How I could download the source code of an Indian e-commerce website!!
Hey Everyone, I intend to write this one down to express my methodology for this bug that I found in one of the websites which could lead me to download the entire source code.
So as always, I initiated with reconnaissance on this website and got a few subdomains with a 200 OK response code, but I chose the one in the dev environment, dev.domain.com. Using dirbuster on the chosen one, I found a .git folder in its directory with a 403 Forbidden error code.
I was curious to check if it is still possible to restore git repositories from this URL. Some developers host their version control repository (.git) in production, which can let an attacker gain complete access to the application’s source code even when .git returns 403 Forbidden. Now my intention was to download the code repository for this website. For this, I read the git-internals to understand how git manages the repository. Git mainly has 4 types of objects:
blob: A blob object is the data storage of a single file or the actual source code
tree: Grouping blobs together
commit: A commit object contains the reference to another tree object and some other information (author, committer, etc.)
tag: A tag or a tag object is just another reference to a commit object and just makes for easier referencing.
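How the object types above are laid out on disk, as an added example that is not part of the original post: a loose object is the zlib-compressed bytes `<type> <size>\0<body>` and is named by the SHA-1 of those bytes, which is why blocking only the directory listing does not protect the repository. The helper names and sample data are constructed for illustration, and the default SHA-1 object format is assumed.

```python
from __future__ import annotations
import hashlib
import zlib

def encode_object(obj_type: str, body: bytes) -> tuple[str, bytes]:
    """Return (sha1 hex id, zlib-compressed loose object) the way git stores it."""
    raw = f"{obj_type} {len(body)}".encode() + b"\x00" + body
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)

def loose_path(oid: str) -> str:
    """Loose objects live at objects/<first 2 hex chars>/<remaining 38>."""
    return f"objects/{oid[:2]}/{oid[2:]}"

def decode_object(compressed: bytes) -> tuple[str, bytes]:
    """Inflate a loose object, validate its header, return (type, body)."""
    raw = zlib.decompress(compressed)
    header, sep, body = raw.partition(b"\x00")
    if not sep:
        raise ValueError("missing NUL after header")
    obj_type, _, size = header.decode("ascii").partition(" ")
    if obj_type not in ("blob", "tree", "commit", "tag"):
        raise ValueError(f"unknown object type {obj_type!r}")
    if not size.isdigit() or int(size) != len(body):
        raise ValueError("size in header does not match body length")
    return obj_type, body

def parse_tree(body: bytes) -> list[tuple[str, str, str]]:
    """Tree body = repeated '<mode> <name>' + NUL + 20 raw SHA-1 bytes."""
    entries, pos = [], 0
    while pos < len(body):
        space = body.index(b" ", pos)
        nul = body.index(b"\x00", space)
        mode, name = body[pos:space].decode(), body[space + 1:nul].decode()
        entries.append((mode, name, body[nul + 1:nul + 21].hex()))
        pos = nul + 21
    return entries

# Constructed sample data: one file (blob), one tree, one commit.
BLOB_ID, BLOB = encode_object("blob", b"hello\n")
TREE_BODY = b"100644 hello.txt\x00" + bytes.fromhex(BLOB_ID)
TREE_ID, TREE = encode_object("tree", TREE_BODY)
COMMIT_BODY = (f"tree {TREE_ID}\n"
               "author A U Thor <a@example.com> 0 +0000\n"
               "committer A U Thor <a@example.com> 0 +0000\n\ninitial\n").encode()
COMMIT_ID, COMMIT = encode_object("commit", COMMIT_BODY)

if __name__ == "__main__":
    print(loose_path(COMMIT_ID), parse_tree(decode_object(TREE)[1]))
```

A commit names its tree and a tree names its blobs, so every object ID in the chain maps to a predictable file path under `.git/objects`.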
I started accessing some of the standard files in the git repository from the URL in the browser and, to my surprise, I could access the below files in the browser.
After their config files were accessible to me, I wanted to download the code repo now. So using the below command, I dumped the code on my local machine:
Now the git folder was created inside the repo and the object files of the code were now downloaded. For analyzing these object files, I used the hash values as below:
We can also find a list of all pack files in
Lastly, I used the git reset --hard command to revert all the uncommitted changes. Since this is a potentially dangerous command, it should be used cautiously.
Thanks for reading!!!
Minali Arora (@AroraMinali)