from my personal experience, it usually happens by accident. i often just come across vulnerable services and then run some automated scripts i wrote to try and escalate my privileges to access the databases. stuff like Shodan can be really helpful for that. but if you’re like a complete script kiddie, i’d suggest learning the basics first, like what an SQL injection is and how to write some simple Python, etc. etc.. you’ll get the hang of it over time and develop a kind of "intuition" for spotting the most vulnerable parts of a site, just remember not to give up after your first try like a lot of ppl do, yk?