internetwache / GitTools

A repository with 3 tools for pwn'ing websites with .git repositories available
MIT License

/.git/ missing in url #8

Closed noraj closed 7 years ago

noraj commented 7 years ago

For example I found a git repository that is stored under /backup/ but I can't dump it because I get this error:

[-] /.git/ missing in url

This should not be a check.

noraj commented 7 years ago

For me I just edited dumper.sh and removed those lines:

if [[ ! "$BASEURL" =~ /.git/$ ]]; then
    echo -e "\e[31m[-] /.git/ missing in url\e[0m";
    exit 0;
fi

But you may prefer to transform this error into a warning.

gehaxelt commented 7 years ago

Hi @noraj1337, sorry for the late response, but you have a valid point right there.

I think that a --force option might be a better idea, because people usually don't read warnings and then might be confused if the script does not work correctly.

noraj commented 7 years ago

@gehaxelt An even better idea is to check for the /.git/ unless there is a --git-dir option provided, for example --git-dir=backup.

gehaxelt commented 7 years ago

Hey @noraj1337

I've implemented the --git-dir=backup suggestion here https://github.com/internetwache/GitTools/pull/11

Could you please verify that this fixes your issue, so that I can merge the PR?

Thanks

noraj commented 7 years ago

It works but the problem is that you use positional arguments:

$ ~/CTF/tools/GitTools/Dumper/gitdumper.sh --git-dir=backup http://82.202.204.104/backup/ repo
###########
# GitDumper is part of https://github.com/internetwache/GitTools
#
# Developed and maintained by @gehaxelt from @internetwache
#
# Use at your own risk. Usage might be illegal in certain circumstances.
# Only for educational purposes!
###########

[-] /backup/ missing in url
$ ~/CTF/tools/GitTools/Dumper/gitdumper.sh http://82.202.204.104/backup/ repo --git-dir=backup
###########
# GitDumper is part of https://github.com/internetwache/GitTools
#
# Developed and maintained by @gehaxelt from @internetwache
#
# Use at your own risk. Usage might be illegal in certain circumstances.
# Only for educational purposes!
###########

[*] Destination folder does not exist
[+] Creating repo/backup/
[+] Downloaded: HEAD
[-] Downloaded: objects/info/packs
[+] Downloaded: description
[+] Downloaded: config
[+] Downloaded: COMMIT_EDITMSG
[+] Downloaded: index
[-] Downloaded: packed-refs
[+] Downloaded: refs/heads/master
[-] Downloaded: refs/remotes/origin/HEAD
[-] Downloaded: refs/stash
[+] Downloaded: logs/HEAD
[+] Downloaded: logs/refs/heads/master
[-] Downloaded: logs/refs/remotes/origin/HEAD
[-] Downloaded: info/refs
[+] Downloaded: info/exclude
[+] Downloaded: objects/9f/848cceeba31da2cbd2c8ecaebb8a8dab17eee4
[-] Downloaded: objects/00/00000000000000000000000000000000000000
[+] Downloaded: objects/bd/55b19e5413ce609d3bc4429c3a6f272341988a
[+] Downloaded: objects/8b/1084b23d869e5dc1ae4ac845589ecfb896c0c3

To see better ways to parse arguments in bash you can take a look at https://stackoverflow.com/questions/192249/how-do-i-parse-command-line-arguments-in-bash or search by yourself; there is a lot of stuff to read.

gehaxelt commented 7 years ago

Hi, yeah, I know that this is not the best solution and that there are better ways to implement it. I didn't want to break backward compatibility by removing/fixing the positional arguments.

As far as I see, the change seems to work. So I would go ahead and merge the changes and open an issue for a rewrite of the argument parsing. Does that seem acceptable to you?

noraj commented 7 years ago

This seems perfectly right. I was about to say the same thing.

gehaxelt commented 7 years ago

Fixed by #11
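
The argument-order problem reported above, worked as an added example (not part of the original thread and not GitTools code): a POSIX sh parser that accepts --git-dir anywhere on the command line and then checks the URL suffix against whichever directory name is in effect. The function names parse_args, url_matches_gitdir and check_invocation are hypothetical, and the host name is constructed.

```shell
#!/bin/sh
# Added example, not GitTools code: parse_args, url_matches_gitdir and
# check_invocation are hypothetical names. URLs below are constructed.

# Accept --git-dir=NAME or --git-dir NAME anywhere among the two positionals.
parse_args() {
    GITDIR=".git"; BASEURL=""; BASEDIR=""; npos=0
    while [ "$#" -gt 0 ]; do
        case "$1" in
            --git-dir=*) GITDIR="${1#*=}" ;;
            --git-dir)
                [ "$#" -ge 2 ] || { echo "[-] --git-dir needs a value" >&2; return 2; }
                GITDIR="$2"; shift ;;
            -*) echo "[-] unknown option: $1" >&2; return 2 ;;
            *)
                npos=$((npos + 1))
                case "$npos" in
                    1) BASEURL="$1" ;;
                    2) BASEDIR="$1" ;;
                    *) echo "[-] too many arguments" >&2; return 2 ;;
                esac ;;
        esac
        shift
    done
    [ "$npos" -eq 2 ] || { echo "[-] usage: URL DEST [--git-dir=NAME]" >&2; return 2; }
}

# True only when the URL ends in /<gitdir>/. The name is matched literally,
# so the "." in ".git" cannot stand in for any character as it would in a regex.
url_matches_gitdir() {
    case "$1" in
        */"$2"/) return 0 ;;
        *) return 1 ;;
    esac
}

# Parse, then apply the suffix check against the directory name in effect.
check_invocation() {
    parse_args "$@" || return 2
    if ! url_matches_gitdir "$BASEURL" "$GITDIR"; then
        echo "[-] /$GITDIR/ missing in url" >&2
        return 1
    fi
}

# Both orderings from the thread now behave the same (constructed host name).
check_invocation --git-dir=backup http://example.com/backup/ repo && echo "option first: ok"
check_invocation http://example.com/backup/ repo --git-dir=backup && echo "option last: ok"
```

Keeping the two positional arguments in their existing order preserves backward compatibility while removing the dependence on where the option appears.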