 11 deletions
--- a/data/txt/sha256sums.txt
+++ b/data/txt/sha256sums.txt
@@ -149,7 +149,7 @@ f3d8033f8c451ae28ca4b8f65cf2ceb77fadba21f11f19229f08398cbf523bc6  extra/shutils/
 8779e1a56165327e49bbfd6cb2a461ab18cd8a83e9bfc139c9bdfc8e44f2a23f  extra/shutils/modernize.sh
 74fe683e94702bef6b8ea8eebb7fc47040e3ef5a03dec756e3cf4504a00c7839  extra/shutils/newlines.py
 fed05c468af662ba6ca6885baf8bf85fec1e58f438b3208f3819ad730a75a803  extra/shutils/postcommit-hook.sh
-dc35b51f5c9347eda8130106ee46bb051474fc0c5ed101f84abf3e546f729ceb  extra/shutils/precommit-hook.sh
+ca86d61d3349ed2d94a6b164d4648cff9701199b5e32378c3f40fca0f517b128  extra/shutils/precommit-hook.sh
 1909f0d510d0968fb1a6574eec17212b59081b2d7eb97399a80ba0dc0e77ddd1  extra/shutils/pycodestyle.sh
 026af5ba1055e85601dcdcb55bc9de41a6ee2b5f9265e750c878811c74dee2b0  extra/shutils/pydiatra.sh
 2ce9ac90e7d37a38b9d8dcc908632575a5bafc4c75d6d14611112d0eea418369  extra/shutils/pyflakes.sh
@@ -188,7 +188,7 @@ c6a182f6b7d3b0ad6f0888ea2a4de4148f0770549038d7de8bc3267b4c6635f7  lib/core/readl
 63ae69713c6ea9abfa10e71dfab8f2dcf42432177a38d2c1e98785bf1468674c  lib/core/replication.py
 5bad5bc7115051cef7b84efa73fbafbf5e1db46eef32a445056b56cda750b66f  lib/core/revision.py
 0dcb52c9c76a4b0acf2e9038f7d8f08c14543cef3cf7032831c6c0a99376ad24  lib/core/session.py
-13cb63f7e3c76e3251cd572b766b358389b5d997893aa649bf279169051270e8  lib/core/settings.py
+c4bd61235ac55e76e91545f4234e92b860fce1288971ee7cb9104da9984452a1  lib/core/settings.py
 a1e4f2860bffc73bbf2e5db293fa49dcb600ea35f950cda43dc953b3160ab3db  lib/core/shell.py
 841716e87b90a3b598515910841f7cf8d33bb87c24a27fba1a80e36a831cbcd7  lib/core/subprocessng.py
 9731092f195e346716929323ea3c93247b23b9b92b0f32d3fd0acc3adf9876cc  lib/core/target.py
@@ -210,8 +210,8 @@ cbabdde72df4bd8d6961d589f1721dd938d8f653aa6af8900a31af6e2586405d  lib/parse/site
 87109063dd336fe2705fdfef23bc9b340dcc58e410f15c372fab51ea6a1bf4b1  lib/request/basicauthhandler.py
 89417568d7f19e48d39a8a9a4227d3d2b71d1c9f61139a41b1835fb5266fcab8  lib/request/basic.py
 6139b926a3462d14ddd50acdb8575ae442b8fab089db222721535092b9af3ea1  lib/request/chunkedhandler.py
-6058fc4fce4b5ce660096d341eab3ae170e5406b31e2e9f51dcf60e7a2b67e68  lib/request/comparison.py
-7345c12a0a1d4c583766b46ba38263cbc4603a85aa4216deddd62958d4e5d596  lib/request/connect.py
+6be5719f3c922682931779830a4571a13d5612a69e2423fd60a254e8dbceaf5c  lib/request/comparison.py
+b27dd003eba5ac4697b6a1d5a6712e6aca380436a5a379bd5f2e831d6dca19bd  lib/request/connect.py
 0649a39c5cc2fc0f4c062b100ced17e3e6934a7e578247dfc65b650edc29825e  lib/request/direct.py
 5283754cf387ce4e645ee50834ee387cde29a768aaada1a6a07c338da216c94d  lib/request/dns.py
 844fae318d6b3141bfc817aac7a29868497b5e7b4b3fdd7c751ad1d4a485324f  lib/request/httpshandler.py
@@ -477,7 +477,7 @@ b3d9d0644197ecb864e899c04ee9c7cd63891ecf2a0d3c333aad563eef735294  plugins/generi
 8c4fd81d84598535643cf0ef1b2d350cd92977cb55287e23993b76eaa2215c30  sqlmapapi.py
 168309215af7dd5b0b71070e1770e72f1cbb29a3d8025143fb8aa0b88cd56b62  sqlmapapi.yaml
 4037f1c78180550c1896543581c0c2423e970086bae46f175397f2b4c54b7323  sqlmap.conf
-3795c6d03bc341a0e3aef3d7990ea8c272d91a4c307e1498e850594375af39f7  sqlmap.py
+f84846b8493d809d697a75b3d13d904013bbb03e0edd82b724f4753801609057  sqlmap.py
 9d408612a6780f7f50a7f7887f923ff3f40be5bfa09a951c6dc273ded05b56c0  tamper/0eunion.py
 c1c2eaa7df016cc7786ccee0ae4f4f363b1dce139c61fb3e658937cb0d18fc54  tamper/apostrophemask.py
 19023093ab22aec3bce9523f28e8111e8f6125973e6d9c82adb60da056bdf617  tamper/apostrophenullencode.py
@@ -511,6 +511,7 @@ d498e409c96d2ae2cc86263ead52ae385e95e9ec27f28247180c7c73ec348b3f  tamper/informa
 1d6e741e19e467650dce2ca84aa824d6df68ff74aedbe4afa8dbdb0193d94918  tamper/__init__.py
 b9a84211c84785361f4efa55858a1cdddd63cee644d0b8d4323b3a5e3db7d12f  tamper/least.py
 0de2bd766f883ac742f194f991c5d38799ffbf4346f4376be7ec8d750f2d9ef8  tamper/lowercase.py
+5015f35181dd4e4e0bddc67c4dfd86d6c509ae48a5f0212a122ff9a62f7352ce  tamper/luanginxmore.py
 c390d072ed48431ab5848d51b9ca5c4ff323964a770f0597bdde943ed12377f8  tamper/luanginx.py
 7eba10540514a5bfaee02e92b711e0f89ffe30b1672ec25c7680f2aa336c8a58  tamper/misunion.py
 b262da8d38dbb4be64d42e0ab07e25611da11c5d07aa11b09497b344a4c76b8d  tamper/modsecurityversioned.py
--- a/extra/shutils/precommit-hook.sh
+++ b/extra/shutils/precommit-hook.sh
@@ -24,7 +24,7 @@ git diff $SETTINGS_FULLPATH | grep "VERSION =" > /dev/null && exit 0

