WangYihang/GitHacker

GitHacker

A multi-threaded .git folder exploitation tool. Reconstructs the target repository in full — source code, commit history, branches, stashes, remotes, tags — even when directory listing is disabled, by brute-forcing well-known ref names.

The accompanying research site at https://githacker.pages.dev publishes:

  • A reproducible Benchmark against six other pillagers (GitTools, dvcs-ripper, GitHack, git-dumper, dumpall, rbozburun/git-hacker) across five web-server scenarios.
  • An adversarial Security suite that runs every tool against malicious .git/ directories and tracks coordinated disclosure of findings.
  • Methodology and Reproduce pages with every detail needed to re-run the harness locally.

Safety

The remote .git you are downloading may be malicious. Published research demonstrates code execution, arbitrary file write, and SSRF against pillagers via crafted .git/config, hooks, submodules, LFS objects, and HTTP redirects. Run GitHacker in a disposable container:

docker run -v $(pwd)/results:/tmp/githacker/results \
  wangyihang/githacker \
  --url http://target/.git/ \
  --output-folder /tmp/githacker/results

The Security page tracks both GitHacker's own hardening history and pre-disclosure findings against other pillagers.
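A disposable container limits the blast radius, but a recovered repository can still bite the analyst who later runs git inside it. The README names crafted .git/config entries and hooks as the vectors; the check below, an added example that is not part of GitHacker, parses a recovered .git/config and lists every key whose value git would execute as a command (the core.fsmonitor class from the 2022 advisory, core.hooksPath, LFS-style filter drivers, "!" aliases). The key list is an assumption drawn from the git-config documentation, and both sample configs are constructed for the example.

```python
"""Pre-flight scan of a recovered .git/config for command-executing keys.

Added example, not GitHacker code. Run it against <output-folder>/.git/config
before touching the reconstructed repository with git.
"""
import re
import sys

# [section] or [section "subsection"] header lines.
SECTION_RE = re.compile(r'^\[([A-Za-z0-9.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\]\s*$')
# key, or key = value (value may be empty). Key names are case-insensitive.
KEY_RE = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(.*))?$')

# Keys in plain sections whose value git hands to a shell or exec()s.
# Assumed from git-config(1); not an exhaustive list.
COMMAND_KEYS = {
    "core.fsmonitor", "core.hookspath", "core.sshcommand", "core.gitproxy",
    "core.pager", "core.editor", "core.askpass", "diff.external",
    "credential.helper", "gpg.program", "sequence.editor",
    "uploadpack.packobjectshook",
}
# (section, key) pairs under a named subsection, e.g. [filter "lfs"] clean = ...
COMMAND_SUBKEYS = {
    ("filter", "clean"), ("filter", "smudge"), ("filter", "process"),
    ("diff", "command"), ("diff", "textconv"), ("merge", "driver"),
    ("credential", "helper"), ("gpg", "program"),
}


def _strip_comment(value):
    """Drop an unquoted '#' or ';' trailing comment, as git does."""
    quoted = False
    for i, ch in enumerate(value):
        if ch == '"' and (i == 0 or value[i - 1] != "\\"):
            quoted = not quoted
        elif ch in "#;" and not quoted:
            return value[:i].rstrip()
    return value.strip()


def parse_git_config(text):
    """Yield (section, subsection-or-None, key, value) for each entry."""
    section, sub = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            section, sub = m.group(1).lower(), m.group(2)
            continue
        m = KEY_RE.match(line)
        if m and section is not None:
            key, value = m.group(1).lower(), m.group(2)
            # A bare key (no '=') means boolean true in git config.
            yield section, sub, key, "true" if value is None else _strip_comment(value)


def find_command_keys(text):
    """Return the canonical names of keys that would make git run a command."""
    hits = []
    for section, sub, key, value in parse_git_config(text):
        name = f"{section}.{sub}.{key}" if sub is not None else f"{section}.{key}"
        if sub is None and name in COMMAND_KEYS:
            hits.append(name)
        elif sub is not None and (section, key) in COMMAND_SUBKEYS:
            hits.append(name)
        elif section == "alias" and value.startswith("!"):  # "!cmd" aliases spawn a shell
            hits.append(name)
    return sorted(hits)


# Constructed sample: what a freshly cloned repository's config usually contains.
BENIGN_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
\tbare = false
[remote "origin"]
\turl = https://example.invalid/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[branch "main"]
\tremote = origin
\tmerge = refs/heads/main
"""

# Constructed sample of the failure mode the README warns about.
SUSPICIOUS_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfsmonitor = /tmp/fsmonitor-hook.sh   ; run by git status / git add
\thooksPath = .git/not-hooks
[filter "lfs"]
\tclean = sh -c 'echo hello'
\trequired = true
[alias]
\tst = !sh -c 'echo hello'
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SUSPICIOUS_CONFIG
    for hit in find_command_keys(text):
        print("command-executing key:", hit)
```

An empty result does not make the repository safe (hooks and submodule paths still need a look), but a non-empty one is a hard stop: neutralise those keys or discard the config before any git invocation touches the working tree.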

Quick start

Docker (recommended)

# Help
docker run wangyihang/githacker --help

# Single target
docker run -v $(pwd)/results:/tmp/githacker/results \
  wangyihang/githacker \
  --url http://target/.git/ \
  --output-folder /tmp/githacker/results

# Brute-force branch and tag names (use when directory listing is off)
docker run -v $(pwd)/results:/tmp/githacker/results \
  wangyihang/githacker --brute \
  --url http://target/.git/ \
  --output-folder /tmp/githacker/results

# Multiple targets, one URL per line
docker run -v $(pwd)/results:/tmp/githacker/results \
  -v $(pwd)/websites.txt:/websites.txt \
  wangyihang/githacker --brute \
  --url-file /websites.txt \
  --output-folder /tmp/githacker/results

pip

pip install GitHacker

githacker --help
githacker --url http://target/.git/ --output-folder result
githacker --brute --url http://target/.git/ --output-folder result
githacker --brute --url-file websites.txt --output-folder result

Requirements: git >= 2.11.0, Python 3.10+.

Comparison

Side-by-side results live on the dashboard so the table doesn't drift out of sync with reality: https://githacker.pages.dev/benchmark.

The benchmark is regenerated on every run (weekly via GitHub Actions, and on demand). At the time of writing, GitHacker is the only tool that recovers 100% of artifacts across all five web-server scenarios and scores 100% PASS on the published adversarial corpus.

Development

Set up:

git clone https://github.com/WangYihang/GitHacker
cd GitHacker
uv sync --group dev

Run unit tests:

uv run pytest

Run the full benchmark / security harnesses (needs Docker):

python -m benchmark run        # 7 tools × 5 web-server scenarios
python -m benchmark security   # adversarial corpus

Both write JSON into docs/public/data/; the docs site picks them up on its next build. Full harness design: https://githacker.pages.dev/methodology.

Demo

References

Acknowledgements

  • Justin Steven — original core.fsmonitor / recursive-downloader advisories (2022).
  • Driver Tom — generic counter-attacks against source-code pillagers (2021).
  • Zac Wang (@7a6163) — path-traversal in add_head_file_tasks / add_hashes_parsed (CVE pending; folded into the single-trust-gate fix at 5f2a8ba).
  • lesion1999 — contributor.
  • shashade250 — contributor.

License

THE DRINKWARE LICENSE

<wangyihanger@gmail.com> wrote this file. As long as
you retain this notice you can do whatever you want
with this stuff. If we meet some day, and you think
this stuff is worth it, you can buy me the following
drink(s) in return.

Red Bull
JDB
Coffee
Sprite
Cola
Harbin Beer
etc

Wang Yihang
