{"id":13493595,"url":"https://github.com/WangYihang/GitHacker","last_synced_at":"2025-03-28T12:32:00.923Z","repository":{"id":37733025,"uuid":"87573166","full_name":"WangYihang/GitHacker","owner":"WangYihang","description":"🕷️ A `.git` folder exploiting tool that is able to restore the entire Git repository, including stash, common branches and common tags.","archived":false,"fork":false,"pushed_at":"2025-01-15T05:40:13.000Z","size":1917,"stargazers_count":1498,"open_issues_count":8,"forks_count":235,"subscribers_count":13,"default_branch":"master","last_synced_at":"2025-03-22T11:03:14.355Z","etag":null,"topics":["git","githack","web-security"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/WangYihang.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-04-07T18:01:15.000Z","updated_at":"2025-03-21T23:03:32.000Z","dependencies_parsed_at":"2022-07-10T15:16:12.741Z","dependency_job_id":"7b97c5d2-399a-4782-8484-1cbe1beea8b0","html_url":"https://github.com/WangYihang/GitHacker","commit_stats":{"total_commits":131,"total_committers":8,"mean_commits":16.375,"dds":"0.17557251908396942","last_synced_commit":"da5dc09e3833a0f7e8108911b7caccd907b4fbfa"},"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WangYihang%2FGitHacker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WangYihang%2FGitHacker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/r
epositories/WangYihang%2FGitHacker/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WangYihang%2FGitHacker/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/WangYihang","download_url":"https://codeload.github.com/WangYihang/GitHacker/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246030545,"owners_count":20712398,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["git","githack","web-security"],"created_at":"2024-07-31T19:01:16.910Z","updated_at":"2025-03-28T12:31:55.901Z","avatar_url":"https://github.com/WangYihang.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"# GitHacker\r\n\r\n[![PyPI version](https://badge.fury.io/py/GitHacker.svg)](https://badge.fury.io/py/GitHacker)\r\n[![PyPI download](https://img.shields.io/pypi/dm/githacker.svg)](https://pypistats.org/packages/githacker)\r\n\r\n## Description\r\n\r\nThis is a multi-threaded tool to exploit the `.git` folder leakage vulnerability. It is able to download the target `.git` folder almost completely. 
This tool also works when the `DirectoryListings` feature is disabled, by brute-forcing common `.git` folder files.\r\n\r\nWith GitHacker's help, you can view the developer's commit history, branches, ..., stashes, which gives a better understanding of the target repo and can even reveal security vulnerabilities.\r\n\r\n## PROCLAMATION (IMPORTANT)\r\n\r\n\u003e Several VULNERABILITIES have been reported recently. If you are using \r\n\u003e GitHacker \u003c= 1.1.0, please update your tool as soon as possible.\r\n\r\nThe remote `.git` folder may be malicious. To protect yourself from being attacked,\r\nit's highly recommended that you run this tool in a disposable jailed environment \r\n(e.g. a Docker container).