Fixed direct connection to always use the same query as of UNION query SQL injection (= one query with multiple columns/entries output).
Minor fixes to Firebird/Access/SQLite connectors to use connector's execute()/fetchall() as wrapper for third-party libraries' methods.
Forced conf.timeout to 10 seconds when directly connecting to database.
Slightly improved regular expression to parse -d parameter.
Added import check for all connectors' third-party libraries.
Code refactoring:
* Moved conf.direct request to direct() function in lib/request/direct.py (code reused where needed).
* Back-delegated to generic connector close() and other methods.
Initial support for Firebird (30% approx).
Initial support for Access (10% approx).
Shared libraries code/installation scripts ported to 64bit, directory structure adapted.
Minor code adjustments.
--columns now accepts also -C option: user can provide a string column and sqlmap will enumerate all columns of a specific table like '%provided_string%'.
Minor enhancements.
Minor bug fixes.
DML & co. statements in SQL query and SQL shell. Minor improvements on
this new feature.
Increased default connection timeout to 30 seconds (needed for vmware
machine not correctly synched).
Added support internally to forge CASE statements, used only by
--is-dba query at the moment.
Allow DDL, DML (INSERT, UPDATE, etc.) from user in SQL query and
SQL shell.
Minor code adjustments.
and HTTP response headers.
Initial web application technology fingerprint (for the moment based only on
X-Powered-By HTTP response header and not shown yet to the user).
Minor layout adjustments.
implemented Time based blind SQL injection now is a single test file
within the lib/techniques/ folder.
Renamed lib/techniques/inference to lib/techniques/blind, it is more
approriate and adapted the rest of the libraries.
Updated ChangeLog file.
entries also if the database name is not provided by using the current
database on MySQL and MSSQL, the 'public' scheme on PostgreSQL and the
'USERS' TABLESPACE_NAME on Oracle.
Minor bug fix so that when the user provide as SELECT statement to be
processed an asterisk, now it also work if in the FROM there is no
database name specified.
Minor layout adjustments.
Added method to test for Time based blind SQL injection query stacking
on the affected parameter a SLEEP() or similar DBMS specific function.
Adapted libraries, plugins and XML with the above changes.
Minor layout adjustments.