My Question is does "url" attribute in the ajax request above take absolute path?
The Same Origin Policy prevents JavaScript from making a request and reading the response unless it is to the same host, port and protocol.
That doesn't stop an attacker from making any HTTP request they like (it is trivial to construct one manually that looks the same as one made via JS) and it doesn't stop an attacker from tricking a user into making any request the attacker likes (it does stop the attacker getting the response to that request though).
There is no need for the attacker to involve PHP or any other server side language to do any of this.
Also, is it possible to break any site by sending such requests?
That depends on how the site is written. You should apply the same security checks on URIs designed for access via JavaScript as those designed for access with a direct request from the browser.