I used ZAP proxy to determine that login was injectable with a GET request, as `login" AND "1"="1` was injectable, but it returned the URL to me in this format:

https://example.com/login%22%20AND%20%221%22=%221

I have checked, and it is injectable at that point, but I don't know what parameters to use to exploit it. My current setup, with redirects disabled (not shown), is not working. Here is the setup:

```
sqlmap -u "https://example.com/login%22%20AND%20%221%22=%221" --level=5 --risk=3 --fingerprint --common-tables --dbs --all --common-columns --technique=BEUSTQ --keep-alive --dependencies --hex --timeout=120 --time-sec=10
```

For some reason, even with between disabled, sqlmap is changing `login" AND "1"="1` to `#1*`.

Sanic Rider

1 Answer

This URL is `https://example.com/login" AND "1"="1`. You cannot use it like that for this parameter.

sqlmap has an option where you can use the * character:

URI injection point

There are special cases when injection point is within the URI itself. sqlmap does not perform any automatic test against URI paths, unless manually pointed to. You have to specify these injection points in the command line by appending an asterisk (*) after each URI point that you want sqlmap to test for and exploit a SQL injection.

This is particularly useful when, for instance, Apache web server's mod_rewrite module is in use or other similar technologies.

An example of valid command line would be:

```
$ python sqlmap.py -u "http://targeturl/param1/value1*/param2/value2"
```

s3yfullah
  • Tried appending an asterisk, not working: `sqlmap -u "https://example.com/login%22%20AND%20%221%22=%221*" --level=5 --risk=3 --fingerprint --common-tables --dbs --all --common-columns --technique=BEUSTQ --keep-alive --dependencies --hex --timeout=120 --time-sec=10` – Sanic Rider Jan 19 '16 at 23:18
  • Please remove urlencoded data (%22%20AND%20%221%22=%221). "https://example.com/login*" – s3yfullah Jan 19 '16 at 23:21
  • But, I think, this url doesn't have any vulnerabilities. – s3yfullah Jan 19 '16 at 23:43
  • Please do not use images to quote text - instead copy paste the text and provide a link as reference. Thank you! – Anders May 19 '16 at 09:16
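
The probe discussed in this thread sits in the URI path, not in a query parameter, so log checks that only inspect query strings never see it. The following is an added example, not code from the posts above or from the sqlmap project: it scans access-log lines for a quote followed by a boolean test in the decoded path. The log lines, addresses, regexes and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines (common log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Jan/2016:23:10:01 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.7 - - [19/Jan/2016:23:10:05 +0000] "GET /login%22%20AND%20%221%22=%221 HTTP/1.1" 200 512
198.51.100.4 - - [19/Jan/2016:23:11:40 +0000] "GET /docs/o%27reilly-books HTTP/1.1" 200 900
198.51.100.4 - - [19/Jan/2016:23:12:02 +0000] "GET /search?q=%22and%22 HTTP/1.1" 200 300
203.0.113.7 - - [19/Jan/2016:23:12:30 +0000] "GET /login%2522%2520OR%25201=1 HTTP/1.1" 404 0
"""

# Request line inside the quoted part of a log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Heuristic (assumption): a quote, then AND/OR, then a comparison operator.
PROBE_RE = re.compile(r"""['"]\s*(?:AND|OR)\b.*?[=<>]""", re.IGNORECASE)


def decode_path(target, max_rounds=3):
    """Return the path component, percent-decoded until stable (bounded)."""
    path = urlsplit(target).path  # the query string is deliberately dropped
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def find_path_probes(log_text):
    """Return (line number, client, decoded path) for suspicious URI paths."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parseable request line
        path = decode_path(match.group("target"))
        if PROBE_RE.search(path):
            hits.append((lineno, line.split()[0], path))
    return hits


if __name__ == "__main__":
    for lineno, client, path in find_path_probes(SAMPLE_LOG):
        print(f"line {lineno}: {client} -> {path}")
```

The apostrophe in the third line and the quoted query value in the fourth are not flagged: the first has no boolean test after the quote, and the second is outside the path, where parameter-level rules already apply.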