More statements to exclude from unescap'ing

2025-12-06 16:32:23 +01:00 · 2011-02-07 00:33:54 +00:00 · 2011-02-07 00:33:54 +00:00 · ba3a8a69d4
commit ba3a8a69d4
parent 3719f085ae
1 changed files with 2 additions and 2 deletions
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@ -250,5 +250,5 @@ URI_INJECTION_MARK_CHAR = '*'
 # Maximum length used for retrieving data over MySQL error based payload due to "known" problems with longer result strings
 MYSQL_ERROR_TRIM_LENGTH = 100

-#
-EXCLUDE_UNESCAPE = ("WAITFOR DELAY ", " INTO DUMPFILE ", " INTO OUTFILE ")
+# Do not unescape the injected statement if it contains any of the following SQL words
+EXCLUDE_UNESCAPE = ("WAITFOR DELAY ", " INTO DUMPFILE ", " INTO OUTFILE ", "CREATE ")