* Implemented support for automatic decoding of page content through detected charset (Miroslav)

* Implemented mechanism for proper data dumping on DBMSes not supporting LIMIT/OFFSET like mechanism(s) (e.g. Microsoft SQL Server, Sybase, etc.) (Miroslav)

* Takeover switch --os-pwn improved: stealthier, faster and AV-proof (Bernardo)

* Added --mobile switch to imitate a mobile device through HTTP User-Agent header (Miroslav)

* Rewritten SQL injection detection engine (Bernardo and Miroslav).

* Support to directly connect to the database without passing via a SQL injection, -d switch (Bernardo and Miroslav).

* Major code refactoring (Bernardo and Miroslav).

* User's manual updated (Bernardo).

* Support to enumerate and dump all databases' tables containing user provided column(s) by specifying for instance '--dump -C user,pass'. Useful to identify for instance tables containing custom application credentials (Bernardo).

* Support to parse -C (column name(s)) when fetching columns of a table with --columns: it will enumerate only columns like the provided one(s) within the specified table (Bernardo).

* Updated user's manual (Bernardo and Miroslav).

* Created several demo videos, hosted on YouTube (http://www.youtube.com/user/inquisb) and linked from http://www.sqlmap.org/demo.html (Bernardo).

* Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection.

* Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable.

* Minor bugs fixed.

* Major code refactoring.

* Adapted Metasploit wrapping functions to work with latest 3.3 development version too.

* Adjusted code to make sqlmap 0.7 to work again on Mac OSX too.

* Fixed basic Microsoft SQL Server 2000 fingerprint.

* Many minor bug fixes and code refactoring.

* Added support to execute arbitrary commands on the database server underlying operating system either returning the standard output or not via UDF injection on MySQL and PostgreSQL and via xp_cmdshell() stored procedure on Microsoft SQL Server;

* Added support for out-of-band connection between the attacker box and the database server underlying operating system via stand-alone payload stager created by Metasploit and supporting Meterpreter, shell and VNC payloads for both Windows and Linux;

* Major bug fix in the comparison algorithm to correctly handle also the case that the url is stable and the False response changes the page content very little;

* Many minor bug fixes, minor enhancements and layout adjustments.

* Major enhancement to make the comparison algorithm work properly also on url not stables automatically by using the difflib Sequence Matcher object;

* Major enhancement to support SQL data definition statements, SQL data manipulation statements, etc from user in SQL query and SQL shell if stacked queries are supported by the web application technology;

* Minor bug fix to make the --postfix work even if --prefix is not provided;

* Updated documentation.

* Major enhancement to get list of targets to test from Burp proxy (http://portswigger.net/suite/) requests log file path or WebScarab proxy (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project) 'conversations/' folder path by providing option -l <filepath>;

* Major enhancement to support Partial UNION query SQL injection technique too;

* Increased default output level from 0 to 1;

* Updated documentation.

* Major bug fix to correctly dump tables entries when --stop is not specified;

* Major bug fix so that the users' privileges enumeration now works properly also on both MySQL < 5.0 and MySQL >= 5.0;

* Updated the database management system fingerprint checks to correctly identify MySQL 5.1.x, MySQL 6.0.x and PostgreSQL 8.3;

* More user-friendly warning messages.

* Major bug fix to blind SQL injection bisection algorithm to handle an exception;

* Added a Metasploit Framework 3 auxiliary module to run sqlmap;

* Changed the order sqlmap dump table entries from column by column to row by row. Now it also dumps entries as they are stored in the tables, not forcing the entries' order alphabetically anymore;

* Minor bug fix to correctly handle parameters' value with % character.

* Complete code refactor and many bugs fixed;

* Added multithreading support to set the maximum number of concurrent HTTP requests;

* Updated some docstrings;

* Updated documentation files.

* Added support for Oracle database management system

* Extended inband SQL injection functionality (--union-use) to all other possible queries since it only worked with -e and --file on all DMBS plugins;

* Complete code refactoring, a lot of minor and some major fixes in libraries, many minor improvements;

* Updated all documentation files.

* Added DBMS fingerprint based also upon HTML error messages parsing defined in lib/parser.py which reads an XML file defining default error messages for each supported DBMS;

* Added Microsoft SQL Server extensive DBMS fingerprint checks based upon accurate '@@version' parsing matching on an XML file to get also the exact patching level of the DBMS;

* Splitted lib/common.py: inband injection functionalities now are moved to lib/union.py;

* Updated documentation files.

* Added module for MS SQL Server;

* Strongly improved MySQL dbms active fingerprint and added MySQL comment injection check;

* Rewritten documentation files;

* Complete code restyling.

* complete refactor of entire program;

* added TODO and THANKS files;

* added InjectionCheck class in injection.py which performs check on url stability, dynamics of parameters and injection on dynamic url parameters;

* improved output methods in dump.py;

* layout enhancement on main program file (sqlmap.py), adapted to call new option/injection classes and improvements on catching of exceptions.