Use SET and DECLARE to avoid quote escaping #3780
Closed
Description
I've found a stacked SQLi that sqlmap is not capable of finding. The injection is quite simple, but the tool does not use the same payload to avoid the single quote escaping.
The payload is:
1;DECLARE @x char(9);SET @x=0x303a303a34;WAITFOR DELAY @x
where 0x303a303a34 is 0:0:4. Alternatively, it's possible to use the char(X) encoding.
1;DECLARE @x char(9);SET @x=char(48)%2bchar(58)%2bchar(48)%2bchar(58)%2bchar(52);WAITFOR DELAY @x
Describe the solution you'd like
Introduce some checks for stacked queries injection using the above payload (or similar).
Describe alternatives you've considered
Create a tamper script to convert the payload for WAITFOR, XP_CMDSHELL, XP_DIRTREE using the above "encoding".
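As an added example (not from the issue and not sqlmap's own code): a small Python detector for log or WAF review that flags the quote-free DECLARE/SET/WAITFOR pattern in a request parameter and decodes the 0x... or char() literal back to the string it carries, so a reviewer sees the hidden 0:0:4 delay. The sample parameter values are constructed from the two payloads above; `inspect_param` and `decode_literal` are hypothetical names chosen here.

```python
import re
from typing import Optional
from urllib.parse import unquote_plus

# Constructed sample parameter values (not captured traffic): the two payloads
# quoted in the issue, plus a benign value that must not produce a finding.
SAMPLE_PARAMS = [
    "1;DECLARE @x char(9);SET @x=0x303a303a34;WAITFOR DELAY @x",
    "1;DECLARE @x char(9);SET @x=char(48)%2bchar(58)%2bchar(48)%2bchar(58)%2bchar(52);WAITFOR DELAY @x",
    "42",
]

# A variable filled via DECLARE ... SET and then handed to WAITFOR DELAY or an
# xp_ procedure: the string reaches the server without any single quote.
STACKED_RE = re.compile(
    r";\s*DECLARE\s+(@\w+)\s+\w+(?:\s*\([^)]*\))?\s*;\s*SET\s+\1\s*=\s*(?P<val>[^;]+);"
    r"\s*(?:WAITFOR\s+DELAY|EXEC(?:UTE)?\s+(?:master\.\.)?xp_\w+)\s+\1\b",
    re.IGNORECASE,
)
HEX_RE = re.compile(r"^0x([0-9a-f]+)$", re.IGNORECASE)
CHAR_SEQ_RE = re.compile(r"(?:\s*char\s*\(\s*\d+\s*\)\s*\+?)+", re.IGNORECASE)

def decode_literal(expr: str) -> Optional[str]:
    """Turn a quote-free literal (0x303a303a34 or char(48)+char(58)+...) back
    into the string it encodes; None when the expression is neither form."""
    expr = expr.strip()
    m = HEX_RE.match(expr)
    if m:
        digits = m.group(1)
        if len(digits) % 2:          # odd-length hex is not a valid byte string
            return None
        return bytes.fromhex(digits).decode("latin-1")
    if CHAR_SEQ_RE.fullmatch(expr):
        codes = re.findall(r"char\s*\(\s*(\d+)\s*\)", expr, re.IGNORECASE)
        return "".join(chr(int(c)) for c in codes)
    return None

def inspect_param(raw: str) -> Optional[dict]:
    """Return a finding for one URL-encoded parameter value, or None if clean."""
    decoded = unquote_plus(raw)      # %2b becomes '+', so the char() chain reassembles
    m = STACKED_RE.search(decoded)
    if not m:
        return None
    return {"variable": m.group(1), "literal": m.group("val").strip(),
            "decoded": decode_literal(m.group("val"))}

def scan(params) -> list:
    """Run inspect_param over a list of values and keep only the findings."""
    return [f for f in (inspect_param(p) for p in params) if f is not None]
```

Both payloads from the issue decode to the same `0:0:4` value, which is the signal a reviewer wants: one string hidden behind two different quote-free encodings.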