Collect and sort PHP absolute paths

1. Single quotes

Note:

Add single quotation marks directly behind the URL. The single quotation marks must not be filtered (gpc = off) and the server returns an error message by default.

Eg:

Www.xxx.com/news.php? Id = 149 ′

2. Path of incorrect parameter values

Note:

Change the parameter value to be submitted to an error value, for example,-1. Try to filter out single quotes.

Eg:

Www.xxx.com/researcharchive.php? Id =-1

3. Google's explosive path

Note:

Search for the webpage snapshot of the error page by combining the keyword and site syntax. Common keywords include warning and fatal error. Note: If the target site is a second-level domain name, the site is connected to its corresponding top-level domain name, resulting in much more information.
Eg:

Site: xxx.edu.tw warning

Site: xxx.com.tw "fatal error"

4. Test File explosion path

Note:

Many websites have test files in the root directory, and the script code is usually phpinfo ().

Eg:

Www.xxx.com/test.php
Www.xxx.com/ceshi.php
Www.xxx.com/info.php
Www.xxx.com/phpinfo.php
Www.xxx.com/php_info.php
Www.xxx.com/1.php

5. phpmyadmin burst path

Note:

Once you find the phpmyadmin Management page and access some specific files in the directory, the physical path may pop up. For phpmyadmin addresses, you can use tools such as wwwscan or google. PS: Some BT websites are written as phpMyAdmin.

Eg:

Www.xxx.cn/phpmyadmin/themes/darkblue_orange/layout.inc.php
Www.xxx.cn/phpmyadmin/libraries/select_lang.lib.php
Www.xxx.cn/phpmyadmin/index.php? Lang [] = 1

6. Find the path of the configuration file

Note:

If the injection point has the file read permission, you can manually load_file or the tool to read the configuration file, and then find the path information (usually at the end of the file ). The default paths of Web servers and PHP configuration files on various platforms can be checked online.

Eg:

Windows:

C: \ windows \ php. ini php configuration file
C: \ windows \ system32 \ inetsrv \ MetaBase. xml IIS Virtual Host Configuration File

Linux:
/Etc/php. ini php configuration file

/Etc/httpd/conf. d/php. conf
/Etc/httpd/conf/httpd. conf Apache configuration file
/Usr/local/apache/conf/httpd. conf

/Usr/local/apache2/conf/httpd. conf

/Usr/local/apache/conf/extra/httpd-vhosts.conf virtual directory configuration file

7. nginx file type error parsing burst path

Note:
This was accidentally discovered yesterday. Of course, the Web server is required to be nginx and there is a file type Parsing Vulnerability. Sometimes/x. php is added after the image address. This image will not only be executed as a php file, but may also expose the physical path.
Eg:

Www.xxx.com/top.jpg/x.php

8. Others

Others are full-Site program brute-force path vulnerabilities such as dedecms and phpwind, which are complicated and less universal. You can report such vulnerabilities in the reply, so I will sort them out.