added BULK to EXCLUDE_UNESCAPE and preventing crashes when output=[]

stamparm · stamparm · commit 096efea282ac · 2011-02-07T10:22:43.000Z
diff --git a/lib/core/settings.py b/lib/core/settings.py
@@ -251,4 +251,4 @@
 MYSQL_ERROR_TRIM_LENGTH = 100
 
 # Do not unescape the injected statement if it contains any of the following SQL words
-EXCLUDE_UNESCAPE = ("WAITFOR DELAY ", " INTO DUMPFILE ", " INTO OUTFILE ", "CREATE ")
+EXCLUDE_UNESCAPE = ("WAITFOR DELAY ", " INTO DUMPFILE ", " INTO OUTFILE ", "CREATE ", "BULK ")
diff --git a/lib/takeover/xp_cmdshell.py b/lib/takeover/xp_cmdshell.py
@@ -123,10 +123,10 @@ def xpCmdshellEvalCmd(self, cmd, first=None, last=None):
         output = inject.getValue("SELECT %s FROM %s" % (self.tblField, self.cmdTblName), resumeValue=False, sort=False, firstChar=first, lastChar=last)
         inject.goStacked("DELETE FROM %s" % self.cmdTblName)
 
-        if isinstance(output, (list, tuple)):
+        if output and isinstance(output, (list, tuple)):
             output = output[0]
 
-            if isinstance(output, (list, tuple)):
+            if output and isinstance(output, (list, tuple)):
                 output = output[0]
 
         return output
