Finding exposed .git repositories
Developers use git
to version control their source code. We all do, in fact,
this blog is currently versioned by git
. However, we not only use git
to version control, but also to deploy applications. Usually we push new code to
a remote server, where the server takes care of testing the code and then
deploying the application. There are different ways of deploying an application,
but this is one of them.
Some developers/sys-admins simply clone the respository to their server, then
simply point their web-server to that directory. Most of the VCS keep a hidden
directory at the root of the project. git
keeps a .git
directory at the root
of the repository, where all the information of that project is stored, such as
logs, versions, tags, configs, previous revisions and so on.
Not only some developers/sys-admins clone the repository in their server, but they also point their web-server to that directory. Not only that, they also sometimes change the source to set some configurations files with sensitive information (email/password, and so on).
If the web-server is pointing to the git repository and has directory listing
enabled, we could download the .git
using wget=/=curl
recursively, then
simply checkout a master and voilà.
For example, say https://seds.nl/.git exists, containing all the objects of this
blog, we could simply run wget --mirror -I .git https://seds.nl/.git
to
download the repository.
How to find exposed git repositories #
We can simply try out every URL we know by adding /.git
at the end of the TLD.
Just kidding.
An easy way of finding websites which currently expose .git
is using Google
D0rks. If you are not familiar with Google D0rks, it’s basically a few operators
Google offers you to filter out a few queries. Here is a list of some of them.
The one we need is the intext:
operator.
intext:"Index of /.git"
This query makes use of the intext
operator. It allows us to ask Google to
find all the pages that have a specific word in the body somewhere forcing
inclusion on the page (source).
Let’s see.
Holy sh1t. That’s ~89,900 results from Google. Can you imagine how much sensitive information there must be?
How to fix this #
Well, first of all, find a better way to getting your source code to a remote server and simply pointing your web-server to that directory. If you don’t feel like finding a better way, or just want to keep things simple, here is what you need to do.
Nginx #
Add the following telling Nginx to deny any request to a .git
directory:
location ~ /.git/ {
deny all;
}
Apache #
Add the following telling Apache to deny any request to a .git
directory:
<DirectoryMatch "^/.*/\.git/">
Order deny,allow
Deny from all
</Directory>
The only question that remains is: Is there anyway you could extract a .git
from a web-server that has directory listing disabled? I haven’t looked much
into it, but I wonder if there is anyway we could use git
against itself.