
How to Own All Git Repositories and SVN Repositories

This vulnerability exists because, most of the time when using a version control system, developers host their repository in production. This is a very good opportunity for bounty hunters: leaving these folders on the server allows a penetration tester to download the entire source code.

After we get all the source code, we can analyze it and find vulnerabilities in the web application or website.



To do this we are going to use a tool called dvcs-ripper. This tool is written in Perl and is very popular among bug bounty hunters. Using this tool we can rip repositories even when directory browsing is turned off.

This tool is used to rip version control systems such as SVN, Git, Mercurial/hg and Bzr. dvcs-ripper is pretty simple to use. In this article, we will discuss how we can use this tool on our Linux system.

First of all, we need to clone dvcs-ripper from its GitHub repository by using the following command:

git clone https://github.com/kost/dvcs-ripper

The above command will download dvcs-ripper from GitHub.




Then we need to go inside the directory by using the following command:

cd dvcs-ripper

Before running this tool we need to install some requirements. To install them, we run the following command in our terminal:

sudo apt-get install perl libio-socket-ssl-perl libdbd-sqlite3-perl libclass-dbi-perl libio-all-lwp-perl libparallel-forkmanager-perl libredis-perl libalgorithm-combinatorics-perl cvs subversion git bzr mercurial

This command will install all the requirements this tool needs on our system (some of them may come pre-installed if we are using the latest version of Kali Linux).

Now we need a target to run this tool against. We can't attack other properties without proper permission, so we assume example.com as our target.


Owning Git repositories and others

dvcs-ripper will gather the whole repository. To keep the files organized, we need a specific output folder for the output files.

We can run the tool using the following command to own Git repositories of our target:


perl rip-git.pl -o /home/kali/Desktop/existing -v -u http://www.example.com/.git/

To create a new directory and save all the outputs there we can use the following command:


perl rip-git.pl -m -o /home/kali/Desktop/New -v -u http://www.example.com/.git/

If we need to ignore SSL certificate verification we can use the -s flag. It has to come before -u, because -u takes the URL as its argument:


perl rip-git.pl -m -o /home/kali/Desktop/New -v -s -u http://www.example.com/.git/

We used rip-git.pl to capture all the .git repositories. Similarly, we can use other scripts to own other repositories.


Owning SVN repositories


It supports both the older and the newer SVN client formats. The older format has .svn files in every directory, while the newer format has a single .svn directory with wc.db inside it. The tool will automatically detect which format is used on the target.

The following command shows how we can do it.


perl rip-svn.pl -m -o /home/kali/Desktop/New -v -u http://www.example.com/.svn/

As in the above examples, it can rip Mercurial/hg and Bazaar/bzr in the same way. It will not rip CVS, but it will display useful info.

For more useful features, we can go to the official website of this tool. It can also be run from Docker.

This is how we can rip .git and .svn repositories and get the source code of a website and find loopholes inside it.
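
Seen from the defending side, the downloads described in this article leave a clear trace in the web server access log. The following is an added example, not part of dvcs-ripper or of the original article: it flags requests to the metadata directories of the systems named above and separates the ones the server actually served (2xx) from the ones it refused. The Combined Log Format, the sample log lines, the IP addresses and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Metadata directories of the systems named in the article (lower-cased).
VCS_DIRS = {".git", ".svn", ".hg", ".bzr", "cvs"}

# Assumed input: Combined Log Format, as written by common web servers.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2022:10:01:02 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "-"',
    '192.0.2.10 - - [12/Mar/2022:10:01:03 +0000] "GET /.git/index HTTP/1.1" 200 4096 "-" "-"',
    '192.0.2.10 - - [12/Mar/2022:10:01:04 +0000] "GET /app/.svn/wc.db HTTP/1.1" 404 153 "-" "-"',
    '198.51.100.7 - - [12/Mar/2022:10:05:00 +0000] "GET /%2Egit/config HTTP/1.1" 403 153 "-" "-"',
    '198.51.100.7 - - [12/Mar/2022:10:05:09 +0000] "GET /blog/git-tips.html HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.5 - - [12/Mar/2022:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "-"',
]

def vcs_dir(raw_path):
    """Return the VCS metadata directory a request path touches, else None."""
    path = unquote(raw_path.split("?", 1)[0])  # decode %2e-style encodings
    for segment in path.split("/"):
        if segment.lower() in VCS_DIRS:
            return segment
    return None

def find_exposures(lines):
    """Per client IP: metadata paths served (2xx) and count of refused ones."""
    report = defaultdict(lambda: {"served": [], "blocked": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or vcs_dir(m["path"]) is None:
            continue
        entry = report[m["ip"]]
        if m["status"].startswith("2"):
            entry["served"].append(unquote(m["path"]))
        else:
            entry["blocked"] += 1
    return dict(report)

if __name__ == "__main__":
    for ip, hits in find_exposures(SAMPLE_LOG).items():
        print(ip, "served:", hits["served"], "blocked:", hits["blocked"])
```

Any entry under "served" means repository metadata left the server, so the deployment should stop shipping those directories and anything stored in the repository history should be treated as disclosed.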

©2022 www.theblackthreat.in All right reserved.