Bump some years in headers

* Added SQL queries for 'Snowflake' DBMS

* Added necessary constants for the 'Snowflake' DBMS

* Added the 'Snowflake' DBMS to existing conditional which adds dynamic values to hardcoded statements (queries.xml)

* Added plugin logic for the 'Snowflake' DBMS

* Modified 'dbs' query to include 'ORDER BY'

* Moved 'LIMIT' to appear before 'OFFSET'

data/txt/sha256sums.txt

@@ -85,10 +85,10 @@ b0f434f64105bd61ab0f6867b3f681b97fa02b4fb809ac538db382d031f0e609  data/xml/paylo
 0648264166455010921df1ec431e4c973809f37ef12cbfea75f95029222eb689  data/xml/payloads/stacked_queries.xml
 997556b6170964a64474a2e053abe33cf2cf029fb1acec660d4651cc67a3c7e1  data/xml/payloads/time_blind.xml
 40a4878669f318568097719d07dc906a19b8520bc742be3583321fc1e8176089  data/xml/payloads/union_query.xml
-eeaec8f6590db3315a740b04f21fed8ae229d9d0ef8b85af5ad83a905e9bfd6e  data/xml/queries.xml
+12078af6bdd45397fc855f30738fba5ecaf9948e526d819d226b229d87db2b43  data/xml/queries.xml
 abb6261b1c531ad2ee3ada8184c76bcdc38732558d11a8e519f36fcc95325f7e  doc/AUTHORS
 ce20a4b452f24a97fde7ec9ed816feee12ac148e1fde5f1722772cc866b12740  doc/CHANGELOG.md
-2df1f15110f74ce4e52f0e7e4a605e6c7e08fbda243e444f9b60e26dfc5cf09d  doc/THANKS.md
+7af515e3ad13fb7e9cfa4debc8ec879758c0cfbe67642b760172178cda9cf5cb  doc/THANKS.md
 f939c6341e3ab16b0bb9d597e4b13856c7d922be27fd8dba3aa976b347771f16  doc/THIRD-PARTY.md
 25012296e8484ea04f7d2368ac9bdbcded4e42dbc5e3373d59c2bb3e950be0b8  doc/translations/README-ar-AR.md
 c25f7d7f0cc5e13db71994d2b34ada4965e06c87778f1d6c1a103063d25e2c89  doc/translations/README-bg-BG.md
@@ -160,43 +160,43 @@ ca86d61d3349ed2d94a6b164d4648cff9701199b5e32378c3f40fca0f517b128  extra/shutils/
 df768bcb9838dc6c46dab9b4a877056cb4742bd6cfaaf438c4a3712c5cc0d264  extra/shutils/recloak.sh
 1972990a67caf2d0231eacf60e211acf545d9d0beeb3c145a49ba33d5d491b3f  extra/shutils/strip.sh
 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3  extra/vulnserver/__init__.py
-11fd73d2a49ae110dff6ee9c28a6703d7573187d639a11a190f699221612b488  extra/vulnserver/vulnserver.py
+9e5e4d3d9acb767412259895a3ee75e1a5f42d0b9923f17605d771db384a6f60  extra/vulnserver/vulnserver.py
 b8411d1035bb49b073476404e61e1be7f4c61e205057730e2f7880beadcd5f60  lib/controller/action.py
-460d3da652b8f55c9eaf0f90be33eddf3355355e5c5b1c98b7fc4d83b1c54fda  lib/controller/checks.py
+e376093d4f6e42ee38b050af329179df9c1c136b7667b2f1cb559f5d4b69ebd9  lib/controller/checks.py
 430475857a37fd997e73a47d7485c5dd4aa0985ef32c5a46b5e7bff01749ba66  lib/controller/controller.py
-ccec2373f6393f3d644db3de2910e17ef705817063c03e7ca4417f9d7f622527  lib/controller/handler.py
+1ecbca13afdc7c2bc8dc215c5d7fca453bf836dbe3ca377609750bfbc4874a85  lib/controller/handler.py
 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3  lib/controller/__init__.py
 6da126b359e67f73cea7848d3f35dd0890aece16374d04b60490b85e26bf7224  lib/core/agent.py
 1da4ec9cd9b67c8b54e4a3d314f8237d58778d8f3a00bc26a1e0540294dca30f  lib/core/bigarray.py
-ed02b196398b8351ed6989c8fd8ec2a8244f2f9da6ca7b08691219dcc63422d8  lib/core/common.py
+5c05d5e27b987b47c4c66e4233e3f33eae77cffc8d1b2d90cb5439c9fafd9b7c  lib/core/common.py
 a6397b10de7ae7c56ed6b0fa3b3c58eb7a9dbede61bf93d786e73258175c981e  lib/core/compat.py
-d6e80cecc32601e903aaf5faeb6fd2fe4c6b64a206d7eabb353b7a36e9f2bc46  lib/core/convert.py
+a9997e97ebe88e0bf7efcf21e878bc5f62c72348e5aba18f64d6861390a4dcf2  lib/core/convert.py
 c03dc585f89642cfd81b087ac2723e3e1bb3bfa8c60e6f5fe58ef3b0113ebfe6  lib/core/data.py
-421509c42dab738d908f2453cbdd6eb75eb672a7b6de68bee8c95d867fac79f1  lib/core/datatype.py
-90070160f9e8f166f9ea69975436fb358eaced6fec8a5947953b2cf050c51434  lib/core/decorators.py
+e396b7971d38896e0e20b973a3a6a3fbc3171d080a21bc6e66a65bee452fd69c  lib/core/datatype.py
+e18c0c2c5a57924a623792a48bfd36e98d9bc085f6db61a95fc0dc8a3bcedc0c  lib/core/decorators.py
 147823c37596bd6a56d677697781f34b8d1d1671d5a2518fbc9468d623c6d07d  lib/core/defaults.py
-86fa0ffa7a3e7a7141eab730e3981faf6f0249125ea9a29a57aaa8b65b7503f9  lib/core/dicts.py
+76e2c68051c2c1d811d09eec1ca63bc146f4d047708d6296be1460d047743074  lib/core/dicts.py
 186f0331d66e861a942817a3321156a93a6f66c34a19ce90ec1d10aac8bc1cac  lib/core/dump.py
-f5272cda54f7cdd07fb6154d5a1ed1f1141a2a4f39b6a85d3f325fd60ac8dc9a  lib/core/enums.py
+1abf1edeacb85eaf5cffd35fcbde4eee2da6f5fc722a8dc1f9287fb55d138418  lib/core/enums.py
 5387168e5dfedd94ae22af7bb255f27d6baaca50b24179c6b98f4f325f5cc7b4  lib/core/exception.py
 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3  lib/core/__init__.py
 914a13ee21fd610a6153a37cbe50830fcbd1324c7ebc1e7fc206d5e598b0f7ad  lib/core/log.py
 02a2264324caa249154e024a01bcd7cc40dbca4d647d5d10a50654b4415a6d77  lib/core/optiondict.py
-a9ead7442c8e1f34f03ad4db1145c08ee5907904c97e7dfd3202c752618b1092  lib/core/option.py
-fb0a08ac6f8bb07711e4e895eebf9fb3c8d452cc7aaebcdf78d926cdf051550d  lib/core/patch.py
+6576d40a66fa7871d3498c193f4e1e50a9fa9a380005d019c5c2266c1dc31c21  lib/core/option.py
+8171f6ee33e7742f06bb3014a28324496374beddee7b378ace10a26414a97762  lib/core/patch.py
 49c0fa7e3814dfda610d665ee02b12df299b28bc0b6773815b4395514ddf8dec  lib/core/profiling.py
 03db48f02c3d07a047ddb8fe33a757b6238867352d8ddda2a83e4fec09a98d04  lib/core/readlineng.py
-73ef0895d728fe76bf9abda94d4b97951069532a088d603a064e793bb2ae45d9  lib/core/replication.py
+48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3  lib/core/replication.py
 3574639db4942d16a2dc0a2f04bb7c0913c40c3862b54d34c44075a760e0c194  lib/core/revision.py
 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c  lib/core/session.py
-3e2ecb51860fac6002973bc2d2149fe6d4f7860646768396e2f211bf41b9f327  lib/core/settings.py
+306d40d69dddc0bbd8168e40df4002bb6d666e323f8211780b5c9619cd70c068  lib/core/settings.py
 cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82  lib/core/shell.py
-00dc9e87db2c13d7eaf18edd503267430460d91baf76760350be545d4a387a9f  lib/core/subprocessng.py
+bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725  lib/core/subprocessng.py
 d35650179816193164a5f177102f18379dfbe6bb6d40fbb67b78d907b41c8038  lib/core/target.py
-85b7d6a724536bfcadd317972d4baec291e3813d6773921ee31755046a950a9a  lib/core/testing.py
+b942d164a8a22ff19a99fde94410cfb3434b0496ceb1fcb0a319e7cc6b6d2e9b  lib/core/testing.py
 cf4dca323645d623109a82277a8e8a63eb9abb3fff6c8a57095eb171c1ef91b3  lib/core/threads.py
 b9aacb840310173202f79c2ba125b0243003ee6b44c92eca50424f2bdfc83c02  lib/core/unescaper.py
-492126b1f4c5ec0a352c507907a6f2067ec3a459250ed1c5d75f6457ef14a01f  lib/core/update.py
+10719f5ca450610ad28242017b2d8a77354ca357ffa26948c5f62d20cac29a8b  lib/core/update.py
