|
1 |
| -# Version 1.0 (upcoming) |
| 1 | +# Version 1.0 (2016-02-2X) |
2 | 2 |
|
3 | 3 | * Implemented support for automatic decoding of page content through detected charset.
|
4 | 4 | * Implemented mechanism for proper data dumping on DBMSes not supporting `LIMIT/OFFSET` like mechanism(s) (e.g. Microsoft SQL Server, Sybase, etc.).
|
5 | 5 | * Major improvements to program stabilization based on user reports.
|
6 | 6 | * Added new tampering scripts avoiding popular WAF/IPS/IDS mechanisms.
|
7 |
| -* Added support for setting Tor proxy type together with port. |
8 | 7 | * Fixed major bug with DNS leaking in Tor mode.
|
9 | 8 | * Added wordlist compilation made of the most popular cracking dictionaries.
|
10 |
| -* Added support for mnemonics substantially helping user with program setup. |
11 |
| -* Implemented multi-processor hash cracking routine(s) on Linux OS. |
| 9 | +* Implemented multi-processor hash cracking routine(s). |
12 | 10 | * Implemented advanced detection techniques for inband and time-based injections by usage of standard deviation method.
|
13 | 11 | * Old resume files are now deprecated and replaced by faster SQLite based session mechanism.
|
14 | 12 | * Substantial code optimization and smaller memory footprint.
|
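Review bot: the new heading on line 1 still carries a placeholder date, `# Version 1.0 (2016-02-2X)`. Fill in the actual release day before tagging, in the same full-date form the other version headings use. The hunk also drops the entries for setting the Tor proxy type together with the port and for mnemonics, so check that the changelog still mentions both features elsewhere. The multi-processor hash cracking entry loses its "on Linux OS" qualifier, so confirm the routine really is available on every supported platform before stating it without one.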
|
31 | 29 | * Major improvements to switches `--tables` and `--columns`.
|
32 | 30 | * Takeover switch `--os-pwn` improved: stealthier, faster and AV-proof.
|
33 | 31 | * Added switch `--mobile` to imitate a mobile device through HTTP User-Agent header.
|
| 32 | +* Added switch `-a` to enumerate all DBMS data. |
| 33 | +* Added option `--alert` to run host OS command(s) when SQL injection is found. |
| 34 | +* Added option `--answers` to set user answers to asked questions during sqlmap run. |
| 35 | +* Added option `--auth-file` to set HTTP authentication PEM cert/private key file. |
| 36 | +* Added option `--charset` to force character encoding used during data retrieval. |
| 37 | +* Added switch `--check-tor` to force checking of proper usage of Tor. |
| 38 | +* Added option `--code` to set HTTP code to match when query is evaluated to True. |
| 39 | +* Added option `--cookie-del` to set character to be used while splitting cookie values. |
| 40 | +* Added option `--crawl` to set the crawling depth for the website starting from the target URL. |
| 41 | +* Added option `--crawl-exclude` for setting regular expression for excluding pages from crawling (e.g. `"logout"`). |
| 42 | +* Added option `--csrf-token` to set the parameter name that is holding the anti-CSRF token. |
| 43 | +* Added option `--csrf-url` for setting the URL address for extracting the anti-CSRF token. |
| 44 | +* Added option `--csv-del` for setting the delimiting character that will be used in CSV output (default `,`). |
| 45 | +* Added option `--dbms-cred` to set the DBMS authentication credentials (user:password). |
| 46 | +* Added switch `--dependencies` for turning on the checking of missing (non-core) sqlmap dependencies. |
| 47 | +* Added switch `--disable-coloring` to disable console output coloring. |
| 48 | +* Added option `--dns-domain` to set the domain name for usage in DNS exfiltration attack(s). |
| 49 | +* Added option `--dump-format` to set the format of dumped data (`CSV` (default), `HTML` or `SQLITE`). |
| 50 | +* Added option `--eval` for setting the Python code that will be evaluated before the request. |
| 51 | +* Added switch `--force-ssl` to force usage of SSL/HTTPS. |
| 52 | +* Added switch `--hex` to force usage of DBMS hex function(s) for data retrieval. |
| 53 | +* Added option `-H` to set extra HTTP header (e.g. `"X-Forwarded-For: 127.0.0.1"`). |
| 54 | +* Added switch `-hh` for showing advanced help message. |
| 55 | +* Added option `--host` to set the HTTP Host header value. |
| 56 | +* Added switch `--hostname` to turn on retrieval of DBMS server hostname. |
| 57 | +* Added switch `--hpp` to turn on the usage of HTTP parameter pollution WAF bypass method. |
| 58 | +* Added switch `--identify-waf` for turning on the thorough testing of WAF/IPS/IDS protection. |
| 59 | +* Added switch `--ignore-401` to ignore HTTP Error Code 401 (Unauthorized). |
| 60 | +* Added switch `--invalid-bignum` for usage of big numbers while invalidating values. |
| 61 | +* Added switch `--invalid-logical` for usage of logical operations while invalidating values. |
| 62 | +* Added switch `--invalid-string` for usage of random strings while invalidating values. |
| 63 | +* Added option `--load-cookies` to set the file containing cookies in Netscape/wget format. |
| 64 | +* Added option `-m` to set the textual file holding multiple targets for scanning purposes. |
| 65 | +* Added option `--method` to force usage of provided HTTP method (e.g. `PUT`). |
| 66 | +* Added switch `--no-cast` for turning off payload casting mechanism. |
| 67 | +* Added switch `--no-escape` for turning off string escaping mechanism. |
| 68 | +* Added option `--not-string` for setting string to be matched when query is evaluated to False. |
| 69 | +* Added switch `--offline` to force work in offline mode (i.e. only use session data). |
| 70 | +* Added option `--output-dir` to set custom output directory path. |
| 71 | +* Added option `--param-del` to set character used for splitting parameter values. |
| 72 | +* Added option `--pivot-column` to set column name that will be used while dumping tables by usage of pivot(ing). |
| 73 | +* Added option `--proxy-file` to set file holding proxy list. |
| 74 | +* Added switch `--purge-output` to turn on safe removal of all content(s) from output directory. |
| 75 | +* Added option `--randomize` to set parameter name(s) that will be randomly changed during sqlmap run. |
| 76 | +* Added option `--safe-post` to set POST data for sending to safe URL. |
| 77 | +* Added option `--safe-req` for loading HTTP request from a file that will be used during sending to safe URL. |
| 78 | +* Added option `--skip` to skip testing of given parameter(s). |
| 79 | +* Added switch `--skip-static` to skip testing parameters that not appear dynamic. |
| 80 | +* Added switch `--skip-urlencode` to skip URL encoding of payload data. |
| 81 | +* Added switch `--skip-waf` to skip heuristic detection of WAF/IPS/IDS protection. |
| 82 | +* Added switch `--smart` to conduct thorough tests only if positive heuristic(s). |
| 83 | +* Added option `--sql-file` for setting file(s) holding SQL statements to be executed (in case of stacked SQLi). |
| 84 | +* Added switch `--sqlmap-shell` to turn on interactive sqlmap shell prompt. |
| 85 | +* Added option `--test-filter` for test filtration by payloads and/or titles (e.g. `ROW`). |
| 86 | +* Added option `--test-skip` for skiping tests by payloads and/or titles (e.g. `BENCHMARK`). |
| 87 | +* Added switch `--titles` to turn on comparison of pages based only on their titles. |
| 88 | +* Added option `--tor-port` to explicitly set Tor proxy port. |
| 89 | +* Added option `--tor-type` to set Tor proxy type (`HTTP` (default), `SOCKS4` or `SOCKS5`). |
| 90 | +* Added option `--union-from` to set table to be used in `FROM` part of UNION query SQL injection. |
| 91 | +* Added option `--where` to set `WHERE` condition to be used during the table dumping. |
| 92 | +* Added option `-X` to exclude DBMS database table column(s) from enumeration. |
| 93 | +* Added option `-x` to set URL of sitemap(.xml) for target(s) parsing. |
| 94 | +* Added option `-z` for usage of short mnemonics (e.g. `"flu,bat,ban,tec=EU"`). |
34 | 95 |
|
35 | 96 | # Version 0.9 (2011-04-10)
|
36 | 97 |
|
|
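Review bot: two of the added entries have wording errors. New line 86 reads "for skiping tests" (should be "skipping") and new line 79 reads "parameters that not appear dynamic" (should be "that do not appear dynamic"). The phrasing also alternates between "to set ..." and "for setting ..." across the list, and picking one form would make the entries easier to scan. The `--alert` entry on new line 33 says it runs "host OS command(s)" without saying on which host, so state that explicitly to keep it from being read alongside takeover switches such as `--os-pwn`.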