Sqlmap

Latest version: v1.8.11


Page 2 of 4

1.1

* [View changes](https://github.com/sqlmapproject/sqlmap/compare/1.0...1.1)
* [View issues](https://github.com/sqlmapproject/sqlmap/milestone/2?closed=1)

1.0

* Implemented support for automatic decoding of page content through detected charset.
* Implemented mechanism for proper data dumping on DBMSes not supporting `LIMIT/OFFSET` like mechanism(s) (e.g. Microsoft SQL Server, Sybase, etc.).
* Major improvements to program stabilization based on user reports.
* Added new tampering scripts avoiding popular WAF/IPS mechanisms.
* Fixed major bug with DNS leaking in Tor mode.
* Added wordlist compilation made of the most popular cracking dictionaries.
* Implemented multi-processor hash cracking routine(s).
* Implemented advanced detection techniques for inband and time-based injections by usage of standard deviation method.
* Old resume files are now deprecated and replaced by faster SQLite based session mechanism.
* Substantial code optimization and smaller memory footprint.
* Added option `-m` for scanning multiple targets listed in a given textual file.
* Added option `--randomize` for randomly changing value of a given parameter(s) based on its original form.
* Added switch `--force-ssl` for forcing usage of SSL/HTTPS requests.
* Added option `--host` for manually setting HTTP Host header value.
* Added option `--eval` for evaluating provided Python code (with resulting parameter values) right before the request itself.
* Added option `--skip` for skipping tests for given parameter(s).
* Added switch `--titles` for comparing pages based only on their titles.
* Added option `--charset` for forcing character encoding used for data retrieval.
* Added switch `--check-tor` for checking if Tor is used properly.
* Added option `--crawl` for multithreaded crawling of a given website starting from the target url.
* Added option `--csv-del` for manually setting delimiting character used in CSV output.
* Added switch `--hex` for using DBMS hex conversion function(s) for data retrieval.
* Added switch `--smart` for conducting thorough tests only in case of positive heuristic(s).
* Added switch `--check-waf` for checking of existence of WAF/IPS protection.
* Added switch `--schema` to enumerate DBMS schema: shows all columns of all databases' tables.
* Added switch `--count` to count the number of entries for a specific table or all database(s) tables.
* Major improvements to switches `--tables` and `--columns`.
* Takeover switch `--os-pwn` improved: stealthier, faster and AV-proof.
* Added switch `--mobile` to imitate a mobile device through HTTP User-Agent header.
* Added switch `-a` to enumerate all DBMS data.
* Added option `--alert` to run host OS command(s) when SQL injection is found.
* Added option `--answers` to set user answers to asked questions during sqlmap run.
* Added option `--auth-file` to set HTTP authentication PEM cert/private key file.
* Added option `--charset` to force character encoding used during data retrieval.
* Added switch `--check-tor` to force checking of proper usage of Tor.
* Added option `--code` to set HTTP code to match when query is evaluated to True.
* Added option `--cookie-del` to set character to be used while splitting cookie values.
* Added option `--crawl` to set the crawling depth for the website starting from the target URL.
* Added option `--crawl-exclude` for setting regular expression for excluding pages from crawling (e.g. `"logout"`).
* Added option `--csrf-token` to set the parameter name that is holding the anti-CSRF token.
* Added option `--csrf-url` for setting the URL address for extracting the anti-CSRF token.
* Added option `--csv-del` for setting the delimiting character that will be used in CSV output (default `,`).
* Added option `--dbms-cred` to set the DBMS authentication credentials (user:password).
* Added switch `--dependencies` for turning on the checking of missing (non-core) sqlmap dependencies.