 9ed5a0aef84f55d42894a006ff3616e8ee388a55790b04d968c80d1470c6d3bc  lib/core/wordlist.py
 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3  lib/__init__.py
 54bfd31ebded3ffa5848df1c644f196eb704116517c7a3d860b5d081e984d821  lib/parse/banner.py
@@ -209,18 +209,18 @@ c5b258be7485089fac9d9cd179960e774fbd85e62836dc67cce76cc028bb6aeb  lib/parse/hand
 4ca378496510a02c0184b45107889625dc7faf459073e83b3520c66674049af4  lib/parse/payloads.py
 80d26a30abe948faf817a14f746cc8b3e2341ea8286830cccaae253b8ac0cdff  lib/parse/sitemap.py
 1be3da334411657461421b8a26a0f2ff28e1af1e28f1e963c6c92768f9b0847c  lib/request/basicauthhandler.py
-a30f18e52463c7c483430201b194350b55a54855507b253af826992e7e5c8435  lib/request/basic.py
+a1c638493ecdc5194db7186bbfed815c6eed2344f2607cac8c9fa50534824266  lib/request/basic.py
 bc61bc944b81a7670884f82231033a6ac703324b34b071c9834886a92e249d0e  lib/request/chunkedhandler.py
 2daf0ce19eacda64687f441c90ef8da51714c3e8947c993ba08fb4ecdc4f5287  lib/request/comparison.py
 626bb6f3316a906a4629c0feb8ecbbcf473fb59e5bc532603c35b6b8f63f1deb  lib/request/connect.py
 8e06682280fce062eef6174351bfebcb6040e19976acff9dc7b3699779783498  lib/request/direct.py
-9ef303e18311e204727dac71c0ed8b814ab6aa1185f2af0a9703b95e5b3ea6e8  lib/request/dns.py
-ea553def411d6e208fb831a219b0241397fada46aaad432fc3c34addf75a336e  lib/request/httpshandler.py
+cf019248253a5d7edb7bc474aa020b9e8625d73008a463c56ba2b539d7f2d8ec  lib/request/dns.py
+f56fc33251bd6214e3a6316c8f843eb192b2996aa84bd4c3e98790fdcf6e8cf0  lib/request/httpshandler.py
 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3  lib/request/__init__.py
 aeeeb5f0148078e30d52208184042efc3618d3f2e840d7221897aae34315824e  lib/request/inject.py
 ada4d305d6ce441f79e52ec3f2fc23869ee2fa87c017723e8f3ed0dfa61cdab4  lib/request/methodrequest.py
-5c3edfca5ad58153ad6cface03777e059d3308b2aa3c38db993b5054145faa8e  lib/request/pkihandler.py
-4efead49b76d1237c283ecf281673d8762e09575d05af2a1e24680900ca83d0b  lib/request/rangehandler.py
+43a7fdf64e7ba63c6b2d641c9f999a63c12ac23b43b64fedfce4e05b863de568  lib/request/pkihandler.py
+b90feeb16e89a844427df42373b0139eb6f6cf3c48ccec32b3e3a3f540c2451e  lib/request/rangehandler.py
 47a97b264fb588142b102d18100030ce333ce372c677b97ed6cb04105c6c9d30  lib/request/redirecthandler.py
 1bf93c2c251f9c422ecf52d9cae0cd0ff4ea2e24091ee6d019c7a4f69de8e5eb  lib/request/templates.py
 01600295b17c00d4a5ada4c77aa688cfe36c89934da04c031be7da8040a3b457  lib/takeover/abstraction.py
@@ -395,7 +395,7 @@ ba04af3683b9a6e29e8fa6b3bf436a57e59435cebb042414f2df82018d91599e  plugins/dbms/m
 6bdc774463ac87b1bd1b6a9d5c2346b7edbf40d9848b7870a30d1eaedde4fc51  plugins/dbms/mssqlserver/connector.py
 52c19e9067f22f5c386206943d1807af4c661500bf260930a5986e9a180e96c7  plugins/dbms/mssqlserver/enumeration.py
 838ed364ce46ae37fb5b02f47d2767f7d49595f81caf4bc51c1e25fd18e4aa65  plugins/dbms/mssqlserver/filesystem.py
-c378802702f6ccc3855ec117845f758794ea18baed64f7b571009c6bd7ffc8dd  plugins/dbms/mssqlserver/fingerprint.py
+38ade085f9f1b227eda8c89f78e3ce869e8f430c98bef0cc7cbd2c7dcd60c24e  plugins/dbms/mssqlserver/fingerprint.py
 1ecde09e80d7b709a710281f4983a6831bc02ca3458ae0b97b28446d6db241b4  plugins/dbms/mssqlserver/__init__.py
 a89074020253365b6c95a4fa53e41fb0dc16f26a209b31f28e65910f26b81d21  plugins/dbms/mssqlserver/syntax.py
 57f263084438e9b2ec2e62909fc51871e9eefb1a9156bbe87908592c5274b639  plugins/dbms/mssqlserver/takeover.py
@@ -434,6 +434,13 @@ b76606fe4dee18467bc0d19af1e6ab38c0b5593c6c0f2068a8d4c664d4bd71d8  plugins/dbms/r
 3b49758a10ce88c5d8db081cdb4924168c726d1e060e6d09601796fba2a3fbee  plugins/dbms/raima/__init__.py
 1df5c5d522b381ef48174cfc5c9e1149194e15c80b9d517e3ed61d60b1a46740  plugins/dbms/raima/syntax.py
 5b9572279051ab345f45c1db02b02279a070aafdc651aedd7f163d8a6477390b  plugins/dbms/raima/takeover.py
+5744531487abfb0368e55187a66cb615277754a14c2e7facea2778378e67d5c9  plugins/dbms/snowflake/connector.py
+bca8e2de881b59314e84f361682e810333b63f8211e6aa5f5a4d0efe1d9bcd31  plugins/dbms/snowflake/enumeration.py
+3b52302bc41ab185d190bbef58312a4d6f1ee63caa8757309cda58eb91628bc5  plugins/dbms/snowflake/filesystem.py
+f51afa612135dbc870bd48085baa867f94fe1809ec8123fea8f62bc3720ac619  plugins/dbms/snowflake/fingerprint.py
+1de7c93b445deb0766c314066cb122535e9982408614b0ff952a97cbae9b813a  plugins/dbms/snowflake/__init__.py
+859cc5b9be496fe35f2782743f8e573ff9d823de7e99b0d32dbc250c361c653e  plugins/dbms/snowflake/syntax.py
+da43fed8bfa4a94aaceb63e760c69e9927c1640e45e457b8f03189be6604693f  plugins/dbms/snowflake/takeover.py
 cae01d387617e3986b9cfb23519b7c6a444e2d116f2dc774163abec0217f6ed6  plugins/dbms/sqlite/connector.py
 fbcff0468fcccd9f86277d205b33f14578b7550b33d31716fd10003f16122752  plugins/dbms/sqlite/enumeration.py
 013f6cf4d04edce3ee0ede73b6415a2774e58452a5365ab5f7a49c77650ba355  plugins/dbms/sqlite/filesystem.py
@@ -464,8 +471,8 @@ e2e20e4707abe9ed8b6208837332d2daa4eaca282f847412063f2484dcca8fbd  plugins/dbms/v
 2b2dad6ba1d344215cad11b629546eb9f259d7c996c202edf3de5ab22418787e  plugins/dbms/virtuoso/takeover.py
 51c44048e4b335b306f8ed1323fd78ad6935a8c0d6e9d6efe195a9a5a24e46dc  plugins/generic/connector.py
 a967f4ebd101c68a5dcc10ff18c882a8f44a5c3bf06613d951a739ecc3abb9b3  plugins/generic/custom.py
-ba5d7cdebd0619454ab23b474e36231085f35a70961bfe4e93d5753736799b82  plugins/generic/databases.py
-c46904df889742d2c781749e153663cde29a7c77eb8cbaad6d1db3148e9a58bd  plugins/generic/entries.py
+f4b803320e9681250b90b7d46cd599ec27fd9f2c0f8ccc707f195707551d0bc0  plugins/generic/databases.py
+6a62dbe3feddb12b48c4077478668576e62663ebd8d8aa795820199d9588f919  plugins/generic/entries.py
 d2de7fc135cf0db3eb4ac4a509c23ebec5250a5d8043face7f8c546a09f301b5  plugins/generic/enumeration.py
 a02ac4ebc1cc488a2aa5ae07e6d0c3d5064e99ded7fd529dfa073735692f11df  plugins/generic/filesystem.py
 efd7177218288f32881b69a7ba3d667dc9178f1009c06a3e1dd4f4a4ee6980db  plugins/generic/fingerprint.py
@@ -478,7 +485,7 @@ eb45fd711efa71ab9d91d815cc8abebc9abc4770311fbb827159008b000f4fc2  plugins/generi
 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3  plugins/__init__.py
 423d9bfaddb3cf527d02ddda97e53c4853d664c51ef7be519e4f45b9e399bc30  README.md
 c6ad39bfd1810413402dedfc275fc805fa13f85fc490e236c1e725bde4e5100b  sqlmapapi.py
-168309215af7dd5b0b71070e1770e72f1cbb29a3d8025143fb8aa0b88cd56b62  sqlmapapi.yaml
+4e993cfe2889bf0f86ad0abafd9a6a25849580284ea279b2115e99707e14bb97  sqlmapapi.yaml
 a40607ce164eb2d21865288d24b863edb1c734b56db857e130ac1aef961c80b9  sqlmap.conf
 e9d3d52d4c0698b956cc0dc92c177d432b1f97c5918f750baa3e737de4ae574b  sqlmap.py
 eb37a88357522fd7ad00d90cdc5da6b57442b4fec49366aadb2944c4fbf8b804  tamper/0eunion.py

