Two of the biggest problems with SQL-injection vulnerabilities are that the tools that detect them have a rate of false positives which is non-negligible or sometimes just too high, and, when a tool detects a vulnerability, it will provide little or no information to developers and testers, hence, it becomes difficult for these to assess the impact of the vulnerability in the security posture of the web application. We introduce a methodology and an implementation of this methodology into a black-box tool that solves the two problems. Using it, one can verify with 100% certainty that a potential SQL injection vulnerability is exploitable, and at the same time assess the impact of the vulnerability. Explicitly, if our tool detects a vulnerability, it provides an interface to execute arbitrary SQL code through them; this would confirm the vulnerability and give the developers an easy way to assess the impact of the vulnerability. Using a combination of heuristics and syntax analysis, our tool constructs a "channel" for each vulnerability that will encode SQL queries to the webapp and their answers solving problems related to encoding of for the tester. The core of this talk is in examining the difficulties that appear while trying to expose vulnerabilities and how to setup a process that will automatically turn them into a black-box query console.