Yes, this vulnerability exists because developers who use a version control system often deploy the whole working copy, including its metadata folder, to production. This is a very good chance for bounty hunters: leaving these folders exposed allows a penetration tester to download the entire source code.
Once we have the full source code we can analyse it and find vulnerabilities in the web application or website.
To do this we are going to use a tool called dvcs-ripper. This tool is written in Perl and is very popular among bug bounty hunters. With it we can rip repositories even when directory listing is turned off.
The tool rips version control systems such as SVN, Git, Mercurial (hg) and Bazaar (bzr). dvcs-ripper is pretty simple to use. In this article we will discuss how to use this tool on our Linux system.
First of all we need to clone dvcs-ripper from its GitHub repository using the following command:
The above command will download dvcs-ripper from GitHub, as we can see in the following screenshot:
Then we need to change into the directory using the following command:
Before running the tool we need to install its dependencies. To install them we run the following command in our terminal:
This command will install all the dependencies the tool needs (some of them may already be pre-installed if we are using the latest version of Kali Linux).
Now we need a target to run this tool against. We can't attack other people's property without proper permission, so we assume example.com is our target.
Owning Git repositories and others
dvcs-ripper downloads the whole repository; to keep the files organised we should give it a dedicated output folder.
We can run the tool using the following command to own the Git repository of our target:
To create a new directory and save all the output there we can use the following command:
If we need to ignore SSL certificate verification we can use the -s flag, as in the following command:
We used rip-git.pl to capture exposed .git repositories. Similarly, we can use the other scripts to own the other repository types.
Owning SVN repositories
It supports both the OLDER and NEWER SVN client formats. The older format keeps .svn metadata in every directory, while the newer format has a single .svn directory containing wc.db. The tool automatically detects which format the target uses.
The following command shows how we can do it.
In the same way it can rip Mercurial (hg) and Bazaar (bzr) repositories. It will not rip CVS, but it will display useful information about it.
For other useful features we can go to the official website of this tool. It can also be run from Docker.
This is how we can rip .git and .svn repositories, obtain the source code of a website and look for loopholes inside it.
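As an added example (not code from this article or from dvcs-ripper), the following Python checks hosts you administer for the same metadata files these scripts fetch, and verifies the response body against each format's signature so that a catch-all "200 OK" page is not mistaken for a leak. The probe paths, signatures and sample responses are assumptions constructed here.

```python
import re
import urllib.error
import urllib.request

# Content a real repository leaves at each probe path (signatures assumed from the
# on-disk formats of git, svn, hg and bzr). A bare HTTP 200 is not enough on its own.
SIGNATURES = {
    "/.git/HEAD": re.compile(rb"^(ref: refs/\S+|[0-9a-f]{40})\s*$"),
    "/.git/config": re.compile(rb"^\[core\]", re.M),
    "/.svn/entries": re.compile(rb"^\d+\n"),                # old svn: format number first
    "/.svn/wc.db": re.compile(rb"^SQLite format 3\x00"),    # new svn: SQLite database
    "/.hg/requires": re.compile(rb"^(revlogv1|store|fncache|dotencode|generaldelta)\b", re.M),
    "/.bzr/branch-format": re.compile(rb"^Bazaar"),
}

def classify(path, status, body):
    """Verdict for one probe: exposed, suspicious (200 but no signature), blocked or clean."""
    if status in (401, 403):
        return "blocked"
    if status != 200:
        return "clean"
    return "exposed" if SIGNATURES[path].search(body) else "suspicious"

def audit(responses):
    """Map each probe path to its verdict; responses is {path: (status, body)}."""
    return {path: classify(path, status, body) for path, (status, body) in responses.items()}

def fetch_all(base_url, timeout=5):
    """Collect (status, body) per probe path from a host you administer."""
    out = {}
    for path in SIGNATURES:
        try:
            with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout) as resp:
                out[path] = (resp.status, resp.read(512))
        except urllib.error.HTTPError as err:
            out[path] = (err.code, b"")
        except urllib.error.URLError:
            out[path] = (0, b"")
    return out

# Constructed sample (no network): leaked git, catch-all page at .svn/entries, blocked .hg.
SAMPLE = {
    "/.git/HEAD": (200, b"ref: refs/heads/main\n"),
    "/.git/config": (200, b"[core]\n\trepositoryformatversion = 0\n"),
    "/.svn/entries": (200, b"<html><body>Welcome</body></html>"),
    "/.svn/wc.db": (404, b""),
    "/.hg/requires": (403, b""),
    "/.bzr/branch-format": (200, b"Bazaar-NG meta directory, format 1\n"),
}
```

Run `audit(fetch_all("https://host.example"))` against your own deployment; any path reported as exposed should be denied in the web server configuration or removed from the deployed tree.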