googlesky · googlesky · Apr 8, 2024 · Mar 29, 2024 · Mar 29, 2024 · Apr 8, 2024
diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt
@@ -165,7 +165,7 @@ f9c96cd3fe99578bed9d49a8bdf8d76836d320a7c48c56eb0469f48b36775c35  lib/controller
 99d0e94dd5fe60137abf48bfa051129fb251f5c40f0f7a270c89fbcb07323730  lib/controller/__init__.py
 826c33f1105be4c0985e1bbe1d75bdb009c17815ad6552fc8d9bf39090d3c40f  lib/core/agent.py
 b2d69c99632da5c2acd0c0934e70d55862f1380a3f602cbe7456d617fb9c1fc9  lib/core/bigarray.py
-e4a608db78251ab01154f210f68023e0963721852abc9eea82ee0f087e6dcea2  lib/core/common.py
+ba3f0002aa93f8f21f06dbea343573c590b9e6ec160fc6668c15e68a970cfb12  lib/core/common.py
 5c26b0f308266bc3a9679ef837439e38d1dc7a69eac6bd3422280f49aaf114d2  lib/core/compat.py
 b60c96780cad4a257f91a0611b08cfcc52f242908c5d5ab2bf9034ef07869602  lib/core/convert.py
 5e381515873e71c395c77df00bf1dd8c4592afc6210a2f75cbc20daf384e539f  lib/core/data.py
@@ -187,7 +187,7 @@ bf77f9fc4296f239687297aee1fd6113b34f855965a6f690b52e26bd348cb353  lib/core/profi
 4eff81c639a72b261c8ba1c876a01246e718e6626e8e77ae9cc6298b20a39355  lib/core/replication.py
 bbd1dcda835934728efc6d68686e9b0da72b09b3ee38f3c0ab78e8c18b0ba726  lib/core/revision.py
 eed6b0a21b3e69c5583133346b0639dc89937bd588887968ee85f8389d7c3c96  lib/core/session.py
-9ce5e85152ffb3a499325cd00b45bf33eaa7a0c79814993a3de55e474423efc7  lib/core/settings.py
+0308b7517a512a96a28d39ecbcc14e825cec4f237d4db6f85cc9002ee3020530  lib/core/settings.py
 2bec97d8a950f7b884e31dfe9410467f00d24f21b35672b95f8d68ed59685fd4  lib/core/shell.py
 e90a359b37a55c446c60e70ccd533f87276714d0b09e34f69b0740fd729ddbf8  lib/core/subprocessng.py
 54f7c70b4c7a9931f7ff3c1c12030180bde38e35a306d5e343ad6052919974cd  lib/core/target.py
@@ -240,7 +240,7 @@ f948fefb0fa67da8cf037f7abbcdbb740148babda9ad8a58fab1693456834817  lib/techniques
 99d0e94dd5fe60137abf48bfa051129fb251f5c40f0f7a270c89fbcb07323730  lib/techniques/union/__init__.py
 700cc5e8cae85bd86674d0cb6c97093fde2c52a480cc1e40ae0010fffd649395  lib/techniques/union/test.py
 4252a1829e60bb9a69e3927bf68a320976b8ef637804b7032d7497699f2e89e7  lib/techniques/union/use.py
-94beefc155940e079f2243886eb3dc33d9165e2fbe509d55e0c0c1a9c89b92d1  lib/utils/api.py
+a642cacecff4b2e39983ea0704f5f4b19a7c43bd263b24de16354115ec6ad6b5  lib/utils/api.py
 1d4d1e49a0897746d4ad64316d4d777f4804c4c11e349e9eb3844130183d4887  lib/utils/brute.py
 c0a4765aa80c5d9b7ef1abe93401a78dd45b2766a1f4ff6286287dc6188294de  lib/utils/crawler.py
 3f97e327c548d8b5d74fda96a2a0d1b2933b289b9ec2351b06c91cefdd38629d  lib/utils/deps.py

diff --git a/lib/core/common.py b/lib/core/common.py
@@ -711,8 +711,16 @@ def walk(head, current=None):
                                                 if value:
                                                     walk(head, value)
 
