GitHacker
A multi-threaded tool to exploit .git folder leakage vulnerabilities.
It reconstructs the target Git repository — including source code, commit history, branches, stashes, remotes, and tags.
Installation
Docker (Recommended)
docker run \ -v $(pwd)/results:/tmp/githacker/results \ wangyihang/githacker \ --output-folder /tmp/githacker/results \ --url http://target/.git/
pip
pip install GitHacker githacker \ --url http://target/.git/ \ --output-folder result
Add --brute to brute-force branch and tag names when DirectoryListings is disabled.
Capabilities
| Feature | DirectoryIndex On | DirectoryIndex Off |
|---|---|---|
| Source Code Recovery | Supported | Supported |
| Reflogs | Supported | Supported |
| Stashes | Supported | Supported |
| Commit History | Supported | Supported |
| Branches | Supported | Brute-force |
| Remotes | Supported | Supported |
| Tags | Supported | Brute-force |
See the full benchmark comparison against other tools.
Security Advisories
The remote .git folder may be malicious. It is recommended to run this tool
in a disposable environment (e.g., Docker container).
| Date | Vulnerability | Reporter |
|---|---|---|
| 2022-03-01 | RCE via malicious .git/config and .git/hooks/* | Justin Steven |
| 2022-03-01 | Arbitrary file write via recursive file downloader | Justin Steven |
| 2021-08-01 | Malicious .git folder harmful to tool user | Driver Tom |