From 096efea282acbe045a007014d4b76735456a443d Mon Sep 17 00:00:00 2001
From: Miroslav Stampar <miroslav.stampar@gmail.com>
Date: Mon, 7 Feb 2011 10:22:43 +0000
Subject: [PATCH] added BULK to EXCLUDE_UNESCAPE and preventing crashes when
 output=[]

---
 lib/core/settings.py        | 2 +-
 lib/takeover/xp_cmdshell.py | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/core/settings.py b/lib/core/settings.py
index 883ccb804..87d58759d 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -251,4 +251,4 @@ URI_INJECTION_MARK_CHAR = '*'
 MYSQL_ERROR_TRIM_LENGTH = 100
 
 # Do not unescape the injected statement if it contains any of the following SQL words
-EXCLUDE_UNESCAPE = ("WAITFOR DELAY ", " INTO DUMPFILE ", " INTO OUTFILE ", "CREATE ")
+EXCLUDE_UNESCAPE = ("WAITFOR DELAY ", " INTO DUMPFILE ", " INTO OUTFILE ", "CREATE ", "BULK ")
diff --git a/lib/takeover/xp_cmdshell.py b/lib/takeover/xp_cmdshell.py
index 5a4e261b7..3b12cf4db 100644
--- a/lib/takeover/xp_cmdshell.py
+++ b/lib/takeover/xp_cmdshell.py
@@ -123,10 +123,10 @@ class xp_cmdshell:
         output = inject.getValue("SELECT %s FROM %s" % (self.tblField, self.cmdTblName), resumeValue=False, sort=False, firstChar=first, lastChar=last)
         inject.goStacked("DELETE FROM %s" % self.cmdTblName)
 
-        if isinstance(output, (list, tuple)):
+        if output and isinstance(output, (list, tuple)):
             output = output[0]
 
-            if isinstance(output, (list, tuple)):
+            if output and isinstance(output, (list, tuple)):
                 output = output[0]
 
         return output