How I could download the source code of an Indian e-commerce website!!

Minali Arora
Sep 9, 2018 · 3 min read

Hey Everyone, I am writing this one down to describe my methodology for a bug I found in a website which allowed me to download its entire source code.

So, as always, I started with reconnaissance on this website and got a few subdomains with a 200 OK response code, but I chose the one in the dev environment, dev.domain.com. Running dirbuster on it, I found a .git folder in its directory that returned a 403 Forbidden error code.

I was curious to check if it was still possible to restore the git repository from this URL. Some developers deploy their version control repository (.git) to production, which can let an attacker gain complete access to the application's source code even when the .git directory itself returns 403 Forbidden, because the individual files inside it may still be served. My intention now was to download the code repository for this website. For this, I read the git-internals documentation to understand how git manages a repository. Git mainly has 4 types of objects:

blob: A blob object is the data storage of a single file, i.e. the actual source code.

tree: A tree groups blobs (and other trees) together, mapping file names and modes to object ids.

commit: A commit object contains a reference to a tree object plus some other information (author, committer, parent commits, message etc.).

tag: A tag object is just another reference to a commit object and simply makes for easier referencing.
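To make the object model above concrete, here is an added example (not code from the original post) that builds a one-file repository in memory the way git stores it on disk: each loose object is `"<type> <size>\0<payload>"`, its id is the SHA-1 of that whole buffer, and it is stored zlib-compressed under `objects/<first two hex chars>/<remaining 38>`. The sample file content, author and message are constructed for the example; the walk from commit to tree to blob is exactly what a git client does when it checks out HEAD.

```python
import hashlib
import zlib


def hash_object(obj_type, data):
    """Build a loose object exactly as git does: "<type> <size>\\0<data>".
    The object id is the SHA-1 of the whole buffer; storage is zlib-compressed."""
    raw = obj_type.encode() + b" " + str(len(data)).encode() + b"\0" + data
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)


def read_object(compressed):
    """Inverse of hash_object: inflate a loose object and split off its header."""
    raw = zlib.decompress(compressed)
    header, _, data = raw.partition(b"\0")
    obj_type, size = header.decode().split(" ")
    if int(size) != len(data):
        raise ValueError("corrupt object: size header does not match payload")
    return obj_type, data


def make_tree(entries):
    """entries: list of (mode, name, hex_sha). Git sorts entries by name and
    stores each object id as 20 raw bytes, not as 40 hex characters."""
    out = b""
    for mode, name, sha in sorted(entries, key=lambda e: e[1]):
        out += mode.encode() + b" " + name.encode() + b"\0" + bytes.fromhex(sha)
    return out


def parse_tree(data):
    """Split a tree payload back into (mode, name, hex_sha) entries."""
    entries = []
    i = 0
    while i < len(data):
        nul = data.index(b"\0", i)
        mode, name = data[i:nul].decode().split(" ", 1)
        sha = data[nul + 1:nul + 21].hex()
        entries.append((mode, name, sha))
        i = nul + 21
    return entries


def parse_commit(data):
    """Commit payload: header lines, a blank line, then the free-form message."""
    headers, _, message = data.decode().partition("\n\n")
    fields = {"parent": []}
    for line in headers.splitlines():
        key, _, value = line.partition(" ")
        if key == "parent":
            fields["parent"].append(value)   # merges have several parents
        else:
            fields[key] = value
    fields["message"] = message
    return fields


def build_sample_repo():
    """Constructed sample: one blob, one tree, one commit, stored in a dict
    keyed by object id. Then walk commit -> tree -> blob like a checkout."""
    store = {}
    blob_sha, packed = hash_object("blob", b"hello\n")
    store[blob_sha] = packed
    tree_sha, packed = hash_object("tree", make_tree([("100644", "README", blob_sha)]))
    store[tree_sha] = packed
    commit_body = (f"tree {tree_sha}\n"
                   "author Example Dev <dev@example.invalid> 1536451200 +0000\n"
                   "committer Example Dev <dev@example.invalid> 1536451200 +0000\n"
                   "\ninitial commit\n").encode()
    commit_sha, packed = hash_object("commit", commit_body)
    store[commit_sha] = packed

    kind, data = read_object(store[commit_sha])
    commit = parse_commit(data)
    _, tree_data = read_object(store[commit["tree"]])
    entries = parse_tree(tree_data)
    _, blob_data = read_object(store[entries[0][2]])
    return {
        "commit_type": kind,
        "blob_sha": blob_sha,
        "tree_sha": tree_sha,
        "commit_sha": commit_sha,
        # on-disk location of the commit inside .git/
        "commit_path": f"objects/{commit_sha[:2]}/{commit_sha[2:]}",
        "file": entries[0][1],
        "content": blob_data,
        "message": commit["message"],
    }


if __name__ == "__main__":
    for key, value in build_sample_repo().items():
        print(f"{key}: {value}")
```

The blob id produced for `hello\n` matches what `echo hello | git hash-object --stdin` prints, which is a quick way to confirm the header format is right. The same parsing applies to objects fetched from anywhere; this is why a readable `objects/` directory is equivalent to a readable source tree.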

I started accessing some of the standard files of a git repository from the URL in the browser and, to my surprise, I could open the files below directly:

  • HEAD
  • objects/info/packs
  • description
  • config
  • COMMIT_EDITMSG
  • index
  • logs/HEAD

Once their config files were accessible to me, I wanted to download the code repository. So, using the command below, I dumped the repository onto my local machine:

Now the .git folder was created inside the local repository and the object files of the code were downloaded. To analyze these object files, I used their hash values as below:

A list of all pack files can also be found in .git/objects/info/packs.

Lastly, I used the `git reset --hard` command, which discards all uncommitted changes and restores the working tree to HEAD. Since this is a potentially destructive command, it should be used cautiously.

Thanks for reading!!!

Minali Arora (@AroraMinali)

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

Written by Minali Arora: Security Researcher, Blogger, Orator and a Technology Enthusiast