data/xml/queries.xml

@@ -1786,4 +1786,66 @@
         <search_table/>
         <search_column/>
    </dbms>
+    <dbms value="Snowflake">
+        <cast query="CAST(%s AS VARCHAR)"/>
+        <length query="LENGTH(%s)"/>
+        <isnull query="NVL(%s, ' ')"/>
+        <delimiter query="||"/>
+        <limit query="LIMIT %d OFFSET %d"/>
+        <limitregexp query="\s+LIMIT\s+([\d]+)\s+OFFSET\s+([\d]+)"/>
+        <limitgroupstart query="1"/>
+        <limitgroupstop query="2"/>
+        <limitstring query=" LIMIT "/>
+        <order query="ORDER BY %s ASC"/>
+        <count query="COUNT(%s)"/>
+        <comment query="--"/>
+        <concatenate query="%s||%s"/>
+        <case query="SELECT CASE WHEN (%s) THEN 1 ELSE 0 END"/>
+        <inference query="ASCII(SUBSTR((%s),%d,1))>%d"/>
+        <banner query="SELECT CURRENT_VERSION()"/>
+        <current_user query="SELECT CURRENT_USER()"/>
+        <current_db query="SELECT CURRENT_DATABASE()"/>
+        <hostname/>
+        <table_comment/>
+        <column_comment/>
+        <is_dba query="CURRENT_ROLE()='ACCOUNTADMIN'"/>
+        
+        <dbs>
+            <inband query="SELECT DATABASE_NAME FROM SNOWFLAKE.INFORMATION_SCHEMA.DATABASES"/>
+            <blind query="SELECT DATABASE_NAME FROM SNOWFLAKE.INFORMATION_SCHEMA.DATABASES ORDER BY DATABASE_NAME LIMIT 1 OFFSET %d" count="SELECT COUNT(*) FROM SNOWFLAKE.INFORMATION_SCHEMA.DATABASES"/>
+        </dbs>
+
+        <tables>
+            <inband query="SELECT TABLE_CATALOG, TABLE_NAME FROM INFORMATION_SCHEMA.TABLES" condition="TABLE_TYPE='BASE TABLE' AND TABLE_CATALOG"/>
+            
+            <blind query="SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_CATALOG='%s' ORDER BY TABLE_NAME LIMIT 1 OFFSET %d" count="SELECT COUNT(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_CATALOG='%s'"
+            />
+        </tables>
+        
+        <columns>
+            <inband query="SELECT COLUMN_NAME, DATA_TYPE FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='%s' AND TABLE_CATALOG='%s'"/>
+            <blind query="SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='%s' AND TABLE_CATALOG='%s' LIMIT 1 OFFSET %d" query2="SELECT DATA_TYPE FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='%s' AND COLUMN_NAME='%s' AND TABLE_CATALOG='%s'" count="SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='%s' AND TABLE_CATALOG='%s'"/>
+        </columns>
+        
+        <dump_table>
+            <inband query="SELECT %s FROM TABLE('%s')"/>
+            <blind query="SELECT %s FROM %s.%s LIMIT 1 OFFSET %d" count="SELECT COUNT(*) FROM %s.%s"/>
+        </dump_table>
+        
+        <users>
+            <inband query="SELECT NAME FROM SNOWFLAKE.ACCOUNT_USAGE.USERS"/>
+            <blind query="SELECT NAME FROM SNOWFLAKE.ACCOUNT_USAGE.USERS LIMIT 1 OFFSET %d" count="SELECT COUNT(*) FROM SNOWFLAKE.ACCOUNT_USAGE.USERS"/>
+        </users>
+        
+        <roles>
+            <inband query="SELECT NAME FROM SNOWFLAKE.ACCOUNT_USAGE.ROLES"/>
+            <blind query="SELECT NAME FROM SNOWFLAKE.ACCOUNT_USAGE.ROLES LIMIT 1 OFFSET %d" count="SELECT COUNT(*) FROM SNOWFLAKE.ACCOUNT_USAGE.ROLES"/>
+        </roles>
+        
+        <privileges/>
+        <statements/>
+        <search_db/>
+        <search_table/>
+        <search_column/>
+    </dbms>
 </root>

doc/THANKS.md

@@ -535,6 +535,9 @@ Duarte Silva <duarte.silva(at)serializing.me>
 M Simkin, <mlsimkin(at)cox.net>
 * for suggesting a feature
 
+Tanaydin Sirin, <tanaydinsirin(at)gmail.com>
+* for implementation of ncurses TUI (switch --tui)
+
 Konrads Smelkovs, <konrads(at)smelkovs.com>
 * for reporting a few bugs in --sql-shell and --sql-query on Microsoft SQL Server
 

extra/vulnserver/vulnserver.py

@@ -11,8 +11,10 @@ from __future__ import print_function
 
 import base64
 import json
+import random
 import re
 import sqlite3
+import string
 import sys
 import threading
 import traceback
@@ -49,9 +51,70 @@ SCHEMA = """
     );
     INSERT INTO users (id, name, surname) VALUES (1, 'luther', 'blisset');
     INSERT INTO users (id, name, surname) VALUES (2, 'fluffy', 'bunny');
-    INSERT INTO users (id, name, surname) VALUES (3, 'wu', '179ad45c6ce2cb97cf1029e212046e81');
-    INSERT INTO users (id, name, surname) VALUES (4, 'sqlmap/1.0-dev (https://sqlmap.org)', 'user agent header');
-    INSERT INTO users (id, name, surname) VALUES (5, NULL, 'nameisnull');
+    INSERT INTO users (id, name, surname) VALUES (3, 'wu', 'ming');
+    INSERT INTO users (id, name, surname) VALUES (4, NULL, 'nameisnull');
+    INSERT INTO users (id, name, surname) VALUES (5, 'mark', 'lewis');
+    INSERT INTO users (id, name, surname) VALUES (6, 'ada', 'lovelace');
+    INSERT INTO users (id, name, surname) VALUES (7, 'grace', 'hopper');
+    INSERT INTO users (id, name, surname) VALUES (8, 'alan', 'turing');
+    INSERT INTO users (id, name, surname) VALUES (9, 'margaret','hamilton');
+    INSERT INTO users (id, name, surname) VALUES (10, 'donald', 'knuth');
+    INSERT INTO users (id, name, surname) VALUES (11, 'tim', 'bernerslee');
+    INSERT INTO users (id, name, surname) VALUES (12, 'linus', 'torvalds');
+    INSERT INTO users (id, name, surname) VALUES (13, 'ken', 'thompson');
+    INSERT INTO users (id, name, surname) VALUES (14, 'dennis', 'ritchie');
+    INSERT INTO users (id, name, surname) VALUES (15, 'barbara', 'liskov');
+    INSERT INTO users (id, name, surname) VALUES (16, 'edsger', 'dijkstra');
+    INSERT INTO users (id, name, surname) VALUES (17, 'john', 'mccarthy');
+    INSERT INTO users (id, name, surname) VALUES (18, 'leslie', 'lamport');
+    INSERT INTO users (id, name, surname) VALUES (19, 'niklaus', 'wirth');
+    INSERT INTO users (id, name, surname) VALUES (20, 'bjarne', 'stroustrup');
+    INSERT INTO users (id, name, surname) VALUES (21, 'guido', 'vanrossum');
+    INSERT INTO users (id, name, surname) VALUES (22, 'brendan', 'eich');
+    INSERT INTO users (id, name, surname) VALUES (23, 'james', 'gosling');
+    INSERT INTO users (id, name, surname) VALUES (24, 'andrew', 'tanenbaum');
+    INSERT INTO users (id, name, surname) VALUES (25, 'yukihiro','matsumoto');
+    INSERT INTO users (id, name, surname) VALUES (26, 'radia', 'perlman');
+    INSERT INTO users (id, name, surname) VALUES (27, 'katherine','johnson');
+    INSERT INTO users (id, name, surname) VALUES (28, 'hady', 'lamarr');
+    INSERT INTO users (id, name, surname) VALUES (29, 'frank', 'miller');
+    INSERT INTO users (id, name, surname) VALUES (30, 'john', 'steward');
+
+    CREATE TABLE creds (
+        user_id INTEGER,
+        password_hash TEXT,
+        FOREIGN KEY (user_id) REFERENCES users(id)
+    );
+    INSERT INTO creds (user_id, password_hash) VALUES (1, 'db3a16990a0008a3b04707fdef6584a0');
+    INSERT INTO creds (user_id, password_hash) VALUES (2, '4db967ce67b15e7fb84c266a76684729');
+    INSERT INTO creds (user_id, password_hash) VALUES (3, 'f5a2950eaa10f9e99896800eacbe8275');
+    INSERT INTO creds (user_id, password_hash) VALUES (4, NULL);
+    INSERT INTO creds (user_id, password_hash) VALUES (5, '179ad45c6ce2cb97cf1029e212046e81');
+    INSERT INTO creds (user_id, password_hash) VALUES (6, '0f1e2d3c4b5a69788796a5b4c3d2e1f0');
+    INSERT INTO creds (user_id, password_hash) VALUES (7, 'a1b2c3d4e5f60718293a4b5c6d7e8f90');
+    INSERT INTO creds (user_id, password_hash) VALUES (8, '1a2b3c4d5e6f708192a3b4c5d6e7f809');
+    INSERT INTO creds (user_id, password_hash) VALUES (9, '9f8e7d6c5b4a3928170605f4e3d2c1b0');
+    INSERT INTO creds (user_id, password_hash) VALUES (10, '3c2d1e0f9a8b7c6d5e4f30291807f6e5');
+    INSERT INTO creds (user_id, password_hash) VALUES (11, 'b0c1d2e3f405162738495a6b7c8d9eaf');
+    INSERT INTO creds (user_id, password_hash) VALUES (12, '6e5d4c3b2a190807f6e5d4c3b2a1908f');
+    INSERT INTO creds (user_id, password_hash) VALUES (13, '11223344556677889900aabbccddeeff');
+    INSERT INTO creds (user_id, password_hash) VALUES (14, 'ffeeddccbbaa00998877665544332211');
+    INSERT INTO creds (user_id, password_hash) VALUES (15, '1234567890abcdef1234567890abcdef');
+    INSERT INTO creds (user_id, password_hash) VALUES (16, 'abcdef1234567890abcdef1234567890');
+    INSERT INTO creds (user_id, password_hash) VALUES (17, '0a1b2c3d4e5f60718a9b0c1d2e3f4051');
+    INSERT INTO creds (user_id, password_hash) VALUES (18, '51f04e3d2c1b0a9871605f4e3d2c1b0a');
+    INSERT INTO creds (user_id, password_hash) VALUES (19, '89abcdef0123456789abcdef01234567');
+    INSERT INTO creds (user_id, password_hash) VALUES (20, '76543210fedcba9876543210fedcba98');
+    INSERT INTO creds (user_id, password_hash) VALUES (21, '13579bdf2468ace013579bdf2468ace0');
+    INSERT INTO creds (user_id, password_hash) VALUES (22, '02468ace13579bdf02468ace13579bdf');
+    INSERT INTO creds (user_id, password_hash) VALUES (23, 'deadbeefdeadbeefdeadbeefdeadbeef');
+    INSERT INTO creds (user_id, password_hash) VALUES (24, 'cafebabecafebabecafebabecafebabe');
+    INSERT INTO creds (user_id, password_hash) VALUES (25, '00112233445566778899aabbccddeeff');
+    INSERT INTO creds (user_id, password_hash) VALUES (26, 'f0e1d2c3b4a5968778695a4b3c2d1e0f');
+    INSERT INTO creds (user_id, password_hash) VALUES (27, '7f6e5d4c3b2a190807f6e5d4c3b2a190');
+    INSERT INTO creds (user_id, password_hash) VALUES (28, '908f7e6d5c4b3a291807f6e5d4c3b2a1');
+    INSERT INTO creds (user_id, password_hash) VALUES (29, '3049b791fa83e2f42f37bae18634b92d');
+    INSERT INTO creds (user_id, password_hash) VALUES (30, 'd59a348f90d757c7da30418773424b5e');
 """
 
