Hazards caused by improper configuration of version control systems such as SVN and GIT

Version control is essential in the development of a project. The following describes the world's most famous version control system and how to use it for penetration.
CVS
 
Although CVS is simple, you can still use backup files.
 
SVN
 
Subversion is the most widely used version control system today.
 
GIT
 
It was created by Linus Torvals and is mainly characterized by a decentralized Code view.
 
Mercurial
 
It is very similar to GIT, but it is faster and simpler.
 
Bazaar
 
Similar to Git and Mercurial, but easier.
 
In this article, we will see what information can be obtained by accessing different version control systems through http and https. Most version control systems can be configured to access proprietary protocols, such as SSH and HTTP. Under normal circumstances, the information of the version control system is accessible only after authorization.
Obtain available information from the svn Repository
If we search for keywords in images by google". Svn" intitle: "index ",The accessed svn version control system is displayed. If you search by using. svn, some irrelevant results are obtained.

 
In the image above, we can see that two SVN systems can be publicly accessed by searching and querying:
 
Http://neo-layout.org/.svn/
 
Http://trafficbonus.com/.svn/
 
If we try to access these links, the SVN directory displayed to us is shown in:
 

 
In use. standard svn files and folders can be found in the svn/directory. generally, the web page is a part of the svn repository, including folders ,. svn/directory does not have proper permission protection. the svn directory contains the information of each resource in the project directory. Therefore, once leaked, the consequences are very serious.
You can use the wget command to download all files to the local device.

# Wget-m-I. svn checkout-al neo-layout.org/# ls-al neo-layout.org/total 56drwxr-xr-x 3 eleanor 4096 Oct 2. drwxr-xr-x 75 eleanor 36864 Oct 2 16:18 .. drwxr-xr-x 6 eleanor 4096 Oct 2 16: 18. svn-rw-r -- 1 eleanor 5155 Jul 15 2011 index.html-rw-r -- 1 eleanor 61 Jul 15 2011 robots.txt restart.
Then, you can use cd to enter the working directory and run the svn status Command to view the working status of the project file. For details about svn commands, refer to the article.
Http://www.cnblogs.com/orez88/articles/1973303.html

After executing the svn status command, you can see the specific state of the file.
You can also run svn info to obtain more information .:

You can see the author, the last modified version number, modification date, and other information.
Obtain sensitive information from the git Repository
Search by google". Git" intitle: "Index ",The sensitive information of the git version control system is listed.







Take a website as an example. You can also use the wget command to download it to your local device.
# Wget-m-I. git http://www.claytonking.com/.git/
You can then use the git command to perform local operations to obtain more sensitive information. For details about the git command, refer to this article:
Http://www.cnblogs.com/1-2-3/archive/2010/07/18/git-commands.html
If a website project uses the svn or git version control system and does not have the corresponding permission settings, attackers can easily obtain sensitive information, database account passwords, and so on, this will cause more information leakage on the website. other version control systems can also use the above method. so protection. svn and. it is very important to disable the search engine and user access in the git directory. htaccess is used to protect the svn and git version control system libraries.

Link: http://resources.infosecinstitute.com/hacking-svn-git-and-mercuri