hi there
I wanna try sql hacking and i have there choices

Metasploitable
De-ice.net
My friend's website

Well, i wanna try all and i'm using Havij program as injector. But i think we need a url like this

www.test.com/index.php?id=123

But how can i find the url for metasploitable or de-ice.

I think i can use google dorks to find the url for my friend's site but how?

I'll be so thankful if you tell me.

Havij is a script kiddie tool just like Pangolin is, except Havij is more widely used by script kiddies especially in the middle east. A pro tool, which can do a lot more, but is also a lot harder to use is sqlmap.

However, using a tool only, without knowing what causes SQL Injection, how to fix it (in the code!) and how to test manually will not teach you anything, and thus you will always be a script kiddie unless you know  the cause, remediation and how to test all types of SQL Injection vulnerabilities manually.

Sometimes the tools simply won't work, and then you have to test manually as a penetration tester.

hmm I would say learn SQL you may not have time but being pen tester I think is about being professional. Trying find a tool that you can just run and hope it works is just so wrong. You going to run a tools that you don't really understand how it works and what is it doing. How do you know it wont break the database.

I not saying you have to be a complete expert at it but least understand the basic behind SQL I don't think learning the basic takes that much time.

I also not sure any of the De-ice disk have SQL injection in them
I would not recommend hitting you mates website

If you want to try SQL DVWA has some in and Webgoat does they are pretty basic to find.

I would agree with MaXE use SQLMAP but this does mean you have to understand SQL its not a click click win tool.