• Stars
    star
    1,408
  • Rank 33,405 (Top 0.7 %)
  • Language
    Python
  • Created over 7 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

🕷️ A `.git` folder exploiting tool that is able to restore the entire Git repository, including stash, common branches and common tags.

GitHacker

PyPI version PyPI download

Desciption

This is a multiple threads tool to exploit the .git folder leakage vulnerability. It is able to download the target .git folder almost completely. This tool also works when the DirectoryListings feature is disabled by brute forcing common .git folder files.

With GitHacker's help, you can view the developer's commit history, branches, ..., stashes, which makes a better understanding of the target repo, even to find security vulnerabilities.

PROCLAMATION (IMPORTANT)

Several VULNERABILITIES have been reported recently, if you are using GitHacker <= 1.1.0, please update your tool as soon as possible.

The remote .git folder maybe malicious, so to prevent you from being attacked. It's highly recommended that you SHOULD run this tool under a disposable jailed environment (eg: Docker container).

Requirments

  • git >= 2.11.0
  • Python 3

Usage in Docker (Recommended)

# print help info
docker run wangyihang/githacker --help
# quick start
docker run -v $(pwd)/results:/tmp/githacker/results wangyihang/githacker --output-folder /tmp/githacker/results --url http://127.0.0.1/.git/
# brute for the name of branchs / tags
docker run -v $(pwd)/results:/tmp/githacker/results wangyihang/githacker --brute --output-folder /tmp/githacker/results --url http://127.0.0.1/.git/
# exploit multiple websites, one site per line
docker run -v $(pwd)/results:/tmp/githacker/results wangyihang/githacker --brute --output-folder /tmp/githacker/results --url-file websites.txt 

Usage

# install
python3 -m pip install -i https://pypi.org/simple/ GitHacker
# print help info
githacker --help
# quick start
githacker --url http://127.0.0.1/.git/ --output-folder result
# brute for the name of branchs / tags
githacker --brute --url http://127.0.0.1/.git/ --output-folder result
# exploit multiple websites, one site per line
githacker --brute --url-file websites.txt --output-folder result

Comparison of other tools

2021-05-25

DirectoryIndex enabled in Web Server

Tools Source Code Reflogs Stashes Commits Branches Remotes Tags
GitTools ✔️ ✔️ ✔️ ✔️
dvcs-ripper ✔️ ✔️ ✔️ ✔️
GitHack ✔️
git-dumper ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ ✔️
GitHacker ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ ✔️

DirectoryIndex disabled in Web Server

💪 means brute-forcing.

Tools Source Code Reflogs Stashes Commits Branches Remotes Tags
GitTools ✔️ ✔️ ✔️ ✔️
dvcs-ripper
GitHack ✔️
git-dumper ✔️ ✔️ ✔️ ✔️ ✔️
GitHacker ✔️ ✔️ ✔️ ✔️ 💪 ✔️ 💪

Example

Demo

TODO

  • Download packed files firstly (Unsolvable via StackOverflow)
  • Fix infinit downloading 404 files, #25
  • Fix error when master branch not exists, #18
  • Extract branch names from .git/logs/HEAD, #18
  • Publish Docker image to hub.docker.com
  • Add Dockerfile
  • Fix stash files missing due to the fix of #21, #23, #24 (git clone can't download stash files)
  • Use python f'string in test.py
  • Download tags and branches when Index enabled
  • Try common tags and branches when Index disabled
  • find packed refs

Test

Setup Development Environment

# Install docker and docker-compose
apt install docker-desktop
apt install docker-compose

# Download GitHacker
git clone https://github.com/WangYihang/GitHacker
cd GitHacker
python -m venv venv
source venv/bin/activate
pip install -r requirements.txt

Run tests

# Generate testing repo
python utils/gen.py

# Run testcases
sudo su
source venv/bin/activate
pip install -r requirements.txt
python utils/test.py
exit

# Diff results
python utils/diff.py

Check report

See test/report/YYYY-MM-DD/index.html

Videos

asciinema

asciicast

YouTube

Security Issues

2021-08-01 Fixed: Malicious .git folder maybe harmful to the user of this tool (Reported by Driver Tom)

2022-03-01 Fixed: Arbitrary file write via recursive file downloader (Reported by Justin Steven)

  • To be released

2022-03-01 Fixed: Remote Code Execution via malicious .git/config and .git/hooks/* files (Reported by Justin Steven)

  • To be released

References

Acknowledgement

Licsence

THE DRINKWARE LICENSE

<[email protected]> wrote this file. As long as 
you retain this :x:tice you can do whatever you want 
with this stuff. If we meet some day, and you think 
this stuff is worth it, you can buy me the following
drink(s) in return.

