Scripts to extract files from SCM directories left on web servers.
The scripts were written after finding web servers where the developers had used an SCM as part of their release mechanism. An SCM (such as SVN or git) keeps its metadata in a local directory alongside the checked-out files (.svn, .hg or .git), and that directory gets deployed along with the site.
That metadata usually includes a local copy of the repository contents. Not only does this reveal source code, which can then be analysed for other flaws, it often includes configuration files (such as web.config) that contain passwords.
Current scripts:
- svn-grab: extracts all files from the pristine directory of an SVN working copy
- hg-grab: extracts files from a Mercurial repo
- git-grab: extracts files from a git repo
git-grab has been ported to Python and has a better user interface: you can list files and supply a glob to download only the files of interest.
It uses only the Python 3 standard library, so nothing extra needs installing.
usage: git-grab [-h] [--cache [CACHE]] [--verbose] [--outdir OUTDIR]
                [--version VERS] --url URL action [files [files ...]]
Abuse .git repos on web servers
positional arguments:
  action            Action to perform: ls, download, view, scan, discover, diff, logs
  files             list of file globs
optional arguments:
  -h, --help        show this help message and exit
  --cache [CACHE]   Directory to cache downloaded files
  --verbose         Be verbose
  --outdir OUTDIR   Directory to store output
  --url URL         URL of site
  --version VERS    Retrieve version VERS of file
The cache directory defaults to ./.gitgrab and outdir to the domain part of the URL.
Examples:
git-grab --url vulnerablesite.com ls
git-grab --url https://vulnerablesite.com/ download \*.php \*.conf
git-grab --url https://vulnerablesite.com/ view config.php
git-grab --url vulnerablesite.com scan
The commands do different things, with different levels of stealth:
scan:
This will scan the git directory for common flaws, such as a WordPress configuration file being present or .git/config containing things like passwords.
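One thing a scan of .git/config can look for is credentials that were committed into the remote URL or stored as a config key. This is an added example and not git-grab's own scan logic; the config text is constructed for the example, and the key names treated as secrets are my choice, not a list the tool uses.

```python
# Added example, not git-grab's own scan code: flag credentials embedded in a
# .git/config fetched from an exposed repo.  SAMPLE_CONFIG is constructed.
import re

SAMPLE_CONFIG = """[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://deploy:s3cret@git.example.com/site.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@github.com:example/site.git
[credential]
\thelper = store
"""

# Config keys whose value is itself a secret (assumed list for this example).
SECRET_KEYS = {"password", "token", "secret", "askpass"}
# scheme://user:pass@host ... as found in remote URLs.
USERINFO = re.compile(r"^[a-z][a-z0-9+.-]*://([^/@\s]+):([^/@\s]+)@", re.I)


def scan_git_config(text):
    # Walk git's INI-style config; return (section, key, finding) triples.
    findings, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]")
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.lower() in SECRET_KEYS:
            findings.append((section, key, "secret stored in config"))
        m = USERINFO.match(value)
        if m:
            findings.append((section, key,
                             f"credentials for user {m.group(1)!r} in URL"))
        if section == "credential" and key == "helper" and value == "store":
            # git-credential-store keeps plaintext logins in ~/.git-credentials,
            # which may sit under the web root too.
            findings.append((section, key,
                             "credential.helper=store: look for .git-credentials"))
    return findings
```

The SSH-style URL git@github.com:example/site.git is deliberately not flagged: there is no password in it, only a user name, and a scan that reports it would just add noise.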
ls:
This will list all files; where multiple versions are known, each is listed by index and that version's hash.
For example:
config/settings.php
Version 0: 7b64f0f207214f9894a2f4d08a95e57f3c773e72
Version 1: c19ecf55be45f0b0154c8b937abde5066cf1757c
view and download:
These are very similar; the only difference is that view dumps the file to standard output whilst download saves the resource under outdir.
Both take a number of globs after the command, and every file matching any of the globs is fetched.
If --version is used, only that version is retrieved; otherwise all known versions are output.
discover:
This will follow the commit history and recover every version of each file that can be found in the archive.
This is very noisy: it generates a lot of traffic and may take a long time to run (depending on the size of the archive). Add --verbose to reassure yourself it hasn't crashed.
git-grab --url vulnerablesite.com discover
diff:
This will perform a diff between two versions of a file using Python's difflib.
git-grab --url vulnerablesite.com diff admin.php 0 1
discover needs to be run first so that git-grab has found the different versions present in the archive.
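To make concrete what ls, view/download and discover are doing behind the HTTP requests, here is an offline model of the git object walk: HEAD to ref to commit to tree to blob, following parent commits to collect every version of each path. This is an added example, not git-grab's code; the dict built by build_fake_server() stands in for GETs of .git/... paths, it assumes the server returns loose objects verbatim (packfiles are not modelled), and numbering versions from the oldest is this example's convention rather than something the page states.

```python
# Offline model of how git-grab recovers files from a .git/ directory left on
# a web server.  Added example, not git-grab's own code: build_fake_server()
# returns a dict of ".git/..." path -> bytes standing in for the HTTP GETs the
# tool would make (assumption: HEAD, refs and loose objects are served
# verbatim; packfiles are not modelled).
import hashlib
import zlib

def make_object(kind, body):
    # Loose object = zlib("<kind> <len>\0" + body), named by sha1 of the raw form.
    raw = f"{kind} {len(body)}".encode() + b"\0" + body
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)

def make_tree(entries):
    # entries: name -> (mode, hex sha); mode "40000" marks a subtree.
    return b"".join(f"{m} {n}".encode() + b"\0" + bytes.fromhex(s)
                    for n, (m, s) in sorted(entries.items()))

def build_fake_server():
    # Constructed sample repo with two commits, so config/settings.php has two
    # versions and admin.php one.  All file content is made up.
    server = {}

    def put(kind, body):
        sha, data = make_object(kind, body)
        server[f".git/objects/{sha[:2]}/{sha[2:]}"] = data
        return sha

    def commit(tree, parents, msg):
        hdr = f"tree {tree}\n" + "".join(f"parent {p}\n" for p in parents)
        hdr += "author dev <dev@example.com> 1 +0000\n"
        hdr += "committer dev <dev@example.com> 1 +0000\n"
        return put("commit", f"{hdr}\n{msg}\n".encode())

    admin = put("blob", b"<?php // admin panel\n")
    roots = []
    for src in (b"<?php $db_pass = 'hunter2';\n",
                b"<?php $db_pass = getenv('DB_PASS');\n"):
        cfg = put("tree", make_tree({"settings.php": ("100644", put("blob", src))}))
        roots.append(put("tree", make_tree({"admin.php": ("100644", admin),
                                            "config": ("40000", cfg)})))
    c0 = commit(roots[0], [], "initial import")
    c1 = commit(roots[1], [c0], "stop hardcoding the db password")
    server[".git/HEAD"] = b"ref: refs/heads/master\n"
    server[".git/refs/heads/master"] = f"{c1}\n".encode()
    return server

def read_object(server, sha):
    # Inflate one object and check both the length header and the hash, so a
    # truncated or tampered download is rejected rather than mis-parsed.
    raw = zlib.decompress(server[f".git/objects/{sha[:2]}/{sha[2:]}"])
    header, body = raw.split(b"\0", 1)
    kind, size = header.decode().split(" ")
    if int(size) != len(body) or hashlib.sha1(raw).hexdigest() != sha:
        raise ValueError(f"corrupt object {sha}")
    return kind, body

def parse_commit(body):
    # Returns (tree sha, parent shas, message) from a commit body.
    headers, _, message = body.decode().partition("\n\n")
    fields = [line.partition(" ") for line in headers.splitlines()]
    tree = next(v for k, _, v in fields if k == "tree")
    return tree, [v for k, _, v in fields if k == "parent"], message.strip()

def walk_tree(server, tree_sha, prefix=""):
    # Yield (path, blob sha) for every file, recursing into subtrees.
    _, body = read_object(server, tree_sha)
    i = 0
    while i < len(body):
        nul = body.index(b"\0", i)
        mode, name = body[i:nul].decode().split(" ", 1)
        sha, i = body[nul + 1:nul + 21].hex(), nul + 21
        if mode == "40000":
            yield from walk_tree(server, sha, prefix + name + "/")
        else:
            yield prefix + name, sha

def discover_versions(server):
    # Follow HEAD back through every parent commit (what `discover` does, one
    # request per object) and map path -> [blob shas], oldest version first.
    # Numbering from the oldest is this example's convention, not git-grab's.
    ref = server[".git/HEAD"].decode().strip()
    head = server[".git/" + ref[5:]].decode().strip() if ref.startswith("ref: ") else ref
    trees, todo, seen = [], [head], set()
    while todo:
        sha = todo.pop(0)
        if sha not in seen:
            seen.add(sha)
            tree, parents, _ = parse_commit(read_object(server, sha)[1])
            trees.append(tree)
            todo.extend(parents)
    versions = {}
    for tree in reversed(trees):
        for path, blob in walk_tree(server, tree):
            if blob not in versions.setdefault(path, []):
                versions[path].append(blob)
    return versions
```

Printing discover_versions(build_fake_server()) gives the same shape as the ls listing above: one line per path and one "Version n: hash" line per distinct blob. The hash check in read_object is the caveat worth keeping in a real tool: an object that fails it is a partial download, a server rewrite or an error page, and silently parsing it produces garbage paths and content.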
logs:
This will dump the logs, showing commit messages and the users who made the commits. A future enhancement will tie this into discovery.