Minor update

stamparm · tanaydin · commit 900a5dac8df9 · 2025-02-20T01:55:02.000+01:00
diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt
diff --git a/lib/core/common.py b/lib/core/common.py
@@ -58,7 +58,7 @@
 from lib.core.convert import getUnicode
 from lib.core.convert import htmlUnescape
 from lib.core.convert import stdoutEncode
-from lib.core.data import cmdLineOptions
+from lib.core.data import cmdLineOptions, paths
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
@@ -2554,7 +2554,7 @@ def initCommonOutputs():
                     if line not in kb.commonOutputs[key]:
                         kb.commonOutputs[key].add(line)
 
-def getFileItems(filename, commentPrefix='#', unicoded=True, lowercase=False, unique=False):
+def getFileItems(filename, commentPrefix='#', unicoded=True, lowercase=False, unique=False, raiseOnError=True):
     """
     Returns newline delimited items contained inside file
 
@@ -2567,7 +2567,7 @@ def getFileItems(filename, commentPrefix='#', unicoded=True, lowercase=False, un
     if filename:
         filename = filename.strip('"\'')
 
-    checkFile(filename)
+    checkFile(filename, raiseOnError=raiseOnError)
 
     try:
         with openFile(filename, 'r', errors="ignore") if unicoded else open(filename, 'r') as f:
@@ -5599,18 +5599,35 @@ def checkSums():
 
     retVal = True
 
-    if paths.get("DIGEST_FILE"):
-        for entry in getFileItems(paths.DIGEST_FILE):
-            match = re.search(r"([0-9a-f]+)\s+([^\s]+)", entry)
-            if match:
-                expected, filename = match.groups()
-                filepath = os.path.join(paths.SQLMAP_ROOT_PATH, filename).replace('/', os.path.sep)
-                if not checkFile(filepath, False):
-                    continue
-                with open(filepath, "rb") as f:
-                    content = f.read()
-                if not hashlib.sha256(content).hexdigest() == expected:
-                    retVal &= False
-                    break
+    for entry in getFileItems(paths.DIGEST_FILE, raiseOnError=False):
+        file_data = entry.split()
+        if len(file_data) == 2 and len(file_data[0]) == 64:
+            filepath = os.path.join(paths.SQLMAP_ROOT_PATH, file_data[1]).replace('/', os.path.sep)
+            content = openFile(filepath, 'rb').read()
+            if not hashlib.sha256(content.encode('utf-8')).hexdigest() == file_data[0]:
+                retVal &= False
+                break
+
 
     return retVal
+
+
+def updateSums():
+    # Read existing entries to maintain file order
+    entries = []
+    for entry in getFileItems(paths.DIGEST_FILE):
+        file_data = entry.split()
+        if len(file_data) == 2 and len(file_data[0]) == 64:
+            filepath = os.path.join(paths.SQLMAP_ROOT_PATH, file_data[1]).replace('/', os.path.sep)
+            content = openFile(filepath, 'rb').read()
+            newline = b"%s  %s\n" % (
+                hashlib.sha256(content.encode('utf-8')).hexdigest().encode('utf-8'),
+                file_data[1].encode('utf-8')
+            )
+            entries.append(newline)
+
+    # Write updated hashes back to file
+    if entries:
+        with open(paths.DIGEST_FILE, "wb") as f:
+            f.write(b"".join(entries))
+
diff --git a/lib/core/settings.py b/lib/core/settings.py
@@ -19,7 +19,7 @@
 from thirdparty import six
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.9.2.8"
+VERSION = "1.9.2.9"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
diff --git a/lib/parse/cmdline.py b/lib/parse/cmdline.py
@@ -796,6 +796,9 @@ def cmdLineParser(argv=None):
         miscellaneous.add_argument("--wizard", dest="wizard", action="store_true",
             help="Simple wizard interface for beginner users")
 
+        miscellaneous.add_argument("--update-sums", dest="updateSums", action="store_true",
+            help="Update SHA256 sums in digest file must run with --smoke")
+
         # Hidden and/or experimental options
         parser.add_argument("--crack", dest="hashFile",
             help=SUPPRESS)  # "Load and crack hashes from a file (standalone)"
diff --git a/sqlmap.py b/sqlmap.py
@@ -179,6 +179,9 @@ def main():
         if not conf.updateAll:
             # Postponed imports (faster start)
             if conf.smokeTest:
+                if conf.updateSums:
+                    from lib.core.common import updateSums
+                    updateSums()
                 from lib.core.testing import smokeTest
                 os._exitcode = 1 - (smokeTest() or 0)
             elif conf.vulnTest:
diff --git a/tamper/0eunion.py b/tamper/0eunion.py
@@ -16,7 +16,7 @@ def dependencies():
 
 def tamper(payload, **kwargs):
     """
-    Replaces instances of <int> UNION with <int>e0UNION
+    Replaces an integer followed by UNION with an integer followed by e0UNION
 