* Added switch `--disable-coloring` to disable console output coloring.
* Added option `--dns-domain` to set the domain name for usage in DNS exfiltration attack(s).
* Added option `--dump-format` to set the format of dumped data (`CSV` (default), `HTML` or `SQLITE`).
* Added option `--eval` for setting the Python code that will be evaluated before the request.
* Added switch `--force-ssl` to force usage of SSL/HTTPS.
* Added switch `--hex` to force usage of DBMS hex function(s) for data retrieval.
* Added option `-H` to set extra HTTP header (e.g. `"X-Forwarded-For: 127.0.0.1"`).
* Added switch `-hh` for showing advanced help message.
* Added option `--host` to set the HTTP Host header value.
* Added switch `--hostname` to turn on retrieval of DBMS server hostname.
* Added switch `--hpp` to turn on the usage of HTTP parameter pollution WAF bypass method.
* Added switch `--identify-waf` for turning on the thorough testing of WAF/IPS protection.
* Added switch `--ignore-401` to ignore HTTP Error Code 401 (Unauthorized).
* Added switch `--invalid-bignum` for usage of big numbers while invalidating values.
* Added switch `--invalid-logical` for usage of logical operations while invalidating values.
* Added switch `--invalid-string` for usage of random strings while invalidating values.
* Added option `--load-cookies` to set the file containing cookies in Netscape/wget format.
* Added option `-m` to set the textual file holding multiple targets for scanning purposes.
* Added option `--method` to force usage of provided HTTP method (e.g. `PUT`).
* Added switch `--no-cast` for turning off payload casting mechanism.
* Added switch `--no-escape` for turning off string escaping mechanism.
* Added option `--not-string` for setting string to be matched when query is evaluated to False.
* Added switch `--offline` to force work in offline mode (i.e. only use session data).
* Added option `--output-dir` to set custom output directory path.
* Added option `--param-del` to set character used for splitting parameter values.
* Added option `--pivot-column` to set column name that will be used while dumping tables by usage of pivot(ing).
* Added option `--proxy-file` to set file holding proxy list.
* Added switch `--purge-output` to turn on safe removal of all content(s) from output directory.
* Added option `--randomize` to set parameter name(s) that will be randomly changed during sqlmap run.
* Added option `--safe-post` to set POST data for sending to safe URL.
* Added option `--safe-req` for loading HTTP request from a file that will be used during sending to safe URL.
* Added option `--skip` to skip testing of given parameter(s).
* Added switch `--skip-static` to skip testing parameters that do not appear to be dynamic.
* Added switch `--skip-urlencode` to skip URL encoding of payload data.
* Added switch `--skip-waf` to skip heuristic detection of WAF/IPS protection.
* Added switch `--smart` to conduct thorough tests only if positive heuristic(s).
* Added option `--sql-file` for setting file(s) holding SQL statements to be executed (in case of stacked SQLi).
* Added switch `--sqlmap-shell` to turn on interactive sqlmap shell prompt.
* Added option `--test-filter` for test filtration by payloads and/or titles (e.g. `ROW`).
* Added option `--test-skip` for skipping tests by payloads and/or titles (e.g. `BENCHMARK`).
* Added switch `--titles` to turn on comparison of pages based only on their titles.
* Added option `--tor-port` to explicitly set Tor proxy port.
* Added option `--tor-type` to set Tor proxy type (`HTTP` (default), `SOCKS4` or `SOCKS5`).
* Added option `--union-from` to set table to be used in `FROM` part of UNION query SQL injection.
* Added option `--where` to set `WHERE` condition to be used during the table dumping.
* Added option `-X` to exclude DBMS database table column(s) from enumeration.
* Added option `-x` to set URL of sitemap(.xml) for target(s) parsing.
* Added option `-z` for usage of short mnemonics (e.g. `"flu,bat,ban,tec=EU"`).

