In my situation, my vulnerable parameter is Referer in the HTTP headers. I am able to enumerate the username and database name manually, but can someone explain or point me to an article that gives details about sqlmap and time-based with mysql? Here is an example of how I was able to enumerate the name. I'm unsure if there's any "custom" way of getting sqlmap work with this.
FYI, I'm testing this on a vulnerable web app hosted by myself. So with the above request, the page sleeps because the first character of the current username is "r", which eventually allows me to change 1,1 to 2,1 and so forth until I figure out that the username is "root."
GET /vulnwebapp/index.php?id=2 HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.79 Safari/537.4
Is there any way to get sqlmap to assist with this type of attack?