#OpenFest
Ripping web accessible .git files
(or how to get the source when it's not open source)

Vlatko Kosturjak, Diverto
https://twitter.com/k0st
Agenda
●   Introduction
●   Finding repos
●   Cloning them
●   How to get the source when it's not open source
●   How to Profit

5 minutes
You found .git?
Want source?
●   Get the repo:
    mkdir git-test
    cd git-test
    wget --mirror --include-directories=/.git http://www.target.com/.git
●   Get files:
    cd www.target.com
    git reset --hard
●   Profit!

http://www.skullsecurity.org/blog/2012/using-git-clone-to-get-pwn3d
Problem




Directory browsing disabled
No tool available to detect
●   Most of the web/network scanners will not find this
    ●   No awareness
●   Tools look only at this
    ●   .git/ => 403
●   They should actually look at
    ●   .git/logs/HEAD => 200
    ●   .git/config => 200
    ●   .git/index => 200
    ●   ...
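
The check from the slide above, as an added example for auditing a site you operate (not code from the talk or from any of the tools it names): a 403 on .git/ is ignored, and each well-known file must come back 200 with Git-like content, so a site that answers 200 to everything is not flagged. The helper names and the sample responses are constructed for illustration, and SHA-1 object ids are assumed.

```python
import re
import urllib.error
import urllib.request

# What each file must look like to count as a real Git file (SHA-1 repos).
SIGNATURES = {
    ".git/HEAD": lambda b: re.match(rb"ref: refs/|[0-9a-f]{40}\s*$", b) is not None,
    ".git/config": lambda b: b"[core]" in b,
    ".git/index": lambda b: b.startswith(b"DIRC"),
    ".git/logs/HEAD": lambda b: re.match(rb"[0-9a-f]{40} [0-9a-f]{40} ", b) is not None,
}

def http_fetch(base_url):
    """Build fetch(path) -> (status, first bytes of body) for a site you operate."""
    def fetch(path):
        url = base_url.rstrip("/") + "/" + path
        try:
            with urllib.request.urlopen(url, timeout=10) as resp:
                return resp.status, resp.read(4096)
        except urllib.error.HTTPError as err:
            return err.code, b""
    return fetch

def audit_git_exposure(fetch):
    """Return the .git files served with status 200 AND plausible Git content."""
    exposed = []
    for path, looks_like_git in SIGNATURES.items():
        status, body = fetch(path)
        if status == 200 and looks_like_git(body):
            exposed.append(path)
    return sorted(exposed)

# Constructed responses: listing disabled (403 on .git/) but files still served.
LISTING_DISABLED = {
    ".git/": (403, b""),
    ".git/HEAD": (200, b"ref: refs/heads/master\n"),
    ".git/config": (200, b"[core]\n\trepositoryformatversion = 0\n"),
    ".git/index": (200, b"DIRC\x00\x00\x00\x02\x00\x00\x00\x00"),
    ".git/logs/HEAD": (200, b"0" * 40 + b" " + b"a" * 40
                       + b" dev <dev@example.com> 0 +0000\tinit\n"),
}

def fake_fetch(pages, default=(404, b"")):
    """Stand-in for http_fetch() that serves constructed pages offline."""
    return lambda path: pages.get(path, default)

if __name__ == "__main__":
    print(audit_git_exposure(fake_fetch(LISTING_DISABLED)))
    # A "soft 404" site answers 200 with HTML for everything: nothing reported.
    print(audit_git_exposure(fake_fetch({}, (200, b"<html>not found</html>"))))
```
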
Nmap NSE comes to the rescue
●   Have to use the latest SVN version
    ●   Script is not in 6.01
●   It looks for all relevant git files
    ●   .git/logs/HEAD
    ●   .git/config
    ●   ...
●   nmap -sS -PS80,81,443,8080,8081 -p80,81,443,8080,8081 --script=http-git <target>

    PORT      STATE SERVICE
    80/tcp    open   http
    | http-git:
    |    Potential Git repository found at XX.XX.XX.XX:XX/.git/ (found 5 of 6 expected files)
DVCS-Pillage
●   It will rip the .git files when directory browsing is disabled
    ●   By Adam Baldwin
●   Accessible from URL:
    ●   https://github.com/evilpacket/DVCS-Pillage
●   Has a few problems
    ●   Hmm...
Problems...
●   Current methods
    ●   Tree download method is not complete
        –   Packed refs
        –   git ls-files --stage method
    ●   No support for branches
    ●   No support for protocols other than http
●   Time to code my own tool
    ●   Want whole tree
    ●   Branches
    ●   Support old protocols
DVCS-rip
●   It will rip the .git files when directory browsing is disabled
●   It will rip ALL files and check out the repository for you
    ●   Not partial
    ●   git fsck trick
●   Support for
    ●   Branches
    ●   Any protocol (http/https/...)
●   Accessible from URL:
    ●   https://github.com/kost/dvcs-ripper
DVCS-rip
●   How to run?
●   Example run:
    ●   rip-git.pl -v -u http://www.example.com/.git/
●   It will automatically do "git checkout -f"
●   Profit!
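
Seen from the server side, file-by-file retrieval like the slides describe leaves 200 responses under /.git/ in the access log even though /.git/ itself answers 403. The following is an added example for defenders, not part of the talk or of dvcs-ripper; it assumes the common "combined" access log format, and the log lines and function name are constructed for illustration.

```python
import re
from collections import defaultdict

# client ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')
# Anything below a .git/ directory, at the web root or in a subdirectory.
GIT_PATH = re.compile(r'^/(?:[^?#]*/)?\.git/([^?#]*)')
# Loose objects and pack files: the actual repository content.
OBJECT = re.compile(
    r'^objects/(?:[0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(?:pack|idx))$')

def git_leaks(lines):
    """Map client -> counts of .git requests that the server answered with 200."""
    hits = defaultdict(lambda: {"metadata": 0, "objects": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, path, status = m.groups()
        g = GIT_PATH.match(path)
        if not g or status != "200":
            continue  # 403/404 means nothing was handed out
        kind = "objects" if OBJECT.match(g.group(1)) else "metadata"
        hits[client][kind] += 1
    return dict(hits)

# Constructed sample log (documentation IP ranges, made-up object ids).
TS = "[10/Nov/2012:10:00:00 +0000]"
SAMPLE_LOG = [
    f'192.0.2.10 - - {TS} "GET /.git/ HTTP/1.1" 403 199 "-" "-"',
    f'192.0.2.10 - - {TS} "GET /.git/config HTTP/1.1" 200 92 "-" "-"',
    f'192.0.2.10 - - {TS} "GET /.git/index HTTP/1.1" 200 4096 "-" "-"',
    f'192.0.2.10 - - {TS} "GET /.git/objects/a1/{"0" * 38} HTTP/1.1" 200 120 "-" "-"',
    f'192.0.2.10 - - {TS} "GET /.git/objects/b2/{"1" * 38} HTTP/1.1" 200 310 "-" "-"',
    f'198.51.100.7 - - {TS} "GET /.git/HEAD HTTP/1.1" 404 0 "-" "-"',
    f'198.51.100.7 - - {TS} "GET /index.html HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    for client, counts in git_leaks(SAMPLE_LOG).items():
        print(client, counts)
```

Any client with a non-zero "objects" count has received repository content, so the source and every secret ever committed should be treated as disclosed.
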
Evolving




Good example of open source collaboration between projects
Questions? Comments? Feedback?

                    @k0st
                            This is zero



Acknowledgements:
Adam Baldwin,
Ron Bowes,
Alex Weber,
...
