Skip to content

threatcode/GitHacker

GitHacker

PyPI version PyPI download

Desciption

This is a multiple threads tool to exploit the .git folder leakage vulnerability. It is able to download the target .git folder almost completely. This tool also works when the DirectoryListings feature is disabled by brute forcing common .git folder files.

With GitHacker's help, you can view the developer's commit history, branches, ..., stashes, which makes a better understanding of the target repo, even to find security vulnerabilities.

PROCLAMATION (IMPORTANT)

Several VULNERABILITIES have been reported recently, if you are using GitHacker <= 1.1.0, please update your tool as soon as possible.

The remote .git folder maybe malicious, so to prevent you from being attacked. It's highly recommended that you SHOULD run this tool under a disposable jailed environment (eg: Docker container).

Requirments

  • git >= 2.11.0
  • Python 3

Usage in Docker (Recommended)

# print help info docker run threatcode/githacker --help # quick start docker run -v $(pwd)/results:/tmp/githacker/results threatcode/githacker --output-folder /tmp/githacker/results --url http://127.0.0.1/.git/ # brute for the name of branchs / tags docker run -v $(pwd)/results:/tmp/githacker/results threatcode/githacker --brute --output-folder /tmp/githacker/results --url http://127.0.0.1/.git/ # exploit multiple websites, one site per line docker run -v $(pwd)/results:/tmp/githacker/results threatcode/githacker --brute --output-folder /tmp/githacker/results --url-file websites.txt 

Usage

# install python3 -m pip install -i https://pypi.org/simple/ GitHacker # print help info githacker --help # quick start githacker --url http://127.0.0.1/.git/ --output-folder result # brute for the name of branchs / tags githacker --brute --url http://127.0.0.1/.git/ --output-folder result # exploit multiple websites, one site per line githacker --brute --url-file websites.txt --output-folder result

Comparison of other tools

2021-05-25

Tools Index Source Code Reflogs Stashes Commits Branches Remotes Tags
GitTools ✔️ ✔️ ✔️ ✔️ ✔️
dvcs-ripper ✔️ ✔️ ✔️ ✔️ ✔️
GitHack ✔️ ✔️
git-dumper ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ ✔️
GitHacker ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ ✔️
GitTools ✔️ ✔️ ✔️ ✔️
dvcs-ripper
GitHack ✔️
git-dumper ✔️ ✔️ ✔️ ✔️ ✔️
GitHacker ✔️ ✔️ ✔️ ✔️ 💪 ✔️ 💪

Example

Demo

TODO

  • Download packed files firstly (Unsolvable via StackOverflow)
  • Fix infinit downloading 404 files, #25
  • Fix error when master branch not exists, #18
  • Extract branch names from .git/logs/HEAD, #18
  • Publish Docker image to hub.docker.com
  • Add Dockerfile
  • Fix stash files missing due to the fix of #21, #23, #24 (git clone can't download stash files)
  • Use python f'string in test.py
  • Download tags and branches when Index enabled
  • Try common tags and branches when Index disabled
  • find packed refs

Test

Setup Development Environment

# Install docker and docker-compose apt install docker-desktop apt install docker-compose # Download GitHacker git clone https://github.com/ThreatCode/GitHacker cd GitHacker python -m venv venv source venv/bin/activate pip install -r requirements.txt 

Run tests

# Generate testing repo python utils/gen.py # Run testcases sudo su source venv/bin/activate pip install -r requirements.txt python utils/test.py exit # Diff results python utils/diff.py 

Check report

See test/report/YYYY-MM-DD/index.html

Videos

asciinema

asciicast

YouTube

Security Issues

2021-08-01 Fixed: Malicious .git folder maybe harmful to the user of this tool (Reported by Driver Tom)

2022-03-01 Fixed: Arbitrary file write via recursive file downloader (Reported by Justin Steven)

  • To be released

2022-03-01 Fixed: Remote Code Execution via malicious .git/config and .git/hooks/* files (Reported by Justin Steven)

  • To be released

References

Acknowledgement

Licsence

THE DRINKWARE LICENSE <threatcodeer@gmail.com> wrote this file. As long as you retain this :x:tice you can do whatever you want with this stuff. If we meet some day, and you think this stuff is worth it, you can buy me the following drink(s) in return. Red Bull JDB Coffee Sprite Cola Harbin Beer etc Wang Yihang 

About

No description or website provided.

Topics

Resources

Code of conduct

Contributing

Security policy

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Contributors 6