PROGRAMMING TUTORIAL

Tutorial: Learn the internals of Git by hacking a website

Understanding what one of our favorite tools actually does

Yakko Majuri
Published in Level Up Coding
Jun 28, 2020 · 11 min read

Disclaimer: This article is meant for educational purposes only. The author does not condone or encourage hacking, except for permitted white hat hacking.

Most developers that roam this Earth have, at some point or another, come across Git.

Chances are, you probably use it every day.

Now, while it’s easy to reduce Git down to a few memorized commands, like git add, git commit, and git push, there’s actually a lot going on in the background that we don’t often care to understand.

However, understanding a little bit of what happens under the hood could potentially be very useful, and I’ll try to give you some insight into this in a fun way: by teaching you how to exploit a Git-related security vulnerability so you can better secure your own websites.

Remember, you should never try this on anyone’s website without explicit permission. Doing so can constitute a serious crime. I do not take responsibility for anything you choose to do in possession of the knowledge you gain from this article.

A Teeny Tiny Web Server

If you want to skip through file creation and things, feel free to just clone the code from here (using Git :D) and skip over to this section.

The vulnerability I will discuss here involves having your Git repository or its contents exposed to the web. It affects a whole lot of websites still today and is mostly associated with PHP servers (surprise!), so let’s get ourselves one of those.

No, don’t go away yet! We won’t actually be writing a lot of PHP, but you do need to make sure you have PHP installed on your machine. You can check if it’s already installed by running php -v.

I myself never really used PHP before writing this tutorial, so I assure you this is very simple.

So now, open a terminal window and let’s create a Git directory and add a file to it:

$ mkdir exposed-git
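
To check one of your own servers for the exposure described above (Git metadata sitting inside the directory the web server serves), here is an added example that is not part of the original article. The function name audit_docroot and the REPO/GITFILE/SUSPECT labels are hypothetical, and the sample tree is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit a local web document root for Git metadata that the
# web server would hand out as static files.

# audit_docroot DIR
# Prints one finding per line. Returns 0 if clean, 1 if anything was found,
# 2 if DIR is not a directory.
audit_docroot() {
    docroot=$1
    [ -d "$docroot" ] || { echo "not a directory: $docroot" >&2; return 2; }
    findings=$(
        # -prune reports each .git entry without descending into it.
        find "$docroot" -name .git -prune -print | while IFS= read -r entry; do
            if [ -d "$entry" ] && [ -f "$entry/HEAD" ]; then
                # A full repository: history and objects live under this path.
                echo "REPO $entry"
            elif [ -f "$entry" ] && grep -q '^gitdir: ' "$entry"; then
                # A pointer file (submodule or worktree): leaks a path only.
                echo "GITFILE $entry"
            else
                # Named .git but not recognisable; review by hand.
                echo "SUSPECT $entry"
            fi
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree: a site deployed by copying a whole working tree,
# so the repository metadata landed inside the document root.
demo=$(mktemp -d)
mkdir -p "$demo/site/.git" "$demo/site/vendor/lib" "$demo/clean"
echo 'ref: refs/heads/master' > "$demo/site/.git/HEAD"
echo 'gitdir: ../../.git/modules/lib' > "$demo/site/vendor/lib/.git"

audit_docroot "$demo/site" || echo "status: $?"
audit_docroot "$demo/clean" && echo "clean: nothing to report"
rm -rf "$demo"
```

The non-zero return status makes the function usable as a gate in a deploy script: run it against the release directory and stop the deploy if it reports anything.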

Programmer, writer, traveler, hitchhiker, climber, photographer. i.e. lost. (P.S. amateur at most of the above) // memoirsandrambles.substack.com