I’m just following the Labs and it seems that altoromutual.com changed it’s login since you recorded the session.
I could get the injection working manually for the uid field, but I was not able to identify the injection with sqlmap.
I tried the following command:
sqlmap -u "http://altoromutual.com/doLogin" --data "uid=test&passw=test&btnSubmit=Login" -p uid
Both following or not following the redirect did result in a non injectable result for the parameter uid.
Any ideas what’s wrong? Or maybe some hint why sqlmap is not detecting the possible injection?