Posted on Friday, October 4th, 2013 by David Lodge.
For those who have heard of me in the past, it is possible that you may have read a couple of my clever and well-written articles on cirt.net about abusing various revision and version control systems when they are being used to manage content on web servers. You may even have seen me presenting at the East Midlands OWASP chapter meeting in May.
I promised then that the next step would be Git. That promise is now delivered as I've found a real world web server being managed through Git.
Git was originally designed by Linus Torvalds (you may recognise that name) as a replacement for BitKeeper.
It is becoming more and more popular for a lot of open source projects and is used for such worthy products as the Linux kernel, Android and the Nikto web scanner.
Like SVN or Mercurial, Git stores its metadata files in a "hidden" directory: .git. This directory has several files and directories that can be used to gather information:
.git/config is a text file that tells Git which branch is checked out and which remote server (and username) the code was cloned from. This is useful for information gathering but doesn't help us further.
.git/index is an index of all files in the repository which will allow us to extract the filenames present. This is a binary file, but the format is easy to work out and a custom tool can easily be written.
.git/objects and .git/objects/pack contain the complete ("loose") objects or a packed version of them, depending on internal magical gubbins: I've seen Git repositories with every object loose in objects/, and I've seen repositories with no loose objects in objects/ at all. The important bit here is that loose objects are stored by their SHA1 hash (the first two hex characters as a subdirectory, the remaining 38 as the filename) with no file extension.
So, we find a web server where somebody has used Git as their release mechanism and left the .git directory around; what can we do?
First off we extract .git/index, this gives us a list of filenames and their hashes:
[dave@xxxxxxxxxx git-decode]$ ./git-decode.pl index
Now we can try and extract each file by checking whether .git/objects/93/640e83ded965b7a76f6dde906361bbf7b566d9 exists on the server. If it does we can download it, decompress it and read whatever contents it has.
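From the defending side, the same fetch sequence is easy to spot in web server access logs: a client asking for .git/index and then for .git/objects/xx/... paths. The following is an added example (not part of the original post or of the GIT-GRAB tool) that parses Combined Log Format lines and flags requests into Git, SVN or Mercurial metadata directories. The log lines, hosts and timestamps are constructed for the example; the one object hash is the one quoted above.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines (Combined Log Format). Hosts,
# timestamps and user agents are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Oct/2013:10:12:01 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Oct/2013:10:12:02 +0100] "GET /.git/index HTTP/1.1" 200 14233 "-" "curl/7.30.0"
203.0.113.7 - - [04/Oct/2013:10:12:03 +0100] "GET /.git/objects/93/640e83ded965b7a76f6dde906361bbf7b566d9 HTTP/1.1" 200 913 "-" "curl/7.30.0"
198.51.100.9 - - [04/Oct/2013:10:15:44 +0100] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [04/Oct/2013:10:15:45 +0100] "GET /%2egit/config HTTP/1.1" 403 199 "-" "python-requests/1.2"
203.0.113.7 - - [04/Oct/2013:10:16:00 +0100] "GET /.svn/entries HTTP/1.1" 404 162 "-" "curl/7.30.0"
"""

# Combined Log Format: host, ident, user, [timestamp], "METHOD path proto", status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# A path component that is exactly .git, .svn or .hg (so .gitignore is not matched).
VCS_RE = re.compile(r'(?:^|/)\.(?:git|svn|hg)(?:/|$)')


def classify_request(line):
    """Return a dict describing the request if it targets VCS metadata, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Drop any query string and percent-decode, so /%2egit/ is seen as /.git/.
    path = unquote(m.group("path").split("?", 1)[0])
    if not VCS_RE.search(path):
        return None
    status = int(m.group("status"))
    return {
        "host": m.group("host"),
        "timestamp": m.group("ts"),
        "path": path,
        "status": status,
        # A 200 means the server actually handed the metadata over.
        "served": status == 200,
    }


def find_vcs_probes(log_text):
    """Scan a block of log text and return every VCS-metadata request found."""
    hits = []
    for line in log_text.splitlines():
        hit = classify_request(line)
        if hit is not None:
            hits.append(hit)
    return hits


def exposed_paths(hits):
    """Paths that were served successfully, i.e. evidence the repository is reachable."""
    return sorted(h["path"] for h in hits if h["served"])


def probing_hosts(hits):
    """Count of VCS-metadata requests per client address."""
    counts = {}
    for h in hits:
        counts[h["host"]] = counts.get(h["host"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_vcs_probes(SAMPLE_LOG)
    for h in found:
        print(h["host"], h["status"], h["path"])
    print("served:", exposed_paths(found))
    print("per host:", probing_hosts(found))
```

A 200 on .git/index or any .git/objects path is the line worth alerting on: a 403 or 404 shows someone looked, a 200 shows the repository is being read. The same regex works as a filter in whatever log pipeline is already in place.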
Now, I'm lazy, so there's a perl script that will do this for you. I've put in a drop-down at the bottom there, labelled "GIT-GRAB". The syntax for calling it is simply:
- Check security of release processes
- Don’t checkout into web directory
- Evaluate hidden files
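The second and third points above come down to one check: is there any VCS metadata under the web root? The following is an added example (not from the original post) that walks a document root and reports every .git, .svn or .hg entry, including the case where .git is a file rather than a directory (the "gitdir:" pointer Git writes for submodules and worktrees). The fixture it builds in a temporary directory is constructed for the example.

```python
import os
import tempfile

# Metadata names written by Git, Subversion and Mercurial checkouts.
VCS_METADATA = {".git", ".svn", ".hg"}


def find_vcs_metadata(docroot):
    """Walk docroot and return a sorted list of (relative path, kind) tuples.

    kind is "dir" for a checkout's metadata directory and "file" for a
    .git pointer file (submodule or worktree), which still reveals that
    the content was deployed from a repository.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in list(dirnames):
            if name in VCS_METADATA:
                rel = os.path.relpath(os.path.join(dirpath, name), docroot)
                findings.append((rel.replace(os.sep, "/"), "dir"))
                # Don't descend into the metadata directory itself.
                dirnames.remove(name)
        for name in filenames:
            if name in VCS_METADATA:
                rel = os.path.relpath(os.path.join(dirpath, name), docroot)
                findings.append((rel.replace(os.sep, "/"), "file"))
    return sorted(findings)


def build_sample_docroot():
    """Constructed fixture: a fake web root with a full checkout at the top
    and a submodule-style .git pointer file under lib/vendor/."""
    base = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(base, ".git", "objects", "93"))
    with open(os.path.join(base, ".git", "index"), "wb") as f:
        f.write(b"DIRC")  # the index file's magic header
    os.makedirs(os.path.join(base, "lib", "vendor"))
    with open(os.path.join(base, "lib", "vendor", ".git"), "w") as f:
        f.write("gitdir: ../../.git/modules/vendor\n")
    with open(os.path.join(base, "index.php"), "w") as f:
        f.write("<?php echo 'hello';\n")
    return base


if __name__ == "__main__":
    root = build_sample_docroot()
    for rel, kind in find_vcs_metadata(root):
        print(f"{kind}: {rel}")
```

Run it against the real document root as part of the release process and fail the deployment if it returns anything. As a belt-and-braces measure the web server should also refuse to serve dot-directories; in nginx that is a `location ~ /\.git { deny all; }` block and in Apache a `RedirectMatch 404 /\.git` rule, so that a stray checkout does not become readable the moment someone forgets the first check.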