GitHacker

Desciption

This is a multiple threads tool to exploit the .git folder leakage vulnerability. It is able to download the target .git folder almost completely. This tool also works when the DirectoryListings feature is disabled by brute forcing common .git folder files.

With GitHacker's help, you can view the developer's commit history, branches, ..., stashes, which makes a better understanding of the target repo, even to find security vulnerabilities.

PROCLAMATION (IMPORTANT)

Several VULNERABILITIES have been reported recently, if you are using GitHacker <= 1.1.0, please update your tool as soon as possible.

The remote .git folder maybe malicious, so to prevent you from being attacked. It's highly recommended that you SHOULD run this tool under a disposable jailed environment (eg: Docker container).

Requirments

• git >= 2.11.0
• Python 3

Usage in Docker (Recommended)

# print help info
docker run wangyihang/githacker --help
# quick start
docker run -v $(pwd)/results:/tmp/githacker/results wangyihang/githacker --output-folder /tmp/githacker/results --url http://127.0.0.1/.git/
# brute for the name of branchs / tags
docker run -v $(pwd)/results:/tmp/githacker/results wangyihang/githacker --brute --output-folder /tmp/githacker/results --url http://127.0.0.1/.git/
# exploit multiple websites, one site per line
docker run -v $(pwd)/results:/tmp/githacker/results wangyihang/githacker --brute --output-folder /tmp/githacker/results --url-file websites.txt 

Usage

# install
python3 -m pip install -i https://pypi.org/simple/ GitHacker
# print help info
githacker --help
# quick start
githacker --url http://127.0.0.1/.git/ --output-folder result
# brute for the name of branchs / tags
githacker --brute --url http://127.0.0.1/.git/ --output-folder result
# exploit multiple websites, one site per line
githacker --brute --url-file websites.txt --output-folder result

Comparison of other tools

2021-05-25

Example

TODO

• [x] ~~Download packed files firstly~~ (Unsolvable via StackOverflow)
• [x] Fix infinit downloading 404 files, #25
• [x] Fix error when master branch not exists, #18
• [x] Extract branch names from .git/logs/HEAD, #18
• [x] Publish Docker image to hub.docker.com
• [x] Add Dockerfile
• [x] Fix stash files missing due to the fix of #21, #23, #24 (git clone can't download stash files)
• [x] Use python f'string in test.py
• [x] Download tags and branches when Index enabled
• [x] Try common tags and branches when Index disabled
• [x] find packed refs

Videos

asciinema

YouTube

• 【.git/ folder attack】Comparison of attack tools (Part I)
• 【.git/ folder attack】Comparison of attack tools (Part II)

Security Issues

2021-08-01 Fixed: Malicious .git folder maybe harmful to the user of this tool (Reported by Driver Tom)

• 别想偷我源码：通用的针对源码泄露利用程序的反制（常见工具集体沦陷）

2022-03-01 Fixed: Arbitrary file write via recursive file downloader (Reported by Justin Steven)

• To be released

2022-03-01 Fixed: Remote Code Execution via malicious .git/config and .git/hooks/* files (Reported by Justin Steven)

• To be released

References

• Git Repository Layout
• Git Documents
• Git Pack filename

Acknowledgement

• @Justin Steven
• @Driver Tom
• @lesion1999
• @shashade250

Licsence

THE DRINKWARE LICENSE

<[email protected]> wrote this file. As long as 
you retain this :x:tice you can do whatever you want 
with this stuff. If we meet some day, and you think 
this stuff is worth it, you can buy me the following
drink(s) in return.

Red Bull
JDB
Coffee
Sprite
Cola
Harbin Beer
etc

Wang Yihang