Releases

0.4: latest release

all releases

Requirements

You will need the following Perl modules:

  • LWP::UserAgent
  • DBD::SQLite
  • WWW::Mechanize

A proper Term::ReadLine package is strongly recommended (though not mandatory).

Or, if you are on a Debian system:

apt-get install libwww-perl libdbd-sqlite3-perl libwww-mechanize-perl libterm-readline-gnu-perl

You will probably also want to install sqlite3, the command line interface for SQLite 3.

It also requires prior SQL injection knowledge, and... well... a brain helps.

Changelog

Version 0.4

New Features / Improvements

New "brute" command, to brute-force the names of tables and columns (dictionary / brute force).

Multithreading support for inband queries.

Added an option to convert spaces to /**/.

Added version information display when starting sqlsus.

Bug Fixes

Fixed a bug where "get columns" would use one file descriptor per column when storing the structure in the local SQLite database, which could result in a croak because of too many open files.

Small fixes/enhancements here and there.

Version 0.3

New Features / Improvements

Full SQLite backend, storing queries / results, database structure and variables in a local SQLite database.

Added "clone" command to clone some columns, a table, or the full database into a local SQLite database.

"clone" can resume, allowing a clone to continue across sessions.

Rewrite of the blind injection engine (A LOT faster now):

  • keep all the threads busy with micro tasks (huge speed improvement)
  • regular expression matching for each item, prior to bruteforcing (huge drop in the number of hits required)
  • progress meter

Added cookie support.

Possibility to change the current database ("use xxx") while still using all the commands transparently.

Better query shortening, allowing even more data to be fetched per server hit.

Use of BINARY for inband injections, to avoid collation issues.

User-controlled "UNION SELECT" string.

Got rid of IPC::Shareable, using socketpair() instead.

Added "test" command for boolean query testing from the command line (blind mode).

Inband injection is now contained only in subqueries, to allow more complex SQL injection scenarios.

Improved "get columns" to minimize the hits in the inband query scenario.

Improved the web crawler to minimize the hits.

In exec mode, STDERR is redirected to STDOUT in shell/backdoor.php.

Minor improvements to the behaviour of some commands (show all / show db / set).

Added, modified, and removed some options in conf.pm, as well as via "set".

sqlsus no longer dies if addhistory is not available from the Terminal module.

Lots of small changes...

Bug Fixes

Blind injection column results are now always properly ordered.

Multi-row inband injection no longer stops on an empty item when it is the last one in a fetch.

Only loop on relevant HTTP errors, not on every status code above 400.

The web crawler now properly loads HTTP proxy / credentials / cookies.

"eval" now works properly.

"get count" now caps to max_sendable.

URI-encode the characters + and # when using "get".

Changed the way sqlsus finds suitable columns for injection, to avoid false positives.

Lots of small bug fixes...

Version 0.2

Improvements

No longer looks for error messages in the HTML when guessing the number of columns in an inband injection; looks directly for the expected hex values instead.

Added sleep_between_hits option: basic sleep() after each hit.

Added max_subqueries option: maximum number of subqueries to use per query.

Added max_array_elements option: above this number of elements, data is dumped to disk (to $dump_array_file) to avoid huge RAM consumption when fetching large amounts of data.

Added some core options.

Allowed more variables to be changed via "set".

Sped up the stacking function.

Added a progress indicator for inband mass queries, showing which rows are currently being fetched.

Bug Fixes

Fixed an inconsistency that prevented results from being logged with the same charset as they were displayed.

Now correctly displays what has been fetched if the user breaks with Ctrl+C.

Lots of fixes here and there.

Version 0.1

First release