How to Use SQL Injection to Run OS Commands & Get a Shell

One of the ultimate goals in hacking is the ability to obtain shells in order to run system commands and own a target or network. SQL injection is typically only associated with databases and their data, but it can actually be used as a vector to gain a command shell. As a lesson, we'll be exploiting a simple SQL injection flaw to execute commands and ultimately get a reverse shell on the server. We will be using DVWA, an intentionally vulnerable virtual machine, and Kali Linux to carry out our attack. If you're new to Kali, we recommend you follow our guide on getting Kali set up and secured...