In order to extract information from the database, you need to know what to look for: What are the databases? To which of them does our user have access? What tables are there, and what columns do they have? This is the initial information that you need to ask the server in order to be able to query for the data that you wish to obtain:

Using the DVWA example, given that you have only two columns to get the information, start by asking the database name and the user used by the application to connect to the DBMS.

This is done using the database() and user() functions predefined in MySQL:

You can also ask for the list of databases on the server by injecting the following:

2' union SELECT schema_name,2 FROM information_schema.schemata -- '  

information_schema is the database that contains all of the configuration and database definition information for MySQL, so dvwa should be the database corresponding to the target application. Now let's query for the tables contained in that database:

2' union SELECT table_name,2 FROM information_schema.tables WHERE table_schema = 'dvwa' -- '  

As can be seen in the screenshot, we are querying the table name of all of the tables defined in the information_schema.tables table, for which, table_schema (or database name) is 'dvwa'. From there, you get the name of the table containing the information of users and you can also ask for its columns and the type of each column:

2' union SELECT table_name,2 FROM information_schema.tables WHERE table_schema = 'dvwa' and table_name = 'users' --'

You should select one or two pieces of information on each request because you have only two fields to display information. SQL provides the CONCAT function, which concatenates two or more strings. You can use it to put together multiple fields in a single value. You will use CONCAT to extract user ID, first and last names, username, and password in a single query:

2' union select concat(user_id,'-',first_name,' ',last_name),concat(user,':',password) from dvwa.users -- '