Minor patches

.gitignore

@@ -14,3 +14,4 @@ extra/.DS_Store
 lib/.DS_Store
 plugins/.DS_Store
 thirdparty/.DS_Store
+CLAUDE.md

data/txt/sha256sums.txt

@@ -189,7 +189,7 @@ ccc4a717e887652b1fcce073d9409d9c59a3b28548c703a9e453d15845f90cd7  lib/core/patch
 9bf174058f15d14e24e94f9aaf42df045119d3617c6c54bd2f3af79b462f331d  lib/core/replication.py
 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6  lib/core/revision.py
 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c  lib/core/session.py
-af4dcbb3256ae407ade6fa8270d01d4bbf398d50be3be16b80572835662d6c2f  lib/core/settings.py
+dc6658683ad78759563aa8ae91696130112ea28e94d770ad72bdb5f09a81122c  lib/core/settings.py
 c7804223319e18eb0b8e2cbf0a8b6896d1cefb7b0b1a2e9f1cf826a8a3b56750  lib/core/shell.py
 a2e98a94b231432736d6b304fc75525c8b5fdb4768c418387c5b4c1a610dad64  lib/core/subprocessng.py
 19f1e3c5e3ba703d28d510cd7a9ab8284d5fbe9df5ce7e77c86e5931571364b7  lib/core/target.py
@@ -240,12 +240,12 @@ a66a4b9df6207dce722c9b71d290ea426723cb4b697b416065dc7dd5db96fe8e  lib/techniques
 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3  lib/techniques/error/__init__.py
 5bbef46c16e34fd80e3f9f0e9aa255ce2e39be0d0e57479e25890b041c7efc7d  lib/techniques/error/use.py
 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3  lib/techniques/graphql/__init__.py
-a1c5ec208843eb93e0fab40daac090aa3bf914a7dd0afb0f7c55c2db4db8d72b  lib/techniques/graphql/inject.py
+ffbc7583a563bb9fe5a560ca8363f3e4ec84ecf907b956883ab1f2904f19d529  lib/techniques/graphql/inject.py
 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3  lib/techniques/__init__.py
 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3  lib/techniques/ldap/__init__.py
-d469815c430caaafeeba285d10974456b96d7019f95738fe8038bfd0855068e4  lib/techniques/ldap/inject.py
+cc90c641d74244e45fa0c8c4026315452137e66b6fb5cef681d0eacd4e11eb69  lib/techniques/ldap/inject.py
 44401cad3e39ae9fb899ed5d0e2fdd0879561de05c3117f17f3b0db54f4e3724  lib/techniques/nosql/__init__.py
-d62b28bf9f1544e65a1017994402f484166f4d64a1efb724351b15e27b851990  lib/techniques/nosql/inject.py
+e2cd2b19f82393f9bbc8f374686cd851a4ccc264bb898ea54547ec479a05674c  lib/techniques/nosql/inject.py
 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3  lib/techniques/union/__init__.py
 ceec65f8cb7c3254c4671351c837418c76ac5bc55ccbc40779f67231b54d7085  lib/techniques/union/test.py
 c65766f71e285fc85cdf58e7448c4c1d015af2a9dbb44fa3b665a9f13362fbcc  lib/techniques/union/use.py

lib/core/settings.py

@@ -20,7 +20,7 @@ from lib.core.enums import OS
 from thirdparty import six
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.10.6.164"
+VERSION = "1.10.6.165"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)

lib/techniques/graphql/inject.py

@@ -13,11 +13,13 @@ import time
 from collections import namedtuple
 from collections import OrderedDict
 
