GitDump – A Pentesting Tool That Dumps The Source Code From .Git Even When The Directory Traversal Is Disabled

GitDump 3 poc

GitDump dumps the source code from .git when the directory traversal is disabled

Requirements

  • Python3

Tested on

  • Windows
  • Kali Linux

What it does

  • Dump source code from website/.git directory when directory traversal is disabled.

How it works

  • Fetch all common files (.git/index, .git/HEAD, .git/ORIG_HEAD, etc.).
  • Find as many objects (sha1) as possible by analyzing .git/packed-refs, .git/index, etc.
  • Download idx and pack files.
  • Now you can run git checkout — . to retrieve source code.

How to Use

  • python3 git-dump.py https://website.com/.git/
  • Create the output directory and dump all the .git files in it.
  • After running above script type: cd output && git checkout -- .
  • It will recover all source code.

TODO

  • Search through git repository for secrets by digging deep into commit history and branches.

Credits Sean B. Palmer for his index file parser. (https://github.com/sbp/gin)

Download GitDump

If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.

Discord

Original Source