Merge branch 'master' into add-sortable-tables-to-html-dump

# Conflicts:
#	data/txt/sha256sums.txt

Author: tanaydin

lib/core/common.py

@@ -35,6 +35,7 @@
 import time
 import types
 import unicodedata
+import zlib
 
 from difflib import SequenceMatcher
 from math import sqrt
@@ -4005,7 +4006,8 @@ def createGithubIssue(errMsg, excMsg):
             pass
 
         data = {"title": "Unhandled exception (#%s)" % key, "body": "```%s\n```\n```\n%s```" % (errMsg, excMsg)}
-        req = _urllib.request.Request(url="https://api.github.com/repos/sqlmapproject/sqlmap/issues", data=getBytes(json.dumps(data)), headers={HTTP_HEADER.AUTHORIZATION: "token %s" % decodeBase64(GITHUB_REPORT_OAUTH_TOKEN, binary=False), HTTP_HEADER.USER_AGENT: fetchRandomAgent()})
+        token = getText(zlib.decompress(decodeBase64(GITHUB_REPORT_OAUTH_TOKEN[::-1], binary=True))[0::2][::-1])
+        req = _urllib.request.Request(url="https://api.github.com/repos/sqlmapproject/sqlmap/issues", data=getBytes(json.dumps(data)), headers={HTTP_HEADER.AUTHORIZATION: "token %s" % token, HTTP_HEADER.USER_AGENT: fetchRandomAgent()})
 
         try:
             content = getText(_urllib.request.urlopen(req).read())

lib/core/option.py

@@ -1175,7 +1175,7 @@ def _setHTTPHandlers():
                     proxyString = ""
 
                 proxyString += "%s:%d" % (hostname, port)
-                proxyHandler.proxies = {"http": proxyString, "https": proxyString}
+                proxyHandler.proxies = kb.proxies = {"http": proxyString, "https": proxyString}
 
             proxyHandler.__init__(proxyHandler.proxies)
 
@@ -2151,6 +2151,7 @@ def _setKnowledgeBaseAttributes(flushAll=True):
     kb.previousMethod = None
     kb.processNonCustom = None
     kb.processUserMarks = None
+    kb.proxies = None
     kb.proxyAuthHeader = None
     kb.queryCounter = 0
     kb.randomPool = {}

lib/core/settings.py

@@ -19,7 +19,7 @@
 from thirdparty import six
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.9.2.10"
+VERSION = "1.9.3.2"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
@@ -61,7 +61,7 @@
 UPPER_RATIO_BOUND = 0.98
 
 # For filling in case of dumb push updates
-DUMMY_JUNK = "ouZ0ii8A"
+DUMMY_JUNK = "ahy9Ouge"
 
 # Markers for special cases when parameter values contain html encoded characters
 PARAMETER_AMP_MARKER = "__AMP__"
@@ -701,7 +701,7 @@
 FORCE_COOKIE_EXPIRATION_TIME = "9999999999"
 
 # Github OAuth token used for creating an automatic Issue for unhandled exceptions
-GITHUB_REPORT_OAUTH_TOKEN = "Z2hwX0pNd0I2U25kN2Q5QmxlWkhxZmkxVXZTSHZiTlRDWjE5NUNpNA"
+GITHUB_REPORT_OAUTH_TOKEN = "wxqc7vTeW8ohIcX+1wK55Mnql2Ex9cP+2s1dqTr/mjlZJVfLnq24fMAi08v5vRvOmuhVZQdOT/lhIRovWvIJrdECD1ud8VMPWpxY+NmjHoEx+VLK1/vCAUBwJe"
 
