Is Drupal 6.x is vulnerable to SQL injection Attack AKA Drupalgeddon?
If yes, what are vulnerable forms, directory or anything?
It was. It received a patch (long-term support).
The vulnerability has been patched with the release of Drupal 7.58, 8.5.1, 8.3.9 and 8.4.6. While Drupal 6 has reached end of life and it’s not supported since February 2016, a fix has still been developed due to the severity of the flaw and the high risk of exploitation. https://www.securityweek.com/drupalgeddon-critical-flaw-exposes-million-drupal-websites-attacks
Here is the patch for version 6: https://cgit.drupalcode.org/d6lts/tree/common/core/SA-CORE-2018-002.patch or the full release: https://github.com/d6lts/drupal/releases/tag/6.44 that contains commits for SA-CORE-2018-001,002,004