Git
A version control system often saving lots of information about how files were changes
Last updated
A version control system often saving lots of information about how files were changes
Last updated
Git is a version control system that allows you to save the state of files. It is often used with source code and published on . There are a few keywords that Git uses you need to know to understand the terminology:
Repositories: The entirety of your git system, with the files, history, and information. Can be created using git init
Commits: "Save states" of the files in your repository. Whenever you change something and you are happy with the change, you can commit it so it's saved as a snapshot that you can later go back to. Can be created using git commit -m "message"
Branches: Parallel to your main repository, branches are sidesteps to slowly work on a new feature for example, and then later in time merge it into the main branch. Can be created using git checkout -b newfeature
All the information about your Git repository gets saved in a .git
directory that is at the root of your repository. The git
command interacts with this directory and lots of tools can get information from it. So if you ever find a .git
directory you'll know the current directory is a Git repository.
To find everything in a repository without having to think of every command, you can use a tool like to explore the repository visually. Just open the directory in that tool and you can see a timeline of what commits and branches were made.
In some cases, you'll find that the website you're testing uses Git by finding a .git
directory. Normally this should be hidden by a 403 Forbidden for example, but this is not always the case. Sometimes you can see a list of files, or you can directly access .git/HEAD
instead.
When you visit the .git
directory on the website, and you can see a list of files relating to git, you know that directory listing is on. This makes it really easy to download everything at once recursively and then examine the repository on your own machine.
When a website disables directory listing, but the .git
directory can still be found with something like .git/HEAD
, you might be able to use on it to extract all the files without having the need for directory listing. This tool understands the Git file structure and can find all the related files:
Then use the source code to perform more targeted attacks, or look for secrets, even in history:
Git is a very flexible system, allowing many settings to be changed to decide how CLI tools interact with the repository. These configuration variables can allow executing arbitrary commands however when certain git commands are executed. The core.fsmonitor
variable in .git/config
is a common one that can be set to a bash command to execute:
This same config variable can be set via environment variables:
There is another feature called "hooks" that allow you to run bash scripts when a certain action happens with the repository. When a git commit
is executed, for example, the pre-commit
hook gets triggered. If you can write these hooks you can let whoever runs the git commit
execute arbitrary commands.
You can find these hooks in the .git/hooks
directory. If you are able to write a pre-commit
file here, you can put any executable file in its place and it will be run on commit:
Then just make sure the file is actually executable with chmod
:
If you're running a git repository, you might need some complicated actions from time to time. This is a collection of some common actions as commands to quickly copy and paste.
The tool can also be useful for large repositories where manually searching would take too long. It has a few built-in formats for credentials like private keys or AWS secrets. Run it locally on a cloned repository like this:
Many shell extensions like use git
to get the current repository and are vulnerable to this, as well as (now only with Trusted Mode). To find such issues, you can create a malicious repository with as many landmines as possible that trigger on different commands. This creates an empty repository with most known ways to execute commands:
.git/config
and hooks
GIT landmines (lib/payload
= payload)