Couple of improvements

2026-06-28 04:20:58 +00:00 · 2026-06-18 17:46:40 +02:00 · 2026-06-18 17:46:40 +02:00 · 8de9c5899d
commit 8de9c5899d
parent 8a458fc8d0
18 changed files with 108 additions and 51 deletions
--- a/data/txt/sha256sums.txt
+++ b/data/txt/sha256sums.txt
@ -79,8 +79,8 @@ e2febc92f9686eacf17a0054f175917b783cc6638ca570435a5203b03245fc18  data/xml/banne
 a32fc8796082d2e45cfc969f0b45ad476bf87a8515d67b2fed77c5058df5a0f5  data/xml/boundaries.xml
 0baf0fade74d4ad294ee88ef306743da0c6a4631b8d640708809103ef9cf63ed  data/xml/errors.xml
 d0b094a110bccec97d50037cc51445191561c0722ec53bf2cebe1521786e2451  data/xml/payloads/boolean_blind.xml
-53d0f29459f37248c320d5cb9960d432f46889696d27ae30cc3a3309fd6e026c  data/xml/payloads/error_based.xml
-b0f434f64105bd61ab0f6867b3f681b97fa02b4fb809ac538db382d031f0e609  data/xml/payloads/inline_query.xml
+6ebf0da74b18c95aee4fd4fc2874bda4b3780dc4254806f3968b953fa01bdca1  data/xml/payloads/error_based.xml
+516a2ff314bba3ecf65d0371bf8c2654ad79b09c0737b1fe0f178d7885a9508d  data/xml/payloads/inline_query.xml
 0648264166455010921df1ec431e4c973809f37ef12cbfea75f95029222eb689  data/xml/payloads/stacked_queries.xml
 997556b6170964a64474a2e053abe33cf2cf029fb1acec660d4651cc67a3c7e1  data/xml/payloads/time_blind.xml
 40a4878669f318568097719d07dc906a19b8520bc742be3583321fc1e8176089  data/xml/payloads/union_query.xml
@ -162,13 +162,13 @@ df768bcb9838dc6c46dab9b4a877056cb4742bd6cfaaf438c4a3712c5cc0d264  extra/shutils/
 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3  extra/vulnserver/__init__.py
 63657c00a046ca0fb28fd069407ab6305bd7b95c42f26a96ed083fd05b152252  extra/vulnserver/vulnserver.py
 3abecaec1a9c59645a4821463a2d761235f7a4f763a491f188a41a083bbddd98  lib/controller/action.py
-72707b5bdfc757c4e5271e156178919292b991a6e7337d3dcdeffea9df6db3ea  lib/controller/checks.py
-dcd4adcd7a2447a624ca7927541941d25767a4581af2d762c3197dc93790f4df  lib/controller/controller.py
+9387fb775b694156a71b336a2a9638ef24c577aa38746f391ac040ff05306d95  lib/controller/checks.py
+96463b969312bd4fd29452b5fc739f33e5a73f81fdc1ef80ac27debbe9926e42  lib/controller/controller.py
 d69e84f1648cdb907f5d2dd454f03874a4613752b07867510145d51d84b3c56f  lib/controller/handler.py
 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3  lib/controller/__init__.py
-b36b085ff1b5797e375c1e2ca3b12c7ab4204f48acd1a1efb075cff8302d9750  lib/core/agent.py
-ca3e5ce56cb1cae0a8e815425ab6810068004bffe8861d1037c7c87c0ae02477  lib/core/bigarray.py
-734a00fd87c67cde48d9ab9b5cdfa8b064300939898c4de2636e91d16a4223ba  lib/core/common.py
+1d7ed24bc41b9b73d7483a41c8b9162e95c7c027b1d07e52904c75fcad42fcfd  lib/core/agent.py
+12d0f1f28796b6fbf5629a3fd335b4098eac0583f832d1aa650efa22bf52e782  lib/core/bigarray.py
+f3725380a33c370c263516863d8e2bf3582f0ea6e37d45df8c176aa62ade19a1  lib/core/common.py
 8f1272487e1adfcc8c755a2f56f0c6d21eac5e685a73a9a159482f9dc9142bc5  lib/core/compat.py
 742bce10b97034966021ec60c7ac294db4af4fe7893613d63172a02c29f009f8  lib/core/convert.py
 c03dc585f89642cfd81b087ac2723e3e1bb3bfa8c60e6f5fe58ef3b0113ebfe6  lib/core/data.py
@ -181,26 +181,26 @@ e4f92e09737ff0dda7ec30e0db1912570e252853b3af9b8f2b9f68ad33cf09fe  lib/core/enums
 5387168e5dfedd94ae22af7bb255f27d6baaca50b24179c6b98f4f325f5cc7b4  lib/core/exception.py
 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3  lib/core/__init__.py
 914a13ee21fd610a6153a37cbe50830fcbd1324c7ebc1e7fc206d5e598b0f7ad  lib/core/log.py
-06651cff25422dcb84c159f80faf8dc377d82ddd451b5910f12c4c6a3ebe1e94  lib/core/optiondict.py
-e3a3729a24306b7ecace614fe27a8123c0becb0c5283ca519e5bcf376af2c711  lib/core/option.py
+96d54c79a2982709ba5639bc997c76db700e85c7fdcb474cedb490132f7ae5ad  lib/core/optiondict.py
+8084a0efe82bf3d3ff98f988bc6227d72ca015ac665afee9a8afc09afac2be52  lib/core/option.py
 ccc4a717e887652b1fcce073d9409d9c59a3b28548c703a9e453d15845f90cd7  lib/core/patch.py
 49c0fa7e3814dfda610d665ee02b12df299b28bc0b6773815b4395514ddf8dec  lib/core/profiling.py
