From: Roland Häder
Date: Sun, 8 Jun 2025 23:54:49 +0000 (+0200)
Subject: Continued:
X-Git-Url: https://git.mxchange.org/?a=commitdiff_plain;h=b6391624202ff2a818b11327567fb5d001bc9079;p=ctracker.git
Continued:
- blocked/detected DBMS_PIPE and PG_SLEEP() (uncommon to do this in URLs)
- some attackers tried to use php:/ and not php://, so let's remove one slash to detect/block them all
---
diff --git a/libs/lib_detector.php b/libs/lib_detector.php
index c4dcf10..a9b2d04 100644
--- a/libs/lib_detector.php
+++ b/libs/lib_detector.php
@@ -51,7 +51,8 @@ function initCrackerTrackerArrays () {
 // SQL injections
 'union ', ' union', 'insert ', 'select ', ' like', 'drop ', 'update ',
- 'union(', 'union=',
+ 'union(', 'union=', 'dbms_pipe',
+ 'pg_sleep(',
 // $GLOBAL/$_SERVER array elements
 'HTTP_USER_AGENT', 'HTTP_HOST', 'HTTP_PHP', '_SESSION', 'CFG_ROOT',
@@ -127,7 +128,7 @@ function initCrackerTrackerArrays () {
 '_phplib', '__callbackparam',
 // Generic remote inclusion
- '=http://', '=https://', '=php://',
+ '=http:/', '=https:/', '=php:/',
 'path=', 'sql=', '=%7BQUOT%7D', '=%5C', '=%22http','=%22ftp','=%22file','=%27http','=%27ftp', '=%27file',
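Review bot: The new `'pg_sleep('` entry carries a literal parenthesis while `'dbms_pipe'` beside it does not, and nothing in this hunk shows whether the request string is URL-decoded or lower-cased before it is compared against the list. The same array holds percent-encoded entries in the second hunk (`'=%22http'`, `'=%5C'`), which suggests at least some matching runs on the raw string; if that is the case, `pg_sleep%28` and the upper-case `PG_SLEEP(` named in the commit message would not be detected. I would store the bare name, `'pg_sleep',`, and add a comment above both entries such as `// Time-delay probes (Oracle DBMS_PIPE, PostgreSQL pg_sleep); no parenthesis so encoded forms match too`. initCrackerTrackerArrays() starts and ends outside the hunk, so the comparison code should be checked to confirm how case and encoding are handled.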
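Review bot: The shortened patterns `'=http:/'`, `'=https:/'` and `'=php:/'` read like typos, and the reason for the single slash is recorded only in the commit message. A comment on the line above, for example `// Single slash on purpose: also matches malformed probes such as php:/`, would keep a later cleanup from restoring `://` and narrowing detection again. Each new string is a prefix of the one it replaces, so nothing flagged before is missed now, but a request with a legitimate `=https:/…` parameter value is still flagged, which the same comment could state. The rest of initCrackerTrackerArrays() lies outside the hunk.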