diff --git a/lib/core/settings.py b/lib/core/settings.py
index 883ccb804..87d58759d 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -251,4 +251,4 @@ URI_INJECTION_MARK_CHAR = '*'
 MYSQL_ERROR_TRIM_LENGTH = 100
 
 # Do not unescape the injected statement if it contains any of the following SQL words
-EXCLUDE_UNESCAPE = ("WAITFOR DELAY ", " INTO DUMPFILE ", " INTO OUTFILE ", "CREATE ")
+EXCLUDE_UNESCAPE = ("WAITFOR DELAY ", " INTO DUMPFILE ", " INTO OUTFILE ", "CREATE ", "BULK ")
diff --git a/lib/takeover/xp_cmdshell.py b/lib/takeover/xp_cmdshell.py
index 5a4e261b7..3b12cf4db 100644
--- a/lib/takeover/xp_cmdshell.py
+++ b/lib/takeover/xp_cmdshell.py
@@ -123,10 +123,10 @@ class xp_cmdshell:
         output = inject.getValue("SELECT %s FROM %s" % (self.tblField, self.cmdTblName), resumeValue=False, sort=False, firstChar=first, lastChar=last)
         inject.goStacked("DELETE FROM %s" % self.cmdTblName)
 
-        if isinstance(output, (list, tuple)):
+        if output and isinstance(output, (list, tuple)):
             output = output[0]
 
-            if isinstance(output, (list, tuple)):
+            if output and isinstance(output, (list, tuple)):
                 output = output[0]
 
         return output