
I have a server which seems to be vulnerable to SQL injection with the following payload detected by BurpSuite:

param=value,(select*from(select(sleep(10)))a)

The application takes twice the time defined in sleep to respond (sleep 10 returns a response after 20 seconds). I am trying to get Sqlmap to detect the insertion point; however, it won't pick it up. I have tried with --prefix and --suffix, increasing the risk...

Does anyone know how Sqlmap can be tweaked to detect this?

Anders
Omacron

1 Answer


Burp Suite won't always pick up the right detection. In your question, you noted the application seemed to be vulnerable; this means it was never determined whether it's a positive detection. You will need to check whether the detection is Certain or just Tentative. (What does Burp Suite tell you?) If it's a Tentative detection, you could try using SQLMap, or rather try detecting manually.

The application takes twice the time defined in sleep to respond (sleep 10 returns a response after 20 seconds)

Did you try that manually? If yes, there is a probability of a web application firewall.

Since SQLMap is the approach you've taken, I assume you should be targeting a particular parameter using the -p switch followed by the name of the parameter you are testing. You have noted that --risk & --level don't help. That's because if the parameter detection is Tentative, it's a false positive.

On a side note, use --tamper=ptm & --tamper=charencode, and let us know how that went.

Another way could be using the --identify-waf switch to determine if the target is behind a firewall which might be dropping interesting packets.

Shritam Bhowmick
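The Certain-versus-Tentative question can also be checked from the server side. The following is an added example, not part of the original posts: it triages request logs by testing whether the response time of a request carrying sleep(N) is a small integer multiple of N, which covers the 2x behaviour the question describes. The log format, the tolerance, the multiplier limit and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log (hypothetical format): method, URL, status, seconds taken.
SAMPLE_LOG = """\
GET /items?param=value 200 0.21
GET /items?param=value,(select*from(select(sleep(10)))a) 200 20.34
GET /items?param=value%2C%28select%2Afrom%28select%28sleep%285%29%29%29a%29 200 10.18
GET /items?param=value,(select*from(select(sleep(10)))a) 403 0.05
GET /items?param=value 200 7.90
"""

# Matches sleep(N) in the URL-decoded request and captures N.
SLEEP_RE = re.compile(r"sleep\s*\(\s*(\d+(?:\.\d+)?)\s*\)", re.IGNORECASE)


def classify(line, tolerance=1.0, max_mult=4):
    """Return (verdict, multiplier) for one log line."""
    _method, url, _status, took = line.split()
    took = float(took)
    match = SLEEP_RE.search(unquote_plus(url))
    if not match:
        # A slow response without a sleep() probe is ordinary latency, not evidence.
        return ("no-probe", None)
    delay = float(match.group(1))
    # The injected expression can be evaluated more than once per request
    # (the question saw 2x), so accept a small integer multiple of the delay.
    mult = round(took / delay) if delay > 0 else 0
    if 1 <= mult <= max_mult and abs(took - mult * delay) <= tolerance:
        return ("probe-executed", mult)
    # Probe present but the timing does not track it: blocked, filtered or not injectable.
    return ("probe-not-executed", None)


def triage(log):
    """Classify every non-empty line of a log."""
    return [classify(line) for line in log.splitlines() if line.strip()]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_LOG.splitlines(), triage(SAMPLE_LOG)):
        print(result, line)
```

A "probe-executed" verdict that repeats with the same multiplier across different sleep values means the database really ran the expression, so the parameter needs a parameterized query or strict allow-listing regardless of what a scanner reports.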