The query time is controllable using parameter value [' | case randomblob(1000000000) when not null then "" else "" end | '], which caused the request to take [142] milliseconds, parameter value [' | case randomblob(1000000000) when not null then "" else "" end | '], which caused the request to take [142] milliseconds, when the original unmodified query with value [24] took [66] milliseconds.
So I found a SQL injection vuln on my site and it's ' | case randomblob(1000000000) when not null then "" else "" end | '
my site https://sample.com/cdn-cgi/bm/cv/result?req_id=6506bd25b9e42c3e
I don't know how to see the database on sqlmap to see if its vuln is that serious. How can I test this SQL injection manually?
The PortSwigger links would help to understand the issue. If your server is delayed because of the request, your DB server is vulnerable to SQLi.
https://portswigger.net/web-security/sql-injection/blind/lab-time-delays
https://portswigger.net/web-security/sql-injection/blind/lab-time-delays-info-retrieval
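The scanner alert at the top of the thread rests on a single timing pair (142 ms against 66 ms). As an added example, not part of the original posts, the sketch below compares repeated timing samples and reports whether the payload's delay stands out from ordinary latency jitter. The function names, thresholds and all sample timings other than the 66/142 pair are constructed assumptions.

```python
from statistics import median

def mad(samples):
    """Median absolute deviation: a jitter estimate that tolerates outliers."""
    m = median(samples)
    return median([abs(x - m) for x in samples])

def classify_delay(baseline_ms, payload_ms, min_samples=10, k=5.0, floor_ms=20.0):
    """Triage a time-based finding from repeated response-time measurements.

    Returns 'insufficient-data', 'within-jitter' or 'consistent-delay'.
    min_samples, k and floor_ms are assumed thresholds; tune them per site.
    """
    if len(baseline_ms) < min_samples or len(payload_ms) < min_samples:
        return "insufficient-data"
    # Compare medians so one slow response cannot decide the outcome.
    shift = median(payload_ms) - median(baseline_ms)
    jitter = max(mad(baseline_ms), mad(payload_ms), 1.0)
    if shift > max(k * jitter, floor_ms):
        return "consistent-delay"
    return "within-jitter"

# The single pair reported by the scanner alert.
SCANNER_BASELINE = [66]
SCANNER_PAYLOAD = [142]

# Constructed: an endpoint whose latency is noisy regardless of input.
NOISY_BASELINE = [66, 71, 140, 68, 95, 64, 150, 70, 88, 67]
NOISY_PAYLOAD = [142, 69, 73, 66, 120, 65, 90, 71, 68, 139]

# Constructed: a payload that reliably adds about 1.4 s of database work.
STEADY_BASELINE = [66, 64, 70, 68, 65, 67, 71, 66, 69, 64]
STEADY_PAYLOAD = [1510, 1498, 1532, 1505, 1521, 1490, 1515, 1508, 1527, 1501]

if __name__ == "__main__":
    for name, base, pay in [
        ("scanner pair", SCANNER_BASELINE, SCANNER_PAYLOAD),
        ("noisy endpoint", NOISY_BASELINE, NOISY_PAYLOAD),
        ("steady delay", STEADY_BASELINE, STEADY_PAYLOAD),
    ]:
        print(f"{name}: {classify_delay(base, pay)}")
```

A "within-jitter" or "insufficient-data" result means the timing evidence alone does not confirm the finding; reviewing how the parameter reaches the query in the application code settles it.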