Summary of php brute-force path

1. A single quotation mark (spofs) is directly added to the URL. The spofs are not filtered (gpcoff) and the server returns an error message by default. Www. xxxx. comnews. php? Id149 '2. Change the parameter to be submitted to the path of the error parameter to an error, for example,-1. Try to filter out single quotes. Www. xxxx. comresearcharchive. php? Id

1. The single quotation mark (single quotation mark) is directly added to the URL. The single quotation mark is not filtered (gpc = off) and the server returns an error message by default. Www.xxxx.com/news. php? Id = 149 '2. Change the parameter to be submitted to the path of the error parameter to an error, for example,-1. Try to filter out single quotes. Www.xxxx.com/researcharchive. php? Id =

1. Single quotes

Add single quotation marks directly behind the URL. The single quotation marks must not be filtered (gpc = off) and the server returns an error message by default.

Www.xxxx.com/news. php? Id = 149 ′

2. Path of incorrect parameter values

Change the parameter value to be submitted to an error value, for example,-1. Try to filter out single quotes.

Www.xxxx.com/researcharchive. php? Id =-1

3. Google's explosive path

Search for the webpage snapshot of the error page by combining the keyword and site syntax. Common keywords include warning and fatal error. Note: If the target site is a second-level domain name, the site is connected to its corresponding top-level domain name, resulting in much more information.

Site: xxxx.com warning

Site: xxxx.com "fatal error"

4. Test File explosion path

Many websites have test files in the root directory, and the script code is usually phpinfo ().

Www.xxxx.com/test. php

Www.xxxx.com/ceshi. php

Www.xxxx.com/info. php

Www.xxxx.com phpinfo. php

Www.xxxx.com/php_info.php

Www.xxxx.com/1.php

5. phpmyadmin burst path

Once you find the phpmyadmin Management page and access some specific files in the directory, the physical path may pop up. For phpmyadmin addresses, you can use tools such as wwwscan or google. PS: Some BT websites are written as phpMyAdmin.

Www.xxxx.com/phpmyadmin/themes/darkblue_orange/layout. inc. php

Www.xxxx.com/phpmyadmin/libraries/select_lang.lib.php

Www.xxxx.com/phpmyadmin/index. php? Lang [] = 1

6. Find the path of the configuration file

If the injection point has the file read permission, you can manually load_file or the tool to read the configuration file, and then find the path information (usually at the end of the file ). The default paths of Web servers and PHP configuration files on various platforms can be checked online.

Windows:

C: \ windows \ php. ini php configuration file

C: \ windows \ system32 \ inetsrv \ MetaBase. xml IIS Virtual Host Configuration File

Linux:

/Etc/php. ini php configuration file

/Etc/httpd/conf. d/php. conf

/Etc/httpd/conf/httpd. conf Apache configuration file

/Usr/local/apache/conf/httpd. conf

/Usr/local/apache2/conf/httpd. conf

/Usr/local/apache/conf/extra/httpd-vhosts.conf virtual directory configuration file

7. nginx file type error parsing burst path

This was accidentally discovered yesterday. Of course, the Web server is required to be nginx and there is a file type Parsing Vulnerability. Sometimes/x. php is added after the image address. This image will not only be executed as a php file, but may also expose the physical path.

Www.xxxx.com/top.jpg/x. php

8. Others

Others are full-Site program brute-force path vulnerabilities such as dedecms and phpwind, which are complicated and less universal.