Skip to content

tautology0/ayfabtu

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

53 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

ayfabtu - All Your File Are Belong To Us

Scripts to extract files from SCM directories left on web servers.

The scripts were written due to finding web servers where the designers had used an SCM as part of their release mechanism. Using an SCM (like SVN or git) often stores metadata in the contents of a local cache.

The contents are often a local copy of the contents of the repo. Not only does this reveal source code, which can then be analysed for other flaws, it can often include the configuration files (such as web.config) which can reveal passwords.

Current scripts:

  • svn-grab, will extract all files from the pristine directory of the SVN repo
  • hg-grab, will extract files from a Mercurial repo
  • git-grab, will extract files from a git repo.

git-grab has been ported to Python and has a better user interface that means that you can list files and supply a glob to only download important files.

It just uses standard Python3 libraries so shouldn't need anything special installed.

usage: git-grab [-h] [--cache [CACHE]] [--verbose] [--outdir OUTDIR]
                --url url action [files [files ...]]

Abuse .git repos on web servers

positional arguments:
  action           Action to perform: ls, download, view, scan, discover, logs
  files            list of file globs

optional arguments:
  -h, --help       show this help message and exit
  --cache [CACHE]  Directory to cache downloaded files
  --verbose        Be verbose
  --outdir OUTDIR  Directory to store output
  --url URL        URL of site (method option)
  --verison VERS   Retrieve version VERS of file

The default for the cache directory is ./.gitgrab and outdir is the domain part of the url.

Examples:

git-grab --url vulnerablesite.com ls
git-grab --url https://vulnerablesite.com/ download \*.php \*.conf
git-grab --url https://vulnerablesite.com/ view config.php
git-grab --url vulnerablesite.com scan

Commands

The various commands do various things with various levels of stealth:

scan

This will attempt to scan the git directory for common flaws, such as a WordPress configuration file or whether .git/config contains stuff like passwords.

ls

This will list all files, where multiple versions are provided they will be listed by index and that version's hash.

For example:

config/settings.php
	Version 0: 7b64f0f207214f9894a2f4d08a95e57f3c773e72
	Version 1: c19ecf55be45f0b0154c8b937abde5066cf1757c

view

download

These are very similar - the only difference is that view will dump the file to standard out whilst download will download the resourse and save it outdir.

These can take a number of globs after the command, to say, download all globs.

If --version is used then only that version will be attempted to be accessed. If not all versions will be outputed.

discover

This will attempt to follow the commit path and recover all possible versions of a file that can be discovered in the archive.

This is very noisy and will cause a lot of traffic on the network, and may take a long time to run (depending on the size of the archive. Add --verbose to make yourself comfortable it hasn't crashed.

git-grab --url vulnerablesite.com discover

diff

This will perform a diff between two versions of a file using Python's difflib.

git-grab --url vulnerablesite.com diff admin.php 0 1

Discover will need to be run first so that git-grab can try and discover any different versions in place in the archive.

logs

This will dump the logs, showing commit comments and the users doing the commit. A future enhancement will tie this into discovery.

About

Scripts to extract files from SCM directories left on web servers

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published