 LISTEN_ADDRESS = "localhost"
@@ -62,11 +125,15 @@ _cursor = None
 _lock = None
 _server = None
 _alive = False
+_csrf_token = None
 
 def init(quiet=False):
     global _conn
     global _cursor
     global _lock
+    global _csrf_token
+
+    _csrf_token = "".join(random.sample(string.ascii_letters + string.digits, 20))
 
     _conn = sqlite3.connect(":memory:", isolation_level=None, check_same_thread=False)
     _cursor = _conn.cursor()
@@ -131,6 +198,28 @@ class ReqHandler(BaseHTTPRequestHandler):
 
         self.url, self.params = path, params
 
+        if self.url == "/csrf":
+            if self.params.get("csrf_token") == _csrf_token:
+                self.url = "/"
+            else:
+                self.send_response(OK)
+                self.send_header("Content-type", "text/html; charset=%s" % UNICODE_ENCODING)
+                self.end_headers()
+
+                form = (
+                    "<html><body>"
+                    "CSRF protection check<br>"
+                    "<form action='/csrf' method='POST'>"
+                    "<input type='hidden' name='csrf_token' value='%s'>"
+                    "id: <input type='text' name='id'>"
+                    "<input type='submit' value='Submit'>"
+                    "</form>"
+                    "</body></html>"
+                ) % _csrf_token
+
+                self.wfile.write(form.encode(UNICODE_ENCODING))
+                return
+
         if self.url == '/':
             if not any(_ in self.params for _ in ("id", "query")):
                 self.send_response(OK)
@@ -139,7 +228,7 @@ class ReqHandler(BaseHTTPRequestHandler):
                 self.end_headers()
                 self.wfile.write(b"<!DOCTYPE html><html><head><title>vulnserver</title></head><body><h3>GET:</h3><a href='/?id=1'>link</a><hr><h3>POST:</h3><form method='post'>ID: <input type='text' name='id'><input type='submit' value='Submit'></form></body></html>")
             else:
-                code, output = OK, ""
+                code, output = OK, "<body><html>"
 
                 try:
                     if self.params.get("echo", ""):
@@ -177,6 +266,11 @@ class ReqHandler(BaseHTTPRequestHandler):
                         else:
                             output += "no results found"
 
+                        if not results:
+                            output = "<title>No results</title>" + output
+                        else:
+                            output = "<title>Results</title>" + output
+
                     output += "</body></html>"
                 except Exception as ex:
                     code = INTERNAL_SERVER_ERROR

lib/controller/checks.py

@@ -554,7 +554,7 @@ def checkSqlInjection(place, parameter, value):
 
                                     injectable = True
 
-                                elif (threadData.lastComparisonRatio or 0) > UPPER_RATIO_BOUND and not any((conf.string, conf.notString, conf.regexp, conf.code, kb.nullConnection)):
+                                elif (threadData.lastComparisonRatio or 0) > UPPER_RATIO_BOUND and not any((conf.string, conf.notString, conf.regexp, conf.code, conf.titles, kb.nullConnection)):
                                     originalSet = set(getFilteredPageContent(kb.pageTemplate, True, "\n").split("\n"))
                                     trueSet = set(getFilteredPageContent(truePage, True, "\n").split("\n"))
                                     falseSet = set(getFilteredPageContent(falsePage, True, "\n").split("\n"))
@@ -580,7 +580,7 @@ def checkSqlInjection(place, parameter, value):
                                                     break
 
                             if injectable:
-                                if kb.pageStable and not any((conf.string, conf.notString, conf.regexp, conf.code, kb.nullConnection)):
+                                if kb.pageStable and not any((conf.string, conf.notString, conf.regexp, conf.code, conf.titles, kb.nullConnection)):
                                     if all((falseCode, trueCode)) and falseCode != trueCode and trueCode != kb.heuristicCode:
                                         suggestion = conf.code = trueCode
 

lib/controller/handler.py

@@ -41,6 +41,7 @@ from lib.core.settings import SQLITE_ALIASES
 from lib.core.settings import SYBASE_ALIASES
 from lib.core.settings import VERTICA_ALIASES
 from lib.core.settings import VIRTUOSO_ALIASES
+from lib.core.settings import SNOWFLAKE_ALIASES
 from lib.utils.sqlalchemy import SQLAlchemy
 
 from plugins.dbms.access.connector import Connector as AccessConn
@@ -99,6 +100,8 @@ from plugins.dbms.vertica.connector import Connector as VerticaConn
 from plugins.dbms.vertica import VerticaMap
 from plugins.dbms.virtuoso.connector import Connector as VirtuosoConn
 from plugins.dbms.virtuoso import VirtuosoMap
+from plugins.dbms.snowflake.connector import Connector as SnowflakeConn
+from plugins.dbms.snowflake import SnowflakeMap
 
 def setHandler():
     """
@@ -107,6 +110,7 @@ def setHandler():
     """
 
     items = [
+        (DBMS.SNOWFLAKE, SNOWFLAKE_ALIASES, SnowflakeMap, SnowflakeConn),
         (DBMS.MYSQL, MYSQL_ALIASES, MySQLMap, MySQLConn),
         (DBMS.ORACLE, ORACLE_ALIASES, OracleMap, OracleConn),
         (DBMS.PGSQL, PGSQL_ALIASES, PostgreSQLMap, PostgreSQLConn),
@@ -135,6 +139,7 @@ def setHandler():
         (DBMS.FRONTBASE, FRONTBASE_ALIASES, FrontBaseMap, FrontBaseConn),
         (DBMS.RAIMA, RAIMA_ALIASES, RaimaMap, RaimaConn),
         (DBMS.VIRTUOSO, VIRTUOSO_ALIASES, VirtuosoMap, VirtuosoConn),
+        # TODO: put snowflake stuff on this line
     ]
 
     _ = max(_ if (conf.get("dbms") or Backend.getIdentifiedDbms() or kb.heuristicExtendedDbms or "").lower() in _[1] else () for _ in items)

lib/core/common.py

@@ -3461,6 +3461,9 @@ def parseSqliteTableSchema(value):
             columns[column] = match.group(3) or "TEXT"
 
         table[safeSQLIdentificatorNaming(conf.tbl, True)] = columns
+        if conf.db in kb.data.cachedColumns:
+            kb.data.cachedColumns[conf.db].update(table)
+        else:
             kb.data.cachedColumns[conf.db] = table
 
     return retVal

lib/core/convert.py

@@ -295,7 +295,11 @@ def getBytes(value, encoding=None, errors="strict", unsafe=True):
     except (LookupError, TypeError):
         encoding = UNICODE_ENCODING
 
-    if isinstance(value, six.text_type):
+    if isinstance(value, bytearray):
+        return bytes(value)
+    elif isinstance(value, memoryview):
+        return value.tobytes()
+    elif isinstance(value, six.text_type):
         if INVALID_UNICODE_PRIVATE_AREA:
             if unsafe:
                 for char in xrange(0xF0000, 0xF00FF + 1):

lib/core/decorators.py

@@ -96,13 +96,24 @@ def stackedmethod(f):
             result = f(*args, **kwargs)
         finally:
             if len(threadData.valueStack) > originalLevel:
-                threadData.valueStack = threadData.valueStack[:originalLevel]
+                del threadData.valueStack[originalLevel:]
 
         return result
 
     return _
 
 def lockedmethod(f):
+    """
+    Decorates a function or method with a reentrant lock (only one thread can execute the function at a time)
+
+    >>> @lockedmethod
+    ... def recursive_count(n):
+    ...     if n <= 0: return 0
+    ...     return n + recursive_count(n - 1)
+    >>> recursive_count(5)
+    15
+    """
+
     lock = threading.RLock()
 
     @functools.wraps(f)

lib/core/dicts.py

@@ -39,6 +39,7 @@ from lib.core.settings import SYBASE_ALIASES
 from lib.core.settings import VERTICA_ALIASES
 from lib.core.settings import VIRTUOSO_ALIASES
 from lib.core.settings import CLICKHOUSE_ALIASES
+from lib.core.settings import SNOWFLAKE_ALIASES
 
 FIREBIRD_TYPES = {
     261: "BLOB",
@@ -250,6 +251,7 @@ DBMS_DICT = {
     DBMS.FRONTBASE: (FRONTBASE_ALIASES, None, None, None),
     DBMS.RAIMA: (RAIMA_ALIASES, None, None, None),
     DBMS.VIRTUOSO: (VIRTUOSO_ALIASES, None, None, None),
+    DBMS.SNOWFLAKE: (SNOWFLAKE_ALIASES, None, None, "snowflake"),
 }
 
 # Reference: https://blog.jooq.org/tag/sysibm-sysdummy1/

lib/core/enums.py

@@ -60,6 +60,7 @@ class DBMS(object):
     FRONTBASE = "FrontBase"
     RAIMA = "Raima Database Manager"
     VIRTUOSO = "Virtuoso"
+    SNOWFLAKE = "Snowflake"
 
 class DBMS_DIRECTORY_NAME(object):
     ACCESS = "access"
@@ -90,6 +91,7 @@ class DBMS_DIRECTORY_NAME(object):
     FRONTBASE = "frontbase"
     RAIMA = "raima"
     VIRTUOSO = "virtuoso"
+    SNOWFLAKE = "snowflake"
 
 class FORK(object):
     MARIADB = "MariaDB"

lib/core/option.py

@@ -2038,7 +2038,7 @@ def _setKnowledgeBaseAttributes(flushAll=True):
     kb.cache.addrinfo = {}
     kb.cache.content = LRUDict(capacity=16)
     kb.cache.comparison = {}
-    kb.cache.encoding = {}
+    kb.cache.encoding = LRUDict(capacity=256)
     kb.cache.alphaBoundaries = None
     kb.cache.hashRegex = None
     kb.cache.intBoundaries = None

lib/core/patch.py

@@ -101,7 +101,7 @@ def dirtyPatches():
 
