Description
Hi community,
Real projects usually use JSON deserialization libraries like FastJson/Jackson/Gson to convert the POST JSON payload into specific beans, and then send the beans to SQL execution.
The injection payload cannot be deserialized into such specific beans, so a JSON exception is thrown, and the exception is sent back to the client, i.e. sqlmap. The payload has not reached SQL execution, so sqlmap cannot really inject the database.
What to do in this case?
Sorry, I cannot provide any snippet or test environment. It was a business vulnerability test which is over, so testing it now or giving any information is illegal... but I believe the community can understand what I said...
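To illustrate the mechanism described above from the application side, here is an added Jackson example (not code from the issue author or from sqlmap). The bean `OrderQuery`, the table `orders` and the sample request bodies are assumptions: a non-numeric value for the `int` field is rejected by the deserializer before any SQL runs, while a `String` field is passed through unchanged, which is why the SQL layer must still bind every value as a parameter.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.MismatchedInputException;
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class OrderLookup {
    // Hypothetical request bean: the declared field types are the first
    // check the incoming JSON meets, before any database code is reached.
    public static class OrderQuery {
        public int orderId;      // text that is not a valid integer fails here
        public String customer;  // any string is accepted verbatim
    }

    private static final ObjectMapper MAPPER = new ObjectMapper();

    /** Returns the bean, or null when the JSON does not fit the field types. */
    static OrderQuery parse(String body) {
        try {
            return MAPPER.readValue(body, OrderQuery.class);
        } catch (MismatchedInputException e) {
            // The "JSON exception" path from the issue: the client gets an
            // error response and the payload never reaches the SQL layer.
            return null;
        } catch (IOException e) {
            return null; // malformed JSON, same outcome
        }
    }

    /** Typed fields alone are not a SQL defence: bind every value. */
    static ResultSet find(Connection conn, OrderQuery q) throws SQLException {
        PreparedStatement ps = conn.prepareStatement(
                "SELECT id, total FROM orders WHERE id = ? AND customer = ?");
        ps.setInt(1, q.orderId);      // already an int, nothing to escape
        ps.setString(2, q.customer);  // arbitrary text is bound, not concatenated
        return ps.executeQuery();
    }

    public static void main(String[] args) {
        // Constructed sample bodies, not captured traffic.
        String good = "{\"orderId\": 42, \"customer\": \"acme\"}";
        String badType = "{\"orderId\": \"forty-two\", \"customer\": \"acme\"}";
        System.out.println(parse(good) != null);     // true: would reach find()
        System.out.println(parse(badType) != null);  // false: rejected by Jackson
    }
}
```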