\r\n\r\n## Requirements\r\n\r\n* git \u003e= 2.11.0\r\n* Python 3\r\n\r\n## Usage in Docker (Recommended)\r\n\r\n```bash\r\n# print help info\r\ndocker run wangyihang/githacker --help\r\n# quick start\r\ndocker run -v $(pwd)/results:/tmp/githacker/results wangyihang/githacker --output-folder /tmp/githacker/results --url http://127.0.0.1/.git/\r\n# brute-force the names of branches / tags\r\ndocker run -v $(pwd)/results:/tmp/githacker/results wangyihang/githacker --brute --output-folder /tmp/githacker/results --url http://127.0.0.1/.git/\r\n# exploit multiple websites, one site per line\r\ndocker run -v $(pwd)/results:/tmp/githacker/results wangyihang/githacker --brute --output-folder /tmp/githacker/results --url-file websites.txt \r\n```\r\n\r\n## Usage\r\n\r\n```bash\r\n# install\r\npython3 -m pip install -i https://pypi.org/simple/ GitHacker\r\n# print help info\r\ngithacker --help\r\n# quick start\r\ngithacker --url http://127.0.0.1/.git/ --output-folder result\r\n# brute-force the names of branches / tags\r\ngithacker --brute --url http://127.0.0.1/.git/ --output-folder result\r\n# exploit multiple websites, one site per line\r\ngithacker --brute --url-file websites.txt --output-folder result\r\n```\r\n\r\n## Comparison with other tools\r\n\r\n\u003e 
2021-05-25\r\n\r\n### [`DirectoryIndex`](https://httpd.apache.org/docs/2.4/mod/mod_dir.html#directoryindex) enabled in Web Server\r\n\r\n|     Tools     |    Source Code     |      Reflogs       |      Stashes       |      Commits       |      Branches      |      Remotes       |        Tags        |\r\n| :-----------: | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: |\r\n|   GitTools    | :heavy_check_mark: | :heavy_check_mark: |        :x:         | :heavy_check_mark: |        :x:         | :heavy_check_mark: |        :x:         |\r\n|  dvcs-ripper  | :heavy_check_mark: | :heavy_check_mark: |        :x:         | :heavy_check_mark: |        :x:         | :heavy_check_mark: |        :x:         |\r\n|    GitHack    | :heavy_check_mark: |        :x:         |        :x:         |        :x:         |        :x:         |        :x:         |        :x:         |\r\n|  git-dumper   | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |\r\n| **GitHacker** | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |\r\n\r\n### [`DirectoryIndex`](https://httpd.apache.org/docs/2.4/mod/mod_dir.html#directoryindex) disabled in Web Server\r\n\r\n\u003e :muscle: means brute-forcing.\r\n\r\n|     Tools     |    Source Code     |      Reflogs       |      Stashes       |      Commits       |      Branches      |      Remotes       |        Tags        |\r\n| :-----------: | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: |\r\n|   GitTools    | :heavy_check_mark: | :heavy_check_mark: |        :x:         | :heavy_check_mark: |        :x:         | :heavy_check_mark: |        :x:         |\r\n|  dvcs-ripper 
 |        :x:         |        :x:         |        :x:         |        :x:         |        :x:         |        :x:         |        :x:         |\r\n|    GitHack    | :heavy_check_mark: |        :x:         |        :x:         |        :x:         |        :x:         |        :x:         |        :x:         |\r\n|  git-dumper   | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |        :x:         | :heavy_check_mark: |        :x:         |\r\n| **GitHacker** | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |      :muscle:      | :heavy_check_mark: |      :muscle:      |\r\n\r\n## Example\r\n\r\n![Demo](./figure/demo.gif)\r\n\r\n## TODO\r\n\r\n- [x] ~~Download packed files first~~ (Unsolvable, see [StackOverflow](https://stackoverflow.com/questions/27789484/how-does-git-know-the-sha1-name-of-the-pack-files))\r\n- [x] Fix infinite downloading of 404 files, #25\r\n- [x] Fix error when `master` branch does not exist, #18\r\n- [x] Extract branch names from `.git/logs/HEAD`, #18\r\n- [x] Publish Docker image to hub.docker.com\r\n- [x] Add Dockerfile\r\n- [x] Fix stash files missing due to the fix of #21, #23, #24 (`git clone` can't