     # Reference: https://github.com/sqlmapproject/sqlmap/issues/5929
     try:
-        global collections
+        import collections
         if not hasattr(collections, "MutableSet"):
             import collections.abc
             collections.MutableSet = collections.abc.MutableSet
@@ -139,7 +139,7 @@ def dirtyPatches():
     # Installing "reversible" unicode (decoding) error handler
     def _reversible(ex):
         if INVALID_UNICODE_PRIVATE_AREA:
-            return (u"".join(_unichr(int('000f00%2x' % (_ if isinstance(_, int) else ord(_)), 16)) for _ in ex.object[ex.start:ex.end]), ex.end)
+            return (u"".join(_unichr(int('000f00%02x' % (_ if isinstance(_, int) else ord(_)), 16)) for _ in ex.object[ex.start:ex.end]), ex.end)
         else:
             return (u"".join(INVALID_UNICODE_CHAR_FORMAT % (_ if isinstance(_, int) else ord(_)) for _ in ex.object[ex.start:ex.end]), ex.end)
 

lib/core/replication.py

@@ -106,10 +106,12 @@ class Replication(object):
             """
             This function is used for selecting row(s) from current table.
             """
-            _ = 'SELECT * FROM %s' % self.name
+            query = 'SELECT * FROM "%s"' % self.name
             if condition:
-                _ += 'WHERE %s' % condition
-            return self.execute(_)
+                query += ' WHERE %s' % condition
+
+            self.execute(query)
+            return self.parent.cursor.fetchall()
 
     def createTable(self, tblname, columns=None, typeless=False):
         """

lib/core/settings.py

@@ -19,7 +19,7 @@ from lib.core.enums import OS
 from thirdparty import six
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.10"
+VERSION = "1.10.1.24"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
@@ -61,7 +61,7 @@ LOWER_RATIO_BOUND = 0.02
 UPPER_RATIO_BOUND = 0.98
 
 # For filling in case of dumb push updates
-DUMMY_JUNK = "Aich8ooT"
+DUMMY_JUNK = "theim1Ga"
 
 # Markers for special cases when parameter values contain html encoded characters
 PARAMETER_AMP_MARKER = "__PARAMETER_AMP__"
@@ -292,6 +292,7 @@ EXTREMEDB_SYSTEM_DBS = ("",)
 FRONTBASE_SYSTEM_DBS = ("DEFINITION_SCHEMA", "INFORMATION_SCHEMA")
 RAIMA_SYSTEM_DBS = ("",)
 VIRTUOSO_SYSTEM_DBS = ("",)
+SNOWFLAKE_SYSTEM_DBS = ("INFORMATION_SCHEMA",)
 
 # Note: (<regular>) + (<forks>)
 MSSQL_ALIASES = ("microsoft sql server", "mssqlserver", "mssql", "ms")
@@ -322,10 +323,11 @@ EXTREMEDB_ALIASES = ("extremedb", "extreme")
 FRONTBASE_ALIASES = ("frontbase",)
 RAIMA_ALIASES = ("raima database manager", "raima", "raimadb", "raimadm", "rdm", "rds", "velocis")
 VIRTUOSO_ALIASES = ("virtuoso", "openlink virtuoso")
+SNOWFLAKE_ALIASES = ("snowflake",)
 
 DBMS_DIRECTORY_DICT = dict((getattr(DBMS, _), getattr(DBMS_DIRECTORY_NAME, _)) for _ in dir(DBMS) if not _.startswith("_"))
 
-SUPPORTED_DBMS = set(MSSQL_ALIASES + MYSQL_ALIASES + PGSQL_ALIASES + ORACLE_ALIASES + SQLITE_ALIASES + ACCESS_ALIASES + FIREBIRD_ALIASES + MAXDB_ALIASES + SYBASE_ALIASES + DB2_ALIASES + HSQLDB_ALIASES + H2_ALIASES + INFORMIX_ALIASES + MONETDB_ALIASES + DERBY_ALIASES + VERTICA_ALIASES + MCKOI_ALIASES + PRESTO_ALIASES + ALTIBASE_ALIASES + MIMERSQL_ALIASES + CLICKHOUSE_ALIASES + CRATEDB_ALIASES + CUBRID_ALIASES + CACHE_ALIASES + EXTREMEDB_ALIASES + RAIMA_ALIASES + VIRTUOSO_ALIASES)
+SUPPORTED_DBMS = set(MSSQL_ALIASES + MYSQL_ALIASES + PGSQL_ALIASES + ORACLE_ALIASES + SQLITE_ALIASES + ACCESS_ALIASES + FIREBIRD_ALIASES + MAXDB_ALIASES + SYBASE_ALIASES + DB2_ALIASES + HSQLDB_ALIASES + H2_ALIASES + INFORMIX_ALIASES + MONETDB_ALIASES + DERBY_ALIASES + VERTICA_ALIASES + MCKOI_ALIASES + PRESTO_ALIASES + ALTIBASE_ALIASES + MIMERSQL_ALIASES + CLICKHOUSE_ALIASES + CRATEDB_ALIASES + CUBRID_ALIASES + CACHE_ALIASES + EXTREMEDB_ALIASES + RAIMA_ALIASES + VIRTUOSO_ALIASES + SNOWFLAKE_ALIASES)
 SUPPORTED_OS = ("linux", "windows")
 
 DBMS_ALIASES = ((DBMS.MSSQL, MSSQL_ALIASES), (DBMS.MYSQL, MYSQL_ALIASES), (DBMS.PGSQL, PGSQL_ALIASES), (DBMS.ORACLE, ORACLE_ALIASES), (DBMS.SQLITE, SQLITE_ALIASES), (DBMS.ACCESS, ACCESS_ALIASES), (DBMS.FIREBIRD, FIREBIRD_ALIASES), (DBMS.MAXDB, MAXDB_ALIASES), (DBMS.SYBASE, SYBASE_ALIASES), (DBMS.DB2, DB2_ALIASES), (DBMS.HSQLDB, HSQLDB_ALIASES), (DBMS.H2, H2_ALIASES), (DBMS.INFORMIX, INFORMIX_ALIASES), (DBMS.MONETDB, MONETDB_ALIASES), (DBMS.DERBY, DERBY_ALIASES), (DBMS.VERTICA, VERTICA_ALIASES), (DBMS.MCKOI, MCKOI_ALIASES), (DBMS.PRESTO, PRESTO_ALIASES), (DBMS.ALTIBASE, ALTIBASE_ALIASES), (DBMS.MIMERSQL, MIMERSQL_ALIASES), (DBMS.CLICKHOUSE, CLICKHOUSE_ALIASES), (DBMS.CRATEDB, CRATEDB_ALIASES), (DBMS.CUBRID, CUBRID_ALIASES), (DBMS.CACHE, CACHE_ALIASES), (DBMS.EXTREMEDB, EXTREMEDB_ALIASES), (DBMS.FRONTBASE, FRONTBASE_ALIASES), (DBMS.RAIMA, RAIMA_ALIASES), (DBMS.VIRTUOSO, VIRTUOSO_ALIASES))

lib/core/subprocessng.py

@@ -75,7 +75,7 @@ class Popen(subprocess.Popen):
     def recv_err(self, maxsize=None):
         return self._recv('stderr', maxsize)
 
-    def send_recv(self, input='', maxsize=None):
+    def send_recv(self, input=b'', maxsize=None):
         return self.send(input), self.recv(maxsize), self.recv_err(maxsize)
 
     def get_conn_maxsize(self, which, maxsize):
@@ -97,7 +97,7 @@ class Popen(subprocess.Popen):
             try:
                 x = msvcrt.get_osfhandle(self.stdin.fileno())
                 (_, written) = WriteFile(x, input)
-            except ValueError:
+            except (ValueError, NameError):
                 return self._close('stdin')
             except Exception as ex:
                 if getattr(ex, "args", None) and ex.args[0] in (109, errno.ESHUTDOWN):
@@ -187,7 +187,7 @@ def recv_some(p, t=.1, e=1, tr=5, stderr=0):
             y.append(r)
         else:
             time.sleep(max((x - time.time()) / tr, 0))
-    return b''.join(y)
+    return b''.join(getBytes(i) for i in y)
 
 def send_all(p, data):
     if not data:

