SQL Injection CTF with a difference

There are many SQL injection CTFs, but this one is a little different. Once discovered, the vulnerability is easy to exploit. It's not blind; there's no restrictive filter or unusual query syntax. However, the vulnerable input is difficult to discover.

Your challenge is to extract the contents of the flag table. If you get it, email me the code and your Reddit username. You will then get an invite to a private subreddit for successful solvers. I will also publish a list of those successful, unless you opt out. Other than that, I'm afraid there are no prizes.

Most pen testers should be able to find this in a CTF scenario. But most commercial methodologies - at least ones without source code access - would not reliably detect this issue. My purpose in posting this is to have a discussion about how methodologies can be designed to reliably detect this and similar issues. To avoid spoilers, please keep these discussions to the private subreddit.

You are rate limited to 5 requests per second, per IP address.

When you're ready, start the challenge.