GitDump – A Pentesting Tool That Dumps The Source Code From .Git Even When The Directory Traversal Is Disabled
GitDump dumps the source code from .git when the directory traversal is disabled
Requirements
- Python3
Tested on
- Windows
- Kali Linux
What it does
- Dump source code from website/.git directory when directory traversal is disabled.
How it works
- Fetch all common files (.git/index, .git/HEAD, .git/ORIG_HEAD, etc.).
- Find as many objects (sha1) as possible by analyzing .git/packed-refs, .git/index, etc.
- Download idx and pack files.
- Now you can run git checkout — . to retrieve source code.
How to Use
- python3 git-dump.py https://website.com/.git/
- Create the output directory and dump all the .git files in it.
- After running above script type:
cd output && git checkout -- .
- It will recover all source code.
TODO
- Search through git repository for secrets by digging deep into commit history and branches.
Credits Sean B. Palmer for his index file parser. (https://github.com/sbp/gin)
Download GitDump
If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.