Skip to content
/ GitDump Public

A pentesting tool that dumps the source code from .git even when the directory traversal is disabled

217 stars 35 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Ebryx/GitDump

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
README.md
README.md
 
 
gin.py
gin.py
 
 
git-dump.py
git-dump.py
 
 
poc.png
poc.png
 
 

Repository files navigation

GitDump

Open Source Love Open Source Love

GitDump dumps the source code from .git when the directory traversal is disabled

Requirements

  • Python3

Tested on

  • Windows
  • Kali Linux

What it does

  • Dump source code from website/.git directory when directory traversal is disabled.

How it works

  • Fetch all common files (.git/index, .git/HEAD, .git/ORIG_HEAD, etc.).
  • Find as many objects (sha1) as possible by analyzing .git/packed-refs, .git/index, etc.
  • Download idx and pack files.
  • Now you can run git checkout -- . to retrieve source code.

How to Use

  • python3 git-dump.py https://website.com/.git/
  • Create the output directory and dump all the .git files in it.
  • After running above script type: cd output && git checkout -- .
  • It will recover all source code.

Screenshot

TODO

  • Search through git repository for secrets by digging deep into commit history and branches.

Credits Sean B. Palmer for his index file parser. (https://github.com/sbp/gin)

About

A pentesting tool that dumps the source code from .git even when the directory traversal is disabled

Resources

Readme
Activity
Custom properties

Stars

217 stars

Watchers

4 watching

Forks

35 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

Languages