One of them "ConfigSpy", but to use this tool you already have to be in the system / host target.
Let's try another way.
In this case, I will exploit a bug LFD (Local File Disclosure) which published by our friends NoGay (NoGe Is Gay).
http://[site]/[path]/e107_plugins/my_gallery/image.php?file=[LFI]it's Bug
Before using his first identify the web application is used.
My point here is that we first seek to know the path or the location where config files which set the connection to the database. Why? As performed by "ConfigSpy", which took the login database to try to log into the ftp.
As you know that frequent carelessness in giving the login database, where the log is equal to log into the ftp and ssh.
Well
In the existing applications on top of the e107 cms, his path to config found on the main path to the application with the name e107_config.php