lib/core/testing.py

@@ -43,7 +43,7 @@ def vulnTest():
         ("-u <url> --data=\"reflect=1\" --flush-session --wizard --disable-coloring", ("Please choose:", "back-end DBMS: SQLite", "current user is DBA: True", "banner: '3.")),
         ("-u <url> --data=\"code=1\" --code=200 --technique=B --banner --no-cast --flush-session", ("back-end DBMS: SQLite", "banner: '3.", "~COALESCE(CAST(")),
         (u"-c <config> --flush-session --output-dir=\"<tmpdir>\" --smart --roles --statements --hostname --privileges --sql-query=\"SELECT '\u0161u\u0107uraj'\" --technique=U", (u": '\u0161u\u0107uraj'", "on SQLite it is not possible", "as the output directory")),
-        (u"-u <url> --flush-session --sql-query=\"SELECT '\u0161u\u0107uraj'\" --technique=B --no-escape --string=luther --unstable", (u": '\u0161u\u0107uraj'",)),
+        (u"-u <url> --flush-session --sql-query=\"SELECT '\u0161u\u0107uraj'\" --titles --technique=B --no-escape --string=luther --unstable", (u": '\u0161u\u0107uraj'", "~with --string",)),
         ("-m <multiple> --flush-session --technique=B --banner", ("/3] URL:", "back-end DBMS: SQLite", "banner: '3.")),
         ("--dummy", ("all tested parameters do not appear to be injectable", "does not seem to be injectable", "there is not at least one", "~might be injectable")),
         ("-u \"<url>&id2=1\" -p id2 -v 5 --flush-session --level=5 --text-only --test-filter=\"AND boolean-based blind - WHERE or HAVING clause (MySQL comment)\"", ("~1AND",)),
@@ -62,19 +62,20 @@ def vulnTest():
         ("-u <base> --flush-session -H \"Foo: Bar\" -H \"Sna: Fu\" --data=\"<root><param name=\\\"id\\\" value=\\\"1*\\\"/></root>\" --union-char=1 --mobile --answers=\"smartphone=3\" --banner --smart -v 5", ("might be injectable", "Payload: <root><param name=\"id\" value=\"1", "Type: boolean-based blind", "Type: time-based blind", "Type: UNION query", "banner: '3.", "Nexus", "Sna: Fu", "Foo: Bar")),
         ("-u <base> --flush-session --technique=BU --method=PUT --data=\"a=1;id=1;b=2\" --param-del=\";\" --skip-static --har=<tmpfile> --dump -T users --start=1 --stop=2", ("might be injectable", "Parameter: id (PUT)", "Type: boolean-based blind", "Type: UNION query", "2 entries")),
         ("-u <url> --flush-session -H \"id: 1*\" --tables -t <tmpfile>", ("might be injectable", "Parameter: id #1* ((custom) HEADER)", "Type: boolean-based blind", "Type: time-based blind", "Type: UNION query", " users ")),
-        ("-u <url> --flush-session --banner --invalid-logical --technique=B --predict-output --test-filter=\"OR boolean\" --tamper=space2dash", ("banner: '3.", " LIKE ")),
+        ("-u <url> --flush-session --banner --invalid-logical --technique=B --predict-output --titles --test-filter=\"OR boolean\" --tamper=space2dash", ("banner: '3.", " LIKE ")),
         ("-u <url> --flush-session --cookie=\"PHPSESSID=d41d8cd98f00b204e9800998ecf8427e; id=1*; id2=2\" --tables --union-cols=3", ("might be injectable", "Cookie #1* ((custom) HEADER)", "Type: boolean-based blind", "Type: time-based blind", "Type: UNION query", " users ")),
-        ("-u <url> --flush-session --null-connection --technique=B --tamper=between,randomcase --banner --count -T users", ("NULL connection is supported with HEAD method", "banner: '3.", "users | 5")),
+        ("-u <url> --flush-session --null-connection --technique=B --tamper=between,randomcase --banner --count -T users", ("NULL connection is supported with HEAD method", "banner: '3.", "users | 30")),
         ("-u <base> --data=\"aWQ9MQ==\" --flush-session --base64=POST -v 6", ("aWQ9MTtXQUlURk9SIERFTEFZICcwOjA",)),
         ("-u <url> --flush-session --parse-errors --test-filter=\"subquery\" --eval=\"import hashlib; id2=2; id3=hashlib.md5(id.encode()).hexdigest()\" --referer=\"localhost\"", ("might be injectable", ": syntax error", "back-end DBMS: SQLite", "WHERE or HAVING clause (subquery")),
-        ("-u <url> --banner --schema --dump -T users --binary-fields=surname --where \"id>3\"", ("banner: '3.", "INTEGER", "TEXT", "id", "name", "surname", "2 entries", "6E616D6569736E756C6C")),
-        ("-u <url> --technique=U --fresh-queries --force-partial --dump -T users --dump-format=HTML --answers=\"crack=n\" -v 3", ("performed 6 queries", "nameisnull", "~using default dictionary", "dumped to HTML file")),
-        ("-u <url> --flush-session --technique=BU --all", ("5 entries", "Type: boolean-based blind", "Type: UNION query", "luther", "blisset", "fluffy", "179ad45c6ce2cb97cf1029e212046e81", "NULL", "nameisnull", "testpass")),
-        ("-u <url> -z \"tec=B\" --hex --fresh-queries --threads=4 --sql-query=\"SELECT * FROM users\"", ("SELECT * FROM users [5]", "nameisnull")),
+        ("-u <url> --banner --schema --dump -T users --binary-fields=surname --where \"id>3\"", ("banner: '3.", "INTEGER", "TEXT", "id", "name", "surname", "27 entries", "6E616D6569736E756C6C")),
+        ("-u <url> --technique=U --fresh-queries --force-partial --dump -T users --dump-format=HTML --answers=\"crack=n\" -v 3", ("performed 31 queries", "nameisnull", "~using default dictionary", "dumped to HTML file")),
+        ("-u <url> --flush-session --technique=BU --all", ("30 entries", "Type: boolean-based blind", "Type: UNION query", "luther", "blisset", "fluffy", "179ad45c6ce2cb97cf1029e212046e81", "NULL", "nameisnull", "testpass")),
+        ("-u <url> -z \"tec=B\" --hex --fresh-queries --threads=4 --sql-query=\"SELECT * FROM users\"", ("SELECT * FROM users [30]", "nameisnull")),
         ("-u \"<url>&echo=foobar*\" --flush-session", ("might be vulnerable to cross-site scripting",)),
         ("-u \"<url>&query=*\" --flush-session --technique=Q --banner", ("Title: SQLite inline queries", "banner: '3.")),
-        ("-d \"<direct>\" --flush-session --dump -T users --dump-format=SQLITE --binary-fields=name --where \"id=3\"", ("7775", "179ad45c6ce2cb97cf1029e212046e81 (testpass)", "dumped to SQLITE database")),
-        ("-d \"<direct>\" --flush-session --banner --schema --sql-query=\"UPDATE users SET name='foobar' WHERE id=5; SELECT * FROM users; SELECT 987654321\"", ("banner: '3.", "INTEGER", "TEXT", "id", "name", "surname", "5,foobar,nameisnull", "'987654321'",)),
+        ("-d \"<direct>\" --flush-session --dump -T creds --dump-format=SQLITE --binary-fields=password_hash --where \"user_id=5\"", ("3137396164343563366365326362393763663130323965323132303436653831", "dumped to SQLITE database")),
+        ("-d \"<direct>\" --flush-session --banner --schema --sql-query=\"UPDATE users SET name='foobar' WHERE id=4; SELECT * FROM users; SELECT 987654321\"", ("banner: '3.", "INTEGER", "TEXT", "id", "name", "surname", "4,foobar,nameisnull", "'987654321'",)),
+        ("-u <base>csrf --data=\"id=1&csrf_token=1\" --banner --answers=\"update=y\" --flush-session", ("back-end DBMS: SQLite", "banner: '3.")),
         ("--purge -v 3", ("~ERROR", "~CRITICAL", "deleting the whole directory tree")),
     )
 

lib/core/update.py

@@ -163,7 +163,7 @@ def update():
             infoMsg += "to use a GitHub for Windows client for updating "
             infoMsg += "purposes (https://desktop.github.com/) or just "
             infoMsg += "download the latest snapshot from "
-            infoMsg += "https://github.com/sqlmapproject/sqlmap/downloads"
+            infoMsg += "https://github.com/sqlmapproject/sqlmap/releases"
         else:
             infoMsg = "for Linux platform it's recommended "
             infoMsg += "to install a standard 'git' package (e.g.: 'apt install git')"

lib/request/basic.py

@@ -10,7 +10,6 @@ import gzip
 import io
 import logging
 import re
-import struct
 import zlib
 
 from lib.core.common import Backend
@@ -249,6 +248,7 @@ def checkCharEncoding(encoding, warn=True):
 
     return encoding
 
+@lockedmethod
 def getHeuristicCharEncoding(page):
     """
     Returns page encoding charset detected by usage of heuristics
@@ -259,8 +259,11 @@ def getHeuristicCharEncoding(page):
     'ascii'
     """
 
-    key = hash(page)
-    retVal = kb.cache.encoding[key] if key in kb.cache.encoding else detect(page[:HEURISTIC_PAGE_SIZE_THRESHOLD])["encoding"]
+    key = (len(page), hash(page))
+
+    retVal = kb.cache.encoding.get(key)
+    if retVal is None:
+        retVal = detect(page[:HEURISTIC_PAGE_SIZE_THRESHOLD])["encoding"]
         kb.cache.encoding[key] = retVal
 
     if retVal and retVal.lower().replace('-', "") == UNICODE_ENCODING.lower().replace('-', ""):
@@ -282,8 +285,8 @@ def decodePage(page, contentEncoding, contentType, percentDecode=True):
     if not page or (conf.nullConnection and len(page) < 2):
         return getUnicode(page)
 
-    contentEncoding = contentEncoding.lower() if hasattr(contentEncoding, "lower") else ""
-    contentType = contentType.lower() if hasattr(contentType, "lower") else ""
+    contentEncoding = getText(contentEncoding).lower() if contentEncoding else ""
+    contentType = getText(contentType).lower() if contentType else ""
 
     if contentEncoding in ("gzip", "x-gzip", "deflate"):
         if not kb.pageCompress:
@@ -291,14 +294,16 @@ def decodePage(page, contentEncoding, contentType, percentDecode=True):
 
         try:
             if contentEncoding == "deflate":
-                data = io.BytesIO(zlib.decompress(page, -15))  # Reference: http://stackoverflow.com/questions/1089662/python-inflate-and-deflate-implementations
+                obj = zlib.decompressobj(-15)
+                page = obj.decompress(page, MAX_CONNECTION_TOTAL_SIZE + 1)
+                page += obj.flush()
+                if len(page) > MAX_CONNECTION_TOTAL_SIZE:
+                    raise Exception("size too large")
             else:
                 data = gzip.GzipFile("", "rb", 9, io.BytesIO(page))
-                size = struct.unpack("<l", page[-4:])[0]  # Reference: http://pydoc.org/get.cgi/usr/local/lib/python2.5/gzip.py
-                if size > MAX_CONNECTION_TOTAL_SIZE:
+                page = data.read(MAX_CONNECTION_TOTAL_SIZE + 1)
+                if len(page) > MAX_CONNECTION_TOTAL_SIZE:
                     raise Exception("size too large")
-
-            page = data.read()
         except Exception as ex:
             if b"<html" not in page:  # in some cases, invalid "Content-Encoding" appears for plain HTML (should be ignored)
                 errMsg = "detected invalid data for declared content "

lib/request/dns.py

@@ -89,15 +89,20 @@ class DNSServer(object):
 
     def _check_localhost(self):
         response = b""
+        s = None
 
         try:
             s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+            s.settimeout(1.0)
             s.connect(("", 53))
             s.send(binascii.unhexlify("6509012000010000000000010377777706676f6f676c6503636f6d00000100010000291000000000000000"))  # A www.google.com
             response = s.recv(512)
         except:
             pass
         finally:
+            if s:
+                s.close()
+
         if response and b"google" in response:
             raise socket.error("another DNS service already running on '0.0.0.0:53'")
 

lib/request/httpshandler.py

@@ -65,6 +65,7 @@ class HTTPSConnection(_http_client.HTTPSConnection):
         #               https://www.mnot.net/blog/2014/12/27/python_2_and_tls_sni
         if hasattr(ssl, "SSLContext"):
             for protocol in (_ for _ in _protocols if _ >= ssl.PROTOCOL_TLSv1):
+                sock = None
                 try:
                     sock = create_sock()
                     if protocol not in _contexts:
@@ -94,6 +95,8 @@ class HTTPSConnection(_http_client.HTTPSConnection):
                         sock.close()
                 except (ssl.SSLError, socket.error, _http_client.BadStatusLine, AttributeError) as ex:
                     self._tunnel_host = None
+                    if sock:
+                        sock.close()
                     logger.debug("SSL connection error occurred for '%s' ('%s')" % (_lut[protocol], getSafeExString(ex)))
 
         elif hasattr(ssl, "wrap_socket"):

lib/request/pkihandler.py

@@ -5,12 +5,20 @@ Copyright (c) 2006-2026 sqlmap developers (https://sqlmap.org)
 See the file 'LICENSE' for copying permission
 """
 
