Mr Elite

Posted on • Originally published at securityelites.com

DVWA SQLi to OS Shell Lab 2026: File Write to Remote Code Execution | Hacking Lab23


Part of the DVWA Lab Series (30 labs) · Lab 23 of 30

⚠️ Authorised Lab Use Only: This lab demonstrates SQL injection escalation to OS remote code execution. Practice exclusively on DVWA running in your own local environment (VirtualBox, VMware, Docker, XAMPP). Never attempt these techniques against any system you do not own. The SELECT INTO OUTFILE technique and webshell deployment demonstrated here are criminal offences when used without explicit authorisation.

Twenty minutes. That's how long it took me on a real engagement to go from finding a SQL injection in a report field to having a shell on the application server. The client called it an "internal tool": network-accessible only from the corporate LAN, not exposed to the internet. They assumed internal meant safe. It didn't.

The SQLi to OS shell chain is why SQL injection is rated Critical, not just High. The headline finding isn't "attacker reads database records." It's "attacker runs OS commands as the web server process." From there it's a short path to reading application config files, finding credential reuse, and elevating further. The chain is three technical conditions. Understand each one and you understand why this attack path is so devastating, and exactly what breaks it.

Lab 23 walks the complete sequence: injection confirmation → FILE privilege verification → server file read → webshell write → RCE. Run it once end to end and you'll never document SQL injection as anything less than Critical when the conditions are met.

🎯 What You’ll Master in Lab 23

Verify MySQL FILE privilege via SQL injection, the prerequisite for file write
Use LOAD_FILE() to read server files and confirm the web root path
Deploy a PHP webshell via SELECT INTO OUTFILE through SQL injection
Execute OS commands through the deployed webshell for full RCE
Understand secure_file_priv and the three-layer defence that breaks this chain

⏱️ 45 min · 3 Kali Terminal exercises · DVWA required

📋 DVWA SQLi to OS Shell: Lab 23 Contents

  1. Prerequisites: Three Conditions Required
  2. Step 1: Confirm SQL Injection and FILE Privilege
  3. Step 2: Read Server Files with LOAD_FILE()
  4. Step 3: Write Webshell via SELECT INTO OUTFILE
  5. Step 4: Execute OS Commands via Webshell
  6. Defence: Breaking Each Link in the Chain

DVWA SQLi to OS Shell: Three Conditions Required

Before you run the first query, know what you’re working toward. The SQLi to OS shell chain requires three conditions simultaneously. Break any one of them and the chain stops. Understanding each condition also reveals where defenders should place controls.

Condition 1: exploitable SQL injection. You need an injectable parameter that is concatenated into the query with no parameterisation. In DVWA Low security, the User ID parameter is spliced straight into the SQL string, which is the foundation of this lab.

Condition 2: MySQL FILE privilege, with a permissive secure_file_priv. The database user running the queries needs the global FILE privilege. That is what enables LOAD_FILE() reads and SELECT INTO OUTFILE writes, both performed with the permissions of the mysqld OS process. FILE alone is not enough: secure_file_priv must be empty (no restriction). A directory value confines both operations to that directory and NULL disables them outright, so either setting stops the webshell write even when FILE is granted.

Condition 3: mysqld write access to the web root. The mysql OS process needs write permission on the document root directory. In this lab the document root is intentionally left writable by the mysql user so the exercise works. In production this should never be the case.


SQLi to OS Shell: Attack Chain Overview

ENTRY
SQL Injection → UNION SELECT injection in user ID parameter

↓ requires: FILE privilege on MySQL user

ESCALATION
LOAD_FILE() reads /etc/passwd, Apache config → confirms web root path

↓ requires: write permission to /var/www/html/

PERSISTENCE
SELECT INTO OUTFILE writes PHP webshell to /var/www/html/dvwa/shell.php

↓

RCE
shell.php?cmd=whoami → www-data · Full OS command execution

📸 SQLi to OS shell attack chain with prerequisites at each step. The chain illustrates why defence in depth matters: three separate controls must all fail simultaneously for this attack to succeed. Parameterised queries eliminate the SQLi entry point. Removing FILE privilege stops escalation even if SQLi exists. Filesystem permissions break the webshell write even if FILE privilege is present. All three controls are required; patching only one leaves the others exposed.
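The three conditions above and the three controls from the caption, checked from the database side. This is an added example, not code from the original lab or from DVWA itself. It assumes the application account is 'dvwa'@'localhost' (the name the DVWA README uses), a schema named dvwa with the stock users table, and the /var/www/html/dvwa web root from the chain overview; the probe file name is invented for the check.

```sql
-- Added example (not part of the original lab): each condition checked in the
-- mysql client on the lab VM as a privileged account, followed by the control
-- that breaks that link. Account name, schema and paths are assumptions.
USE dvwa;

-- Condition 1: the injection. Parameter binding shown in pure SQL, so the effect
-- is visible without touching PHP: the payload arrives as one value compared
-- against user_id, never as SQL. Spliced into the Low-level query string
-- instead, the same text returns every user.
PREPARE get_user FROM 'SELECT first_name, last_name FROM users WHERE user_id = ?';
SET @id = ''' OR ''1''=''1';   -- the literal text:  ' OR '1'='1
EXECUTE get_user USING @id;    -- Empty set: the string coerces to 0, no user_id 0 exists
SET @id = '1';
EXECUTE get_user USING @id;    -- 1 row: admin / admin
DEALLOCATE PREPARE get_user;

-- Condition 2a: FILE privilege. FILE is global, so GRANT ALL ON dvwa.* does not
-- confer it. Run as root this lists every holder; the application account
-- running the same query sees only its own rows, which is what the injected
-- check in Step 1 relies on.
SELECT grantee, privilege_type
FROM information_schema.user_privileges
WHERE privilege_type = 'FILE';

-- Lab only: make the condition true so the chain can be practised.
GRANT FILE ON *.* TO 'dvwa'@'localhost';

-- Control 2a: revoke it. A web application never needs LOAD_FILE or INTO
-- OUTFILE through its own connection.
REVOKE FILE ON *.* FROM 'dvwa'@'localhost';
SHOW GRANTS FOR 'dvwa'@'localhost';   -- expect USAGE on *.* plus ALL on `dvwa`.* only

-- Condition 2b: secure_file_priv.
--   ''         reads/writes may touch any path the mysqld OS user can reach
--   /some/dir  both confined to that directory (Debian/Ubuntu MySQL packages
--              default to /var/lib/mysql-files; MariaDB defaults to '')
--   NULL       LOAD_FILE and INTO OUTFILE disabled outright
SELECT @@secure_file_priv;
-- Control 2b: the variable is read-only at runtime, so this fails with ERROR 1238:
--   SET GLOBAL secure_file_priv = NULL;
-- Put  secure_file_priv = NULL  under [mysqld] in my.cnf and restart the server.

-- Condition 3: can mysqld actually write into the web root? Test it instead of
-- reading ls -l, because the error tells you which control is holding:
--   ERROR 1290   secure_file_priv does not cover the directory
--   ERROR 1      Errcode: 13 "Permission denied": owner/mode (or AppArmor) blocks mysqld
--   ERROR 1086   the file already exists (INTO OUTFILE never overwrites)
-- Probe file name is an assumption; delete it afterwards.
SELECT 'probe' INTO OUTFILE '/var/www/html/dvwa/outfile_probe.txt';
-- Control 3: no write bit for the mysql OS user on the document root.
-- root:www-data with mode 0755 on /var/www/html/dvwa leaves mysqld read-only
-- there, and the probe above then fails with Errcode: 13.
```

One caveat on Condition 3: on Ubuntu the shipped AppArmor profile for mysqld (/etc/apparmor.d/usr.sbin.mysqld) denies writes outside the paths it lists, so the probe can fail with Errcode: 13 even when the directory mode looks permissive. That is a fourth control worth keeping, not a bug in the lab.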

Step 1 β€” Confirm SQL Injection and FILE Privilege

Don't jump to the FILE operations yet. Confirm two things first: that the injection is UNION-based with the right column count, and that the MySQL user actually has FILE privilege. Reading mysql.user directly needs SELECT on the mysql database, which an application account rarely has, and you do not need it: information_schema.user_privileges shows every account its own global grants, so the FILE check goes through the same UNION injection as everything else. Whether the DVWA account holds FILE depends on how it was created. The README's GRANT ALL ON dvwa.* does not confer it, because FILE is a global privilege, while lab builds that connect as root have it by default.

STEP 1: INJECTION CONFIRMATION AND FILE PRIVILEGE CHECK

DVWA URL: http://localhost/dvwa/vulnerabilities/sqli/

Security level: LOW

1a. Confirm basic injection

?id=1' OR '1'='1&Submit=Submit

Returns all users → injection confirmed

