How I found 30+ Websites Source Code Disclosure via Exposed .git Folder using Google Dorks
I have found more than 30 websites disclosing their source code through an exposed .git folder, just by using the Google Dorks shown below.
Google Dorks:
1) "index of" inurl:.git
2) allintext:index filetype:git
I found an exposed .git folder containing sensitive source code on one of the Indian government websites and reported it to NCIIPC India, which sent me the acknowledgement shown below. (NCIIPC, the National Critical Information Infrastructure Protection Centre, is an organisation of the Government of India created under Sec 70A of the Information Technology Act, 2000 (amended 2008), through a gazette notification on 16th Jan 2014. Based in New Delhi, India, it is designated as the National Nodal Agency in respect of Critical Information Infrastructure Protection.)
Impact: Any malicious user can download the exposed .git data to their local system using git dumper tools and recover the repository contents, including all the recent commits made in that git folder.
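As an added example that is not part of the original post, here is a defender-side check in Python for the condition these dorks surface: it runs over constructed web server access-log lines and flags which requests for .git paths actually succeeded (the repository is readable) versus which were blocked, and it validates whether a fetched /.git/HEAD body is a genuine git ref rather than an error page. The log format, sample addresses and function names are my assumptions, not anything from the post.

```python
import re
from collections import Counter

# Regex for the Apache/nginx "combined" access-log format (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Matches a ".git" path component (/.git/HEAD, /app/.git/config) but not /.gitignore.
GIT_PATH_RE = re.compile(r'(^|/)\.git(/|$)')


def is_git_head(body: str) -> bool:
    """True if a fetched /.git/HEAD body is a genuine git HEAD file: either a
    symbolic ref ("ref: refs/heads/main") or a detached 40-hex commit id.
    An HTML error page or a directory listing returns False."""
    body = body.strip()
    return body.startswith("ref: refs/") or re.fullmatch(r"[0-9a-f]{40}", body) is not None


def scan_access_log(lines):
    """Classify every request for a .git path. 'exposed' means the server
    answered 2xx (the repository is readable); 'probe' means it was blocked or
    absent (3xx/4xx/5xx). Returns a Counter keyed by (client_ip, verdict)."""
    verdicts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not GIT_PATH_RE.search(m["path"]):
            continue
        verdict = "exposed" if 200 <= int(m["status"]) < 300 else "probe"
        verdicts[(m["ip"], verdict)] += 1
    return verdicts


# Constructed sample log lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2023:14:02:11 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2023:14:02:12 +0000] "GET /.git/config HTTP/1.1" 200 137 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2023:14:05:40 +0000] "GET /.git/HEAD HTTP/1.1" 403 199 "-" "curl/7.88"',
    '198.51.100.4 - - [10/Mar/2023:14:05:41 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/7.88"',
    '198.51.100.4 - - [10/Mar/2023:14:05:42 +0000] "GET /.gitignore HTTP/1.1" 404 153 "-" "curl/7.88"',
]

if __name__ == "__main__":
    for (ip, verdict), n in sorted(scan_access_log(SAMPLE_LOG).items()):
        print(f"{ip}: {n} .git request(s) -> {verdict}")
    print(is_git_head("ref: refs/heads/main\n"))  # a genuine HEAD file
```

An 'exposed' verdict means the web server is serving the repository: deny web access to the .git directory (or keep it out of the document root) and rotate any credentials found in its history.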
Please refer to the articles below for more details on how this process is carried out and how attackers can obtain confidential data using this method.
Resources:
1) https://jacobriggs.io/blog/posts/source-code-disclosure-via-exposed-git-29.html
2) https://iosentrix.com/blog/git-source-code-disclosure-vulnerability/
3) https://captainnoob.medium.com/source-code-disclosure-via-exposed-git-folder-d22919c590a2
Thank you guys for Reading this Post — Happy Hunting 🐞
If you like this post, don’t forget to give me a clap 👏
Support me: If you'd like to support me, buy me a cup of coffee ☕
Follow me: Satya Prakash | LinkedIn | Twitter