 03db48f02c3d07a047ddb8fe33a757b6238867352d8ddda2a83e4fec09a98d04  lib/core/readlineng.py
 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3  lib/core/replication.py
 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6  lib/core/revision.py
 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c  lib/core/session.py
-c5bd1d6e862412495961bee8513e9e2f78a8f90ca15fdc53a87f221b84f9ab70  lib/core/settings.py
+5edba86522bc49aa6caf80118fc560610e76cc7f35a3c3c09a8052747a3b97ef  lib/core/settings.py
 cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82  lib/core/shell.py
 bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725  lib/core/subprocessng.py
 70ea3768f1b3062b22d20644df41c86238157ec80dd43da40545c620714273c6  lib/core/target.py
-c39dae0602b356d42f55df369c05614bbfb00c2abf2f0419fefe2ae781aa3098  lib/core/testing.py
+a43da1fc59cbc48698db34dc3516967910c84ef5945cf5423c2954acd54fe898  lib/core/testing.py
 e3e653364d08d04d7492aa40a2bd29c6a28f4d78fecdd6c10f21f6cb28b98b4c  lib/core/threads.py
 b9aacb840310173202f79c2ba125b0243003ee6b44c92eca50424f2bdfc83c02  lib/core/unescaper.py
 53e396902cb2546eaa09e77073fcba8be8827ee9ce055cfc899e81b0e6ad4d6d  lib/core/update.py
 2400e465fa4d13e4c32795910878c71ff212e4361b46428d57ce43983f5e997c  lib/core/wordlist.py
 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3  lib/__init__.py
 54bfd31ebded3ffa5848df1c644f196eb704116517c7a3d860b5d081e984d821  lib/parse/banner.py
-14b2fcfa2d6c3a155e3b85f093929c6129893ad191d1988a717daa1ffbb422e7  lib/parse/cmdline.py
+8c18ec0dc54dd313033408d7f55556d2068dbbafd9dd92a759d770843a680fd9  lib/parse/cmdline.py
 02d82e4069bd98c52755417f8b8e306d79945672656ac24f1a45e7a6eff4b158  lib/parse/configfile.py
 c5b258be7485089fac9d9cd179960e774fbd85e62836dc67cce76cc028bb6aeb  lib/parse/handler.py
 5c9a9caee948843d5537745640cc7b98d70a0412cc0949f59d4ebe8b2907c06c  lib/parse/headers.py
@ -217,7 +217,7 @@ ec14b5139cd6b03aa167a7b91fab913baf042d4370471390c13eed325eeb245f  lib/request/co
 cf019248253a5d7edb7bc474aa020b9e8625d73008a463c56ba2b539d7f2d8ec  lib/request/dns.py
 92c81cc31ff4a396723242058fb2152c9e9745f8412d01ea74480b048a53af6c  lib/request/httpshandler.py
 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3  lib/request/__init__.py
-aeeeb5f0148078e30d52208184042efc3618d3f2e840d7221897aae34315824e  lib/request/inject.py
+7a0ac2522213e756348fd871a7af74cc963bdc82f9d7ade57be5de42b5bf7cab  lib/request/inject.py
 ada4d305d6ce441f79e52ec3f2fc23869ee2fa87c017723e8f3ed0dfa61cdab4  lib/request/methodrequest.py
 43a7fdf64e7ba63c6b2d641c9f999a63c12ac23b43b64fedfce4e05b863de568  lib/request/pkihandler.py
 b90feeb16e89a844427df42373b0139eb6f6cf3c48ccec32b3e3a3f540c2451e  lib/request/rangehandler.py
@ -237,11 +237,11 @@ f522436fbd14bdab090a1d305fcac0361800cb8e36c8cbcb47933298376a71e0  lib/takeover/r
 3df9839fb92a81d46b6194d7adacb43f391efb78b071783c132e8d596ecbfaf1  lib/techniques/dns/test.py
 2934514a60cbcd48675053a73f785b4c7bfe606b51c34ae81a86818362ec4672  lib/techniques/dns/use.py
 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3  lib/techniques/error/__init__.py
-ee63b978154b0cb9a385fe51926ef6dc6f425b07f62b0d17208e82b4ac020f5c  lib/techniques/error/use.py
+5bbef46c16e34fd80e3f9f0e9aa255ce2e39be0d0e57479e25890b041c7efc7d  lib/techniques/error/use.py
 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3  lib/techniques/__init__.py
 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3  lib/techniques/union/__init__.py
 30cae858e2a5a75b40854399f65ad074e6bb808d56d5ee66b94d4002dc6e101b  lib/techniques/union/test.py
-5b49f5bca4e35362fa7d83896e0769fdb01ad152f30059aafd8ce0f093400a3f  lib/techniques/union/use.py
+0a9d884d95734986a628e5846ed85c985a96534fb0c56f9d7042a89377801bc2  lib/techniques/union/use.py
 aeefb42ea0c68f72744bc1bfd7194ec1bc06480d8a7e23f4b8d3d23fbba2b014  lib/utils/api.py
 442555ab85277aff7c9e0cf465ea5b0d28395c326f68363449b2d3941f4b6de2  lib/utils/brute.py
 da5bcbcda3f667582adf5db8c1b5d511b469ac61b55d387cec66de35720ed718  lib/utils/crawler.py