+from lib.core.common import beep
 from lib.core.common import randomStr
 from lib.core.convert import getUnicode
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
+from lib.core.enums import CUSTOM_LOGGING
 from lib.core.enums import POST_HINT
 from lib.core.settings import ERROR_PARSING_REGEXES
 from lib.core.settings import GRAPHQL_ENDPOINT_PATHS
@@ -234,6 +236,13 @@ def _gqlSend(endpoint, query, variables=None):
     body = {"query": query}
     if variables:
         body["variables"] = variables
+
+    if conf.delay:
+        time.sleep(conf.delay)
+
+    if conf.verbose >= 3:
+        logger.log(CUSTOM_LOGGING.PAYLOAD, query[:200])
+
     oldPostHint = getattr(kb, "postHint", None)
     try:
         kb.postHint = POST_HINT.JSON
@@ -974,6 +983,8 @@ def _testSlot(slot, endpoint):
     report = "---\nParameter: %s.%s(%s:) (%s)\n    Type: GraphQL injection\n    Title: %s\n    Payload: %s\n---" % (
         slot.parentType, slot.fieldName, slot.targetArg, slot.strategy, title, _escapeGraphQLString(payload))
     conf.dumper.singleString(report)
+    if conf.beep:
+        beep()
 
     # In-band exposure: the always-true payload reflecting extra records directly
     if kind == "boolean" and templatePage:

lib/techniques/ldap/inject.py

@@ -7,9 +7,11 @@ See the file 'LICENSE' for copying permission
 
 import difflib
 import re
+import time
 
 from collections import namedtuple
 
+from lib.core.common import beep
 from lib.core.common import randomStr
 from lib.core.convert import getUnicode
 from lib.core.data import conf
@@ -154,12 +156,16 @@ def _send(place, parameter, value):
     skipUrlEncode = conf.skipUrlEncode
     conf.skipUrlEncode = True
 
+    if conf.delay:
+        time.sleep(conf.delay)
+
     try:
         kwargs = {"raise404": False, "silent": True}
         payload = _replaceSegment(place, parameter, value)
         kwargs["post" if place in (PLACE.POST, PLACE.CUSTOM_POST) else "get"] = payload
 
-        logger.log(CUSTOM_LOGGING.PAYLOAD, payload)
+        if conf.verbose >= 3:
+            logger.log(CUSTOM_LOGGING.PAYLOAD, payload)
         page, _, _ = Request.getPage(**kwargs)
         return page or ""
     except Exception as ex:
@@ -671,6 +677,8 @@ def ldapScan():
                 found += 1
                 backend = backendHint or None
                 logger.info("%s parameter '%s' is vulnerable to LDAP injection (back-end: '%s')" % (place, parameter, backend or "Generic"))
+                if conf.beep:
+                    beep()
 
                 oracle = _makeOracle(place, parameter, template)
                 slots.append(Slot(place=place, parameter=parameter, backend=backend, oracle=oracle, template=template, payload=payload, breakout=breakout))
@@ -681,6 +689,8 @@ def ldapScan():
             if bypass:
                 found += 1
                 logger.info("%s parameter '%s' allows LDAP wildcard auth bypass (password=*)" % (place, parameter))
+                if conf.beep:
+                    beep()
                 slots.append(Slot(place=place, parameter=parameter, bypass=bypass))
                 continue
 

lib/techniques/nosql/inject.py

@@ -13,6 +13,7 @@ import time
 from collections import namedtuple
 from collections import OrderedDict
 
+from lib.core.common import beep
 from lib.core.common import randomStr
 from lib.core.data import conf
 from lib.core.data import kb
@@ -134,6 +135,9 @@ def _send(place, parameter, segment=None, jsonValue=_UNSET):
     skipUrlEncode = conf.skipUrlEncode
     conf.skipUrlEncode = True
 
+    if conf.delay:
+        time.sleep(conf.delay)
+
     try:
         kwargs = {"raise404": False, "silent": True}
 
@@ -705,6 +709,8 @@ def nosqlScan():
             found += 1
             infoMsg = "%s parameter '%s' is vulnerable to NoSQL injection (back-end: '%s')" % (place, key, vector.dbms)
             logger.info(infoMsg)
+            if conf.beep:
+                beep()
 
             # standard sqlmap-style injection-point summary (reproducible vector)
             if vector.bypass == '{"$ne": null}':