Offensive Security Tool: GitHacker

Description

GitHacker by WangYihang is a Git source leak exploit tool that restores the entire Git repository, including data from stash, for whitebox auditing and analysis.

It is a multiple threads tool to detect whether a site has the .git folder leakage vulnerability. It is able to download the target .git folder almost completely. This tool also works when the Directory Listings feature is disabled. It is worth mentioning that this tool will download almost all files of the target git repository and then rebuild them locally, which makes this tool State of the art in this area. For example, tools like [githack] just simply restore the latest version. With GitHacker’s help, you can view the developer’s commit history, which makes a better understanding of the character and psychology of developers, so as to lay the foundation for further code audition.

Source code assessment reveals often times mistakes done by developers that leave behind these traces, and secrets, and this tool will allow you to find them, once you know what to look for, in the program’s pattern’s flow.

Comparison of other tools

Requirements

• git >= 2.11.0
• Python 3

Installation

pip3 install GitHacker

Usage

TODO

•  Publish Docker image to hub.docker.com
•  Add Dockerfile
• Fix stash files missing due to the fix of #21 (git clone can’t download stash files)
•  Fix infinit downloading 404 files
• Use python f’string in test.py
•  Download packed files firstly (Unsolvable via StackOverflow)
•  Download tags and branches when Index enabled
•  Try common tags and branches when Index disabled
•  find packed refs

Videos

YouTube

• 【.git/ folder attack】Comparison of attack tools (Part I)
• 【.git/ folder attack】Comparison of attack tools (Part II)

Download: GitHub Link