
Implementation of a Database Injection Detection System and Its Scheduling Design

Design and Implementation of SQL Injection Penetration System

Advisor: 潘仁義

Abstract


As the Internet has become ubiquitous, web applications have flourished along with it. People have grown accustomed to these web services, and as a result more and more personal private data is placed online. In the Open Web Application Security Project (OWASP) 2013 report, Injection ranks first among the top 10 threats. Injection threats include SQL Injection, OS Injection and LDAP Injection, of which SQL Injection is the most common. The databases behind today's websites keep growing, and they often hold members' personal information; when a website has a vulnerability that lets a malicious user dump the database contents, a large amount of personal information leaks, with serious consequences for the individuals concerned.

This research addresses the SQL Injection problem from the intruder's point of view by implementing a system that checks whether a website is exposed to SQL Injection. The system has two main functions: a static scanning mode and a dynamic scanning mode. By adjusting the crawling schedule of the web crawler, the system can quickly filter out the links on a website that are affected by SQL Injection. Its precision and performance were compared with other website checking tools on the market, and it was found to outperform them.

This research can correctly detect whether a website contains a SQL Injection vulnerability, and can therefore provide sound advice for website security assessment, so that website developers can use the system to learn which parts of their site are vulnerable.

English Abstract


More and more public web sites contain personal private data and usually store it in an associated database. Web site security becomes more important every day, because once a web site has been compromised, large amounts of private data can leak out, threatening personal privacy. According to the Open Web Application Security Project (OWASP) 2013 research, injection is the first of the top 10 threats. Injection covers SQL injection, OS injection and LDAP injection, of which SQL injection is the most threatening. This research proposes a penetration testing system aimed at effective and fast detection of SQL injection threats on websites. The system has two options: static scanning and dynamic scanning, whose initial target Uniform Resource Locators (URLs) are given by manual setting or by popular search engines, respectively. The proposed scheduler adjusts the priority of target URLs according to a degree of suspicion derived from their similarity to URLs of well-known leaks, and so accelerates the whole SQL penetration process. Experiments show that both the precision and the speed of the proposed system are better than those of the free web penetration tool Paros. Website developers and administrators can quickly and effectively find potential information leaks with this system.