     Requirement:
         * MySQL
diff --git a/tamper/apostrophemask.py b/tamper/apostrophemask.py
@@ -14,7 +14,7 @@ def dependencies():
 
 def tamper(payload, **kwargs):
     """
-    Replaces apostrophe character (') with its UTF-8 full width counterpart (e.g. ' -> %EF%BC%87)
+    Replaces single quotes (') with their UTF-8 full-width equivalents (e.g. ' -> %EF%BC%87)
 
     References:
         * http://www.utf8-chartable.de/unicode-utf8-table.pl?start=65280&number=128
diff --git a/tamper/apostrophenullencode.py b/tamper/apostrophenullencode.py
@@ -14,7 +14,7 @@ def dependencies():
 
 def tamper(payload, **kwargs):
     """
-    Replaces apostrophe character (') with its illegal double unicode counterpart (e.g. ' -> %00%27)
+    Replaces single quotes (') with an illegal double Unicode encoding (e.g. ' -> %00%27)
 
     >>> tamper("1 AND '1'='1")
     '1 AND %00%271%00%27=%00%271'
diff --git a/tamper/appendnullbyte.py b/tamper/appendnullbyte.py
@@ -18,7 +18,7 @@ def dependencies():
 
 def tamper(payload, **kwargs):
     """
-    Appends (Access) NULL byte character (%00) at the end of payload
+    Appends an (Access) NULL byte character (%00) at the end of payload
 
     Requirement:
         * Microsoft Access
diff --git a/tamper/base64encode.py b/tamper/base64encode.py
@@ -15,7 +15,7 @@ def dependencies():
 
 def tamper(payload, **kwargs):
     """
-    Base64-encodes all characters in a given payload
+    Encodes the entire payload using Base64
 
     >>> tamper("1' AND SLEEP(5)#")
     'MScgQU5EIFNMRUVQKDUpIw=='
diff --git a/tamper/between.py b/tamper/between.py
@@ -16,7 +16,7 @@ def dependencies():
 
 def tamper(payload, **kwargs):
     """
-    Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #' and equals operator ('=') with 'BETWEEN # AND #'
+    Replaces the greater-than operator (>) with NOT BETWEEN 0 AND # and the equal sign (=) with BETWEEN # AND #
 
     Tested against:
         * Microsoft SQL Server 2005
diff --git a/tamper/binary.py b/tamper/binary.py
@@ -16,7 +16,7 @@ def dependencies():
 
 def tamper(payload, **kwargs):
     """
-    Injects keyword binary where possible
+    Injects the keyword binary where applicable
 
     Requirement:
         * MySQL
diff --git a/tamper/bluecoat.py b/tamper/bluecoat.py
@@ -17,7 +17,7 @@ def dependencies():
 
 def tamper(payload, **kwargs):
     """
-    Replaces space character after SQL statement with a valid random blank character. Afterwards replace character '=' with operator LIKE
+    Replaces the space following an SQL statement with a random valid blank character, then converts = to LIKE
 
     Requirement:
         * Blue Coat SGOS with WAF activated as documented in
diff --git a/tamper/chardoubleencode.py b/tamper/chardoubleencode.py
@@ -16,7 +16,7 @@ def dependencies():
 
 def tamper(payload, **kwargs):
     """
-    Double URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %2553%2545%254C%2545%2543%2554)
+    Double URL-encodes each character in the payload (ignores already encoded ones) (e.g. SELECT -> %2553%2545%254C%2545%2543%2554)
 
     Notes:
         * Useful to bypass some weak web application firewalls that do not double URL-decode the request before processing it through their ruleset
diff --git a/tamper/randomcomments.py b/tamper/randomcomments.py
@@ -16,7 +16,7 @@
 
 def tamper(payload, **kwargs):
     """
-    Add random inline comments inside SQL keywords (e.g. SELECT -> S/**/E/**/LECT)
+    Inserts random inline comments within SQL keywords (e.g. SELECT -> S/**/E/**/LECT)
 
     >>> import random
     >>> random.seed(0)
