Set up A Lab Environment for SQL Injection

In this tutorial, we will be going to set up a Lab Environment to test our skills in the path of SQL injection. The lab we are going to set up here is SQLi-labs.

SQLi-Labs was created by a security researcher named Audi-1. SQLi Labs is a collection of PHP files and a script to populate several get and post scenarios, they are been listed in this tree.

The main purpose of this lab is to hone our SQL injection skills both manually and automatically.

Let’s have a look at its installation step. 

Setting Up on Windows VM

You can easily setup it up on any platform. But I suggest you, never try to install it on your native system, install it within Virtual Box.

If you have previously tried to set up this lab and got this error, which means the running PHP server might be 7.0 or higher. 

So, our first priority is to download the proper version of the apache server which supports PHP 5.0.

Firstly, I have to uninstall the latest XAMPP server. 

Now, we have to download the old build XAMPP server from below link:

XAMPP 5.6.39 Download page

Once the old build is downloaded, install it. 

This process is quite similar to the previous installation steps. So keep waiting till the installation is finished:

Once the installation is finished, click on Finish to launch the XAMPP control Panel:

XAMPP control panel is launched. Now, we have to add the file to C:\xampp\htdocs\.

  • Download the file from the below GitHub Link.

Click to Download

  • Once downloaded, move the downloaded file to C:\xampp\htdocsand extract it.

Now go back to XAMPP Control and Start Apache Server and MySQL server.

Let’s go back to the browser and access its content by navigating the following URL on your browser. 

Now our first priority is to set up the Database. Click on Setup/Reset Database

As you can notice the database was created.

Now, we are ready to test the SQL Injection attack.

If you want to access it from any other Virtual Machine i.e. Kali Linux, then first you have to identify your IP address using the command prompt. Before that Always remember to check whether the Attack machine and Attacker Machine are connected to the same Network:

Here I am using Host-only Adapter on both sides:

Now run the following command to identify the IP address of the Attacker Machine (windows-PC).

Microsoft Windows [Version 10.0.18363.476]
(c) Microsoft Corporation. All rights reserved.


Windows IP Configuration

Ethernet adapter Ethernet:
   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::19f1:ecd7:5033:31af%7
   IPv4 Address. . . . . . . . . . . :
   Subnet Mask . . . . . . . . . . . :
   Default Gateway . . . . . . . . . :


The IP address is Just navigate it through the browser. 

  • If you got any connection error, then check whether your network adapter might not the same.

As you can notice, we have successfully accessed SQLi-labs from our Kali Linux machine.

Setting Up on Linux

The steps are similar to those previously used in windows. Instead of Windows, download XAMPP 5.6.39 for Linux.

XAMPP Linux 5.6.39

Once downloaded, install it.

user@Linux:~$ cd Downloads/
user@Linux:~/Downloads$ ls
user@Linux:~/Downloads$ sudo ./

Once the installer command is executed it will automatically start the installation process graphically:

Once the installation is complete, start Apache and MySQL services.

The rest steps are the same as windows. So try them in your own way.

Post a Comment

If you have any doubts or any queries you can specify here.

Previous Post Next Post