alien Posted August 9, 2012 Report Posted August 9, 2012 When you pentest a website an it's ok to "make a lot of noise" you can use the nmap script at http-enum.nse , that basicaly uses another script http-fingerprints.lua to find any common folders on a system, bruteforce but works. This most of the time returs folders like admin, tmp and others, but the one in particular we will discuss right now is the /.git folder.Now we need to get the /.git folder. Using git clone to download the sources will fail, so since directory listing is turned on we can download it using wget.$ mkdir git-test$ cd git-test$ wget --mirror --include-directories=/.git http://www.target.com/.gitThat'll take some time, depending on the size of the repository. When it's all done, go into the folder that wget created and use git --reset:$ cd www.site.com$ git reset --hardHEAD is now at [...]Then look around - you have their entire codebase!$ lsdb doc robots.txt scripts testBrowse this for interesting scripts (like test scripts?), passwords, configuration details, deployment, addresses, and more! You just turned your blackbox pentest into a whitebox one, and maybe you got some passwords in the deal! You can also use "git log" to get commit messages, "git remote" to get a list of interesting servers, "git branch -a" to get a list of branches, etc.Why does this happen?When you clone a git repository, it creates a folder for git's metadata - .git - in the folder where you check it out. This is what lets you do a simple "git pull" to get new versions of your files, and can make deployment/upgrades a breeze.There are a few ways to prevent this:Remove the .git folder after you check it outUse a .htaccess file (or apache configuration file) to block access to .gitKeep the .git folder one level up - in a folder that's not available to the Web serverUse a framework - like Rails or .NET - where you don't give users access to the filesystemFinding this in an automated wayYou can quickly scan an entire network by using a command like:nmap -sS -PS80,81,443,8080,8081 -p80,81,443,8080,8081 --script=http-git <target>The output for an affected host will look something like:PORT STATE SERVICE80/tcp open http| http-git:| Potential Git repository found at 206.220.193.152:80/.git/ (found 5 of 6expected files)| Repository description: Unnamed repository; edit this file 'description' to namethe...| Remote: https://github.com/skullspace/skullspace.ca.git|_ -> Source might be at https://github.com/skullspace/skullspace.caCredits: SkullSecurity ? Blog Archive ? Using "Git Clone" to get Pwn3D 1 Quote