 if [ -f $SETTINGS_FULLPATH ]
 then
-    LINE=$(grep -o ${SETTINGS_FULLPATH} -e 'VERSION = "[0-9.]*"')
+    LINE=$(grep -o ${SETTINGS_FULLPATH} -e '^VERSION = "[0-9.]*"')
    declare -a LINE
    INCREMENTED=$(python -c "import re, sys, time; version = re.search('\"([0-9.]*)\"', sys.argv[1]).group(1); _ = version.split('.'); _.extend([0] * (4 - len(_))); _[-1] = str(int(_[-1]) + 1); month = str(time.gmtime().tm_mon); _[-1] = '0' if _[-2] != month else _[-1]; _[-2] = month; print sys.argv[1].replace(version, '.'.join(_))" "$LINE")
    if [ -n "$INCREMENTED" ]
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -19,7 +19,7 @@ from lib.core.enums import OS
 from thirdparty import six

 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.9.3.0"
+VERSION = "1.9.4.0"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
@@ -61,7 +61,7 @@ LOWER_RATIO_BOUND = 0.02
 UPPER_RATIO_BOUND = 0.98

 # For filling in case of dumb push updates
-DUMMY_JUNK = "ouZ0ii8A"
+DUMMY_JUNK = "ahy9Ouge"

 # Markers for special cases when parameter values contain html encoded characters
 PARAMETER_AMP_MARKER = "__AMP__"
@@ -835,6 +835,9 @@ INVALID_UNICODE_PRIVATE_AREA = False
 # Format used for representing invalid unicode characters
 INVALID_UNICODE_CHAR_FORMAT = r"\x%02x"

+# Minimum supported version of httpx library (for --http2)
+MIN_HTTPX_VERSION = "0.28"
+
 # Regular expression for XML POST data
 XML_RECOGNITION_REGEX = r"(?s)\A\s*<[^>]+>(.+>)?\s*\Z"

--- a/lib/request/comparison.py
+++ b/lib/request/comparison.py
@@ -21,7 +21,9 @@ from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.exception import SqlmapNoneDataException
+from lib.core.exception import SqlmapSilentQuitException
 from lib.core.settings import DEFAULT_PAGE_ENCODING
+from lib.core.settings import DEV_EMAIL_ADDRESS
 from lib.core.settings import DIFF_TOLERANCE
 from lib.core.settings import HTML_TITLE_REGEX
 from lib.core.settings import LOWER_RATIO_BOUND
@@ -35,8 +37,14 @@ from lib.core.threads import getCurrentThreadData
 from thirdparty import six

 def comparison(page, headers, code=None, getRatioValue=False, pageLength=None):
+    try:
        _ = _adjust(_comparison(page, headers, code, getRatioValue, pageLength), getRatioValue)
        return _
+    except:
+        warnMsg = "there was a KNOWN issue inside the internals regarding the difflib/comparison of pages. "
+        warnMsg += "Please report details privately via e-mail to '%s'" % DEV_EMAIL_ADDRESS
+        logger.critical(warnMsg)
+        raise SqlmapSilentQuitException

