Lucene search
K

HTTP Git Scanner

🗓️ 19 Nov 2015 09:16:32Reported by Nixawk, Jon Hart <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 12 Views

This module detects information disclosure vulnerabilities when a Git repository is exposed over HTTP

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  def initialize
    super(
      'Name'        => 'HTTP Git Scanner',
      'Description' => %q(
        This module can detect situations where there may be information
        disclosure vulnerabilities that occur when a Git repository is made
        available over HTTP.
      ),
      'Author'      => [
        'Nixawk', # module developer
        'Jon Hart <jon_hart[at]rapid7.com>' # improved metasploit module
      ],
      'References'  => [
        ['URL', 'http://web.archive.org/web/20220609025426/https://github.com/git/git/blob/master/Documentation/technical/index-format.txt']
      ],
      'License'     => MSF_LICENSE
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The test path to .git directory', '/.git/']),
        OptBool.new('GIT_INDEX', [true, 'Check index file in .git directory', true]),
        OptBool.new('GIT_CONFIG', [true, 'Check config file in .git directory', true]),
        OptString.new('UserAgent', [ true, 'The HTTP User-Agent sent in the request', 'git/1.7.9.5' ])
      ]
    )
  end

  def req(filename)
    send_request_cgi(
      'uri' => normalize_uri(target_uri, filename)
    )
  end

  def git_index_parse(resp)
    return if resp.blank? || resp.length < 12 # A 12-byte header
    signature = resp[0, 4]
    return unless signature == 'DIRC'

    version = resp[4, 4].unpack('N')[0].to_i
    entries_count = resp[8, 4].unpack('N')[0].to_i

    return unless version && entries_count
    [version, entries_count]
  end

  def git_index
    res = req('index')
    index_uri = git_uri('index')
    unless res
      vprint_error("#{index_uri} - No response received")
      return
    end
    vprint_status("#{index_uri} - HTTP/#{res.proto} #{res.code} #{res.message}")

    return unless res.code == 200
    version, count = git_index_parse(res.body)
    return unless version && count
    print_good("#{full_uri} - git repo (version #{version}) found with #{count} files")

    report_note(
      host: rhost,
      port: rport,
      proto: 'tcp',
      type: 'git_index_disclosure',
      data: { uri: index_uri, version: version, entries_count: count }
    )
  end

  def git_config
    res = req('config')
    config_uri = git_uri('config')
    unless res
      vprint_error("#{config_uri} - No response received")
      return
    end
    vprint_status("#{config_uri} - HTTP/#{res.proto} #{res.code} #{res.message}")

    return unless res.code == 200 && res.body =~ /\[(?:branch|core|remote)\]/
    print_good("#{config_uri} - git config file found")

    report_note(
      host: rhost,
      port: rport,
      proto: 'tcp',
      type: 'git_config_disclosure',
      data: { uri: config_uri }
    )

    path = store_loot('config', 'text/plain', rhost, res.body, config_uri)
    print_good("Saved file to: #{path}")
  end

  def git_uri(path)
    full_uri =~ %r{/$} ? "#{full_uri}#{path}" : "#{full_uri}/#{path}"
  end

  def run_host(_target_host)
    vprint_status("#{full_uri} - scanning git disclosure")
    git_index if datastore['GIT_INDEX']
    git_config if datastore['GIT_CONFIG']
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

28 Feb 2025 10:30Current
7.1High risk
Vulners AI Score7.1
12