loading
loading
Misconfiguration
Leak git repositories from misconfigured sites and rebuild their contents.
overview
gitjacker targets sites that accidentally deployed their .git directory to a public web root. When that folder is reachable over HTTP, the repository's history, objects, and refs are downloadable, and the original source code can be reconstructed from them. gitjacker automates the whole recovery: it pulls the git internals and rebuilds a working copy from what it finds, so you get the code back rather than a directory of raw blobs.
Its strength is partial recovery. Even when directory listing is disabled, so you cannot browse the folder, gitjacker walks the git object graph by hash and still recovers a significant portion of the repository. That often surfaces credentials, deploy config, and proprietary logic the deployed application never meant to ship.
On Trickest, gitjacker is a Misconfiguration node that takes a target URL and writes a folder containing the reconstructed repository. Run it after a finder flags hosts with a reachable .git, then route the recovered tree into a secret scanner to triage what leaked.
source github.com/liamg/gitjacker
use cases
Point gitjacker at a URL whose .git directory is reachable and it rebuilds the repository, recovering code and config the site never meant to publish.
gitjacker walks git objects by hash, so it still pulls back a large share of the repository even when the server hides the folder contents.
Hand the reconstructed repository to a tool like gitleaks so committed keys, tokens, and passwords in the git history surface as triaged findings.
Confirm the impact of an exposed .git finding by recovering the real source, then report exactly which files, credentials, and internal logic were reachable.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| url | STRING | · | Target URL of the site with an exposed .git directory. |
| verbose | BOOLEAN | --verbose | Enable verbose logging of each retrieval and recovery step. |
Showing key inputs. gitjacker exposes 2 inputs in total.
example
# download and rebuild the repo from an exposed .git directorygitjacker --verbose https://example.com/gitjacker v0.1.0Retrieving .git/config from https://example.com/ ...Walking loose and packed objects by hash...Summary=======Status: partial successObjects retrieved: 318 (repo ~89% recovered)Remote origin: git@github.com:example/webapp.gitSecrets found: .env, config/database.ymlOutput written to: ./example.comguidance
Use gitjacker when a site exposes its .git directory and you want the source code back, not just the file list. It downloads and reconstructs in one step. For the simpler dump-and-extract path use the GitTools family, and follow any recovery with a secret scan.
Downloads an exposed .git directory but does not reconstruct; pair it with the extractor.
Combined dump and recovery from the GitTools project, the closest direct alternative.
Not a downloader; scans the recovered repository for committed secrets.
faq
related
A fast tool to scan for CRLF vulnerabilities, written in Go.
A host header injection vulnerability checker for batches of URLs.
Find files on web servers that should not be public and can pose a security risk.
A Go subdomain takeover tool that scans subdomains concurrently to find hijackable ones.
A target URL feeds gitjacker, which reconstructs the exposed repository and hands it to gitleaks so any committed secrets land as output.
Facts on this page come from the live Trickest tool library.