Source code disclosure via exposed .git

Your vote is:
5.00 of 7 votes

Git Icon

This is my write-up on a misconfigured .git repo I found during my day off and how the potential exploitation of this vulnerability can amount to source-code disclosure.

During my day off I took a brief look at a particular vendor my employer was in the process of procuring a new service from. I quickly identified what appeared to be an exposed .git repo which I was able to provisionally validate over HTTP. Whilst I wasn't able to view the .git folder itself because public read access is disabled on the server, I was able to confirm the repository contents were accessible.

Example #1:

Screenshot of git config

Example #2:

Screenshot of git logs

Here I will walkthrough how we can extract the contents of a repository like this to help identify the impact of a vulnerability such as source code disclosure with a clear PoC.

To dump this repository locally for analysis and to help quantify the number of objects within it, we can use the dumper tool from GitTools.

git clone

cd GitTools/Dumper

./ https://[TARGET]/.git/ ~/target

Git tools dumper

To view a summary of the file tree:

cd target
tree -a .git/objects

Tree view objects

The files within the repository are identified by their corresponding hash values, though the full hash string for these actually includes the first two characters of each corresponding subfolder within the tree. This means we need to add these to the file name to complete the 40 character hash string.

Tree view objects start of hashes

We can pull these 40 character hashes by concatenating the subfolder name with the filename by using find and then piping the results into the format we want using awk

find .git/objects -type f | awk -F/ '{print $3$4}'

Concatenate hashes to subfolder.png

We can use a for loop to identify the type of all files within the objects directory:

for i in $(find .git/objects -type f | awk -F/ '{print $3$4}'); git cat-file -t $i

Here we can see these objects consist of a number of trees, commits, and blobs (binary large objects).

Use awk command to view file types

In this example, I actually have a calculated total of:

1,276 trees
910 commits
923 blobs

By default, git stores objects in .git/objects as their original contents, which are compressed using the zlib library. This means we cannot view objects within a text-editor as-is, and must instead rely on alternative options such as git cat-file

We can check the type for each of these files individually using their identified hashes:

git cat-file -t [FULL FILE HASH]

Check individual hash file types

We can preview the contents of each of these files individually using their identified hashes:

git cat-file -p [FULL FILE HASH] | head

Print individual hash file contents

In my last example, we can see this particular blob contains PHP code. As PHP is a server-side scripting language (almost like a blueprint to backend functionality), this can be used to evidence that server-side source code is exposed within this repository. The impact of this can vary depending on the functionality purpose and volume of code, but in my experience often results in the exposure of backend configuration settings, hardcoded credentials (such as usernames and passwords), API tokens, and other endpoints. If this is a repository upon which any proprietary software components rely, then source code disclosure of this type can also present a number of issues relating to theft of intellectual property.

This finding was duly reported to the affected vendor within 24 hours of being identified.


Jacob Riggs

Jacob Riggs is the founder of Deadswitch. He is a Security Specialist based in the UK with over a decade of experience working to improve the cyber security of media and third sector organisations. His contributions focus on expanding encryption tools, promoting crypto-anarchist philosophy, and pioneering projects centred on leveraging cryptography to protect the privacy and political freedoms of others.

E3FE 4B44 56F5 69BE 76C1 E169 E3C7 0A52 9AEF DB6F

Subscribe to my Blog

Get my latest posts delivered straight to your inbox.