@ -255,7 +255,7 @@ a94958be0ec3e9d28d8171813a6a90655a9ad7e6aa33c661e8d8ebbfcf208dbb  lib/utils/deps
 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3  lib/utils/__init__.py
 e7d31de0e268c129ee11c590eb618f73a85e1022c08b8ed1f77753043c949214  lib/utils/pivotdumptable.py
 c1dfc3bed0fed9b181f612d1d747955dd2b506dbe99bc9fd481495602371473a  lib/utils/progress.py
-0aeb890fb6b0783f25df7c1ba7c9d0098325b4f7a677ff0151e411be24760f04  lib/utils/prove.py
+c442e9ef8324fd6fdf7bc334d765f0a6ce4037397eb3d79d59b5ce3e9a043855  lib/utils/prove.py
 2cd84db16edef8c9948e197a51d870cf1c338f4a89037b4d422de990f4a45237  lib/utils/purge.py
 f635872093a12cd63a72d77adf88e8f8cd4084a5cc64384f12966cd75a499bdf  lib/utils/safe2bin.py
 de4be7e291db0962cd59f9c04b3f7259f846e315df1fd9b323954f89fae0b2db  lib/utils/search.py
@ -400,7 +400,7 @@ ba04af3683b9a6e29e8fa6b3bf436a57e59435cebb042414f2df82018d91599e  plugins/dbms/m
 38ade085f9f1b227eda8c89f78e3ce869e8f430c98bef0cc7cbd2c7dcd60c24e  plugins/dbms/mssqlserver/fingerprint.py
 1ecde09e80d7b709a710281f4983a6831bc02ca3458ae0b97b28446d6db241b4  plugins/dbms/mssqlserver/__init__.py
 a89074020253365b6c95a4fa53e41fb0dc16f26a209b31f28e65910f26b81d21  plugins/dbms/mssqlserver/syntax.py
-57f263084438e9b2ec2e62909fc51871e9eefb1a9156bbe87908592c5274b639  plugins/dbms/mssqlserver/takeover.py
+099f17ba54181e0dc4da721db6a2ef52f6b8e57adeaf69248500754f4ecf398d  plugins/dbms/mssqlserver/takeover.py
 275ffb2a63c179a5b1673866fcd4020d7f30a68e6d7736e7e21094e2a3234578  plugins/dbms/mysql/connector.py
 51590c30177adf8c435e4d6d4be070f6708d81793f70577d9317daa4ef2485ba  plugins/dbms/mysql/enumeration.py
 5114ca85e5aac6eaebf2ca2cf6b944250329d2d5c36a36015ac34599c9437838  plugins/dbms/mysql/filesystem.py
--- a/data/xml/payloads/error_based.xml
+++ b/data/xml/payloads/error_based.xml
@ -880,7 +880,7 @@
        <risk>1</risk>
        <clause>1,2,3,9</clause>
        <where>1</where>
-        <vector>AND [RANDNUM]=('[DELIMITER_START]'||CAST(([QUERY]) AS String)||'[DELIMITER_STOP]')</vector>
+        <vector>AND [RANDNUM]=('[DELIMITER_START]'||CAST(([QUERY]) AS Nullable(String))||'[DELIMITER_STOP]')</vector>
        <request>
            <payload>AND [RANDNUM]=('[DELIMITER_START]'||(CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END)||'[DELIMITER_STOP]')</payload>
        </request>
@ -899,7 +899,7 @@
        <risk>3</risk>
        <clause>1,2,3,9</clause>
        <where>1</where>
-        <vector>OR [RANDNUM]=('[DELIMITER_START]'||CAST(([QUERY]) AS String)||'[DELIMITER_STOP]')</vector>
+        <vector>OR [RANDNUM]=('[DELIMITER_START]'||CAST(([QUERY]) AS Nullable(String))||'[DELIMITER_STOP]')</vector>
        <request>
            <payload>OR [RANDNUM]=('[DELIMITER_START]'||(CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END)||'[DELIMITER_STOP]')</payload>
        </request>
--- a/data/xml/payloads/inline_query.xml
+++ b/data/xml/payloads/inline_query.xml
@ -141,7 +141,7 @@
        <risk>1</risk>
        <clause>1,2,3,8</clause>
        <where>3</where>
-        <vector>('[DELIMITER_START]'||CAST(([QUERY]) AS String)||'[DELIMITER_STOP]')</vector>
+        <vector>('[DELIMITER_START]'||CAST(([QUERY]) AS Nullable(String))||'[DELIMITER_STOP]')</vector>
        <request>
            <payload>('[DELIMITER_START]'||(CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END)||'[DELIMITER_STOP]')</payload>
        </request>
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@ -94,6 +94,7 @@ from lib.core.settings import SUHOSIN_MAX_VALUE_LENGTH
 from lib.core.settings import SUPPORTED_DBMS
 from lib.core.settings import UPPER_RATIO_BOUND
 from lib.core.settings import URI_HTTP_HEADER
+from lib.core.settings import WAF_BLOCK_HTTP_CODES
 from lib.core.threads import getCurrentThreadData
 from lib.core.unescaper import unescaper
 from lib.request.connect import Connect as Request
@ -588,6 +589,18 @@ def checkSqlInjection(place, parameter, value):
                                                    break