0.9

* Rewritten SQL injection detection engine.
* Support to directly connect to the database without passing via a SQL injection, option `-d`.
* Added full support for both time-based blind SQL injection and error-based SQL injection techniques.
* Implemented support for SQLite 2 and 3.
* Implemented support for Firebird.
* Implemented support for Microsoft Access, Sybase and SAP MaxDB.
* Extended old `--dump -C` functionality to be able to search for specific database(s), table(s) and column(s), option `--search`.
* Added support to tamper injection data with option `--tamper`.
* Added automatic recognition of password hashes format and support to crack them with a dictionary-based attack.
* Added support to enumerate roles on Oracle, `--roles` switch.
* Added support for SOAP based web services requests.
* Added support to fetch unicode data.
* Added support to use persistent HTTP(s) connection for speed improvement, switch `--keep-alive`.
* Implemented several optimization switches to speed up the exploitation of SQL injections.
* Support to test and inject against HTTP Referer header.
* Implemented HTTP(s) proxy authentication support, option `--proxy-cred`.
* Implemented feature to speed up the enumeration of table names.
* Support for customizable HTTP(s) redirections.
* Support to replicate the back-end DBMS tables structure and entries in a local SQLite 3 database, switch `--replicate`.
* Support to parse and test forms on target url, switch `--forms`.
* Added switches to brute-force table names and column names with a dictionary attack, `--common-tables` and `--common-columns`. Useful for instance when system table `information_schema` is not available on MySQL.
* Basic support for REST-style URL parameters by using the asterisk (`*`) to mark where to test for and exploit SQL injection.
* Added safe URL feature, `--safe-url` and `--safe-freq`.
* Added switch `--text-only` to strip from the HTTP response body the HTML/JS code and compare pages based only on their textual content.
* Implemented a few other features and switches.
* Over 100 bugs fixed.
* Major code refactoring.
* User's manual updated.

0.8

* Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (`--os-bof`) to automatically bypass DEP memory protection.
* Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable.
* Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys.
* Added options for MySQL and PostgreSQL to inject custom user-defined functions.
* Added support for `--first` and `--last` so the user now has even more granularity in what to enumerate in the query output.
* Minor enhancement to save the session by default in 'output/hostname/session' file if `-s` option is not specified.
* Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system.
* Minor bugs fixed.
* Major code refactoring.

0.7

* Added support to execute arbitrary commands on the database server underlying operating system either returning the standard output or not via UDF injection on MySQL and PostgreSQL and via xp_cmdshell() stored procedure on Microsoft SQL Server;
* Added support for out-of-band connection between the attacker box and the database server underlying operating system via stand-alone payload stager created by Metasploit and supporting Meterpreter, shell and VNC payloads for both Windows and Linux;
* Added support for out-of-band connection via Microsoft SQL Server 2000 and 2005 'sp_replwritetovarbin' stored procedure heap-based buffer overflow (MS09-004) exploitation with multi-stage Metasploit payload support;
* Added support for out-of-band connection via SMB reflection attack with UNC path request from the database server to the attacker box by using the Metasploit smb_relay exploit;
* Added support to read and write (upload) both text and binary files on the database server underlying file system for MySQL, PostgreSQL and Microsoft SQL Server;
* Added database process' user privilege escalation via Windows Access Tokens kidnapping on MySQL and Microsoft SQL Server via either Meterpreter's incognito extension or Churrasco stand-alone executable;
* Speed up the inference algorithm by providing the minimum required charset for the query output;
* Major bug fix in the comparison algorithm to also correctly handle the case where the URL is stable and the False response changes the page content very little;
* Many minor bug fixes, minor enhancements and layout adjustments.

0.6.4

* Major enhancement to make the comparison algorithm automatically work properly also on URLs that are not stable, by using the difflib Sequence Matcher object;
* Major enhancement to support SQL data definition statements, SQL data manipulation statements, etc from user in SQL query and SQL shell if stacked queries are supported by the web application technology;
* Major speed increase in DBMS basic fingerprint;
* Minor enhancement to support an option (`--is-dba`) to show if the current user is a database management system administrator;
* Minor enhancement to support an option (`--union-tech`) to specify the technique to use to detect the number of columns used in the web application SELECT statement: NULL bruteforcing (default) or ORDER BY clause bruteforcing;
* Added internal support to forge CASE statements, used only by `--is-dba` query at the moment;
* Minor layout adjustment to the `--update` output;
* Increased default timeout to 30 seconds;
* Major bug fix to correctly handle custom SQL "limited" queries on Microsoft SQL Server and Oracle;
* Major bug fix to avoid tracebacks when multiple targets are specified and one of them is not reachable;
* Minor bug fix to make the Partial UNION query SQL injection technique work properly also on Oracle and Microsoft SQL Server;
* Minor bug fix to make the `--postfix` work even if `--prefix` is not provided;
* Updated documentation.

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.