TLS SNI does not match custom Host header when targeting IP

[abbasudo]

Describe the bug
When targeting an HTTPS endpoint using its direct IP address in the URL (-u https://<IP>/) and specifying a custom Host header via --headers="Host: <hostname>" or --host="<hostname>", sqlmap does not set the TLS Server Name Indication (SNI) extension to match the custom Host header. This results in a 421 Misdirected Request error from servers that require the TLS SNI to match the HTTP Host header.
I'm targeting the direct IP to avoid CDN, but the web server needs a host header to resolve the correct application.

To Reproduce

1. Run a command targeting an IP but forcing a domain Host header:
   python sqlmap.py -u https://127.0.0.1/users?name=abbas --headers="Host: tryhackme.com" -v 6
   or python sqlmap.py -u https://127.0.0.1/users?name=abbas --host="tryhackme.com" -v 6
2. Observe the traffic output. The TLS handshake occurs with the IP address (or blank) as the SNI, while the HTTP request sends Host: tryhackme.com.
3. See error: 421 Misdirected Request.

Expected behavior
Sqlmap should either automatically use the value of a user-supplied Host header for the TLS SNI extension during the handshake, or provide an explicit command-line flag (e.g., --sni="tryhackme.com") to allow users to set the SNI manually, similar to modern curl implementations or Postman.

Screenshots
N/A - Console output provided below.

Running environment:

• sqlmap version: 1.10.2.14#dev
• Installation method: git clone
• Operating system: Ubuntu 22.04
• Python version: 3.13.3

Target details:

• DBMS: Unknown (connection blocked before reaching the application)
• SQLi techniques found by sqlmap: N/A
• WAF/IPS: Cloudflare
• Relevant console output:

[05:15:27] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[05:15:27] [PAYLOAD] AX');WAITFOR DELAY '0:0:5'--
[05:15:27] [TRAFFIC OUT] HTTP request [#37]:
GET /users?name=AX%27%29%3BWAITFOR%20DELAY%20%270%3A0%3A5%27-- HTTP/1.1
Host: tryhackme.com
Authorization: Basic 
User-Agent: sqlmap/1.10.2.14#dev (https://sqlmap.org)
Accept: */*
Accept-Encoding: gzip,deflate
Connection: close

[05:15:27] [TRAFFIC IN] HTTP response [#37] (421 Misdirected Request):
Date: Wed, 11 Mar 2026 04:15:26 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Length: 362
Connection: close
Content-Type: text/html; charset=iso-8859-1
URI: https://127.0.0.1/users?name=AX%27%29%3BWAITFOR%20DELAY%20%270%3A0%3A5%27--

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<title>421 Misdirected Request</title>
</head><body>
<h1>Misdirected Request</h1>
<p>The client needs a new connection for this
request as the requested host name does not match
the Server Name Indication (SNI) in use for this
connection.</p>
</body></html>

[05:15:27] [DEBUG] got HTTP error code: 421 ('Misdirected Request')