Using “Git Clone” to get Pwn3D

Hey everybody!

While I was doing a pentest last month, I discovered an attack I didn't previously know, and I thought I'd share it. This may be a Christopher Columbus moment - discovering something that millions of people already knew about - but I found it pretty cool so now you get to hear about it!

One of the first things I do when I'm looking at a Web app - and it's okay to make a lot of noise - is run the http-enum.nse Nmap script. This script uses the http-fingerprints.lua file to find any common folders on a system (basically brute-force browsing). I'm used to seeing admin folders, tmp folders, and all kinds of other interesting stuff, but one folder in particular caught my eye this time - /.git.

Now, I'll admit that I'm a bit of an idiot when it comes to git. I use it from time to time, but not in any meaningful way. So, I had to hit up my friend @mogigoma. He was on his cellphone, but managed to get me enough info to make this attack work.

First, I tried to use git clone to download the source. That failed, and I didn't understand why, so I gave up that avenue right away.

Next, I wanted to download the /.git folder. Since directory listings were turned on, this was extremely easy:

$ mkdir git-test
$ cd git-test
$ wget --mirror --include-directories=/.git http://www.target.com/.git

That'll take some time, depending on the size of the repository. When it's all done, go into the folder that wget created and use git --reset:

$ cd www.site.com
$ git reset --hard
HEAD is now at [...]

Then look around - you have their entire codebase!

$ ls
db  doc  robots.txt  scripts  test

Browse this for interesting scripts (like test scripts?), passwords, configuration details, deployment, addresses, and more! You just turned your blackbox pentest into a whitebox one, and maybe you got some passwords in the deal! You can also use "git log" to get commit messages, "git remote" to get a list of interesting servers, "git branch -a" to get a list of branches, etc.

Why does this happen?

When you clone a git repository, it creates a folder for git's metadata - .git - in the folder where you check it out. This is what lets you do a simple "git pull" to get new versions of your files, and can make deployment/upgrades a breeze. In fact, I intentionally leave .git folders in some of my sites - like my hackerspace, SkullSpace. You can find this exact code on github, so there's no privacy issue; this only applies to commercial sites where the source isn't available, or where more than just the code is bring stored in source control.

There are a few ways to prevent this:

  • Remove the .git folder after you check it out
  • Use a .htaccess file (or apache configuration file) to block access to .git
  • Keep the .git folder one level up - in a folder that's not available to the Web server
  • Use a framework - like Rails or .NET - where you don't give users access to the filesystem

There may be other ways as well, use what makes sense in your environment!

Finding this in an automated way

A friend of mine - Alex Weber - wrote an Nmap script (his first ever!) to detect this vulnerability and print some useful information about the git repository! This script will run by default when you run nmap -A, or you can specifically request it by running nmap --script=http-git <target>. You can quickly scan an entire network by using a command like:

nmap -sS -PS80,81,443,8080,8081 -p80,81,443,8080,8081 --script=http-git <target>

The output for an affected host will look something like:

PORT     STATE  SERVICE
80/tcp   open   http
| http-git: 
|   Potential Git repository found at 206.220.193.152:80/.git/ (found 5 of 6
expected files)
|   Repository description: Unnamed repository; edit this file 'description' to name 
the...
|   Remote: https://github.com/skullspace/skullspace.ca.git
|_   -> Source might be at https://github.com/skullspace/skullspace.ca

And that's all there is to it! Have fun, and let me know if you have any interesting results so I can post a followup!

10 thoughts on “Using “Git Clone” to get Pwn3D

  1. Reply

    Peter

    nice post, does the script also scan for .svn, .hg (mercurial) etc. folders?

    1. Reply

      Ron Bowes Post author

      Peter - not yet, but he may add that in the future!

  2. Reply

    Adam Baldwin

    Check out the DVCS-Pillage toolkit that can extract git, bzr, and hg (mercurial) repositories found in a webroot, even with directory browsing disabled.

    https://github.com/evilpacket/DVCS-Pillage

    Please fork and contribute :-)

    1. Reply

      Ron Bowes Post author

      Adam - very cool, I'd never heard of that!

  3. Reply

    Matt Gardenghi

    So, what's the Google Dork for this?

  4. Reply

    James Orenthal

    @Matt: https://www.google.com/search?q=%22.git%22+intitle%3A%22Index+of%22

  5. Reply

    Matt Gardenghi

    Most excellent. Looks like fun.

    1. Reply

      Ron Bowes Post author

      Thanks, Matt!

  6. Reply

    Sandro Munda

    Nice post :-) Even if the web server is not directory indexed, you can access to the file directly if you know the fullpath.

    For example:

    http://midexgold.com/.git/logs/HEAD

  7. Reply

    Kost

    I've just uploaded my tool to github which worked for me flawlessly (and pretty fast) for git:
    https://github.com/kost/dvcs-ripper

    You can read more about it here:
    http://k0st.wordpress.com/2012/10/23/rip-or-pillage-dvcs-story-about-git/

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>