根据 .git 目录下的文件,各司其职,了解下流程;

D:\Go0s\git\LFIboomCTF\.git (master)
λ ls
COMMIT_EDITMSG  config  description  HEAD  hooks/  index  info/  logs/  objects/  packed-refs  refs/

D:\Go0s\git\LFIboomCTF\.git (master)
λ cat HEAD
ref: refs/heads/master

D:\Go0s\git\LFIboomCTF\.git (master)
λ cat refs\heads\master
84cf1a5a0e4013ac6c352c189aa468ef5d35e3e2

D:\Go0s\git\LFIboomCTF\.git (master)
λ git cat-file -p 84cf1a5a0e4013ac6c352c189aa468ef5d35e3e2
tree 4edbb6f8a3546e264937eb33679157bfff6cf47c
parent c6054602dc1523fcde34fc7002925bbbafa901de
author Go0s <[email protected]> 1493186117 +0800
committer Go0s <[email protected]> 1493186117 +0800

update

D:\Go0s\git\LFIboomCTF\.git (master)
λ git cat-file -p 4edbb6f8a3546e264937eb33679157bfff6cf47c
100644 blob 6201d97e2ef03fbe844273acfa8aa4d5b0beb5f4    README.md
040000 tree 17a13f24ef4dfcfdbbf89ad089c54b6ab8084089    data
040000 tree 9feec057106e7ee846e47281ed1eb7b4571b941d    filter
040000 tree aca2e7e65ff4157a1ed25f2c6c6103bc3ed741d4    input1
040000 tree 803f28d97b29635db91b392c1c6d865a54c1e827    input2
040000 tree 984cc41eda51185cc66d656f9b5541e9bc943bb7    phar1
040000 tree 4ac072dd5b59f28c00f1ced8eeb32feae955a2f7    phar2

D:\Go0s\git\LFIboomCTF\.git (master)
λ git cat-file -p 17a13f24ef4dfcfdbbf89ad089c54b6ab8084089
100644 blob f30aee5e1a1df2476a6e518bb71c9f1bb7631777    index.php

D:\Go0s\git\LFIboomCTF\.git (master)
λ git cat-file -p f30aee5e1a1df2476a6e518bb71c9f1bb7631777
<?php
$user=$_GET['user'];
#echo $user;
if(isset($user)&&(file_get_contents($user,'r')==='the user is admin')){
    echo "flag{xxxxxxxxxxxxx}";
}
else{
    echo "you are not admin ! ";
}
?>

当然也可以不按tree来读取文件,直接使用git ls-files --stage

D:\Go0s\git\LFIboomCTF\.git (master)
λ git ls-files --stage
100644 6201d97e2ef03fbe844273acfa8aa4d5b0beb5f4 0       README.md
100644 f30aee5e1a1df2476a6e518bb71c9f1bb7631777 0       data/index.php
100644 e8bb8fdb04d138611b712afcb6481c8570b9f8cb 0       filter/index.php
100644 4f1bd335085bd715b1e6bc40ed982a0d5a347548 0       filter/show.php
100644 00c4204d44a9cb75c0afa3bbefef1aebadac168b 0       filter/tips.php
100644 58ca19706fe1c957aa8556c78328e981017d665b 0       input1/index.html
100644 56785efe0e60d6a5b375779026cec773545dcb63 0       input1/index.php
100644 f01ba9f24c725fa5dc8ab80aa81e12c0af635102 0       input1/index.php.bak
100644 68e3ba7af4b070091bce2f6ead20bc3be7dd1733 0       input2/flag.php
100644 55925083e57f392107113d02708d2751f9714f8b 0       input2/index.php
100644 f801e56b787895e337e51d12165527c24a299508 0       input2/phpinfo.php
100644 3f59978418ff175a33f8620135c2d92c04eedba4 0       phar1/include.php
100644 c01bb19e47c472a22d5037f5da0db1ca15f42112 0       phar1/index.html
100644 2bb535d9a2b3679943bc8558dff070e30f352f10 0       phar1/upload.php
100644 a76bec157eaaa34037f37e200daa8b005b0f6892 0       phar1/upload/1.jpg
100644 02f2029027cfdc7522f5c6c89c35e5f0f50339e2 0       phar2/flag.txt
100644 b2d5394b830bda89e7a07b2006c434241a20842a 0       phar2/index.php

解决方法

将 .git 目录放置于网站根目录的上层,在创建 git 仓库的时候就直接在网站根目录的上层去创建;

这就将 .git 目录限制在了客户端不能访问到的位置;

利用工具

效果一个比一个好;

  1. https://github.com/lijiejie/GitHack
  2. https://github.com/kost/dvcs-ripper
  3. https://github.com/internetwache/GitTools