# Week 7 - Advanced SQLMap

## Custom SQLMap Payloads

It’s Week 7 of our Web App Hacking Tips & Tricks Series! Today we’ll be covering one of my favorite topics, Advanced SQL Injection.

Have you ever been testing an application that appears vulnerable to SQL Injection, but you were unable to automate it using SQLMap? This has happened to me in the past and is a major pain-in-the-butt. I used to add a `--tamper=space2comment` and hope for the best! Nowadays I have a much better approach.

To start off, I always recommend manually finding a working Proof-of-Concept (POC) with Burp Suite (if you want a future post on manual SQL Injection tips, let me know in the comments). From here, you can add your own custom payload into SQLMap. The folder containing all the payload files can be found here:

`/usr/share/sqlmap/data/xml/payloads/`

First, add the payload in the attached photo below to your `boolean_blind.xml` payload file. Since SQLMap can be finicky, I’ve found that simplifying the custom payload to only its inference is the most reliable method. Then, use the `--prefix` and `--suffix` flags to construct the rest of the Proof-of-Concept query you found earlier. For example, if your working POC looks like:

`test.php?id=1']+OR+[1=1]);/*`

Then to exploit with your custom payload, your SQLMap command would be:

`sqlmap -u "<target-url>" --dbs --prefix="']+OR+[" --suffix="]);/*"`

If all goes well, you should have successfully automated SQL Injection using your custom payload!

{% hint style="info" %}
If you find you’re still having trouble or are dealing with connection errors, just proxy through Burp Suite using the `--proxy` flag. I’ve found this alone solves a good deal of connection errors. Try the `--force-ssl` flag too.
{% endhint %}

![](/files/esbhrgMvBoaDBQu9cUvJ)

![](/files/apmM9IEDdlA0iLjB2E1l)
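
From the defender's side, boolean-blind automation like this leaves a recognizable trail: the same parameter template requested with both a true and a false comparison. The following added example (not from the original post; the log lines are constructed and the function name is hypothetical) flags that pattern in request logs, assuming the inference shows up as a numeric comparison like the `1=1` in the POC above.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed request-log sample (client IP, request target); not from the post.
SAMPLE_LOG = [
    ("203.0.113.7", "/test.php?id=1']+OR+[1=1]);/*"),
    ("203.0.113.7", "/test.php?id=1']+OR+[4821=4821]);/*"),
    ("203.0.113.7", "/test.php?id=1']+OR+[4821=7730]);/*"),
    ("198.51.100.4", "/test.php?id=42"),
    ("198.51.100.4", "/search.php?q=a=b&page=2"),
]

# A bare numeric comparison such as 1=1 or 4821=7730 inside a parameter value.
NUM_CMP = re.compile(r"(?<![\w.])(\d+)\s*=\s*(\d+)(?![\w.])")


def find_boolean_blind(entries):
    """Return (ip, path, param, template) tuples probed with BOTH a true and a
    false numeric comparison, the request pattern of boolean-blind inference."""
    outcomes = defaultdict(set)
    for ip, target in entries:
        path, _, query = target.partition("?")
        for pair in query.split("&"):
            name, _, raw = pair.partition("=")
            value = unquote_plus(raw)
            for m in NUM_CMP.finditer(value):
                # Mask the numbers so randomized operands map to one template.
                template = value[:m.start()] + "N=N" + value[m.end():]
                is_true = int(m.group(1)) == int(m.group(2))
                outcomes[(ip, path, name, template)].add(is_true)
    return sorted(key for key, seen in outcomes.items() if seen == {True, False})


if __name__ == "__main__":
    for ip, path, param, template in find_boolean_blind(SAMPLE_LOG):
        print(f"{ip} probed {path} param '{param}' with template: {template}")
```

A template seen only with true comparisons is not flagged, which keeps ordinary numeric parameters out of the results.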