+ssl = None
+try:
+    import ssl as _ssl
+    ssl = _ssl
+except ImportError:
+    pass
+
 from lib.core.data import conf
 from lib.core.common import getSafeExString
 from lib.core.exception import SqlmapConnectionException
 from thirdparty.six.moves import http_client as _http_client
 from thirdparty.six.moves import urllib as _urllib
 
+
 class HTTPSPKIAuthHandler(_urllib.request.HTTPSHandler):
     def __init__(self, auth_file):
         _urllib.request.HTTPSHandler.__init__(self)
@@ -20,10 +28,24 @@ class HTTPSPKIAuthHandler(_urllib.request.HTTPSHandler):
         return self.do_open(self.getConnection, req)
 
     def getConnection(self, host, timeout=None):
+        if timeout is None:
+            timeout = conf.timeout
+
+        if not hasattr(_http_client, "HTTPSConnection"):
+            raise SqlmapConnectionException("HTTPS support is not available in this Python build")
+
         try:
-            # Reference: https://docs.python.org/2/library/ssl.html#ssl.SSLContext.load_cert_chain
-            return _http_client.HTTPSConnection(host, cert_file=self.auth_file, key_file=self.auth_file, timeout=conf.timeout)
-        except IOError as ex:
+            if ssl and hasattr(ssl, "SSLContext") and hasattr(ssl, "create_default_context"):
+                ctx = ssl.create_default_context()
+                ctx.load_cert_chain(certfile=self.auth_file, keyfile=self.auth_file)
+                try:
+                    return _http_client.HTTPSConnection(host, timeout=timeout, context=ctx)
+                except TypeError:
+                    pass
+
+            return _http_client.HTTPSConnection(host, cert_file=self.auth_file, key_file=self.auth_file, timeout=timeout)
+
+        except (IOError, OSError) as ex:
             errMsg = "error occurred while using key "
             errMsg += "file '%s' ('%s')" % (self.auth_file, getSafeExString(ex))
             raise SqlmapConnectionException(errMsg)

lib/request/rangehandler.py

@@ -25,5 +25,5 @@ class HTTPRangeHandler(_urllib.request.BaseHandler):
     def http_error_416(self, req, fp, code, msg, hdrs):
         # HTTP's Range Not Satisfiable error
         errMsg = "there was a problem while connecting "
-        errMsg += "target ('406 - Range Not Satisfiable')"
+        errMsg += "target ('416 - Range Not Satisfiable')"
         raise SqlmapConnectionException(errMsg)

plugins/dbms/mssqlserver/fingerprint.py

@@ -82,7 +82,7 @@ class Fingerprint(GenericFingerprint):
         if conf.direct:
             result = True
         else:
-            result = inject.checkBooleanExpression("UNICODE(SQUARE(NULL)) IS NULL")
+            result = inject.checkBooleanExpression("IS_SRVROLEMEMBER(NULL) IS NULL")
 
         if result:
             infoMsg = "confirming %s" % DBMS.MSSQL

plugins/dbms/snowflake/__init__.py

@@ -0,0 +1,29 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2026 sqlmap developers (https://sqlmap.org)
+See the file 'LICENSE' for copying permission
+"""
+
+from lib.core.enums import DBMS
+from lib.core.settings import SNOWFLAKE_SYSTEM_DBS
+from lib.core.unescaper import unescaper
+from plugins.dbms.snowflake.enumeration import Enumeration
+from plugins.dbms.snowflake.filesystem import Filesystem
+from plugins.dbms.snowflake.fingerprint import Fingerprint
+from plugins.dbms.snowflake.syntax import Syntax
+from plugins.dbms.snowflake.takeover import Takeover
+from plugins.generic.misc import Miscellaneous
+
+class SnowflakeMap(Syntax, Fingerprint, Enumeration, Filesystem, Miscellaneous, Takeover):
+    """
+    This class defines Snowflake methods
+    """
+
+    def __init__(self):
+        self.excludeDbsList = SNOWFLAKE_SYSTEM_DBS
+
+        for cls in self.__class__.__bases__:
+            cls.__init__(self)
+
+    unescaper[DBMS.SNOWFLAKE] = Syntax.escape

plugins/dbms/snowflake/connector.py

@@ -0,0 +1,70 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2026 sqlmap developers (https://sqlmap.org)
+See the file 'LICENSE' for copying permission
+"""
+
+try:
+    import snowflake.connector
+except:
+    pass
+
+import logging
+
+from lib.core.common import getSafeExString
+from lib.core.convert import getText
+from lib.core.data import conf
+from lib.core.data import logger
+from lib.core.exception import SqlmapConnectionException
+from plugins.generic.connector import Connector as GenericConnector
+
+class Connector(GenericConnector):
+    """
+    Homepage: https://www.snowflake.com/
+    User guide: https://docs.snowflake.com/en/developer-guide/python-connector/python-connector
+    API: https://docs.snowflake.com/en/developer-guide/python-connector/python-connector-api
+    """
+
+    def __init__(self):
+        GenericConnector.__init__(self)
+
+    def connect(self):
+        self.initConnection()
+
+        try:
+            self.connector = snowflake.connector.connect(
+                user=self.user,
+                password=self.password,
+                account=self.account,
+                warehouse=self.warehouse,
+                database=self.db,
+                schema=self.schema
+            )
+            cursor = self.connector.cursor()
+            cursor.execute("SELECT CURRENT_VERSION()")
+            cursor.close()
+
+        except Exception as ex:
+            raise SqlmapConnectionException(getSafeExString(ex))
+
+        self.initCursor()
+        self.printConnected()
+
+    def fetchall(self):
+        try:
+            return self.cursor.fetchall()
+        except Exception as ex:
+            logger.log(logging.WARNING if conf.dbmsHandler else logging.DEBUG, "(remote) '%s'" % getSafeExString(ex))
+            return None
+
+    def execute(self, query):
+        try:
+            self.cursor.execute(getText(query))
+        except Exception as ex:
+            logger.log(logging.WARNING if conf.dbmsHandler else logging.DEBUG, "(remote) '%s'" % getSafeExString(ex))
+            return None
+
+    def select(self, query):
+        self.execute(query)
+        return self.fetchall()

plugins/dbms/snowflake/enumeration.py

@@ -0,0 +1,39 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2026 sqlmap developers (https://sqlmap.org)
+See the file 'LICENSE' for copying permission
+"""
+
+from lib.core.data import logger
+from lib.core.exception import SqlmapUnsupportedFeatureException
+from plugins.generic.enumeration import Enumeration as GenericEnumeration
+
+class Enumeration(GenericEnumeration):
+    def getPasswordHashes(self):
+        warnMsg = "on Snowflake it is not possible to enumerate the user password hashes"
+        logger.warning(warnMsg)
+        return {}
+
+    def getHostname(self):
+        warnMsg = "on Snowflake it is not possible to enumerate the hostname"
+        logger.warning(warnMsg)
+
+    def searchDb(self):
+        warnMsg = "on Snowflake it is not possible to search databases"
+        logger.warning(warnMsg)
+        return []
+
+    def searchColumn(self):
+        errMsg = "on Snowflake it is not possible to search columns"
+        raise SqlmapUnsupportedFeatureException(errMsg)
+
+    def getPrivileges(self, *args, **kwargs):
+        warnMsg = "on SQLite it is not possible to enumerate the user privileges"
+        logger.warning(warnMsg)
+        return {}
+
+    def getStatements(self):
+        warnMsg = "on Snowflake it is not possible to enumerate the SQL statements"
+        logger.warning(warnMsg)
+        return []

plugins/dbms/snowflake/filesystem.py

@@ -0,0 +1,18 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2026 sqlmap developers (https://sqlmap.org)
+See the file 'LICENSE' for copying permission
+"""
+
+from lib.core.exception import SqlmapUnsupportedFeatureException
+from plugins.generic.filesystem import Filesystem as GenericFilesystem
+
+class Filesystem(GenericFilesystem):
+    def readFile(self, remoteFile):
+        errMsg = "on Snowflake it is not possible to read files"
+        raise SqlmapUnsupportedFeatureException(errMsg)
+
+    def writeFile(self, localFile, remoteFile, fileType=None, forceCheck=False):
+        errMsg = "on Snowflake it is not possible to write files"
+        raise SqlmapUnsupportedFeatureException(errMsg)