                            if injectable:
+                                # WAF/IPS block-artifact guard: a TRUE condition (the always-true payload that
+                                # mimics a legitimate request) coming back with a blocked HTTP status (e.g. 403)
+                                # while the FALSE condition passes (2xx) is the WAF answering, not the database.
+                                # A real boolean injection's TRUE condition reproduces the normal page, so this
+                                # status-code asymmetry is the classic false positive - refuse it here.
+                                if not kb.negativeLogic and trueCode in WAF_BLOCK_HTTP_CODES and (falseCode or 0) < 400 and (kb.heuristicCode or 200) < 400:
+                                    warnMsg = "%sparameter '%s' TRUE/FALSE responses differ only by a blocked HTTP %d vs %d status, " % ("%s " % paramType if paramType != parameter else "", parameter, trueCode, falseCode)
+                                    warnMsg += "which is characteristic of a WAF/IPS block rather than a SQL injection; skipping as a likely false positive"
+                                    logger.warning(warnMsg)
+                                    injectable = False
+                                    continue
+
                                if kb.pageStable and not any((conf.string, conf.notString, conf.regexp, conf.code, conf.titles, kb.nullConnection)):
                                    if all((falseCode, trueCode)) and falseCode != trueCode and trueCode != kb.heuristicCode:
                                        suggestion = conf.code = trueCode
--- a/lib/controller/controller.py
+++ b/lib/controller/controller.py
@ -817,7 +817,7 @@ def start():
                    try:
                        action()
                    finally:
-                        if conf.prove:
+                        if conf.proof:
                            from lib.utils.prove import proveExploitation
                            proveExploitation()

