
How does a hacker reach a back-end file to exploit it?

Information Security Asked by Cronos on February 9, 2021

I read this post: How does hacking work? and I saw that Chris Dale answered the question with some PHP exploit instructions. However, how can a hacker read a PHP file (or another back-end file), since it is on a server? What do hackers do to reach a back-end file in the first place? Is it done with pre-made tools like Metasploit or network tools and then, after being able to read the file with the tool, do they write custom exploits to achieve what they want? I wonder too whether JavaScript is easier to exploit because a section of the program usually is in the front-end (I mean files that aren't Node.js ones). I don't have prior knowledge of hacking.

One Answer

"Hackers" don't really do (or need to do) what you are describing. In some cases, a misconfiguration may allow for a remote user to view the text content of a PHP script file (e.g. maybe a backup file with a file extension not normally executed by the PHP interpreter, or some arbitrary read vulnerability), but this is not required to construct a working exploit.

In general, I'd say there are at least two ways an attacker may find vulnerabilities without reading the source off the server:

  1. The application is a well-known open source product (e.g. WordPress), and the attacker downloaded the source and found a vulnerability that way, or they found an existing vulnerability that applies to the version on the target server.
  2. Certain design patterns immediately raise red flags to the trained eye. If I see in the URL something like /?file=store.html, this looks like it could be used for directory traversal/LFI/RFI (e.g. maybe replace the file parameter with ../../../../etc/passwd to test). Or, if the website lets me directly or indirectly run system commands (e.g. "Enter an IP address to ping"), it may be worth attempting shell escapes (8.8.8.8$(cat /etc/passwd)) to see if there is a command injection vulnerability. These types of blind attacks are often more of an art than a science, as it can take quite a bit of intuition and assumption on the attacker's part to figure out how the system works and where a vulnerability may exist.

Answered by multithr3at3d on February 9, 2021
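The two blind probes described in the answer (a `../` traversal payload against a `?file=` parameter and a `$(...)` shell escape against a "ping this IP" feature), as an added example that is not code from the answerer or from any real PHP application. The vulnerable handlers are Python stand-ins for the PHP patterns `include($_GET['file'])` and `shell_exec("ping -c 1 " . $_GET['ip'])`; `echo` replaces `ping` so the block runs offline, a constructed file in a temporary directory stands in for /etc/passwd, and a POSIX `/bin/sh` is assumed. Each vulnerable handler is shown beside a hardened one, and the same probe is run against both so the reader can see what the attacker's indicator check looks like from the outside.

```python
import ipaddress
import os
import subprocess
import tempfile

# Constructed sandbox (added example): a fake web root plus a "secret" file that
# lives outside it, standing in for /etc/passwd so nothing real is touched.
ROOT = os.path.realpath(tempfile.mkdtemp())
WEBROOT = os.path.join(ROOT, "www")
os.makedirs(WEBROOT)
SECRET = os.path.join(ROOT, "secret.txt")
with open(os.path.join(WEBROOT, "store.html"), "w") as fh:
    fh.write("<h1>Store</h1>\n")
with open(SECRET, "w") as fh:
    fh.write("root:x:0:0:root:/root:/bin/bash\n")  # shaped like an /etc/passwd line
INDICATOR = "root:x:0:0"  # what the attacker looks for in the response

# Payloads in the shape the answer describes. Surplus "../" segments are harmless
# on POSIX (".." at "/" stays at "/"), so the attacker need not know the depth.
TRAVERSAL_PAYLOAD = "../" * 12 + SECRET.lstrip("/")
INJECTION_PAYLOAD = "8.8.8.8$(cat " + SECRET + ")"


def vulnerable_include(file_param: str) -> str:
    """Stand-in for PHP include($_GET['file']): the value is joined to the web root unchecked."""
    with open(os.path.join(WEBROOT, file_param)) as fh:
        return fh.read()


def hardened_include(file_param: str) -> str:
    """Allow-list the page names, then confirm the resolved path still lies under the web root."""
    if file_param not in {"store.html", "about.html"}:
        raise ValueError("page not in allow-list")
    real = os.path.realpath(os.path.join(WEBROOT, file_param))
    if not real.startswith(WEBROOT + os.sep):
        raise ValueError("path escapes web root")
    with open(real) as fh:
        return fh.read()


def vulnerable_ping(ip_param: str) -> str:
    """Stand-in for PHP shell_exec("ping -c 1 " . $_GET['ip']); echo replaces ping to stay offline."""
    cmd = "echo PING " + ip_param          # string concatenation into a shell command line
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hardened_ping(ip_param: str) -> str:
    """Validate the value as an IP literal and pass it as its own argv element, with no shell."""
    ip_literal = str(ipaddress.ip_address(ip_param))  # raises ValueError on "8.8.8.8$(...)"
    return subprocess.run(["echo", "PING", ip_literal], capture_output=True, text=True).stdout


def probe(handler, payload: str, indicator: str = INDICATOR) -> bool:
    """The attacker's blind test: send the payload, count it a hit only if the indicator appears."""
    try:
        return indicator in handler(payload)
    except (OSError, ValueError):  # a 500 or a rejection looks the same from outside: no leak
        return False


def run_probes() -> dict:
    """Run both probes against the vulnerable and hardened handlers; True means the file leaked."""
    return {
        "traversal/vulnerable": probe(vulnerable_include, TRAVERSAL_PAYLOAD),
        "traversal/hardened": probe(hardened_include, TRAVERSAL_PAYLOAD),
        "cmd-injection/vulnerable": probe(vulnerable_ping, INJECTION_PAYLOAD),
        "cmd-injection/hardened": probe(hardened_ping, INJECTION_PAYLOAD),
    }


if __name__ == "__main__":
    for name, hit in run_probes().items():
        print(f"{name:26s} {'VULNERABLE' if hit else 'no leak'}")
```

The probe never sees the handler's source: it only sends a guess and checks the response for a string that should not be there, which is exactly the intuition-driven loop the answer describes. The hardened variants show the two fixes that defeat it: an allow-list plus a real-path check for file parameters, and typed validation plus an argv list (no shell) for anything that reaches a system command.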
