From sqli to shell
This is a fun lab which walks through getting admin privileges in a web app through sql injection to upload your own php shell. The shell described is a simple GET request to the PHP cmd function. So lets take it a little further and upload a metasploit php shell.
msfpayload is deprecated so heres the msfvenom for a meterpreter php payload:
set up the exploit/multi/handler in msfconsole with the proper payload and upload the php backdoor. Accessing the script will call back to the handler and start a meterpreter session.