Abuse display_errors=on to leak web root directory
A good example of how to leverage the display_errors misconfiguration is sending a GET request with arrays injected as parameters. This technique, known as Parameter Pollution or Parameter Tampering, relies on the fact that most back-end code does not expect arrays as input data.
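The defensive side of this, as an added example that is not part of the original page: errors are kept out of the response and array-valued parameters are rejected before any string function sees them. The names scalar_param and greet, and the name parameter, are hypothetical.

```php
<?php
declare(strict_types=1);

// Production settings: keep error text (and the file paths it contains) out of
// the response body and send it to the log instead. Normally set in php.ini;
// ini_set() is used here only to keep the example self-contained.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/**
 * Hypothetical helper: return a query parameter only if it is a string.
 * A request such as ?name[]=x makes PHP populate $query['name'] with an array,
 * which string functions reject with a warning or TypeError whose message
 * includes the script's full path.
 */
function scalar_param(array $query, string $key): ?string
{
    $value = $query[$key] ?? null;
    return is_string($value) ? $value : null;
}

/** Hypothetical handler: returns [status code, body] for a parsed query. */
function greet(array $query): array
{
    $name = scalar_param($query, 'name');
    if ($name === null) {
        // Missing or array-valued input gets a generic answer, not a PHP error.
        return [400, 'Bad request'];
    }
    return [200, 'Hello, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')];
}

// Constructed inputs: the shape of $_GET for ?name=alice, ?name[]=alice and no parameter.
foreach ([['name' => 'alice'], ['name' => ['alice']], []] as $query) {
    [$status, $body] = greet($query);
    echo $status, ' ', $body, PHP_EOL;
}
```

In a real handler, pass $_GET to greet(); the constructed arrays stand in for it so the script runs from the command line.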
Dump PHP Variables
- Create new file
- Curl the output of that file
XDebug and VS Code Remote Debugging
- Learn How to Debug PHP with Xdebug and VsCode
- How to install Xdebug and use it in PHP on Ubuntu?