download stash files)\r\n- [x] Use Python f-strings in `test.py`\r\n- [x] Download tags and branches when Index enabled\r\n- [x] Try common tags and branches when Index disabled\r\n- [x] [find packed refs](https://github.com/WangYihang/GitHacker/issues/1#issuecomment-487135667)\r\n\r\n## Test\r\n\r\n### Setup Development Environment\r\n\r\n```\r\n# Install docker and docker-compose\r\napt install docker-desktop\r\napt install docker-compose\r\n\r\n# Download GitHacker\r\ngit clone https://github.com/WangYihang/GitHacker\r\ncd GitHacker\r\npython -m venv venv\r\nsource venv/bin/activate\r\npip install -r requirements.txt\r\n```\r\n\r\n### Run tests\r\n\r\n```\r\n# Generate testing repo\r\npython utils/gen.py\r\n\r\n# Run testcases\r\nsudo su\r\nsource venv/bin/activate\r\npip 
install -r requirements.txt\r\npython utils/test.py\r\nexit\r\n\r\n# Diff results\r\npython utils/diff.py\r\n```\r\n\r\n## Check report\r\n\r\nSee `test/report/YYYY-MM-DD/index.html`\r\n\r\n## Videos\r\n### asciinema\r\n\r\n[![asciicast](https://asciinema.org/a/xgRmZ9dNvzhe3T2XRYDJe15Rj.png)](https://asciinema.org/a/xgRmZ9dNvzhe3T2XRYDJe15Rj)\r\n\r\n### YouTube\r\n* [【.git/ folder attack】Comparison of attack tools (Part I)](https://www.youtube.com/watch?v=Bs3QpVGf2uk)\r\n* [【.git/ folder attack】Comparison of attack tools (Part II)](https://www.youtube.com/watch?v=Xzg4kQt4qEo)\r\n\r\n## Security Issues\r\n\r\n#### 2021-08-01 [Fixed](https://github.com/WangYihang/GitHacker/commit/e105b5c04329e9c4b8080029976bc73d12b1f23f): Malicious `.git` folder may be harmful to the user of this tool (Reported by [Driver Tom](https://drivertom.blogspot.com))\r\n\r\n* [Don't even think about stealing my source code: a generic countermeasure against source-code-leak exploitation tools (common tools fall en masse)](https://drivertom.blogspot.com/2021/08/git.html)\r\n\r\n#### 2022-03-01 [Fixed](https://github.com/WangYihang/GitHacker/commit/806095e807d20e06d5f192928f1f525510a34688): Arbitrary file write via recursive file downloader (Reported by [Justin Steven](https://twitter.com/justinsteven))\r\n\r\n* To be released\r\n\r\n#### 2022-03-01 [Fixed](https://github.com/WangYihang/GitHacker/commit/f97710c2cf0351308fc81666448e00004b7d14f9): Remote Code Execution via malicious `.git/config` and `.git/hooks/*` files (Reported by [Justin Steven](https://twitter.com/justinsteven))\r\n\r\n* To be released\r\n\r\n## References\r\n\r\n* [Git Repository Layout](https://mirrors.edge.kernel.org/pub/software/scm/git/docs/gitrepository-layout.html)\r\n* [Git Documents](https://git-scm.com/docs)\r\n* [Git Pack filename](https://stackoverflow.com/questions/27789484/how-does-git-know-the-sha1-name-of-the-pack-files)\r\n\r\n## Acknowledgement\r\n\r\n- [@Justin Steven](https://twitter.com/justinsteven)\r\n- [@Driver Tom](https://drivertom.blogspot.com)\r\n- [@lesion1999](https://github.com/lesion1999)\r\n- 
[@shashade250](https://github.com/shashade250)\r\n\r\n## License\r\n```\r\nTHE DRINKWARE LICENSE\r\n\r\n\u003cwangyihanger@gmail.com\u003e wrote this file. As long as \r\nyou retain this notice you can do whatever you want \r\nwith this stuff. If we meet some day, and you think \r\nthis stuff is worth it, you can buy me the following\r\ndrink(s) in return.\r\n\r\nRed Bull\r\nJDB\r\nCoffee\r\nSprite\r\nCola\r\nHarbin Beer\r\netc\r\n\r\nWang Yihang\r\n```\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FWangYihang%2FGitHacker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FWangYihang%2FGitHacker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FWangYihang%2FGitHacker/lists"}