-                                deserialized = json.loads(testableParameters[parameter])
-                                walk(deserialized)
+                                # NOTE: for cases with custom injection marker(s) inside (e.g. https://github.com/sqlmapproject/sqlmap/issues/4137#issuecomment-2013783111) - p.s. doesn't care too much about the structure (e.g. injection into the flat array values)
+                                if CUSTOM_INJECTION_MARK_CHAR in testableParameters[parameter]:
+                                    for match in re.finditer(r'(\w+)[^\w]*"\s*:[^\w]*\w*%s' % re.escape(CUSTOM_INJECTION_MARK_CHAR), testableParameters[parameter]):
+                                        key = match.group(1)
+                                        value = testableParameters[parameter].replace(match.group(0), match.group(0).replace(CUSTOM_INJECTION_MARK_CHAR, BOUNDED_INJECTION_MARKER))
+                                        candidates["%s (%s)" % (parameter, key)] = re.sub(r"\b(%s\s*=\s*)%s" % (re.escape(parameter), re.escape(testableParameters[parameter])), r"\g<1>%s" % value, parameters)
+
+                                if not candidates:
+                                    deserialized = json.loads(testableParameters[parameter])
+                                    walk(deserialized)
 
                                 if candidates:
                                     message = "it appears that provided value for %sparameter '%s' " % ("%s " % place if place != parameter else "", parameter)

diff --git a/lib/core/settings.py b/lib/core/settings.py
@@ -20,7 +20,7 @@
 from thirdparty.six import unichr as _unichr
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.8.3.13"
+VERSION = "1.8.3.15"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)

diff --git a/lib/utils/api.py b/lib/utils/api.py
@@ -122,9 +122,9 @@ def execute(self, statement, arguments=None):
             return self.cursor.fetchall()
 
     def init(self):
-        self.execute("CREATE TABLE logs(id INTEGER PRIMARY KEY AUTOINCREMENT, taskid INTEGER, time TEXT, level TEXT, message TEXT)")
-        self.execute("CREATE TABLE data(id INTEGER PRIMARY KEY AUTOINCREMENT, taskid INTEGER, status INTEGER, content_type INTEGER, value TEXT)")
-        self.execute("CREATE TABLE errors(id INTEGER PRIMARY KEY AUTOINCREMENT, taskid INTEGER, error TEXT)")
+        self.execute("CREATE TABLE IF NOT EXISTS logs(id INTEGER PRIMARY KEY AUTOINCREMENT, taskid INTEGER, time TEXT, level TEXT, message TEXT)")
+        self.execute("CREATE TABLE IF NOT EXISTS data(id INTEGER PRIMARY KEY AUTOINCREMENT, taskid INTEGER, status INTEGER, content_type INTEGER, value TEXT)")
+        self.execute("CREATE TABLE IF NOT EXISTS errors(id INTEGER PRIMARY KEY AUTOINCREMENT, taskid INTEGER, error TEXT)")
 
 class Task(object):
     def __init__(self, taskid, remote_addr):
@@ -276,7 +276,7 @@ def emit(self, record):
         Record emitted events to IPC database for asynchronous I/O
         communication with the parent process
         """
-        conf.databaseCursor.execute("INSERT INTO logs VALUES(NULL, ?, ?, ?, ?)", (conf.taskid, time.strftime("%X"), record.levelname, record.msg % record.args if record.args else record.msg))
+        conf.databaseCursor.execute("INSERT INTO logs VALUES(NULL, ?, ?, ?, ?)", (conf.taskid, time.strftime("%X"), record.levelname, str(record.msg % record.args if record.args else record.msg)))
 
 def setRestAPILog():
     if conf.api: