Collecting sensitive company information: the Git information leakage vulnerability and how to use GitHack


Git is an open source distributed version control system for managing software versions effectively. Version control is standard practice for project development and management in software development: it tracks the whole course of a project from start to finish. For an enterprise R&D team it is the bridge for team collaboration and supports work by multiple people.

However, if code is released without following a standard procedure, the code may be leaked. An attacker can then use the leaked code to conduct a white-box code audit and discover vulnerabilities. Some code even stores the connection settings for servers, mailboxes, and databases, so if an attacker obtains the database user name and password from a configuration file and attacks the database, the consequences are serious.

The ".git" leak vulnerability and its hazards

Developers today use Git for version control and deploy sites automatically. If the deployment is configured improperly, the ".git" folder may be deployed directly to the production environment. This causes the ".git" leak vulnerability.

An attacker can use this vulnerability to download everything in the .git folder. If the folder contains sensitive information, such as the site source code or database account passwords, the attacker may be able to take control of the server directly.

.git directory

  • config: contains some configuration options
  • description: description of the repository, mainly used by Git hosting systems such as gitweb
  • HEAD: specifies the current branch; it maps to a ref, through which the hash of the commit that precedes the next commit can be found
  • hooks: stores hook scripts that can be triggered before and after certain commands; includes some sample scripts by default
  • index: this file is the staging area ("stage"); it is a binary file
  • info: stores information about the repository
  • objects: stores all Git data objects; the first two characters of an object's SHA-1 hash are the folder name, and the remaining 38 characters are the object file name
  • refs: stores the target commits that each branch points to
  • branches: I haven't found any use yet

Git information disclosure principle

  • The project source code is restored and rebuilt from the files in the leaked .git folder
  • Parse the .git/index file and find every (file name, file SHA-1) pair in the project
  • Go to the .git/objects folder and download the corresponding files
  • Decompress each file with zlib and write the source code out in the original directory structure
  • (Hazard: penetration testers and attackers can go on to audit the code and dig out security vulnerabilities such as file upload and SQL injection)

How to use GitHack

GitHack is a test script for the .git leak that restores and rebuilds a project's source code from the leaked files. FreeBuf has reported related vulnerabilities before, in "Wanda, BBK and other well-known companies were shot".
GitHub, however, is not taking the blame for this one (why should GitHub carry the blame when you are the one not wearing pants?)

Working principle:

  • Parse the .git/index file and find every item in the project: (file name, file SHA-1)
  • Go to the .git/objects/ folder and download the corresponding files
  • Decompress each file with zlib and write the source code out in the original directory structure

Advantages:

  • Fast: 20 worker threads by default
  • Restores as much of the source code as possible; missing files do not stop the script from working
  • The script does not need to run any additional git commands; all you need is Python
  • The script does not need directory browsing to be enabled

Note: in some cases the files have been packed by gc into .git/objects/pack; you can test whether this file can be fetched and decompressed directly to restore the source code.

How to use: GitHack.py http://www.openssl.org/.git/

How to fix

  • Control access to the .git directory
  • Delete the .git folder after each pull
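
A release-time check for the two fixes above, as an added example (not from the original post and not part of GitHack): it walks a deployed web root and reports every .git directory left in it, counting loose objects by the 2 + 38 character layout and the pack files described earlier. The function names and the credentials-in-remote-URL heuristic are assumptions of this example.

```python
import os
import re

# Remote URL with embedded credentials, e.g. https://user:secret@host/repo.git
CRED_URL = re.compile(r"url\s*=\s*\w+://[^/\s:@]+:[^/\s@]+@")
HEX2 = re.compile(r"^[0-9a-f]{2}$")    # folder: first 2 hex chars of the SHA-1
HEX38 = re.compile(r"^[0-9a-f]{38}$")  # file: remaining 38 hex chars

def count_objects(objects_dir):
    """Return (loose, packs) counted from the objects/ layout."""
    loose = packs = 0
    if not os.path.isdir(objects_dir):
        return loose, packs
    for sub in os.listdir(objects_dir):
        full = os.path.join(objects_dir, sub)
        if HEX2.match(sub) and os.path.isdir(full):
            loose += sum(1 for f in os.listdir(full) if HEX38.match(f))
        elif sub == "pack" and os.path.isdir(full):   # objects packed by gc
            packs += sum(1 for f in os.listdir(full) if f.endswith(".pack"))
    return loose, packs

def audit_webroot(webroot):
    """Return one finding per .git directory inside the deployed tree."""
    findings = []
    for dirpath, dirnames, _ in os.walk(webroot):
        if ".git" not in dirnames:
            continue
        dirnames.remove(".git")                       # report it, do not descend
        git_dir = os.path.join(dirpath, ".git")
        loose, packs = count_objects(os.path.join(git_dir, "objects"))
        creds = False
        config = os.path.join(git_dir, "config")
        if os.path.isfile(config):
            with open(config, encoding="utf-8", errors="replace") as fh:
                creds = bool(CRED_URL.search(fh.read()))
        findings.append({
            "path": os.path.relpath(git_dir, webroot),
            "has_index": os.path.isfile(os.path.join(git_dir, "index")),
            "loose_objects": loose, "pack_files": packs,
            "credentials_in_config": creds,
        })
    return findings

if __name__ == "__main__":
    import sys
    for finding in audit_webroot(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```

Run it against the directory the web server serves and fail the release if the returned list is not empty.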


Origin blog.csdn.net/weixin_42250835/article/details/111474285