 # Skip unforced HashDB flush requests below the threshold number of cached items
 HASHDB_FLUSH_THRESHOLD = 32

lib/parse/cmdline.py

@@ -1010,6 +1010,10 @@ def _format_action_invocation(self, action):
                 argv[i] = ""
             elif argv[i] in DEPRECATED_OPTIONS:
                 argv[i] = ""
+            elif argv[i] in ("-s", "--silent"):
+                if i + 1 < len(argv) and argv[i + 1].startswith('-') or i + 1 == len(argv):
+                    argv[i] = ""
+                    conf.verbose = 0
             elif argv[i].startswith("--data-raw"):
                 argv[i] = argv[i].replace("--data-raw", "--data", 1)
             elif argv[i].startswith("--auth-creds"):
@@ -1018,7 +1022,6 @@ def _format_action_invocation(self, action):
                 argv[i] = argv[i].replace("--drop-cookie", "--drop-set-cookie", 1)
             elif re.search(r"\A--tamper[^=\s]", argv[i]):
                 argv[i] = ""
-                continue
             elif re.search(r"\A(--(tamper|ignore-code|skip))(?!-)", argv[i]):
                 key = re.search(r"\-?\-(\w+)\b", argv[i]).group(1)
                 index = auxIndexes.get(key, None)

lib/request/comparison.py

@@ -21,7 +21,9 @@
 from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.exception import SqlmapNoneDataException
+from lib.core.exception import SqlmapSilentQuitException
 from lib.core.settings import DEFAULT_PAGE_ENCODING
+from lib.core.settings import DEV_EMAIL_ADDRESS
 from lib.core.settings import DIFF_TOLERANCE
 from lib.core.settings import HTML_TITLE_REGEX
 from lib.core.settings import LOWER_RATIO_BOUND
@@ -35,8 +37,14 @@
 from thirdparty import six
 
 def comparison(page, headers, code=None, getRatioValue=False, pageLength=None):
-    _ = _adjust(_comparison(page, headers, code, getRatioValue, pageLength), getRatioValue)
-    return _
+    try:
+        _ = _adjust(_comparison(page, headers, code, getRatioValue, pageLength), getRatioValue)
+        return _
+    except:
+        warnMsg = "there was a KNOWN issue inside the internals regarding the difflib/comparison of pages. "
+        warnMsg += "Please report details privately via e-mail to '%s'" % DEV_EMAIL_ADDRESS
+        logger.critical(warnMsg)
+        raise SqlmapSilentQuitException
 
 def _adjust(condition, getRatioValue):
     if not any((conf.string, conf.notString, conf.regexp, conf.code)):
@@ -120,7 +128,7 @@ def _comparison(page, headers, code, getRatioValue, pageLength):
         if isinstance(seqMatcher.a, six.binary_type) and isinstance(page, six.text_type):
             page = getBytes(page, kb.pageEncoding or DEFAULT_PAGE_ENCODING, "ignore")
         elif isinstance(seqMatcher.a, six.text_type) and isinstance(page, six.binary_type):
-            seqMatcher.a = getBytes(seqMatcher.a, kb.pageEncoding or DEFAULT_PAGE_ENCODING, "ignore")
+            seqMatcher.set_seq1(getBytes(seqMatcher.a, kb.pageEncoding or DEFAULT_PAGE_ENCODING, "ignore"))
 
         if any(_ is None for _ in (page, seqMatcher.a)):
             return None
@@ -146,12 +154,19 @@ def _comparison(page, headers, code, getRatioValue, pageLength):
             if seq1 is None or seq2 is None:
                 return None
 
-            seq1 = seq1.replace(REFLECTED_VALUE_MARKER, "")
-            seq2 = seq2.replace(REFLECTED_VALUE_MARKER, "")
+            if isinstance(seq1, six.binary_type):
+                seq1 = seq1.replace(REFLECTED_VALUE_MARKER.encode(), b"")
+            elif isinstance(seq1, six.text_type):
+                seq1 = seq1.replace(REFLECTED_VALUE_MARKER, "")
+
+            if isinstance(seq2, six.binary_type):
+                seq2 = seq2.replace(REFLECTED_VALUE_MARKER.encode(), b"")
+            elif isinstance(seq2, six.text_type):
+                seq2 = seq2.replace(REFLECTED_VALUE_MARKER, "")
 
