Abuse display_errors=on to leak web root directory
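A good example of how to leverage the display_errors misconfiguration is sending a GET request with arrays injected as parameters. This technique, known as Parameter Pollution or Parameter Tampering, relies on the fact that most back-end code does not expect arrays as input data. When such code passes the array to a function that expects a string, PHP raises an error, and with display_errors enabled the error message, which includes the script's absolute path, is returned in the response.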
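A defensive check for the misconfiguration described above, as an added example that is not part of the original page: it audits php.ini text for display_errors and log_errors. The function names and sample ini strings are constructed for illustration, and it assumes PHP's built-in defaults (display_errors=1, log_errors=1) apply when a directive is absent.

```python
import re

# Values php.ini treats as boolean true (case-insensitive).
TRUTHY = {"1", "on", "yes", "true"}
# Built-in defaults PHP falls back to when php.ini does not set the directive.
PHP_DEFAULTS = {"display_errors": "1", "log_errors": "1"}
# key = value, with an optional trailing ';' comment.
LINE = re.compile(r"^\s*([A-Za-z_.]+)\s*=\s*(.*?)\s*(?:;.*)?$")


def effective_settings(ini_text):
    """Return the effective value of each audited directive (last assignment wins)."""
    settings = dict(PHP_DEFAULTS)
    for raw in ini_text.splitlines():
        if raw.lstrip().startswith((";", "[")):  # comment or section header
            continue
        m = LINE.match(raw)
        if m and m.group(1).lower() in settings:
            settings[m.group(1).lower()] = m.group(2).strip("\"'").lower()
    return settings


def audit(ini_text):
    """Return a list of findings; an empty list means both directives are hardened."""
    s = effective_settings(ini_text)
    findings = []
    # "stdout" is a synonym for On; both send error text to the client.
    if s["display_errors"] in TRUTHY | {"stdout"}:
        findings.append("display_errors is enabled: error messages, including "
                        "absolute script paths, are sent to the client")
    if s["log_errors"] not in TRUTHY:
        findings.append("log_errors is disabled: errors hidden from clients "
                        "would not be recorded anywhere")
    return findings


# Constructed sample configurations (not taken from any real host).
WEAK_INI = "[PHP]\ndisplay_errors = On ; dev leftover\nlog_errors = Off\n"
HARDENED_INI = ("[PHP]\ndisplay_errors = Off\nlog_errors = On\n"
                "error_log = /var/log/php_errors.log\n")
UNSET_INI = "[PHP]\n;display_errors = Off\nmemory_limit = 128M\n"

if __name__ == "__main__":
    for name, ini in [("weak", WEAK_INI), ("hardened", HARDENED_INI), ("unset", UNSET_INI)]:
        print(name, audit(ini) or "OK")
```

The check only sees the file it is given; overrides set at runtime with ini_set() or in per-directory configuration have to be reviewed separately.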
Dump PHP Variables
- Create a new file
- Curl the output of that file