* Implemented support for automatic decoding of page content through detected charset

* Implemented mechanism for proper data dumping on DBMSes not supporting LIMIT/OFFSET like mechanism(s) (e.g. Microsoft SQL Server, Sybase, etc.)

* Major improvements to program stabilization based on user reports

* Added new tampering scripts avoiding popular WAF/IPS/IDS mechanisms

* Added support for setting Tor proxy type together with port

* Fixed major bug with DNS leaking in Tor mode

* Added wordlist compilation made of the most popular cracking dictionaries

* Added support for mnemonics substantially helping user with program setup

* Implemented multi-processor hash cracking routine(s) on Linux OS

* Implemented advanced detection techniques for inband and time-based injections by usage of standard deviation method

* Old resume files are now deprecated and replaced by faster SQLite based session mechanism

* Substantial code optimization and smaller memory footprint

* Added switch -m for scanning multiple targets enlisted in a given textual file

* Added switch --randomize for randomly changing value of a given parameter(s) based on it's original form

* Added switch --force-ssl for forcing usage of SSL/HTTPS requests

* Added switch --host for manually setting HTTP Host header value

* Added switch --eval for evaluating provided Python code (with resulting parameter values) right before the request itself

* Added switch --skip for skipping tests for given parameter(s)

* Added switch --titles for comparing pages based only on their titles

* Added switch --charset for forcing character encoding used for data retrieval

* Added switch --check-tor for checking if Tor is used properly

* Added switch --crawl for multithreaded crawling of a given website starting from the target url

* Added switch --csv-del for manually setting delimiting character used in CSV output

* Added switch --hex for using DBMS hex conversion function(s) for data retrieval

* Added switch --smart for conducting through tests only in case of positive heuristic(s)

* Added switch --check-waf for checking of existence of WAF/IPS/IDS protection

* Added --schema switch to enumerate DBMS schema: shows all columns of all databases' tables

* Added --count switch to count the number of entries for a specific table or all database(s) tables

* Major improvements to --tables and --columns switches

* Takeover switch --os-pwn improved: stealthier, faster and AV-proof

* Added --mobile switch to imitate a mobile device through HTTP User-Agent header

* Support to directly connect to the database without passing via a SQL injection, -d switch.

* Extended old '--dump -C' functionality to be able to search for specific database(s), table(s) and column(s), --search switch.

* Added support to tamper injection data with --tamper switch.

* Added support to use persistent HTTP(s) connection for speed improvement, --keep-alive switch.

* Implemented HTTP(s) proxy authentication support, --proxy-cred switch.

* Support to replicate the back-end DBMS tables structure and entries in a local SQLite 3 database, --replicate switch.

* Support to parse and test forms on target url, --forms switch.

* Added switches to brute-force tables names and columns names with a dictionary attack, --common-tables and --common-columns. Useful for instance when system table 'information_schema' is not available on MySQL.

* Basic support for REST-style URL parameters by using the asterisk (*) to mark where to test for and exploit SQL injection.

* Added safe URL feature, --safe-url and --safe-freq.

* Added --text-only switch to strip from the HTTP response body the HTML/JS code and compare pages based only on their textual content.

* Support to enumerate and dump all databases' tables containing user provided column(s) by specifying for instance '--dump -C user,pass'. Useful to identify for instance tables containing custom application credentials.

* Support to parse -C (column name(s)) when fetching columns of a table with --columns: it will enumerate only columns like the provided one(s) within the specified table.

* Enhanced --priv-esc to rely on new Metasploit Meterpreter's 'getsystem' command to elevate privileges of the user running the back-end DBMS instance to SYSTEM on Windows.

* Automatic support in --os-pwn to use the web uploader/backdoor to upload and execute the Metasploit payload stager when stacked queries SQL injection is not supported, for instance on MySQL/PHP and MySQL/ASP, but there is a writable folder within the web server document root.

* Fixed web backdoor functionality for --os-cmd, --os-shell and --os-pwn useful when web application does not support stacked queries.

* Added support to properly read (--read-file) also binary files via PostgreSQL by injecting sqlmap new sys_fileread() user-defined function.

* Support for NTLM authentication via python-ntlm third party library, http://code.google.com/p/python-ntlm/, --auth-type NTLM.

* Support to automatically decode deflate, gzip and x-gzip HTTP responses.

* Support for Certificate authentication, --auth-cert option added.

* Added support for regular expression based scope when parsing Burp or Web Scarab proxy log file (-l), --scope.

* Added option (-r) to load a single HTTP request from a text file.

* Added option (--ignore-proxy) to ignore system default HTTP proxy.

* Added support to ignore Set-Cookie in HTTP responses, --drop-set-cookie.

* Added support to specify which Google dork result page to parse, --gpage to be used together with -g.

* Major bug fix and enhancements to the multi-threading (--threads) functionality.

* Refactored --update to use python-svn third party library if available or 'svn' command to update sqlmap to the latest development version from subversion repository.