
Source Code Disclosure via Exposed .git Folder

Today I am going to share about `source code disclosure through an exposed .git folder in web applications / work environments`. A couple of months ago I participated in a CTF (capture the flag). One challenge I faced was the task of restoring a git repository from a web server with directory listing enabled and finding the vulnerability to obtain the flag. I want you to be aware of this exposure vulnerability. Some websites host their version control repository (e.g. .git/) in production. Attackers can use tools to download and restore the repository and thereby gain access to your website's source code.

Why you should be aware of exposed git folders: a .git exposure may or may not pay well, depending on the assets found, but it is interesting anyway because:

  • It is easy to detect.

What is .git Folder?

The .git folder contains all the information that is necessary for your project in version control: all the information about commits, the remote repository address, etc. All of it is present in this folder. It also contains a log that stores your commit history so that you can roll back to an earlier state.

Why do developers use Git?

Git is an open source version control system. It is widely used by developers to track changes made to both open source and commercial projects. Developers can use Git with all major operating systems and integrated development environments (IDEs).

HTTP error codes and enumeration

  • 404 Error : .git does not exist on the server, or the path is wrong

Fun Part : To Exploit

Once you have a solid list of web applications, use forced browsing to see if a .git folder is accessible on them. If file and directory brute-force tools are allowed, you can use dirsearch or dirb (with the common.txt dictionary). They both check for .git/. If the git directory is exposed, it looks like this:

directory listing

To download and restore the git repo, simply use automated tools like GitHack, GitHacker or GitTools.

If directory listing is enabled on the production server, we only need one simple command to download all the files:

wget --mirror -I .git example.com/.git/

Once the download is complete, we can run git status in the downloaded copy to see the state of the local working tree compared with the data we obtained from the target web server's repository.

This status check only shows deleted files, since we only have the .git folder downloaded from the web server. That's not a problem, though. Running the git checkout -- . or git restore . command will reset the working tree to the last commit.

There are other ways to restore the repositories.

How to fix .git Source Code Exposure Vulnerabilities?

To fix this vulnerability, either remove the git folder from your web server or ensure that you deny all access to the .git folders.

It's easy to deny access to .git folders:

Apache

<DirectoryMatch "^/.*/\.git/">
    # Apache 2.2 syntax; on Apache 2.4 (without mod_access_compat) use: Require all denied
    Order deny,allow
    Deny from all
</DirectoryMatch>

Nginx

Put this in the first entry in your server-block in the nginx.conf file.

location ~ /\.git/ {
    deny all;
}

Lighttpd

Put this into your lighttpd.conf.

server.modules += ( "mod_access" )

After that, we can block access to the .git folder

$HTTP["url"] =~ "^/\.git/" {
      url.access-deny = ("") 
}
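Once one of the rules above is in place, the access log is the easiest place to confirm it is working and to see whether anything was served before it was. The following Python check is an added example, not part of the original post: it scans combined-format (Apache/nginx) access log lines for requests aimed at a .git directory and uses the response status, like the error-code list above, to separate a real leak (2xx) from a request the deny rule stopped (403) or one that found nothing (404). The log lines are constructed for the example.

```python
import re
from collections import Counter

# Apache/nginx "combined" format; the sample lines below are constructed, not from a real server.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Matches a path component that is exactly ".git" (/.git/HEAD, /app/.git/config), not /.gitignore
GIT_PATH_RE = re.compile(r'(^|/)\.git(/|$)')

SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /.git/HEAD HTTP/1.1" 200 23
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /.git/config HTTP/1.1" 200 137
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /.git/index?x=1 HTTP/1.1" 200 4096
198.51.100.9 - - [10/Oct/2023:14:02:01 +0000] "GET /app/.git/HEAD HTTP/1.1" 403 199
198.51.100.9 - - [10/Oct/2023:14:02:02 +0000] "GET /.gitignore HTTP/1.1" 404 153
192.0.2.44 - - [10/Oct/2023:14:10:10 +0000] "GET /index.php HTTP/1.1" 200 512
"""

def classify(status):
    """2xx: the file was served, the repo is exposed. 403: deny rule worked. Else: no .git there."""
    if 200 <= status < 300:
        return "exposed"
    return "blocked" if status == 403 else "absent"

def scan_access_log(text):
    """One finding per request aimed at a .git directory."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # drop the query string before matching
        if GIT_PATH_RE.search(path):
            status = int(m.group("status"))
            findings.append({"ip": m.group("ip"), "path": path,
                             "status": status, "verdict": classify(status)})
    return findings

def summarize(findings):
    """Verdict counts plus the client IPs that actually received .git content."""
    counts = dict(Counter(f["verdict"] for f in findings))
    leak_sources = sorted({f["ip"] for f in findings if f["verdict"] == "exposed"})
    return counts, leak_sources

if __name__ == "__main__":
    results = scan_access_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['verdict']:8} {f['status']} {f['ip']:15} {f['path']}")
    print(summarize(results))
```

Any "exposed" verdict means the repository was served at least once, so rotating any secrets held in the repository history is in order, not just adding the deny rule.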
