1. Single quote explosion path
Instructions:
Add single quotes directly after the URL, requiring that the single quotes are not filtered (gpc=off) and the server returns an error by default information.
Eg:
www.xxx.com/news.php?id=149′
2. Wrong parameter value explosion path
Instructions:
Change the parameter value to be submitted to an error value, such as -1. Try it when single quotes are filtered.
Eg:
www.xxx.com/researcharchive.php?id=-1
3. Google explosion path
Instructions:
Combine keywords and site syntax to search for web snapshots of error pages. Common keywords include warning and fatal error. Note that if the target site is a second-level domain name and the site is connected to its corresponding top-level domain name, much more information will be obtained.
Eg:
Site:xxx.edu.tw warning
Site:xxx.com.tw “fatal error”
4. Test file explosion Path
Description:
There are test files in the root directory of many websites, and the script code is usually phpinfo().
Eg:
www.xxx.com/test.php
www.xxx.com/ceshi.php
www.xxx.com/info.php
www.xxx.com/phpinfo.php
www.xxx.com/php_info.php
www.xxx.com/1.php
5. phpmyadmin explosion path
Note:
Once you find the management page of phpmyadmin, and then access certain specific files in this directory, it is very likely that the physical path will be exposed. As for the address of phpmyadmin, you can use tools like wwwscan to scan it, or you can choose Google. PS: Some BT websites will be written as phpMyAdmin.
Eg:
www.xxx.cn/phpmyadmin/themes/darkblue_orange/layout.inc.php
www.xxx.cn/phpmyadmin/libraries/select_lang.lib.php
www.xxx.cn/phpmyadmin/index.php?lang[]=1
6. Configuration file search path
Instructions:
If the injection point has file read permission, you can manually load_file or use a tool to read the configuration file, and then find the path information from it (usually at the end of the file). The default paths of the configuration files of the web server and PHP under each platform can be checked online. Here are some common ones.
Eg:
Windows:
c:windowsphp.ini php configuration file
c:windowssystem32inetsrvMetaBase.xml IIS virtual host configuration file
Linux :
/etc/php.ini php configuration file
/etc/httpd/conf.d/php.conf
/etc/httpd/conf/httpd.conf Apache configuration file
/usr/local/apache/conf/httpd.conf
/usr/local/apache2/conf/httpd.conf
/usr/local/apache/conf/extra/httpd-vhosts .conf virtual directory configuration file
7. nginx file type error parsing path
Explanation:
This is a method discovered accidentally yesterday, of course it requires Web The server is nginx, and there is a file type parsing vulnerability. Sometimes /x.php is added after the image address. Not only will the image be executed as a php file, but the physical path may also be exposed.
Eg:
www.xxx.com/top.jpg/x.php
8. Others
Others are like dedecms, Whole-site programs such as phpwind are prone to path vulnerabilities, are complex, and are not very versatile. You can report such loopholes in your reply and I will sort them out.