There s a number of relatively new blind SQL injection vectors which are based on response delay - for example using WAITFOR DELAY
. At least sqlmap and BurpSuite use them (and others probably too).
These vectors however are prone to false positives, because the trigger is, well, HTTP response delay, which may also happen for thousand other reasons if you re scanning over Internet. If you got these over LAN, I would be more suspicious but still investigate other possible delay causes on the server side. Only if you get the delay consistently in a number of independent tried, you are probably dealing with a vulnerability.
Also note that SharePoint often triggers old FrontPage vulnerabilities in many vuln scanners, which are also false positives - for details see this article "SharePoint and FrontPage Server Extensions in security scanner results".