Full Disclosure mailing list archives

Sql Injection big5 consultancy


From: "joseph blater" <t5con () hotmail com>
Date: Mon, 23 Jun 2003 06:48:34 +0000

Hello list,

While updating my resume at a regional HR site of a top5 consultancy, I faced a programming bug (terribly written ASP disappeared with my session id), which returned an OLE Error. I decided to make a little test, so I started playing with SQL injection. Surprisingly, it worked. Every SQL Server attack I attempted worked, no stripping or customized exceptions. So far, I counted over 50 fields in the same table... damned be their DBA. This table has all candidate resumes and, deducing by the names of the fields, all employees' resumes with current classification inside the corp (Potential, Supervisor, Inscription and so on).

I guess it would be kinda simple to move on to Stored Procedure and ActiveX attacks, but I have not the least intention of getting unprivileged access or confidential information from the db.

What should I do? Tell them their whole HR system is vulnerable and face the risks of being charged for something? Although owning certs from most vendors, I never got to work for a top5. Shall I take the risk and use this vuln to help me get a job?

They probably could trace my real IP used in the early requests, when I was updating the resume using no proxies. So it wouldn't be a good idea to send anonymous advice.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