plugins/dbms/snowflake/fingerprint.py

@@ -0,0 +1,96 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2026 sqlmap developers (https://sqlmap.org)
+See the file 'LICENSE' for copying permission
+"""
+
+from lib.core.common import Backend
+from lib.core.common import Format
+from lib.core.data import conf
+from lib.core.data import kb
+from lib.core.data import logger
+from lib.core.enums import DBMS
+from lib.core.session import setDbms
+from lib.core.settings import METADB_SUFFIX
+from lib.core.settings import SNOWFLAKE_ALIASES
+from lib.request import inject
+from plugins.generic.fingerprint import Fingerprint as GenericFingerprint
+
+class Fingerprint(GenericFingerprint):
+    def __init__(self):
+        GenericFingerprint.__init__(self, DBMS.SNOWFLAKE)
+
+    def getFingerprint(self):
+        value = ""
+        wsOsFp = Format.getOs("web server", kb.headersFp)
+
+        if wsOsFp:
+            value += "%s\n" % wsOsFp
+
+        if kb.data.banner:
+            dbmsOsFp = Format.getOs("back-end DBMS", kb.bannerFp)
+
+            if dbmsOsFp:
+                value += "%s\n" % dbmsOsFp
+
+        value += "back-end DBMS: "
+
+        if not conf.extensiveFp:
+            value += DBMS.SNOWFLAKE
+            return value
+
+        actVer = Format.getDbms()
+        blank = " " * 15
+        value += "active fingerprint: %s" % actVer
+
+        if kb.bannerFp:
+            banVer = kb.bannerFp.get("dbmsVersion")
+
+            if banVer:
+                banVer = Format.getDbms([banVer])
+                value += "\n%sbanner parsing fingerprint: %s" % (blank, banVer)
+
+        htmlErrorFp = Format.getErrorParsedDBMSes()
+
+        if htmlErrorFp:
+            value += "\n%shtml error message fingerprint: %s" % (blank, htmlErrorFp)
+
+        return value
+
+    def checkDbms(self):
+        """
+        References for fingerprint:
+
+        * https://docs.snowflake.com/en/sql-reference/functions/current_warehouse
+        * https://docs.snowflake.com/en/sql-reference/functions/md5_number_upper64
+        """
+
+        if not conf.extensiveFp and Backend.isDbmsWithin(SNOWFLAKE_ALIASES):
+            setDbms("%s %s" % (DBMS.SNOWFLAKE, Backend.getVersion()))
+            self.getBanner()
+            return True
+
+        infoMsg = "testing %s" % DBMS.SNOWFLAKE
+        logger.info(infoMsg)
+
+        result = inject.checkBooleanExpression("CURRENT_WAREHOUSE()=CURRENT_WAREHOUSE()")
+        if result:
+            infoMsg = "confirming %s" % DBMS.SNOWFLAKE
+            logger.info(infoMsg)
+
+            result = inject.checkBooleanExpression("MD5_NUMBER_UPPER64('z')=MD5_NUMBER_UPPER64('z')")
+            if not result:
+                warnMsg = "the back-end DBMS is not %s" % DBMS.SNOWFLAKE
+                logger.warning(warnMsg)
+                return False
+            
+            setDbms(DBMS.SNOWFLAKE)
+            self.getBanner()
+            return True
+            
+        else:
+            warnMsg = "the back-end DBMS is not %s" % DBMS.SNOWFLAKE
+            logger.warning(warnMsg)
+
+            return False

plugins/dbms/snowflake/syntax.py

@@ -0,0 +1,22 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2026 sqlmap developers (https://sqlmap.org)
+See the file 'LICENSE' for copying permission
+"""
+
+from lib.core.convert import getOrds
+from plugins.generic.syntax import Syntax as GenericSyntax
+
+class Syntax(GenericSyntax):
+    @staticmethod
+    def escape(expression, quote=True):
+        """
+        >>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == "SELECT CHR(97)||CHR(98)||CHR(99)||CHR(100)||CHR(101)||CHR(102)||CHR(103)||CHR(104) FROM foobar"
+        True
+        """
+
+        def escaper(value):
+            return "||".join("CHR(%d)" % _ for _ in getOrds(value))
+
+        return Syntax._escape(expression, quote, escaper)

plugins/dbms/snowflake/takeover.py

@@ -0,0 +1,28 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2026 sqlmap developers (https://sqlmap.org)
+See the file 'LICENSE' for copying permission
+"""
+
+from lib.core.exception import SqlmapUnsupportedFeatureException
+from plugins.generic.takeover import Takeover as GenericTakeover
+
+class Takeover(GenericTakeover):
+    def osCmd(self):
+        errMsg = "on Snowflake it is not possible to execute commands"
+        raise SqlmapUnsupportedFeatureException(errMsg)
+
+    def osShell(self):
+        errMsg = "on Snowflake it is not possible to execute commands"
+        raise SqlmapUnsupportedFeatureException(errMsg)
+
+    def osPwn(self):
+        errMsg = "on Snowflake it is not possible to establish an "
+        errMsg += "out-of-band connection"
+        raise SqlmapUnsupportedFeatureException(errMsg)
+
+    def osSmb(self):
+        errMsg = "on Snowflake it is not possible to establish an "
+        errMsg += "out-of-band connection"
+        raise SqlmapUnsupportedFeatureException(errMsg)

plugins/generic/databases.py

@@ -621,7 +621,7 @@ class Databases(object):
                     condQueryStr = "%%s%s" % colCondParam
                     condQuery = " AND (%s)" % " OR ".join(condQueryStr % (condition, unsafeSQLIdentificatorNaming(col)) for col in sorted(colList))
 
-                if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.HSQLDB, DBMS.H2, DBMS.MONETDB, DBMS.VERTICA, DBMS.PRESTO, DBMS.CRATEDB, DBMS.CUBRID, DBMS.CACHE, DBMS.FRONTBASE, DBMS.VIRTUOSO, DBMS.CLICKHOUSE):
+                if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.HSQLDB, DBMS.H2, DBMS.MONETDB, DBMS.VERTICA, DBMS.PRESTO, DBMS.CRATEDB, DBMS.CUBRID, DBMS.CACHE, DBMS.FRONTBASE, DBMS.VIRTUOSO, DBMS.CLICKHOUSE, DBMS.SNOWFLAKE):
                     query = rootQuery.inband.query % (unsafeSQLIdentificatorNaming(tbl), unsafeSQLIdentificatorNaming(conf.db))
                     query += condQuery
 
@@ -757,7 +757,7 @@ class Databases(object):
                     condQueryStr = "%%s%s" % colCondParam
                     condQuery = " AND (%s)" % " OR ".join(condQueryStr % (condition, unsafeSQLIdentificatorNaming(col)) for col in sorted(colList))
 
-                if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.HSQLDB, DBMS.H2, DBMS.MONETDB, DBMS.VERTICA, DBMS.PRESTO, DBMS.CRATEDB, DBMS.CUBRID, DBMS.CACHE, DBMS.FRONTBASE, DBMS.VIRTUOSO, DBMS.CLICKHOUSE):
+                if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.HSQLDB, DBMS.H2, DBMS.MONETDB, DBMS.VERTICA, DBMS.PRESTO, DBMS.CRATEDB, DBMS.CUBRID, DBMS.CACHE, DBMS.FRONTBASE, DBMS.VIRTUOSO, DBMS.CLICKHOUSE, DBMS.SNOWFLAKE):
                     query = rootQuery.blind.count % (unsafeSQLIdentificatorNaming(tbl), unsafeSQLIdentificatorNaming(conf.db))
                     query += condQuery
 

plugins/generic/entries.py

@@ -187,7 +187,7 @@ class Entries(object):
 
                     if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2, DBMS.DERBY, DBMS.ALTIBASE, DBMS.MIMERSQL):
                         query = rootQuery.inband.query % (colString, tbl.upper() if not conf.db else ("%s.%s" % (conf.db.upper(), tbl.upper())))
-                    elif Backend.getIdentifiedDbms() in (DBMS.SQLITE, DBMS.ACCESS, DBMS.FIREBIRD, DBMS.MAXDB, DBMS.MCKOI, DBMS.EXTREMEDB, DBMS.RAIMA):
+                    elif Backend.getIdentifiedDbms() in (DBMS.SQLITE, DBMS.ACCESS, DBMS.FIREBIRD, DBMS.MAXDB, DBMS.MCKOI, DBMS.EXTREMEDB, DBMS.RAIMA, DBMS.SNOWFLAKE):
                         query = rootQuery.inband.query % (colString, tbl)
                     elif Backend.getIdentifiedDbms() in (DBMS.SYBASE, DBMS.MSSQL):
                         # Partial inband and error

sqlmapapi.yaml

@@ -37,6 +37,106 @@ paths:
                   success:
                     type: boolean
                     example: true
+  /task/{taskid}/delete:
+    get:
+      description: Delete an existing task
+      parameters:
+        - in: path
+          name: taskid
+          required: true
+          schema:
+            type: string
+          description: Scan task ID
+      responses:
+        '200':
+          description: OK
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  success:
+                    type: boolean
+                    example: true
+  /option/{taskid}/list:
+    get:
+      description: List options for a given task ID
+      parameters:
+        - in: path
+          name: taskid
+          required: true
+          schema:
+            type: string
+          description: Scan task ID
+      responses:
+        '200':
+          description: OK
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  success:
+                    type: boolean
+                    example: true
+                  options:
+                    type: array
+                    items:
+                      type: object
+  /option/{taskid}/get:
+    post:
+      description: Get value of option(s) for a certain task ID
+      parameters:
+        - in: path
+          name: taskid
+          required: true
+          schema:
+            type: string
+      requestBody:
+        content:
+          application/json:
+            schema:
+              type: array
+              items:
+                type: string
+              example: ["url", "cookie"]
+      responses:
+        '200':
+          description: OK
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  success:
+                    type: boolean
+                  options:
+                    type: object
+  /option/{taskid}/set:
+    post:
+      description: Set value of option(s) for a certain task ID
+      parameters:
+        - in: path
+          name: taskid
+          required: true
+          schema:
+            type: string
+      requestBody:
+        content:
+          application/json:
+            schema:
+              type: object
+              example: {"cookie": "id=1"}
+      responses:
+        '200':
+          description: OK
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  success:
+                    type: boolean
   /scan/{taskid}/start:
     post:
       description: Launch a scan
@@ -120,31 +220,6 @@ paths:
                   success:
                     type: boolean
                     example: true
-  /scan/{taskid}/list:
-    get:
-      description: List options for a given task ID
-      parameters:
-        - in: path
-          name: taskid
-          required: true
-          schema:
-            type: string
-          description: Scan task ID
-      responses:
-        '200':
-          description: OK
-          content:
-            application/json:
-              schema:
-                type: object
-                properties:
-                  success:
-                    type: boolean
-                    example: true
-                  options:
-                    type: array
-                    items:
-                      type: object
   /scan/{taskid}/data:
     get:
       description: Retrieve the scan resulting data
@@ -220,24 +295,3 @@ paths:
                   success:
                     type: boolean
                     example: true
-  /task/{taskid}/delete:
-    get:
-      description: Delete an existing task
-      parameters:
-        - in: path
-          name: taskid
-          required: true
-          schema:
-            type: string
-          description: Scan task ID
-      responses:
-        '200':
-          description: OK
-          content:
-            application/json:
-              schema:
-                type: object
-                properties:
-                  success:
-                    type: boolean
-                    example: true