Neat article. But this isn’t so much a generic escalation path from an sql injection to RCE. It’s rather triggering a file inclusion vuln through the result of an sql query, which is prone to an injection.
File inclusion is known to be easily escalated into RCE with php://stream and data: URLs.
Nice one. I especially like the way the author went after determining the number of columns that the DB was spitting out and then figured out to write content there!