I ran SQLMAP to test SQL injection for one of the site, and got the below information.
sqlmap identified the following injection points with a total of 78 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=666' AND 1737=1737 AND 'pQMi'='pQMi
---
web server operating system: Windows Vista
web application technology: ASP.NET, ASP.NET 1.1.4322, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2005
I am not sure, to what extent is this site vulnerable with this much information?
First sqlmap found the vulnerability in only 78 request meaning this wouldn't take long to discover and Injection based attacks is the top threat in 2013. With this information the only limitations are privileges set up by the database administrator, different SQL syntax, and the attacker's imagination. It is likely that it would be trivial to extract data out and/or destroy data.
From OWASP:
The bottom of the results show other potentially exploitable information that could allow a more targeted attack. Programs such as Metasploit (packaged in SQLMAP) could then be use to target vulnerabilities in Microsoft SQL Server 2005, Windows Vista, and/or Microsoft IIS 7.0. If the attacker found they couldn't get to what they wanted due to their level of access in sql server they could exploit MSSQL 2005 for user privilege escalation. Any piece of information that can be gained can be used for a different exploit path to gain access/alter your data.
More Information about the type of problem you have
2013 top threats by owasp
SQL Server 2005 Vulnerabilities
IIS 7.0 Vulnerabilities