6

I'm pentesting a git server currently, and I'm trying to figure out how to modify pack files. I have my git requests running through Burp proxy, however, I'm unsure how to tamper with the pack files I see being sent to the git-receive-pack endpoint. Are there any good tools for making simple modifications to pack files, such as changing the name and path of the file being uploaded?

I've found lots of documentation on pack files and the commands for manipulating them via the git CLI. The issue, however, is that I want to create pack files that are malformed, which git does not allow. I've also found Dulwich, but the docs don't seem to be great and I can't find any examples anywhere near what I want to do.

Any suggestions on how to modify these pack files would be incredibly useful.

GBleaney
  • What are your reasons for wanting to do this? – Code-Apprentice Aug 19 '16 at 22:07
  • @Code-Apprentice, as mentioned in my post, I'm pentesting a git server currently. I suspect that it's trusting the contents of the pack file and not validating where the pack files say to write. I'd like to validate this assumption – GBleaney Aug 19 '16 at 23:58
  • @GBleaney I'm not sure what you mean by "validating where the pack files say to write"... The server probably doesn't write any files based on the paths in the pack files. Do you really want to create a _malformed_ pack file, for fuzzing the server perhaps, or do you want to create a legitimate pack file with your own data in it? These are two very different problems. If the former, then no tool will let you do that and you'll need to build a tool that creates bogus pack files. If the latter, you can use any tool, just feed it your (modified) objects... – Edward Thomson Aug 20 '16 at 00:17
  • What kind of server is this? Are you trying to pentest a git hosting server? If so, it may (and hopefully does) a) validate the paths for legality (in a git repository sense) but it certainly doesn't write any files based on them. But if you're trying to pentest some server that actually checks out files (perhaps due to a deploy) based on a git repository being pushed to it then that's a very different proposition. – Edward Thomson Aug 20 '16 at 00:19
  • @EdwardThomson, it's more of the latter situation. The repository accepts pushes from the CLI as the user updates their local repo, but the repo is also later deployed by another component of the application. What I care about checking is whether that deploy can be attacked with malicious pack files. – GBleaney Aug 27 '16 at 00:55
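
The path-legality check that the comments above describe, as an added example that is not part of the original thread: it parses the body of a raw git tree object and flags entry names and modes that a deploy step should not check out blindly. The helper names and sample trees are constructed, and the rules are a subset chosen for illustration, not git's full set of checks.

```python
# Added example: vet the entries of a raw git tree object before a deploy
# step checks it out. All sample data below is constructed.
VALID_MODES = {"100644", "100755", "120000", "40000", "160000"}
RESERVED = {b".", b"..", b".git"}

def parse_tree(raw: bytes):
    """Yield (mode, name) for each '<mode> <name>\\0<20-byte id>' entry."""
    pos = 0
    while pos < len(raw):
        sp = raw.index(b" ", pos)        # ValueError if the entry is cut off
        nul = raw.index(b"\0", sp + 1)
        if len(raw) < nul + 21:
            raise ValueError("truncated object id")
        yield raw[pos:sp].decode("ascii", "replace"), raw[sp + 1:nul]
        pos = nul + 21

def entry_problems(mode: str, name: bytes):
    problems = []
    if mode not in VALID_MODES:
        problems.append("unexpected mode")
    elif mode == "120000":
        problems.append("symlink: check target before deploy")
    if not name:
        problems.append("empty name")
    if b"/" in name:
        problems.append("path separator in name")
    if name.lower() in RESERVED:         # case-insensitive: catches .GIT too
        problems.append("reserved name")
    return problems

def check_tree(raw: bytes):
    """Return [(name, problem), ...]; an empty list means nothing was flagged."""
    findings = []
    try:
        for mode, name in parse_tree(raw):
            findings += [(name, p) for p in entry_problems(mode, name)]
    except ValueError as exc:
        findings.append((b"", f"malformed tree: {exc}"))
    return findings

def entry(mode: str, name: bytes, oid: bytes = b"\x11" * 20) -> bytes:
    """Build one constructed tree entry for the samples below."""
    return mode.encode() + b" " + name + b"\0" + oid

GOOD = entry("100644", b"README.md") + entry("40000", b"src")
BAD = entry("100644", b"..") + entry("40000", b".GIT") + entry("100644", b"a/b")

if __name__ == "__main__":
    print(check_tree(GOOD))
    print(check_tree(BAD))
```

Git's own `receive.fsckObjects` setting makes `git-receive-pack` verify incoming objects; a check like this belongs in the deploy component as a second layer.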

1 Answer

3

When it comes to pack examples, you could check out the pack-related tests included with Git, and see if you can derive your own (faulty) packs from them.

For instance:

VonC