             if kb.heavilyDynamic:
-                seq1 = seq1.split("\n")
-                seq2 = seq2.split("\n")
+                seq1 = seq1.split("\n" if isinstance(seq1, six.text_type) else b"\n")
+                seq2 = seq2.split("\n" if isinstance(seq2, six.text_type) else b"\n")
 
                 key = None
             else:

lib/request/connect.py

@@ -615,10 +615,15 @@ class _(dict):
                 if conf.http2:
                     try:
                         import httpx
-                        with httpx.Client(verify=False, http2=True, timeout=timeout, follow_redirects=True, cookies=conf.cj) as client:
-                            conn = client.request(method or (HTTPMETHOD.POST if post is not None else HTTPMETHOD.GET), url, headers=headers, data=post)
                     except ImportError:
                         raise SqlmapMissingDependence("httpx[http2] not available (e.g. 'pip%s install httpx[http2]')" % ('3' if six.PY3 else ""))
+
+                    try:
+                        proxy_mounts = dict(("%s://" % key, httpx.HTTPTransport(proxy="%s%s" % ("http://" if not "://" in kb.proxies[key] else "", kb.proxies[key]))) for key in kb.proxies) if kb.proxies else None
+                        with httpx.Client(verify=False, http2=True, timeout=timeout, follow_redirects=True, cookies=conf.cj, mounts=proxy_mounts) as client:
+                            conn = client.request(method or (HTTPMETHOD.POST if post is not None else HTTPMETHOD.GET), url, headers=headers, data=post)
+                    except (httpx.HTTPError, httpx.InvalidURL, httpx.CookieConflict, httpx.StreamError) as ex:
+                        raise _http_client.HTTPException(getSafeExString(ex))
                     else:
                         conn.code = conn.status_code
                         conn.msg = conn.reason_phrase

lib/request/httpshandler.py

@@ -79,7 +79,8 @@ def create_sock():
                         try:
                             # Reference(s): https://askubuntu.com/a/1263098
                             #               https://askubuntu.com/a/1250807
-                            _contexts[protocol].set_ciphers("DEFAULT@SECLEVEL=1")
+                            #               https://git.zknt.org/mirror/bazarr/commit/7f05f932ffb84ba8b9e5630b2adc34dbd77e2b4a?style=split&whitespace=show-all&show-outdated=
+                            _contexts[protocol].set_ciphers("ALL@SECLEVEL=0")
                         except (ssl.SSLError, AttributeError):
                             pass
                     result = _contexts[protocol].wrap_socket(sock, do_handshake_on_connect=True, server_hostname=self.host if re.search(r"\A[\d.]+\Z", self.host or "") is None else None)

thirdparty/six/__init__.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2010-2020 Benjamin Peterson
+# Copyright (c) 2010-2024 Benjamin Peterson
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -29,7 +29,7 @@
 import types
 
 __author__ = "Benjamin Peterson <[email protected]>"
-__version__ = "1.16.0"
+__version__ = "1.17.0"
 
 
 # Useful for very coarse version differentiation.
@@ -435,12 +435,17 @@ class Module_six_moves_urllib_request(_LazyModule):
     MovedAttribute("HTTPErrorProcessor", "urllib2", "urllib.request"),
     MovedAttribute("urlretrieve", "urllib", "urllib.request"),
     MovedAttribute("urlcleanup", "urllib", "urllib.request"),
-    MovedAttribute("URLopener", "urllib", "urllib.request"),
-    MovedAttribute("FancyURLopener", "urllib", "urllib.request"),
     MovedAttribute("proxy_bypass", "urllib", "urllib.request"),
     MovedAttribute("parse_http_list", "urllib2", "urllib.request"),
     MovedAttribute("parse_keqv_list", "urllib2", "urllib.request"),
 ]
+if sys.version_info[:2] < (3, 14):
+    _urllib_request_moved_attributes.extend(
+        [
+            MovedAttribute("URLopener", "urllib", "urllib.request"),
+            MovedAttribute("FancyURLopener", "urllib", "urllib.request"),
+        ]
+    )
 for attr in _urllib_request_moved_attributes:
     setattr(Module_six_moves_urllib_request, attr.name, attr)
 del attr