Red Bull
JDB
Coffee
Sprite
Cola
Harbin Beer
etc

Wang Yihang

More Repositories

1

Platypus

🔨 A modern multiple reverse shell sessions manager written in go
Go
1,503
star
2

Webshell-Sniper

🔨 Manage your website via terminal
Python
419
star
3

SourceLeakHacker

🐛 A multi threads web application source leak scanner
Python
379
star
4

ccupp

基于社会工程学的弱口令密码字典生成工具
Python
340
star
5

UsbKeyboardDataHacker

USB键盘流量包取证工具 , 用于恢复用户的击键信息
Python
320
star
6

Reverse-Shell-Manager

🔨 A multiple reverse shell session/client manager via terminal
Python
237
star
7

USB-Mouse-Pcap-Visualizer

USB mouse traffic packet forensic tool, mainly used to draw mouse movements and dragging trajectories
JavaScript
233
star
8

Exploit-Framework

🔥 An Exploit framework for Web Vulnerabilities written in Python
Python
170
star
9

Apache-HTTP-Server-Module-Backdoor

👺 A Simple Backdoor For Apache HTTP Server
C
151
star
10

MIT-6.031-Readings-zh-cn

麻省理工大学-18年春季学期-软件构造(6.031)课程阅读中文版
84
star
11

awesome-web-security

📓 Some notes and impressive articles of Web Security
74
star
12

Codiad-Remote-Code-Execute-Exploit

A simple exploit to execute system command on codiad
Python
64
star
13

Find-PHP-Vulnerabilities

🐛 A plug-in of sublime 2/3 which is able to find PHP vulnerabilities
Python
56
star
14

PwnMe

二进制渗透题目汇总
Python
54
star
15

IdiomsSolitaire

成语接龙
Python
48
star
16

sqli-labs

WriteUp of sqli-labs (GitBook : https://www.gitbook.com/book/wangyihang/sqli-labs/details)
39
star
17

12306

12306网站抢票Python脚本
Python
28
star
18

WebShellCracker

WebShell密码爆破工具
Python
19
star
19

LinuxShellScript

LinuxShell编程笔记
Shell
15
star
20

SQL-Hacker

简单SQL注入工具
Python
14
star
21

XorShellcode

Shellcode异或加密工具
Python
12
star
22

Subdomain-Crawler

A program for collecting subdomains of a list of given second-level domains (SLD)
Go
12
star
23

ShellcodeSpider

Shellcode Spider of Exploit-DB
C
12
star
24

HIT-Courses-Calendar

哈尔滨工业大学教务处课表Excel转换iCal脚本
Python
10
star
25

gojob

Go(od) Job is a simple job scheduler that supports task retries, logging, and task sharding.
Go
10
star
26

Proxy-Verifier

A set of tools designed to efficiently and effectively locate publicly available proxy server resources.
Go
9
star
27

PPT-Generator

Generate PPT via a simple summary
Python
9
star
28

tplayer

一个Linux终端播放器 , 使用字符绘制图片/视频 , 并按照帧率播放
Python
8
star
29

Presentations

8
star
30

t3sec-network-flow-analysis

6
star
31

acw-sc-v2.js

`acw_sc__v2` cookie generator
HTML
5
star
32

Docker-Container-Exposer

Expose docker containers to public network
Shell
5
star
33

pickle-pickle

A arbitary python code executer via python pickle
Python
5
star
34

CrackMe

CrackMe 汇总
Python
5
star
35

Platypus-Python

Python
5
star
36

SimpleEncrypter

简单shellcode加密工具(存在 0 字节)
Python
4
star
37

Markdown-URL-to-Title

Python
4
star
38

DBLP-Spider

A spider tool for downloading the DBLP search results into local BibTeX files.
Python
4
star
39

MovieSearcher

电影资源搜索工具
Python
3
star
40

Image-LSB-Stego

Python
3
star
41

http-grab

Go
2
star
42

tranco-go-package

Go
2
star
43

acw-sc-v2-py

Python requests.HTTPAdapter for `acw_sc__v2`
Python
2
star
44

dns-grab

Go
2
star
45

PrintableShellcodeCreator

可打印shellcode生成工具
C
2
star
46

DBAPPSecurity-Unified-Security-Management-Python-Connector

Python Connector for DBAPPSecurity Unified Security Management | 明御®运维审计与风险控制系统(堡垒机)
Python
1
star
47

bgphenet

Go
1
star
48

acw-sc-v2-go

Go
1
star
49

ModifyHeadersForChrome

ModifyHeadersForChrome
JavaScript
1
star
50

ProcessInjector

C
1
star
51

JBrowserWithPulgins

Java实现的一个简单的Web浏览器 , 提供了插件功能 , 目前插件有下载地址分析器
Java
1
star