--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@ -827,7 +827,7 @@ class Agent(object):

    def forgeUnionQuery(self, query, position, count, comment, prefix, suffix, char, where, multipleUnions=None, limited=False, fromTable=None):
        """
-        Take in input an query (pseudo query) string and return its
+        Take in input a query (pseudo query) string and return its
        processed UNION ALL SELECT query.

        Examples:
--- a/lib/core/bigarray.py
+++ b/lib/core/bigarray.py
@ -210,9 +210,9 @@ class BigArray(list):
        except (OSError, IOError) as ex:
            errMsg = "exception occurred while storing data "
            errMsg += "to a temporary file ('%s'). Please " % ex
-            errMsg += "make sure that there is enough disk space left. If problem persists, "
+            errMsg += "make sure that there is enough disk space left. If the problem persists, "
            errMsg += "try to set environment variable 'TEMP' to a location "
-            errMsg += "writeable by the current user"
+            errMsg += "writable by the current user"
            raise SqlmapSystemException(errMsg)

    def _checkcache(self, index):
--- a/lib/core/common.py
+++ b/lib/core/common.py
@ -2761,7 +2761,7 @@ def getPartRun(alias=True):

 def longestCommonPrefix(*sequences):
    """
-    Returns longest common prefix occuring in given sequences
+    Returns longest common prefix occurring in given sequences

    # Reference: http://boredzo.org/blog/archives/2007-01-06/longest-common-prefix-in-python-2

@ -3158,7 +3158,7 @@ def getPublicTypeMembers(type_, onlyValues=False):

 def enumValueToNameLookup(type_, value_):
    """
-    Returns name of a enum member with a given value
+    Returns name of an enum member with a given value

    >>> enumValueToNameLookup(SORT_ORDER, 100)
    'LAST'
--- a/lib/core/option.py
+++ b/lib/core/option.py
@ -608,7 +608,7 @@ def _setMetasploit():
        else:
            warnMsg = "the provided Metasploit Framework path "
            warnMsg += "'%s' is not valid. The cause could " % conf.msfPath
-            warnMsg += "be that the path does not exists or that one "
+            warnMsg += "be that the path does not exist or that one "
            warnMsg += "or more of the needed Metasploit executables "
            warnMsg += "within msfcli, msfconsole, msfencode and "
            warnMsg += "msfpayload do not exist"
@ -1675,9 +1675,9 @@ def _createTemporaryDirectory():
        except Exception as ex:
            warnMsg = "there has been a problem while accessing "
            warnMsg += "system's temporary directory location(s) ('%s'). Please " % getSafeExString(ex)
-            warnMsg += "make sure that there is enough disk space left. If problem persists, "
+            warnMsg += "make sure that there is enough disk space left. If the problem persists, "
            warnMsg += "try to set environment variable 'TEMP' to a location "
-            warnMsg += "writeable by the current user"
+            warnMsg += "writable by the current user"
            logger.warning(warnMsg)

    if "sqlmap" not in (tempfile.tempdir or "") or conf.tmpDir and tempfile.tempdir == conf.tmpDir:
--- a/lib/core/optiondict.py
+++ b/lib/core/optiondict.py
@ -100,7 +100,7 @@ optDict = {
        "prefix": "string",
        "suffix": "string",
        "tamper": "string",
-        "prove": "boolean",
+        "proof": "boolean",
    },

    "Detection": {
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@ -20,7 +20,7 @@ from lib.core.enums import OS
 from thirdparty import six

 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.10.6.122"
+VERSION = "1.10.6.123"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
@ -54,6 +54,11 @@ IPS_WAF_CHECK_RATIO = 0.5
 # Timeout used in heuristic check for WAF/IPS protected targets
 IPS_WAF_CHECK_TIMEOUT = 10

