Ok, it looks like either you closed the two holes I found or I am not awake
The two I had were:
default.asp?page=srchprod&prod=
default.asp?page=menu&menuid=
I basically:
1) tried to create errors in your blanks and querystrings by using single-quotes, double-quotes, illegal characters until I found some that weren't protected like above
2) started trying to find tables that existed. Basically I was injecting a UNION statement into the SQL statement like so:
and '1' = '3' UNION select 'a','a','a','a','a','a','a','a','a' From [users] where '1'='1
The way I found the table name is I just kept trying differant table names that made sense until the ADO error stopped saying "Table not found". I did the same thing to get the number of fields in my union statement to match up the number of fields in your select from the products table. I believe there were 7 fields in the search form and 9 in the menuid one.
3) Now, I started doing queries to find field names. I found that I didn't get errors when I used [username] or [password] as field names for the [users] table, but I also didn't get any results. Your search page was a little more forgiving and would actually display some results if I did something like:
UNION select COUNT([username]),COUNT([username]),COUNT([username]),COUNT([username]),COUNT([username]),COUNT([username]),COUNT([username]) From [users] where '1'='1
Which gave me a display with a whole bunch of zeroes instead of a product, but also told me you had no users.
If you had had users I would have done a select for the [username] and [password]'s. Then I would have tried out some more field names and tried to log into /Admin.asp which I found by random guess.
If you had had users in the [users] table, I would have had them as well as possible having a login into the admin site or at least known that the login wasn't there and I needed to keep looking. Since i wasn't a serious attacker I gave up after this because my scotch was getting warm
-T
