Kiuhnm
Error-based SQLi relies on a bug found in MySQL concerning the GROUP BY statement (see here and here).

To trigger the bug one must follow the following rules:

  1. Use an aggregate function.
  2. GROUP BY a column that has two identical values on different rows.
  3. The output of the rand() function must appear in the column of point 2 above.

The string

or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--

is injected in a WHERE clause, so or 1 (which is equivalent to or true) is used to cancel out the previous conditions and display as many rows as possible. This way, there should be at least two rows with the same value for floor(rand(0)*2). This takes care of points 2 and 3. We use floor() so that the values returned are just 0 or 1. If we were to use rand directly, it would be almost impossible to satisfy point 2.

We need having min(0) to take care of point 1.

Also, the instance of or 1 at the end of the query is useless and can be removed.
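The three ingredients listed in the answer (an aggregate function, a GROUP BY, and rand() inside the grouped expression) also make a usable detection signature. The following is an added defender-side example, not part of Kiuhnm's answer: it decodes request URLs from a few constructed access-log lines and flags only those where all three ingredients co-occur, so an ordinary reporting query with GROUP BY and min() is not flagged.

```python
import re
from urllib.parse import unquote_plus

# The three ingredients the answer lists for the MySQL GROUP BY / rand() error:
# an aggregate function, a GROUP BY, and rand() wrapped in floor() in the grouped expression.
AGGREGATE = re.compile(r"\b(min|max|count|sum|avg)\s*\(", re.IGNORECASE)
GROUP_BY = re.compile(r"\bgroup\s+by\b", re.IGNORECASE)
FLOOR_RAND = re.compile(r"\bfloor\s*\(\s*rand\s*\(", re.IGNORECASE)

def decode_request(raw):
    """Percent-decode a query string once, roughly as the application would before building SQL."""
    return unquote_plus(raw)

def ingredients(text):
    """Report which of the three ingredients are present in one request string."""
    decoded = decode_request(text)
    return {
        "aggregate": bool(AGGREGATE.search(decoded)),
        "group_by": bool(GROUP_BY.search(decoded)),
        "floor_rand": bool(FLOOR_RAND.search(decoded)),
    }

def is_error_based_groupby_probe(text):
    """True only when all three ingredients co-occur in the same request string."""
    return all(ingredients(text).values())

# Constructed sample access-log lines (not real traffic), combined-log style.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /item.php?id=3 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /item.php?id=3+or+1+group+by+concat_ws(0x3a,version(),floor(rand(0)*2))+having+min(0)+or+1-- HTTP/1.1" 500 210
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /report.php?q=select+min(price)+from+items+group+by+category HTTP/1.1" 200 1024
"""

# client, ident, user, [timestamp], "METHOD URL HTTP/x.y", status
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def scan_log(log_text):
    """Return (client_ip, timestamp, status) for each request whose URL carries all three ingredients."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, ts, url, status = m.groups()
        if is_error_based_groupby_probe(url):
            hits.append((ip, ts, int(status)))
    return hits
```

A 500 status beside a hit is the tell for the error-based variant: the injected GROUP BY made the database raise rather than return rows.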