 def _adjust(condition, getRatioValue):
    if not any((conf.string, conf.notString, conf.regexp, conf.code)):
--- a/lib/request/connect.py
+++ b/lib/request/connect.py
@@ -62,6 +62,7 @@ from lib.core.common import unsafeVariableNaming
 from lib.core.common import urldecode
 from lib.core.common import urlencode
 from lib.core.common import wasLastResponseDelayed
+from lib.core.compat import LooseVersion
 from lib.core.compat import patchHeaders
 from lib.core.compat import xrange
 from lib.core.convert import encodeBase64
@@ -109,6 +110,7 @@ from lib.core.settings import IS_WIN
 from lib.core.settings import JAVASCRIPT_HREF_REGEX
 from lib.core.settings import LARGE_READ_TRIM_MARKER
 from lib.core.settings import LIVE_COOKIES_TIMEOUT
+from lib.core.settings import MIN_HTTPX_VERSION
 from lib.core.settings import MAX_CONNECTION_READ_SIZE
 from lib.core.settings import MAX_CONNECTIONS_REGEX
 from lib.core.settings import MAX_CONNECTION_TOTAL_SIZE
@@ -618,6 +620,9 @@ class Connect(object):
                    except ImportError:
                        raise SqlmapMissingDependence("httpx[http2] not available (e.g. 'pip%s install httpx[http2]')" % ('3' if six.PY3 else ""))

+                    if LooseVersion(httpx.__version__) < LooseVersion(MIN_HTTPX_VERSION):
+                        raise SqlmapMissingDependence("outdated version of httpx detected (%s<%s)" % (httpx.__version__, MIN_HTTPX_VERSION))
+
                    try:
                        proxy_mounts = dict(("%s://" % key, httpx.HTTPTransport(proxy="%s%s" % ("http://" if not "://" in kb.proxies[key] else "", kb.proxies[key]))) for key in kb.proxies) if kb.proxies else None
                        with httpx.Client(verify=False, http2=True, timeout=timeout, follow_redirects=True, cookies=conf.cj, mounts=proxy_mounts) as client:
--- a/sqlmap.py
+++ b/sqlmap.py
@@ -543,7 +543,7 @@ def main():
        errMsg = maskSensitiveData(errMsg)
        excMsg = maskSensitiveData(excMsg)

-        if conf.get("api") or not valid:
+        if conf.get("api") or not valid or kb.lastCtrlCTime:
            logger.critical("%s\n%s" % (errMsg, excMsg))
        else:
            logger.critical(errMsg)
--- a/tamper/luanginxmore.py
+++ b/tamper/luanginxmore.py
@@ -0,0 +1,39 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2025 sqlmap developers (https://sqlmap.org/)
+See the file 'LICENSE' for copying permission
+"""
+
+import random
+import string
+import os
+
+from lib.core.compat import xrange
+from lib.core.common import singleTimeWarnMessage
+from lib.core.enums import HINT
+from lib.core.enums import PRIORITY
+from lib.core.settings import DEFAULT_GET_POST_DELIMITER
+
+__priority__ = PRIORITY.HIGHEST
+
+def dependencies():
+    singleTimeWarnMessage("tamper script '%s' is only meant to be run on POST requests" % (os.path.basename(__file__).split(".")[0]))
+
+def tamper(payload, **kwargs):
+    """
+    LUA-Nginx WAFs Bypass (e.g. Cloudflare) with 4.2 million parameters
+
+    Reference:
+        * https://opendatasecurity.io/cloudflare-vulnerability-allows-waf-be-disabled/
+
+    Notes:
+        * Lua-Nginx WAFs do not support processing of huge number of parameters
+    """
+
+    hints = kwargs.get("hints", {})
+    delimiter = kwargs.get("delimiter", DEFAULT_GET_POST_DELIMITER)
+
+    hints[HINT.PREPEND] = delimiter.join("%s=" % "".join(random.sample(string.ascii_letters + string.digits, 2)) for _ in xrange(4194304))
+
+    return payload
Author	SHA1	Message	Date
Miroslav Stampar	29825cd5d6	Minor patch	2025-04-01 10:29:33 +02:00
Miroslav Stampar	bb725d222c	Fixes #5885	2025-04-01 10:26:19 +02:00
Miroslav Stampar	04b293d44f	Fix related to #5881	2025-03-28 10:11:43 +01:00
Kenny Strawn	1b4fb3a86d	Add luanginxmore tamper script (#5881 ) * Add luanginxmore tamper script POST requests can accept far more parameters than GET requests, so for additional evasion, it's nice to have something capable of overwhelming a WAF with millions of parameters, not just hundreds. Tested against public bug bounty programs with great success. * Fix syntax error Oops, forgot an extra closing parenthesis * Fix missing imports	2025-03-28 10:09:42 +01:00
Miroslav Stampar	23dda1022d	Minor update	2025-03-19 10:16:49 +01:00
Miroslav Stampar	6c108d96a0	Minor update regarding the #5863	2025-03-14 13:59:42 +01:00
Miroslav Stampar	28c838a9f0	Dummy update	2025-03-12 16:01:21 +01:00