+# HTTP status codes a WAF/IPS typically returns when it blocks a request. Used to reject a boolean
+# "injection" whose only TRUE/FALSE difference is the always-true payload being blocked (a status-code
+# false positive) rather than the back-end actually answering.
+WAF_BLOCK_HTTP_CODES = (403, 406, 429, 451, 501, 503)
+
 # Candidate tamper scripts for automatic WAF-bypass, ordered by empirical WAF-bypass value
 # (structural token-substitution first, camouflage last; per identYwaf data). The back-end DBMS
 # is not pre-filtered here: semantics-preservation is verified at runtime by re-running detection
--- a/lib/core/testing.py
+++ b/lib/core/testing.py
@ -61,7 +61,7 @@ def vulnTest():
        ("-u <url> --data=\"security_level=3\" -p id --flush-session --technique=B", ("bypassed the WAF/IPS by using tamper script", "Type: boolean-based blind")),   # automatic WAF-bypass: SQL-tamper dimension at a stricter signature threshold
        ("-u <url> --data=\"security_level=4\" -p id --flush-session --technique=B --banner", ("random (non-scanner) User-Agent and browser-like headers to bypass the WAF/IPS", "Type: boolean-based blind", "banner: '3.")),   # automatic WAF-bypass against a libinjection-class WAF: tampers cannot help, only the non-scanner User-Agent does
        ("-u <url> --data=\"security_level=5\" -p id --flush-session --technique=B", ("unable to automatically bypass the WAF/IPS", "does not seem to be injectable")),   # automatic WAF-bypass honest bail: a libinjection-class WAF that no User-Agent or tamper can defeat
-        ("-u <url> -p id --flush-session --prove", ("sqlmap proved exploitation of the following injection point", "Parameter: id (GET)", "Technique: boolean-based blind", "TRUE (5/5)", "repeatably", "Retrieved: back-end DBMS banner '3.")),   # --prove: report-grade proof in the injection-point style - forces the boolean technique (so a multi-technique point still proves), and actively reads a value out as the strongest proof
+        ("-u <url> -p id --flush-session --proof", ("sqlmap proved exploitation of the following injection point", "Parameter: id (GET)", "Technique: boolean-based blind", "TRUE (5/5)", "repeatably", "Retrieved: back-end DBMS banner '3.")),   # --proof: report-grade proof in the injection-point style - forces the boolean technique (so a multi-technique point still proves), and actively reads a value out as the strongest proof
        ("-r <request> --flush-session -v 5 --test-skip=\"heavy\" --save=<config>", ("CloudFlare", "web application technology: Express", "possible DBMS: 'SQLite'", "User-Agent: foobar", "~Type: time-based blind", "saved command line options to the configuration file")),
        ("-c <config>", ("CloudFlare", "possible DBMS: 'SQLite'", "User-Agent: foobar", "~Type: time-based blind")),
        ("-l <log> --flush-session --keep-alive --skip-waf -vvvvv --technique=U --union-from=users --banner --parse-errors", ("banner: '3.", "ORDER BY term out of range", "~xp_cmdshell", "Connection: keep-alive")),
--- a/lib/parse/cmdline.py
+++ b/lib/parse/cmdline.py
@ -375,7 +375,7 @@ def cmdLineParser(argv=None):
        injection.add_argument("--tamper", dest="tamper",
            help="Use given script(s) for tampering injection data")

-        injection.add_argument("--prove", dest="prove", action="store_true",
+        injection.add_argument("--proof", dest="proof", action="store_true",
            help="Prove exploitation of the detected injection point(s)")

        # Detection options
--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@ -162,8 +162,8 @@ def _goInferenceFields(expression, expressionFields, expressionFieldsList, paylo

 def _goInferenceProxy(expression, fromUser=False, batch=False, unpack=True, charsetType=None, firstChar=None, lastChar=None, dump=False):
    """
-    Retrieve the output of a SQL query characted by character taking
-    advantage of an blind SQL injection vulnerability on the affected
+    Retrieve the output of a SQL query character by character taking
+    advantage of a blind SQL injection vulnerability on the affected
    parameter through a bisection algorithm.
    """

