Continued:

- blocked/detected DBMS_PIPE and PG_SLEEP() (uncommon to do this in URLs)
- some attackers tried to use php:/ and not php://, so let's remove one slash
  to detect/block them all

diff --git a/libs/lib_detector.php b/libs/lib_detector.php
index c4dcf10dda43b5b1d12103f245ce8e1289a45539..a9b2d04dc1b25e960d6b9c8c0513b5eec40c1d79 100644 (file)
--- a/libs/lib_detector.php
+++ b/libs/lib_detector.php
@@ -51,7 +51,8 @@ function initCrackerTrackerArrays () {
                // SQL injections
                'union ', ' union', 'insert ',
                'select ', ' like', 'drop ', 'update ',
-               'union(', 'union=',
+               'union(', 'union=', 'dbms_pipe',
+               'pg_sleep(',
 
                // $GLOBAL/$_SERVER array elements
                'HTTP_USER_AGENT', 'HTTP_HOST', 'HTTP_PHP', '_SESSION', 'CFG_ROOT',
@@ -127,7 +128,7 @@ function initCrackerTrackerArrays () {
                '_phplib', '__callbackparam',
 
                // Generic remote inclusion
-               '=http://', '=https://', '=php://',
+               '=http:/', '=https:/', '=php:/',
                'path=', 'sql=',
                '=%7BQUOT%7D', '=%5C', '=%22http','=%22ftp','=%22file','=%27http','=%27ftp',
                '=%27file',