
I am trying to run sqlmap in order to find a flag for a CTF. The injection string is sent via a POST request in the parameter called search. The response is received as either 1, 2, or 3 (error codes), or flag{flag_name} (success). HTTP response code is always 200 (cannot use --code=200 sqlmap option).

What I want to do is run a blind boolean SQLi test which is able to recognize True versus False responses. This is the command I have so far:

sqlmap --url="vulnerable.url.com" --method=POST --data="search=123" -p "search" -a --level=5 --risk=3 --regex="flag" --flush-session --technique=B

However, the result is always reported as parameter 'search' might not be injectable. The reason for this is that there might not be any SQLi possible. However, I have also tried connecting to Burp with --proxy="http://127.0.0.1:8080" and intercepting the response so that flag{some_value} is returned, and the result is the same. I believe I have not configured the regex option properly.

I have looked through all documentation available online (it is very scarce), all examples I could find (even more scarce) and some of the source code, with no luck. Does anyone know what I can do to make this work?

Thank you!

0 Answers