Git GitHub Pentesting

Last modified: 2023-02-25

Git Reconnaissance

Git is version-control software that tracks changes in a set of files. It is most often used together with a hosting service such as GitHub, and a repository (or a leaked .git directory) usually holds far more than the files currently checked out: old commits, deleted files, other branches, tags and the identities of everyone who contributed.

Git Commands for the Repository Investigation

Check Information

# Basic information ('git show' with no argument shows the latest commit of the current branch)
git show
git show <branch-name>
git show <commit-id>
git show <tag-name>
# Inspect a .git directory found on a target without changing into its working tree
git --git-dir /path/to/.git show

# Configuration (remote URLs, user identity, credential helpers)
git config --list

# Commit history
git log
git log --stat
git --git-dir /path/to/.git log --stat

# Compare states of the repository
# working tree vs. index (unstaged changes)
git diff
# index vs. last commit (changes staged for the next commit)
git diff --staged
# same as --staged
git diff --cached

# Working tree status
git status

Back to the Previous Commits

# You can get the "commit-id" from 'git log'. Checking out a commit puts the repository into a "detached HEAD" state.
git checkout <commit-id>
git --git-dir /path/to/.git checkout <commit-id>

# Return to the latest commit of the default branch (called master or main depending on the repository)
git checkout master
git checkout main

Search the Other Branches

To list all branches, including remote-tracking branches. A branch that was never merged may still contain files or credentials that were removed from the default branch.

git branch -a

By the way, to create a new branch:

git branch new-branch

Clone the Repository

git clone https://github.com/username/repo.git

# via SSH
git clone ssh://git-user@10.0.0.1/path/to/repo
git clone ssh://git-user@10.0.0.1/path/to/repo.git

Find Tags

# List tags
git tag
git tag -l

# Show the contents of the specific tag
git show <tag-name>

Restore Deleted Files

First, check which files were deleted in the working tree but not yet committed.

git status

Then restore them from the index.

git restore <a-deleted-file>

This only covers deletions that have not been committed yet. A file removed in an earlier commit no longer appears in 'git status' and has to be recovered from the commit history.

GitHub Dorks

Search Target Repository

You may be able to find the target's repository with a Google search.

The search term is the target's name followed by github, e.g. "<target-name> github".

Find Sensitive Data in the Repository

If you can access the GitHub repository, examine its contents and history for sensitive information. For example:

  • Hard-coded secrets (API keys, passwords, private keys, internal hostnames)
  • Past commits (a secret removed in a later commit is still in the history)
  • Files deleted in past commits
  • Commit messages
  • Email addresses, which may reveal the developers' personal accounts
  • Other branches

For more details, see github-dorks.
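The deleted-file recovery above only reaches deletions that are not committed yet, and the checklist above is easier to work through with a script. The following is an added example and not part of the original page: it builds a throwaway demo repository (constructed for this example, with an invented token and password) in which a credential file is committed and later deleted, then uses plain git commands to list every file ever deleted on any branch, print a deleted file's last content without touching the working tree, grep every commit for a pattern, and pull author identities and suspicious commit messages out of the whole history. All names, paths and values are made up.

```shell
#!/bin/sh
# Added example, not from the original page.  Needs only git and POSIX sh.
set -e

# Fixed identity for the demo commits so the script runs without a git config.
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.com
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.com

# Build a constructed repo: a config file with a hard-coded token is committed,
# then deleted so HEAD looks clean; a side branch carries a commit whose message
# leaks a password, which is why every function below uses --all.
make_demo_repo() {
    dir=$(mktemp -d)
    git init -q "$dir"
    (
        cd "$dir"
        printf 'hello\n' > README
        git add README
        git commit -q -m 'initial commit'
        printf 'api_key = "DEMO_TOKEN_deadbeef1234"\n' > config.ini
        git add config.ini
        git commit -q -m 'add deploy config'
        git rm -q config.ini
        git commit -q -m 'remove config before publishing'
        default=$(git rev-parse --abbrev-ref HEAD)
        git checkout -q -b staging
        git commit -q --allow-empty -m 'temp: staging db password is Winter2023!'
        git checkout -q "$default"
    )
    printf '%s\n' "$dir"
}

# Every path deleted in any commit on any branch.  'git status' only shows
# deletions that have not been committed yet.
deleted_files() {
    git -C "$1" log --all --diff-filter=D --name-only --format= | sed '/^$/d' | sort -u
}

# Print the last committed version of a deleted file without modifying the
# working tree: find the commit that removed it and read the file from its parent.
show_deleted_file() {
    repo=$1; path=$2
    commit=$(git -C "$repo" log --all --diff-filter=D --format=%H -1 -- "$path")
    git -C "$repo" show "$commit^:$path"
}

# Grep every reachable commit for an extended regex.  Output lines look like
# <commit>:<path>:<line>:<text>, so hits that no longer exist in HEAD still appear.
grep_history() {
    repo=$1; pattern=$2
    git -C "$repo" grep -I -n -E "$pattern" $(git -C "$repo" rev-list --all) || true
}

# Author identities across all branches; %ae is the address that also appears
# in the From: header of a commit's .patch view on GitHub.
history_identities() {
    git -C "$1" log --all --format='%an <%ae>' | sort -u
}

# Commit messages that mention credentials.
leaky_messages() {
    git -C "$1" log --all --format='%h %s' | grep -i -E 'password|passwd|secret|token|key' || true
}

DEMO=$(make_demo_repo)
echo "deleted files:";        deleted_files "$DEMO"
echo "restored config.ini:";  show_deleted_file "$DEMO" config.ini
echo "hits in history:";      grep_history "$DEMO" 'api_key|password'
echo "identities:";           history_identities "$DEMO"
echo "suspicious messages:";  leaky_messages "$DEMO"
```

Point the functions at a real clone or a recovered .git directory instead of `$DEMO`; for the latter, `git -C /path/to/repo` works as long as the directory contains .git, otherwise use `--git-dir` as in the commands above.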

Find Email Address

  1. Open the target repository.

  2. Go to the commit history.

  3. Open a commit and append ".patch" to the URL. For example:

    https://github.com/<username>/<repository>/commit/d4...ff54.patch
    
  4. Check the "From:" header of the returned patch. It contains the name and email address of the commit's author (who is also the committer unless the commit was rebased or applied by someone else). If the author has enabled email privacy on GitHub, you will see an address of the form <id>+<username>@users.noreply.github.com instead of a real mailbox.
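As an added example that is not part of the original page, the script below performs step 4 offline on a saved .patch file. It assumes the git format-patch layout that GitHub serves for a commit's .patch URL, and goes a little beyond the single-commit case: a pull request's .patch URL returns one such patch per commit, so the script handles a multi-commit series. The sample patch, its commit hashes, authors and addresses are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: pull author identities out of a
# GitHub-style .patch file.  Sample data below is constructed.
set -e

# A constructed two-commit series: one author with a real address, one hidden
# behind GitHub's noreply address.  The diff of the first commit deliberately
# adds a line starting with "From:", which must not be mistaken for an author.
DEMO_PATCH=$(mktemp)
cat > "$DEMO_PATCH" <<'EOF'
From 1111111111111111111111111111111111111111 Mon Sep 17 00:00:00 2001
From: Alice Example <alice@example.com>
Date: Tue, 14 Feb 2023 10:00:00 +0100
Subject: [PATCH 1/2] add mail template

---
 template.txt | 1 +
 1 file changed, 1 insertion(+)

diff --git a/template.txt b/template.txt
--- a/template.txt
+++ b/template.txt
@@ -0,0 +1 @@
+From: noreply@corp.example
--
2.39.1

From 2222222222222222222222222222222222222222 Mon Sep 17 00:00:00 2001
From: bob-dev <12345678+bob-dev@users.noreply.github.com>
Date: Wed, 15 Feb 2023 09:00:00 +0100
Subject: [PATCH 2/2] fix typo

---
 README | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
EOF

# One line per commit: <email><TAB><name>.  Only the header block of each
# commit is inspected: it starts at the mbox-style "From <sha> <date>" line and
# ends at the first blank line, so "From:" strings in diffs or bodies are skipped.
patch_authors() {
    awk '
        /^From [0-9a-f]+ /      { in_header = 1; next }
        in_header && /^$/       { in_header = 0; next }
        in_header && /^From: /  {
            line = substr($0, 7)
            name = line; email = line
            if (match(line, /<[^>]*>/)) {
                email = substr(line, RSTART + 1, RLENGTH - 2)
                name  = substr(line, 1, RSTART - 1)
                sub(/[ \t]+$/, "", name)
            }
            printf "%s\t%s\n", email, name
        }
    ' "$1"
}

# Addresses GitHub substitutes when "keep my email address private" is enabled
# identify only the account, not a mailbox, so they are dropped here.
real_emails() {
    patch_authors "$1" | cut -f1 | grep -v '@users\.noreply\.github\.com$' | sort -u
}

echo "authors:";      patch_authors "$DEMO_PATCH"
echo "real e-mails:"; real_emails "$DEMO_PATCH"
```

Save the .patch page from the browser (or fetch it with curl) and pass the file instead of `$DEMO_PATCH`. A noreply address still tells you the GitHub username and numeric user id, which is useful for correlating accounts even though it is not a mailbox.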