Allan Jay Dumanhug

@ajdumanhug

Downloading Source Codes and Other Sensitive Files Through Publicly Visible Git Repository

Nowadays, most Professional Developers uses a Version Control Tool and now considered as a part of the Software Development.

Version Control is a system that records changes to a file or set of files over time so that they can recall specific versions later.

Some developers also includes Git Repository in their staging environment. However, they sometimes neglect removing the Git Repository after uploading the website to the internet or restricting unauthenticated users from accessing it.

By using Google Dork which filters results from Google, it allows other user to identify websites with publicly visible and accessible Git Repository. Like the screenshot of the website with a publicly visible Git Repository below.

Visible and Accessible Git Repository

After locating a target, I started downloading the files in the Git Repository using wget.

wget lets you download files from the internet or even mirror entire websites for offline viewing.
Retrieving the Git Repository

Then, I went to objects folder and randomly chose a folder and checked it.

Objects in the Git Repository

I chose folder 64 and found 2 files inside.

Then I have to concatenate 64(Folder) and 5f8669cf5704ae8d96c938c49d4b26b7466f9e(File) to get the Hash.

Hash = 645f8669cf5704ae8d96c938c49d4b26b7466f9e

Then, I used git cat-file command to show the contents of the hashed file.

git cat-file provides content or type and size information for repository objects
Content of the Hashed File

I found lot of files, directories, and 2 SQL Files(2 Databases). Without further ado, I immediately downloaded an SQL File.

Successfully downloaded the database.

But there’s a problem. The database is so huge and I can’t open it using XAMPP. So, I decided to use my premium hosting on GoDaddy to view the database.

342 Tables but no data inside.

As I mentioned above, you may remove the Git Repository or restrict unauthenticated user from accessing it. Below is one way to deny user’s requests to access the Git Repository.

<Directory ~ “\.git”> 
Order deny,allow
Deny from all
</Directory>

That is all folks! I hope you learned something with this blog post.

Note: This bug has already been reported.

Update: Resolved!

More by Allan Jay Dumanhug

Topics of interest

More Related Stories