@ -209,9 +209,11 @@ def _goInferenceProxy(expression, fromUser=False, batch=False, unpack=True, char
                    test = False

            if test:
-                # Count the number of SQL query entries output
-                countFirstField = queries[Backend.getIdentifiedDbms()].count.query % expressionFieldsList[0]
-                countedExpression = expression.replace(expressionFields, countFirstField, 1)
+                # Count the number of SQL query entries output. NOTE: COUNT(*) (row count), not
+                # COUNT(<first field>) - the latter excludes NULLs and would drop NULL-valued rows from
+                # the dump (e.g. dumping a single column whose value is NULL on some rows).
+                countField = queries[Backend.getIdentifiedDbms()].count.query % '*'
+                countedExpression = expression.replace(expressionFields, countField, 1)

                if " ORDER BY " in countedExpression.upper():
                    _ = countedExpression.upper().rindex(" ORDER BY ")
--- a/lib/techniques/error/use.py
+++ b/lib/techniques/error/use.py
@ -326,8 +326,10 @@ def errorUse(expression, dump=False):
        expression, limitCond, topLimit, startLimit, stopLimit = agent.limitCondition(expression, dump)

        if limitCond:
-            # Count the number of SQL query entries output
-            countedExpression = expression.replace(expressionFields, queries[Backend.getIdentifiedDbms()].count.query % ('*' if len(expressionFieldsList) > 1 else expressionFields), 1)
+            # Count the number of SQL query entries output. NOTE: always COUNT(*) (row count); a single
+            # field must NOT use COUNT(field) as that excludes NULLs and would drop NULL-valued rows from
+            # the dump (e.g. a column whose value is NULL on some rows).
+            countedExpression = expression.replace(expressionFields, queries[Backend.getIdentifiedDbms()].count.query % '*', 1)

            if " ORDER BY " in countedExpression.upper():
                _ = countedExpression.upper().rindex(" ORDER BY ")
--- a/lib/techniques/union/use.py
+++ b/lib/techniques/union/use.py
@ -295,8 +295,10 @@ def unionUse(expression, unpack=True, dump=False):
        expression, limitCond, topLimit, startLimit, stopLimit = agent.limitCondition(expression, dump)

        if limitCond:
-            # Count the number of SQL query entries output
-            countedExpression = expression.replace(expressionFields, queries[Backend.getIdentifiedDbms()].count.query % ('*' if len(expressionFieldsList) > 1 else expressionFields), 1)
+            # Count the number of SQL query entries output. NOTE: always COUNT(*) (row count); a single
+            # field must NOT use COUNT(field) as that excludes NULLs and would drop NULL-valued rows from
+            # the dump (e.g. a column whose value is NULL on some rows).
+            countedExpression = expression.replace(expressionFields, queries[Backend.getIdentifiedDbms()].count.query % '*', 1)

            if " ORDER BY " in countedExpression.upper():
                _ = countedExpression.upper().rindex(" ORDER BY ")
--- a/lib/utils/prove.py
+++ b/lib/utils/prove.py
@ -104,12 +104,16 @@ def _signalArtifacts(expression):
        return None, None


-def _proveBoolean(injection):
+def _proveBoolean(injection, signal=None):
    """
    Demonstrates deterministic boolean control, rendered with the distinguishing signal sqlmap already
    auto-selected (--string / --code / --title), repeated to show it is stable (not a fluke). The signal
    line quotes the actual distinguishing artifact: the matched string, the two HTTP codes, or the two
    page titles - so a reader sees exactly what tells TRUE from FALSE.
+
+    When a mutable 'signal' dict is supplied it is filled with the distinguishing artifact (code-based?
+    and the TRUE/FALSE HTTP codes) so the caller can tell a genuine signal from a blocked-response (WAF)
+    artifact - a TRUE condition that yields an HTTP 4xx is a block, not a database answer.
    """

    retVal = []
@ -128,6 +132,10 @@ def _proveBoolean(injection):
        trueCode, trueTitle = _signalArtifacts("%d=%d" % (n, n))
        falseCode, falseTitle = _signalArtifacts("%d=%d" % (n, n + 1))

+    if signal is not None:
+        signal["codeBased"] = bool(injection.conf.code)
+        signal["trueCode"], signal["falseCode"] = trueCode, falseCode
+
    if injection.conf.string:
        retVal.append("the response contains %s only when the condition is TRUE" % repr(injection.conf.string).lstrip('u'))
    elif injection.conf.notString:
@ -277,7 +285,7 @@ def _retrieveProof():
 def proveExploitation():
    """
    Renders a report-grade, best-effort demonstration of exploitation for the confirmed injection point
-    (option '--prove'), in the same style as sqlmap's injection-point summary so it reads naturally: the
+    (option '--proof'), in the same style as sqlmap's injection-point summary so it reads naturally: the
    target URL and the confirmed injection point (parameter / type / title / payload), then the strongest
    proof first - an actual value read out of the back-end (drilling from the plain read to a more evasive
    one so a WAF/IPS does not stop it) - backed by a deterministic boolean differential (rendered with the
@ -290,11 +298,12 @@ def proveExploitation():

    injection = kb.injection if getattr(kb.injection, "place", None) else kb.injections[0]

