From ba3a8a69d479eef5a2bfa0484b737ace9c582c90 Mon Sep 17 00:00:00 2001 From: Bernardo Damele Date: Mon, 7 Feb 2011 00:33:54 +0000 Subject: [PATCH] More statements to exclude from unescap'ing --- lib/core/settings.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/core/settings.py b/lib/core/settings.py index bea34fb41..883ccb804 100644 --- a/lib/core/settings.py +++ b/lib/core/settings.py @@ -250,5 +250,5 @@ URI_INJECTION_MARK_CHAR = '*' # Maximum length used for retrieving data over MySQL error based payload due to "known" problems with longer result strings MYSQL_ERROR_TRIM_LENGTH = 100 -# -EXCLUDE_UNESCAPE = ("WAITFOR DELAY ", " INTO DUMPFILE ", " INTO OUTFILE ") +# Do not unescape the injected statement if it contains any of the following SQL words +EXCLUDE_UNESCAPE = ("WAITFOR DELAY ", " INTO DUMPFILE ", " INTO OUTFILE ", "CREATE ")