From b6391624202ff2a818b11327567fb5d001bc9079 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Roland=20H=C3=A4der?=
Date: Mon, 9 Jun 2025 01:54:49 +0200
Subject: [PATCH] Continued:

- blocked/detected DBMS_PIPE and PG_SLEEP() (uncommon to do this in URLs)
- some attackers tried to use php:/ and not php://, so let's remove one slash to detect/block them all

---
 libs/lib_detector.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/libs/lib_detector.php b/libs/lib_detector.php
index c4dcf10..a9b2d04 100644
--- a/libs/lib_detector.php
+++ b/libs/lib_detector.php
@@ -51,7 +51,8 @@ function initCrackerTrackerArrays () {
 // SQL injections
 'union ', ' union', 'insert ', 'select ', ' like', 'drop ', 'update ',
- 'union(', 'union=',
+ 'union(', 'union=', 'dbms_pipe',
+ 'pg_sleep(',
 // $GLOBAL/$_SERVER array elements
 'HTTP_USER_AGENT', 'HTTP_HOST', 'HTTP_PHP', '_SESSION', 'CFG_ROOT',
@@ -127,7 +128,7 @@ function initCrackerTrackerArrays () {
 '_phplib', '__callbackparam',
 // Generic remote inclusion
- '=http://', '=https://', '=php://',
+ '=http:/', '=https:/', '=php:/',
 'path=', 'sql=', '=%7BQUOT%7D', '=%5C', '=%22http','=%22ftp','=%22file','=%27http','=%27ftp', '=%27file',
-- 
2.39.5
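Review bot: The new `'pg_sleep('` entry only matches when the opening parenthesis is present literally, so whether a request carrying `pg_sleep%28` or `pg_sleep (` with whitespace before the parenthesis is caught depends on the normalisation applied before these patterns are compared, which is outside this hunk; `'dbms_pipe'` on the same line carries no such suffix. If parity with the commit message is the goal, `'pg_sleep',` is the consistent form, at the cost of matching any occurrence of that substring. The commit message also names the keywords in upper case while the entries are lower case, so the comparison must be case-insensitive for the stated coverage to hold; worth confirming where the array is consumed. initCrackerTrackerArrays() begins before and continues after this hunk.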
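Review bot: The single-slash form `'=php:/'` is deliberate per the commit message, but nothing in the list says so and a later maintainer is likely to "correct" it back to `=php://`; a comment above the line would preserve the intent, e.g. `// one slash on purpose: also catches the malformed "php:/" form seen in the wild`. Coverage in this section is also uneven: `http`, `https` and `php` are now matched unquoted, whereas `ftp` and `file` (`'=%22ftp'`, `'=%27file'`) are matched only when preceded by an encoded quote, and other PHP stream wrappers commonly seen in the same role (`data:`, `phar:`, `expect:`) do not appear here, so an unquoted `=file:/` or `=data:/` passes this list unless it is handled elsewhere in the function. Extending the changed line to `'=http:/', '=https:/', '=php:/', '=file:/', '=data:/', '=phar:/',` would close that gap, with the usual trade-off of more false positives on legitimate parameters. The enclosing function starts and ends outside this hunk.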