insecure-source-code-management

SKILL: Insecure Source Code Management


AI LOAD INSTRUCTION: This skill covers detection and recovery of exposed version-control metadata, common backup artifacts, and related misconfigurations. Use only in authorized assessments. Treat recovered credentials and URLs as sensitive; do not exfiltrate real data beyond scope. For broad discovery workflow, cross-load recon-for-sec and recon-and-methodology when those skills exist in the workspace.

0. QUICK START


High-value paths to probe first (GET or HEAD, respect rate limits):

```http
/.git/HEAD
/.git/config
/.svn/entries
/.svn/wc.db
/.hg/requires
/.bzr/README
/.DS_Store
/.env
```

Routing hint: scan these paths quickly; if a full reconnaissance workflow is needed, load the methodology from the recon-for-sec and recon-and-methodology skills first, then go deeper.


1. GIT EXPOSURE


Detection


- `/.git/HEAD` — a valid repo often returns plain text like:

  ```text
  ref: refs/heads/main
  ```

- `/.git/config` — may expose `remote.origin.url`, user identity, or embedded credentials.
- `/.git/index`, `/.git/objects/` — partial object store access enables reconstruction with the right tools.

403 vs 404


- 404 — path likely absent or fully blocked at the edge.
- 403 on `/.git/` — directory may exist but listing is denied; still try direct file URLs:

  ```http
  /.git/HEAD
  /.git/config
  /.git/logs/HEAD
  /.git/refs/heads/main
  ```

  A 403 on the directory plus 200 on `HEAD` strongly indicates exposure.

Recovery tools (open source)


- arthaud/git-dumper — dumps the reachable `.git` tree when individual files are fetchable.
- internetwache/GitTools — Dumper, Extractor, Finder modules for partial/corrupt dumps.
- WangYihang/GitHacker — alternative recovery when standard dumpers miss edge cases.

Key files to prioritize


| Path | Why it matters |
|---|---|
| `.git/config` | Remotes, credentials, hooks paths |
| `.git/logs/HEAD` | Commit history, reflog-style leakage |
| `.git/refs/heads/*` | Branch tips, commit SHAs |
| `.git/packed-refs` | Packed branch/tag refs |
| `.git/objects/**` | Object blobs for reconstruction |


2. SVN EXPOSURE


Detection


- SVN before 1.7: `/.svn/entries` — XML or text metadata listing paths and revisions.
- SVN ≥ 1.7: `/.svn/wc.db` — SQLite working copy database (`PRAGMA table_info` after download).

Example probe:

```http
GET /.svn/entries HTTP/1.1
GET /.svn/wc.db HTTP/1.1
```

Recovery


- anantshri/svn-extractor — automated extraction from an exposed `.svn`.
- Manual: download `wc.db`, query it with `sqlite3` for file paths and checksums, then request `/.svn/pristine/` blobs if exposed.


3. MERCURIAL EXPOSURE


Detection


- `/.hg/requires` — small text file listing repository features; confirms Mercurial metadata.

```http
GET /.hg/requires HTTP/1.1
GET /.hg/store/ HTTP/1.1
```

Recovery


- sahildhar/mercurial_source_code_dumper — dumps the repository when store paths are reachable.


4. OTHER LEAKS


Bazaar (Bzr)


- Probe `/.bzr/README` and `/.bzr/branch-format` for Bazaar metadata.

macOS `.DS_Store`


- `/.DS_Store` can encode directory and filename listings.
- Tools: gehaxelt/ds-store, lijiejie/ds_store_exp — parse `.DS_Store` offline.

Backup and config artifacts


Probe (adjust for app root and naming conventions):

```text
/.env
/backup.zip
/backup.tar.gz
/wwwroot.rar
/backup.sql
/config.php.bak
/.config.php.swp
```

Web server misconfiguration signal (example: NGINX)


- `location /.git { deny all; }` — may return 403 for `/.git/` while still allowing or denying specific subpaths depending on rules.
- A 403 on a protected location can confirm the route exists; always distinguish it from a 404 on non-existent paths.


5. DECISION TREE


1. Probe `/.git/HEAD` → `ref: refs/heads/` pattern? → run git-dumper / GitTools / GitHacker; review `config` and `logs/HEAD` for secrets.
2. Else probe `/.svn/wc.db` or `entries` → success? → svn-extractor or manual `wc.db` + pristine recovery.
3. Else probe `/.hg/requires` → success? → mercurial dumper.
4. Else probe `/.bzr/README` → Bazaar tooling or manual path walk.
5. In parallel: fetch `/.DS_Store`, `/.env`, and common backup extensions on the app root and parent paths.
6. Interpret status codes: 403 on the directory + 200 on specific files → treat as high priority for file-by-file extraction.
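As an added example (not part of the original skill), a Python triage helper that applies steps 1 and 6 offline to responses an authorized scan has already recorded: it confirms that a `/.git/HEAD` body really has the shape git writes, separates 403 from 404 the way the tree does, and reviews a `/.git/config` for credentials embedded in remote URLs while redacting the secret so the finding can be reported without copying it. The sample responses, host name and credential are constructed.

```python
import re

# Constructed sample of probe results an authorized scan might have recorded:
# path -> (HTTP status, body). Host name and credential are made up.
SAMPLE_RESPONSES = {
    "/.git/": (403, "<html><body>403 Forbidden</body></html>"),
    "/.git/HEAD": (200, "ref: refs/heads/main\n"),
    "/.git/config": (200, '[core]\n\trepositoryformatversion = 0\n[remote "origin"]\n'
                          "\turl = https://deploy:s3cr3t@git.example.test/app.git\n"),
    "/.svn/wc.db": (404, ""),
}

# A real HEAD is a symbolic ref or a bare 40-hex commit id (detached HEAD).
HEAD_RE = re.compile(r"ref: refs/heads/\S+|[0-9a-f]{40}")
# scheme://user:secret@host, the form credentials take inside a remote URL
CRED_URL_RE = re.compile(r"(?P<scheme>\w+://)(?P<user>[^:/@\s]+):(?P<secret>[^@\s]+)@")


def looks_like_git_head(body):
    """True only when the body has the shape git itself writes to HEAD."""
    return HEAD_RE.fullmatch(body.strip()) is not None


def classify_git(responses):
    """Apply the 403/404 rules: 'exposed', 'unconfirmed', 'blocked' or 'absent'."""
    dir_status = responses.get("/.git/", (None, ""))[0]
    head_status, head_body = responses.get("/.git/HEAD", (None, ""))
    if head_status == 200:
        # A catch-all route can answer 200 with HTML for any path; only the
        # ref:/SHA pattern confirms a real repository, whatever the directory said.
        return "exposed" if looks_like_git_head(head_body) else "unconfirmed"
    if 403 in (dir_status, head_status):
        return "blocked"  # route exists behind a deny rule; nothing readable
    return "absent"


def review_git_config(text):
    """Return [(section, redacted_url, has_credential)] for each remote URL."""
    findings, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            section = line
        elif section and section.startswith("[remote") and line.startswith("url"):
            url = line.split("=", 1)[1].strip()
            # Keep scheme and user for the report, never the secret itself.
            redacted = CRED_URL_RE.sub(r"\g<scheme>\g<user>:[REDACTED]@", url)
            findings.append((section, redacted, redacted != url))
    return findings
```

`classify_git(SAMPLE_RESPONSES)` returns `"exposed"` for the constructed sample, and `review_git_config` reports the origin remote with the password replaced by `[REDACTED]`.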


6. RELATED ROUTING


- From recon-for-sec — scope-safe discovery, crawling, and fingerprinting before deep VCS tests.
- From recon-and-methodology — structured methodology and evidence handling.

Coordinate with the reconnaissance skills: settle scope and request rate first, then run targeted verification against VCS metadata and backup artifacts.