git .git directory commits_Hacking git directories

git .git directory commits

When attacking an application, obtaining the application’s source code can be extremely helpful for constructing an exploit. This is because some bugs, like SQL injections, are way easier to find using static code analysis compared to black-box testing.

Obtaining an application's source also often means getting a hold of developer comments, hardcoded API keys, and other sensitive data. So the source code of an application should always be protected from public view.

Finding .git directory information leaks

A way that applications accidentally expose source code to the public is through an exposed .git directory.

When a developer uses Git to version control a project’s source code, a git directory (located at project.com/.git) is used to store all the version control information of the project, including the commit history of project files. Normally, the .git folder should not be accessible to the public. But sometimes the .git folder is accidentally made available, and this is when information leaks happen.

To check if an application’s .git folder is exposed, simply go to the application’s root directory, for example project.com, and add /.git to the URL. There are three possibilities that can happen when you browse to the /.git directory:

  • If you get a 404 error, this means that the .git directory of the application is not made available to the public, and you won’t be able to leak information this way.
  • If you get a 403 error, the .git directory is available on the server, but you won’t be able to directly access the folder’s root, and therefore will not be able to list all the files contained in the directory.
  • If you don’t get an error and the server responds with the document tree of the .git directory, you can directly browse the folder’s contents and retrieve any information contained in it.
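
The same three outcomes are what the server side records in its access log, which is where a defender finds out whether the directory was ever reachable and who asked for it. The script below is an added example, not code from the original article: it parses Common Log Format lines (the default format of Apache and nginx), keeps the requests that touch a .git directory, and classifies each by the status code returned, so a 200 on a file such as .git/config means the contents were actually served. The log lines are constructed sample data, the only page-derived value in them is the tree object hash used later in the article, and the function names (parse_line, is_git_path, classify, scan) are this example's own. The fix on the server is still to deny the /.git path or deploy without the directory; this check tells you whether that was ever missing.

```python
"""Flag requests for a .git directory in web server access logs.

Added example (not from the original article): parses Common Log Format
lines, keeps only requests that touch a .git directory, and classifies
each one by the status code the server returned. SAMPLE_LOG at the bottom
is constructed sample data.
"""
import re
from collections import Counter
from typing import Optional

# Common Log Format: host ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it is not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_git_path(path: str) -> bool:
    """True for /.git itself and anything below a .git directory at any depth."""
    path = path.split("?", 1)[0] + "/"      # drop the query string, normalise the trailing slash
    return "/.git/" in path                  # /.gitignore and /.github do not match


def classify(status: int) -> str:
    """Map the status code onto the three outcomes described in the article."""
    if status == 404:
        return "not-present"
    if status == 403:
        return "present-but-blocked"
    if 200 <= status < 300:
        return "EXPOSED"                     # the server actually served .git content
    return "other"


def scan(lines) -> dict:
    """Collect every .git request with its verdict plus a per-verdict summary."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_git_path(rec["path"]):
            continue
        findings.append({"host": rec["host"], "time": rec["time"], "path": rec["path"],
                         "status": rec["status"], "verdict": classify(rec["status"])})
    return {
        "findings": findings,
        "summary": Counter(f["verdict"] for f in findings),
        "exposed_paths": sorted({f["path"] for f in findings if f["verdict"] == "EXPOSED"}),
        "probing_hosts": sorted({f["host"] for f in findings}),
    }


# Constructed sample log: one client walks HEAD -> config -> objects, another asks for
# unrelated files. The object hash is the one the article uses for its tree object.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /.git/HEAD HTTP/1.1" 200 23
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /.git/config HTTP/1.1" 200 137
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /.git/ HTTP/1.1" 403 199
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /.git/objects/0a/72e6850ef963c6aeee4121d38cf9de773865d8 HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:14:01:02 +0000] "GET /.gitignore HTTP/1.1" 404 153
198.51.100.7 - - [10/Oct/2023:14:01:03 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

if __name__ == "__main__":
    report = scan(SAMPLE_LOG.splitlines())
    print(dict(report["summary"]), report["exposed_paths"])
```

On the sample data the summary is three EXPOSED requests and one present-but-blocked, all from one host; a real log would be fed in with `scan(open(path))`. A 403 on the directory root followed by 200s on individual files is exactly the directory-listing-off case the next section describes, so treat any EXPOSED verdict as a leak regardless of what the root returned.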
Photo by Luke Chesser on Unsplash

Reconstructing project source from .git directory

If directory listing is enabled, an attacker can simply browse through the files and retrieve the leaked information. She can also use the wget command in recursive mode (-r) to mass-download the contents of the directory.

> wget -r project.com/.git

But if directory listing is not enabled and the directory’s files are not shown, there are still ways for an attacker to reconstruct the entire .git directory. To understand how this is done, we must first understand the structure of .git directories.

.git directory structure

The .git directory is laid out in a specific way. When you execute the command:

> ls .git

in the command line, you would probably see this:

COMMIT_EDITMSG HEAD branches config description hooks index info logs objects refs

Here are a few standard files and folders in the .git directory that are important in reconstructing the project’s source.

  • The /objects folder

The /objects directory is used to store Git objects. This directory contains additional folders that each have two-character names. These subdirectories are named after the first two characters of the SHA1 hash of the git objects stored in them.

Within these subdirectories, there are files named after the SHA1 hash of the git object stored in it.

For example, the command below will return a list of folders:

> ls .git/objects
00 0a 14 5a 64 6e 82 8c 96 a0 aa b4 be c8 d2 dc e6 f0 fa info pack

And this command will reveal the git objects stored in that particular folder:

> ls .git/objects/0a
082f2656a655c8b0a87956c7bcdc93dfda23f8 4a1ee2f3a3d406411a72e1bea63507560092bd 66452433322af3d319a377415a890c70bbd263 8c20ea4482c6d2b0c9cdaf73d4b05c2c8c44e9 ee44c60c73c5a622bb1733338d3fa964b333f0
0ec99d617a7b78c5466daa1e6317cbd8ee07cc 52113e4f248648117bc4511da04dd4634e6753 72e6850ef963c6aeee4121d38cf9de773865d8

Git objects are stored in /objects according to the first two characters of their SHA1 hash. For example, the Git object with a hash of 0a082f2656a655c8b0a87956c7bcdc93dfda23f8 will be stored with the file name of 082f2656a655c8b0a87956c7bcdc93dfda23f8 in the directory .git/objects/0a.

Git stores different types of objects in .git/objects. An object stored here can be a commit, a tree, a blob, or an annotated tag. You can determine the type of an object by using the command:

> git cat-file -t OBJECT-HASH

Commit objects store information about the commit’s directory tree object hash, parent commit, author, committer, date, and message of a commit. Tree objects contain the directory listings for commits. Blob objects contain copies of files that were committed (read: actual source code!). Tag objects contain information about tagged objects and their associated tag names.

You can display the file associated with a Git object by using the command:

> git cat-file -p OBJECT-HASH

  • The /config file is the Git configuration file for the project.

  • The /HEAD file is a file that contains a reference to the current branch.

> cat .git/HEAD
ref: refs/heads/master

Confirming that files are accessible

If you are not able to access the .git directory listing, you’ll need to confirm that the folder’s contents are indeed available to the public. You can do this by trying to access the config file of the .git directory.

> curl https://project.com/.git/config

If this file is accessible, you might be able to download the entire contents of the .git directory.

Downloading the files

If you cannot access the /.git folder’s directory listing, you have to download each file you want instead of recursively downloading from the directory root.

But how do you find out which files on the server are available when object files have complex paths such as “.git/objects/0a/72e6850ef963c6aeee4121d38cf9de773865d8”?

You start with file paths that you already know exist, like “.git/HEAD”! Reading this file will give you a reference to the current branch (for example, .git/refs/heads/master) that you can use to find more files on the system.

> cat .git/HEAD
ref: refs/heads/master
> cat .git/refs/heads/master
0a66452433322af3d319a377415a890c70bbd263
> git cat-file -t 0a66452433322af3d319a377415a890c70bbd263
commit
> git cat-file -p 0a66452433322af3d319a377415a890c70bbd263
tree 0a72e6850ef963c6aeee4121d38cf9de773865d8

The .git/refs/heads/master file will point you to the corresponding object hash that stores the directory tree of the commit. From there, you can see that the object is a commit and is associated with a tree object, 0a72e6850ef963c6aeee4121d38cf9de773865d8.

Now when you examine the tree object stored at 0a72e6850ef963c6aeee4121d38cf9de773865d8:

> git cat-file -p 0a72e6850ef963c6aeee4121d38cf9de773865d8
100644 blob 6ad5fb6b9a351a77c396b5f1163cc3b0abcde895 .gitignore
100644 blob 4b66088945aab8b967da07ddd8d3cf8c47a3f53c source.py
100644 blob 9a3227dca45b3977423bb1296bbc312316c2aa0d README
040000 tree 3b1127d12ee43977423bb1296b8900a316c2ee32 resources

Bingo! You discover some source code files and additional object trees to explore.

On a remote server, your requests to discover the different files would look more like this:

https://project.com/.git/HEAD (to determine the HEAD)
https://project.com/.git/refs/heads/master (to find the object stored in that HEAD)
https://project.com/.git/objects/0a/72e6850ef963c6aeee4121d38cf9de773865d8 (to access the tree associated with the commit)
https://project.com/.git/objects/9a/3227dca45b3977423bb1296bbc312316c2aa0d (to download the source code stored in the README file)

On a remote server like this, you will need to decompress the downloaded object file before you read it. This can be done using Ruby:

ruby -rzlib -e 'print Zlib::Inflate.new.inflate(STDIN.read)' < OBJECT_FILE
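
The object layout described in the .git directory structure section and the HEAD, ref, commit, tree walk shown above can be reproduced with a few dozen lines of Python, which makes the format easier to reason about than the opaque `git cat-file` output. The following is an added example, not code from the original article: it writes a one-commit repository into a temporary directory using nothing but plain file writes, then reads it back using only zlib (the same inflate step the Ruby one-liner performs) and hashlib, verifying each object's SHA1 and size header on the way. The function names (encode_object, write_object, read_object, parse_tree, build_sample_repo, walk_head, demo) and all repository contents are constructed for this example.

```python
"""Loose-object reader for a .git directory (added example, not the article's code).

Builds a one-commit repository layout with plain file writes, then walks
HEAD -> ref -> commit -> tree -> blob using only zlib and hashlib, the same
steps the article performs with `cat` and `git cat-file`. Every repository
value below is constructed sample data.
"""
import hashlib
import os
import tempfile
import zlib
from typing import Optional


def encode_object(obj_type: str, body: bytes) -> tuple[str, bytes]:
    """Git hashes '<type> <size>\\0<body>' and stores zlib(that same string)."""
    store = f"{obj_type} {len(body)}".encode() + b"\x00" + body
    return hashlib.sha1(store).hexdigest(), zlib.compress(store)


def write_object(git_dir: str, obj_type: str, body: bytes) -> str:
    """Store a loose object at objects/<first 2 hex chars>/<remaining 38>."""
    sha, compressed = encode_object(obj_type, body)
    subdir = os.path.join(git_dir, "objects", sha[:2])
    os.makedirs(subdir, exist_ok=True)
    with open(os.path.join(subdir, sha[2:]), "wb") as f:
        f.write(compressed)
    return sha


def read_object(git_dir: str, sha: str, expect: Optional[str] = None) -> tuple[str, bytes]:
    """Inflate a loose object, check hash, size header and (optionally) type."""
    path = os.path.join(git_dir, "objects", sha[:2], sha[2:])
    with open(path, "rb") as f:
        store = zlib.decompress(f.read())
    if hashlib.sha1(store).hexdigest() != sha:       # tampered or truncated file
        raise ValueError(f"object {sha}: content does not match its hash")
    header, body = store.split(b"\x00", 1)
    obj_type, size = header.decode().split(" ")
    if int(size) != len(body):
        raise ValueError(f"object {sha}: size header {size} != {len(body)}")
    if expect and obj_type != expect:
        raise ValueError(f"object {sha} is a {obj_type}, expected {expect}")
    return obj_type, body


def parse_tree(body: bytes) -> list[tuple[str, str, str]]:
    """Decode '<mode> <name>\\0<20 raw SHA1 bytes>' entries into (mode, hex sha, name)."""
    entries, pos = [], 0
    while pos < len(body):
        nul = body.index(b"\x00", pos)
        mode, name = body[pos:nul].decode().split(" ", 1)
        entries.append((mode, body[nul + 1:nul + 21].hex(), name))
        pos = nul + 21
    return entries


def build_sample_repo(git_dir: str) -> dict:
    """Write a blob, a tree pointing at it, a commit, HEAD and the branch ref."""
    blob_sha = write_object(git_dir, "blob", b"hello world\n")
    tree_sha = write_object(git_dir, "tree", b"100644 README\x00" + bytes.fromhex(blob_sha))
    commit_body = (
        f"tree {tree_sha}\n"
        "author Sample <sample@example.invalid> 0 +0000\n"
        "committer Sample <sample@example.invalid> 0 +0000\n"
        "\nconstructed sample commit\n"
    ).encode()
    commit_sha = write_object(git_dir, "commit", commit_body)
    os.makedirs(os.path.join(git_dir, "refs", "heads"), exist_ok=True)
    with open(os.path.join(git_dir, "HEAD"), "w") as f:
        f.write("ref: refs/heads/master\n")
    with open(os.path.join(git_dir, "refs", "heads", "master"), "w") as f:
        f.write(commit_sha + "\n")
    return {"blob": blob_sha, "tree": tree_sha, "commit": commit_sha}


def walk_head(git_dir: str) -> dict:
    """Follow HEAD -> ref -> commit -> tree and return the top-level files."""
    with open(os.path.join(git_dir, "HEAD")) as f:
        head = f.read().strip()
    if head.startswith("ref: "):            # symbolic ref: read the branch file
        with open(os.path.join(git_dir, head[5:])) as f:
            commit_sha = f.read().strip()
    else:                                   # detached HEAD stores the hash itself
        commit_sha = head
    _, commit_body = read_object(git_dir, commit_sha, expect="commit")
    tree_sha = commit_body.split(b"\n", 1)[0].split(b" ")[1].decode()
    _, tree_body = read_object(git_dir, tree_sha, expect="tree")
    files = {}
    for mode, sha, name in parse_tree(tree_body):
        if mode != "40000":                 # 40000 = subtree (cat-file prints it as 040000); recurse if needed
            files[name] = read_object(git_dir, sha)[1]
    return {"commit": commit_sha, "tree": tree_sha, "files": files}


def demo() -> dict:
    """Create the sample repository in a temporary directory and walk it."""
    with tempfile.TemporaryDirectory() as tmp:
        git_dir = os.path.join(tmp, ".git")
        written = build_sample_repo(git_dir)
        found = walk_head(git_dir)
    found["consistent"] = found["commit"] == written["commit"]
    return found
```

Calling `demo()` returns the recovered files (`{"README": b"hello world\n"}`) together with the commit and tree hashes it passed through. Two details are worth noticing: the hash covers the `blob 12\0` header as well as the content, which is why `encode_object` must build that header before hashing, and `read_object` refuses an object whose inflated bytes do not hash to its file name, so a truncated or tampered object file fails loudly instead of yielding garbage, which is the behaviour you want when validating a backup or a repository recovered after an incident.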

Finding useful information

After recovering the project’s source code, you can grep for hardcoded credentials, encryption keys and developer comments for quick wins. You should also look for new and deprecated endpoints and record them for further analysis.

If you have time, you can simply browse through the entire recovered codebase to find potential vulnerabilities. Here’s a guide to reviewing code for security purposes:

Thanks for reading. And remember: trying this on systems where you don’t have permission to test is illegal. If you’ve found a vulnerability, please disclose it responsibly to the vendor. Help make our Internet a safer place.

Translated from: https://medium.com/swlh/hacking-git-directories-e0e60fa79a36