+    signal = {}
    saved = _activateInjection(injection)
    try:
        if PAYLOAD.TECHNIQUE.BOOLEAN in injection.data:
            stype = PAYLOAD.TECHNIQUE.BOOLEAN
-            proof = _proveBoolean(injection)
+            proof = _proveBoolean(injection, signal)
        elif PAYLOAD.TECHNIQUE.TIME in injection.data or PAYLOAD.TECHNIQUE.STACKED in injection.data:
            stype = PAYLOAD.TECHNIQUE.TIME if PAYLOAD.TECHNIQUE.TIME in injection.data else PAYLOAD.TECHNIQUE.STACKED
            proof = _proveTime(injection)
@ -330,16 +339,40 @@ def proveExploitation():
        if sdata.payload:
            payload = urldecode(agent.adjustLateValues(sdata.payload), unsafe="&", spaceplus=(injection.place != PLACE.GET and kb.postSpaceToPlus))
            fields.append(_field("Payload", payload))
-    if proof:
-        fields.append(_field("Proof", proof))
-    if rungs:
+    # Reading a value back out of the back-end is the GATE, not a bonus: it is the only thing that
+    # distinguishes a real injection from a differential that merely correlates with the payload. A
+    # WAF/IPS that answers blocked payloads with a distinct HTTP status (e.g. 403 when TRUE, 200 when
+    # FALSE) reproduces a perfect, repeatable boolean differential WITHOUT any SQL ever executing - so
+    # the differential alone is exactly the signal detection already (mis)read. If nothing could be read
+    # back, exploitation is NOT proven; say so plainly instead of echoing the detection verdict.
+    proven = bool(rungs)
+
+    if proven:
+        if proof:
+            fields.append(_field("Proof", proof))
        for label, text in rungs:
            fields.append(_field(label, text))
+        header = "sqlmap proved exploitation of the following injection point"
    else:
-        fields.append(_field("Retrieved", "(no value could be read back; the proof above still confirms exploitation)"))
+        if proof:
+            fields.append(_field("Observed", proof))     # the differential is observed, but unconfirmed
+        suspectWaf = bool(signal.get("codeBased")) and (signal.get("trueCode") or 0) >= 400
+        wafInterfering = suspectWaf or kb.droppingRequests or bool(kb.identifiedWafs)
+        verdict = ["no value could be read back through the injection (tried a random arithmetic product and the DBMS banner)"]
+        if suspectWaf:
+            verdict.append("the TRUE/FALSE difference is only an HTTP %s (blocked) response - characteristic of a WAF/IPS, not a database answer" % signal.get("trueCode"))
+        if wafInterfering:
+            # behind a WAF, an unconfirmed read-back is ambiguous: a genuine injection whose data-retrieval
+            # payloads are being blocked looks the same as a pure WAF artifact - so don't assert "false
+            # positive", point the user at the way to disambiguate instead
+            verdict.append("a WAF/IPS is interfering: this may be a real injection whose data-retrieval is blocked, or a false positive")
+            verdict.append("=> exploitation is NOT proven; re-test directly (no WAF) or with --tamper, then re-prove")
+        else:
+            verdict.append("=> exploitation is NOT proven; the reported injection is likely a FALSE POSITIVE")
+        fields.append(_field("Verdict", verdict))
+        header = "sqlmap could NOT prove exploitation of the reported injection point"

    data = "\n".join(fields)
-    header = "sqlmap proved exploitation of the following injection point"
    conf.dumper.string(header, data)

    try:
--- a/plugins/dbms/mssqlserver/takeover.py
+++ b/plugins/dbms/mssqlserver/takeover.py
@ -61,7 +61,7 @@ class Takeover(GenericTakeover):
                break

        if not addrs:
-            errMsg = "sqlmap can not exploit the stored procedure buffer "
+            errMsg = "sqlmap cannot exploit the stored procedure buffer "
            errMsg += "overflow because it does not have a valid return "
            errMsg += "code for the underlying operating system (Windows "
            errMsg += "%s Service Pack %d)" % (Backend.getOsVersion(), Backend.getOsServicePack())