July 13, 2026
Setting Up a SQL Injection Practice Lab with Kali Linux and Metasploitable2
Introduction

By PranayXdefSec
2 min read
Introduction
Our goal is to build practical, hands-on skills by working through common web vulnerabilities one at a time. We're starting with SQL Injection (SQLi).
To practice safely, we need a self-contained lab environment — one that's isolated from any live systems so we can experiment freely without affecting or being affected by anything else. This guide walks through building that environment using two VMs:
- Kali Linux — our attacker/hosting machine
- Metasploitable2 — our vulnerable target server
Step 1: Download Metasploitable2
Download the Metasploitable2 VM image from SourceForge:
https://sourceforge.net/projects/metasploitable/https://sourceforge.net/projects/metasploitable/Load it into VMware following the same import process you used for Kali Linux.
Once the VM boots, log in with the default credentials:
- Username:
msfadmin - Password:
msfadmin
Note:_ Metasploitable2 is entirely CLI-based — there's no GUI, and no mouse cursor. Everything is done via the keyboard._
Step 2: Overview of the Setup Process
Here's the full workflow we'll follow:
- Download the SQLi-Labs project from GitHub
- Move it into the web-hosting directory on Kali Linux
- Start the Apache server to host it locally
- Download the hosted files onto Metasploitable2
- Unzip the downloaded files on Metasploitable2
- Access the lab by browsing to Metasploitable2's IP address
Step 3: Get SQLi-Labs from GitHub
Clone or download the SQLi-Labs repository:
https://github.com/audi-1/sqli-labshttps://github.com/audi-1/sqli-labsStep 4: Host It on Kali Linux
On Linux, the default web-hosting directory is:
/var/www/html/var/www/htmlBefore proceeding, clear out any existing files in this directory to avoid conflicts.
Move the downloaded SQLi-Labs zip file (do not extract it yet) into /var/www/html.
In my case i have changed the zip file name and pasted it into the web hosting directory.
Then start the Apache web server:
service apache2 startservice apache2 startThis makes the zip file accessible over your local network via Kali's IP address.
Step 5: Download the Lab onto Metasploitable2
On the Metasploitable2 machine, use wget to pull the file from Kali Linux:
bash
wget <kali-linux-ip>/sqli-labs.zipwget <kali-linux-ip>/sqli-labs.zipReplace <kali-linux-ip> with your Kali machine's actual IP address and the correct filename.
Step 6: Unzip and Launch the Lab
Once the download completes, unzip the file:
bash
unzip <zip-file-name>unzip <zip-file-name>Finally, open a browser and navigate to the Metasploitable2 machine's IP address to access the SQLi-Labs practice environment.
Conclusion
With this setup, you now have a fully isolated, self-hosted SQL injection lab — safe to break, experiment with, and learn from at your own pace. In the next post, we'll start walking through the actual SQLi-Labs challenges one by one.