Methods for disclosing the absolute path of a PHP site

  • 2020-05-24 05:15:21
  • OfStack

1. Single-quote path disclosure

Description:

Append a single quote directly to the URL. This requires that the single quote is not filtered (gpc=off) and that the server returns error messages by default.

Eg:

www.xxx.com/news.php?id=149'

2. Invalid parameter value path disclosure

Description:

Change the submitted parameter to an invalid value, such as -1. Try this when the single quote is filtered.

Eg:

www.xxx.com/researcharchive.php?id=-1

3. Google path disclosure

Description:

Search for cached snapshots of error pages by combining the site: operator with keywords; common keywords are warning and fatal error. Note that if the target site is a second-level domain (subdomain), point site: at its corresponding top-level domain, which returns much more information.

Eg:

site:xxx.edu.tw warning

site:xxx.com.tw "fatal error"

4. Test file path disclosure

Description:

Many sites have test files in the root directory, and the script code is usually phpinfo().

Eg:

www.xxx.com/test.php
www.xxx.com/ceshi.php
www.xxx.com/info.php
www.xxx.com/phpinfo.php
www.xxx.com/php_info.php
www.xxx.com/1.php

5. phpmyadmin path disclosure

Description:

Once you have found the phpmyadmin administration page, accessing certain files in its directory is very likely to disclose the physical path. To find the phpmyadmin address, you can scan with a tool such as wwwscan, or search with Google. PS: some awkward sites write it as phpMyAdmin.

Eg:

www.xxx.cn/phpmyadmin/themes/darkblue_orange/layout.inc.php
www.xxx.cn/phpmyadmin/libraries/select_lang.lib.php
www.xxx.cn/phpmyadmin/index.php?lang[]=1

6. Finding the path from configuration files

Description:

If the injection point has file read permissions, you can read the configuration file manually with load_file or with a tool and find the path information in it (usually at the end of the file). The default paths of the web server and PHP configuration files on each platform can be looked up online. Here are a few common ones.

Eg:

Windows:

c:\windows\php.ini    php configuration file
c:\windows\system32\inetsrv\MetaBase.xml    IIS virtual host configuration file

Linux:

/etc/php.ini    php configuration file
/etc/httpd/conf.d/php.conf
/etc/httpd/conf/httpd.conf    Apache configuration file
/usr/local/apache/conf/httpd.conf
/usr/local/apache2/conf/httpd.conf
/usr/local/apache/conf/extra/httpd-vhosts.conf    virtual directory configuration file

7. nginx file-type parsing error path disclosure

Description:

This is a method that I stumbled across yesterday; of course, it requires that the web server is nginx and that it has the file-type parsing vulnerability. Sometimes, when you append /x.php to an image's address, the image is not only executed as a PHP file but may also expose the physical path.

Eg:

www.xxx.com/top.jpg/x.php

8. Other

Others include path-disclosure vulnerabilities in complete site packages such as dedecms and phpwind; these are more miscellaneous and not widely applicable. This kind of vulnerability can be reported in the replies, and I will sort them out.
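
Most of the methods above depend on a PHP error message or phpinfo() output reaching the client. The following check is an added example, not part of the original article: it scans response bodies from your own application (for example in a CI smoke test) for that leakage. The sample bodies are constructed, and the phpinfo() row markup is an assumption about how the table is rendered.

```python
import re

# PHP error tail "... in <path> on line <n>", with or without html_errors <b> tags.
ERROR_PATH = re.compile(
    r"\bin\s+(?:<b>)?(?P<path>(?:[A-Za-z]:\\|/)[^<>\r\n]*?)(?:</b>)?"
    r"\s+on\s+line\s+(?:<b>)?(?P<line>\d+)"
)
# phpinfo()-style table rows that expose the document root or script path
# (assumed markup: <td class="e">KEY</td><td class="v">VALUE</td>).
PHPINFO_ROW = re.compile(
    r"""<td class="e">(?:\$_SERVER\[')?(?P<key>DOCUMENT_ROOT|SCRIPT_FILENAME)(?:'\])?"""
    r"""\s*</td>\s*<td class="v">(?P<value>[^<]*?)\s*</td>"""
)

def find_path_leaks(body):
    """Return a list of absolute-path disclosures found in one response body."""
    findings = []
    for m in ERROR_PATH.finditer(body):
        findings.append({"kind": "php_error", "path": m["path"].strip(),
                         "line": int(m["line"])})
    for m in PHPINFO_ROW.finditer(body):
        findings.append({"kind": "phpinfo", "path": m["value"].strip(),
                         "line": None})
    return findings

# Constructed sample responses (not captured from any real site).
SAMPLE_HTML_ERROR = (
    "<br />\n<b>Warning</b>:  mysql_fetch_array() expects parameter 1 to be "
    "resource, boolean given in <b>/var/www/example/news.php</b> "
    "on line <b>27</b><br />"
)
SAMPLE_WIN_ERROR = (
    r"Fatal error: Call to undefined function foo() in "
    r"C:\inetpub\wwwroot\example\index.php on line 3"
)
SAMPLE_PHPINFO = (
    '<tr><td class="e">DOCUMENT_ROOT </td>'
    '<td class="v">/var/www/example </td></tr>'
)
SAMPLE_CLEAN = "<html><body>Article not found. Search in the archive.</body></html>"

if __name__ == "__main__":
    for name, body in [("html error", SAMPLE_HTML_ERROR),
                       ("windows error", SAMPLE_WIN_ERROR),
                       ("phpinfo", SAMPLE_PHPINFO),
                       ("clean", SAMPLE_CLEAN)]:
        print(name, find_path_leaks(body))
```

A non-empty result means the response discloses a server path. The usual fixes are display_errors = Off with log_errors = On in php.ini, and removing phpinfo() test files from the web root.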
