1. 7

  2. 1

    Neat article. But this isn’t so much a generic escalation path from an SQL injection to RCE. It’s rather triggering a file inclusion vuln through the result of an SQL query, which is prone to an injection.

    File inclusion is known to be easily escalated into RCE with php://stream and data: URLs.

    1. 1

      Nice one. I especially like the way the author went after determining the number of columns that the DB was spitting out and then figured out how to write content there!