
Looking for freely downloadable SQL injection vulnerable scripts for a university demonstration test

Free SQL Injection Vulnerable Scripts/Targets for Your University Demo

Hey there! Awesome that you're prepping a hands-on demo on SQL injection—nothing drives the concept home like a working example. Below are completely free, open-source vulnerable applications you can deploy locally for your presentation, no external links required to get started:

  • DVWA (Damn Vulnerable Web Application)

    • This is a classic go-to for web security demos, with dedicated SQL injection modules spanning basic to advanced techniques. It’s fully open-source and built explicitly for educational testing.
    • Setup steps:
      1. Clone or download the official repository (search for "DVWA" on Git hosting platforms to find the public repo and get the clone URL or download ZIP).
      2. Set up a local web server stack like XAMPP or WAMP (includes Apache, PHP, and MySQL—all free to install).
      3. Move the DVWA files into your server’s web root directory (e.g., htdocs for XAMPP).
      4. Open config/config.inc.php and update the MySQL username/password to match your local setup (default is usually root with no password).
      5. Access the app via http://localhost/DVWA in your browser, run the setup wizard, and set the security level to Low to enable straightforward SQL injection testing.
  • OWASP Juice Shop

    • A modern, realistic e-commerce-style app maintained by OWASP, packed with SQL injection scenarios (plus other common web vulnerabilities). It’s incredibly easy to deploy, especially with Docker.
    • Setup options:
      • Docker (simplest route): Run these commands in your terminal (Docker is free to download and install):
        docker pull bkimminich/juice-shop
        docker run -d -p 3000:3000 bkimminich/juice-shop
        
        Then open http://localhost:3000 in your browser—you’ll find SQL injection challenges clearly marked in the app’s interactive "Score Board".
      • Manual setup: Download the ZIP package, install Node.js (free), then run npm install and npm start from the app directory to launch it locally.
  • SQLi Labs

    • Built exclusively for teaching SQL injection, this target breaks down different attack types into individual "levels" (e.g., union-based injection, error-based injection, blind injection). It’s perfect for walking your audience through each technique step-by-step.
    • Setup steps:
      1. Download the project files and place them in your local web root.
      2. Import the included SQL database file into your local MySQL server (use phpMyAdmin if you’re using XAMPP/WAMP).
      3. Update the database credentials in the app’s config files to match your local setup.
      4. Access the app via your browser—each level will present a specific SQL injection scenario to exploit.

Key Tips for Your Demo

  • Keep it local: All these apps are intentionally vulnerable—never deploy them to a public server, as they can be exploited by attackers.
  • Use helper tools: Pair your demo with Burp Suite Community Edition (free) to show how to intercept and manipulate HTTP requests, making it easier to demonstrate how SQL injection payloads work.
  • Start simple: Begin with basic error-based injection (e.g., adding a single quote ' to a URL parameter to trigger a database error) before moving to more complex techniques like union queries or blind injection.

Hope these options give you everything you need for a clear, engaging demo. If you hit any snags during setup, feel free to ask for more help!

The question comes from Stack Exchange; asked by ali shark.
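The single-quote error described in the "Start simple" tip, shown beside its fix, as an added example that is not part of the original answer or of any of the listed projects. It assumes an in-memory SQLite database as a stand-in for the lab's MySQL, and the table, data and function names are hypothetical.

```python
import sqlite3


def make_db():
    # Constructed sample data; SQLite in memory stands in for the lab's MySQL.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",), ("o'brien",)])
    return conn


def lookup_concatenated(conn, name):
    # Deliberately vulnerable: the input becomes part of the SQL text, so a
    # quote character changes how the statement is parsed.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # Hardened: the value is bound as data and is never parsed as SQL.
    return conn.execute("SELECT id, name FROM users WHERE name = ?",
                        (name,)).fetchall()


def probe(conn, lookup, value):
    # Summarise one request as ("rows", count) or ("db_error", message).
    try:
        return ("rows", len(lookup(conn, value)))
    except sqlite3.Error as exc:
        return ("db_error", str(exc))


def compare(conn, values):
    # Run every input through both lookups so the audience sees them side by side.
    return {v: {"concatenated": probe(conn, lookup_concatenated, v),
                "parameterized": probe(conn, lookup_parameterized, v)}
            for v in values}


if __name__ == "__main__":
    db = make_db()
    for value, result in compare(db, ["alice", "'", "o'brien"]).items():
        print(repr(value), result)
```

The legitimate name o'brien breaks the concatenated lookup as well, which shows the audience that the flaw lies in how the query is built rather than in the input.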
