Prologue:
I found a SQL injection in my own old private application. The injection is possible thanks to an older version of Hibernate and the setComment(format("my comment. User input is: %s",userInput));
The rendered query looks like this:
/* my comment. User input is: foo */
select a, b, c, d, e, f, h, i, j, k, l from cooltable where a = 'FOO' and ....
An injection could look like this:
userInput = "*/ select pg_sleep(42); /*"
The response results in a 302 redirect to the error page.
I would like to use sqlmap to further exploit this injection. I can see in the database log that sqlmap tries its best, but it cannot find any injection point:
sqlmap -r fromburp.txt --dbms=obfuscatedForStackeOverflow --level 5 --proxy http://localhost:8080
Question: How can I teach sqlmap to find the injection?
Additional thoughts: I think sqlmap cannot find the injection, because it mostly looks for injections into the where clause. I didn't find any request that would try to end a comment like in this example.
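For the defensive side of the comment breakout described in this question, here is an added example that is not part of the original post. `render` is a simplified stand-in (an assumption) for how the comment ends up in front of the statement, and `safeComment`, `commentContained` and the allow-list pattern are hypothetical names chosen for illustration.

```java
import java.util.regex.Pattern;

public class SqlCommentDemo {
    // Assumption: simplified model of the rendered query shown in the question,
    // i.e. the comment is wrapped in /* ... */ and placed before the SQL text.
    static String render(String comment, String sql) {
        return "/* " + comment + " */ " + sql;
    }

    // The pattern from the question: user input formatted straight into the comment.
    static String vulnerableComment(String userInput) {
        return String.format("my comment. User input is: %s", userInput);
    }

    // Hypothetical allow-list: short values made of characters that cannot
    // open or close a comment ('*' and '/' are not permitted at all).
    private static final Pattern SAFE = Pattern.compile("[A-Za-z0-9 _.:-]{0,64}");

    // Hardened variant: anything outside the allow-list never reaches the comment.
    static String safeComment(String userInput) {
        if (userInput == null || !SAFE.matcher(userInput).matches()) {
            return "my comment. User input is: <rejected>";
        }
        return "my comment. User input is: " + userInput;
    }

    // Regression check: everything after the first comment terminator
    // must be exactly the statement the application intended to run.
    static boolean commentContained(String rendered, String sql) {
        int end = rendered.indexOf("*/");
        return end >= 0 && rendered.substring(end + 2).trim().equals(sql);
    }

    public static void main(String[] args) {
        String sql = "select a, b, c from cooltable where a = ?";
        // Constructed sample inputs: a benign value and the value from the question.
        String[] inputs = { "foo", "*/ select pg_sleep(42); /*" };
        for (String in : inputs) {
            String bad = render(vulnerableComment(in), sql);
            String good = render(safeComment(in), sql);
            System.out.println("input:      " + in);
            System.out.println("vulnerable: " + bad + "  contained=" + commentContained(bad, sql));
            System.out.println("hardened:   " + good + "  contained=" + commentContained(good, sql));
        }
    }
}
```

The simpler fix is to keep user-controlled values out of query comments entirely and record them in the application log instead; the allow-list only matters when the value has to appear in the comment.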