GitHacker

May 28, 2026 · View on GitHub

PyPI version PyPI downloads Site

A multi-threaded .git folder exploitation tool. Reconstructs the target repository in full — source code, commit history, branches, stashes, remotes, tags — even when DirectoryListings is disabled, by brute-forcing well-known refs.

The accompanying research site at https://githacker.pages.dev publishes:

  • A reproducible Benchmark against six other pillagers (GitTools, dvcs-ripper, GitHack, git-dumper, dumpall, rbozburun/git-hacker) across five web-server scenarios.
  • An adversarial Security suite that runs every tool against malicious .git/ directories and tracks coordinated disclosure of findings.
  • Methodology and Reproduce pages with every detail needed to re-run the harness locally.

Safety

The remote .git you are downloading may be malicious. Published research demonstrates code execution, arbitrary file write, and SSRF against pillagers via crafted .git/config, hooks, submodules, LFS objects, and HTTP redirects. Run GitHacker in a disposable container:

docker run -v $(pwd)/results:/tmp/githacker/results \
  wangyihang/githacker \
  --url http://target/.git/ \
  --output-folder /tmp/githacker/results

The Security page tracks both GitHacker's own hardening history and pre-disclosure findings against other pillagers.

Quick start

# Help
docker run wangyihang/githacker --help

# Single target
docker run -v $(pwd)/results:/tmp/githacker/results \
  wangyihang/githacker \
  --url http://target/.git/ \
  --output-folder /tmp/githacker/results

# Brute-force branch and tag names (use when directory listing is off)
docker run -v $(pwd)/results:/tmp/githacker/results \
  wangyihang/githacker --brute \
  --url http://target/.git/ \
  --output-folder /tmp/githacker/results

# Multiple targets, one URL per line
docker run -v $(pwd)/results:/tmp/githacker/results \
  -v $(pwd)/websites.txt:/websites.txt \
  wangyihang/githacker --brute \
  --url-file /websites.txt \
  --output-folder /tmp/githacker/results

pip

pip install GitHacker

githacker --help
githacker --url http://target/.git/ --output-folder result
githacker --brute --url http://target/.git/ --output-folder result
githacker --brute --url-file websites.txt --output-folder result

Requirements: git >= 2.11.0, Python 3.10+.

Comparison

Side-by-side results live on the dashboard so the table doesn't drift out of sync with reality: https://githacker.pages.dev/benchmark.

The benchmark regenerates on every benchmark run (weekly via GitHub Actions, and on demand). At the time of writing, GitHacker is the only tool that recovers 100% of artifacts across all five web-server scenarios and 100% PASS on the published adversarial corpus.

Development

Set up:

git clone https://github.com/WangYihang/GitHacker
cd GitHacker
uv sync --group dev

Run unit tests:

uv run pytest

Run the full benchmark / security harnesses (needs Docker):

$\text{bash} \text{python} -\text{m} \text{benchmark} \text{run} # 7 \text{tools} \times 5 \text{web}-\text{server} \text{scenarios} \text{python} -\text{m} \text{benchmark} \text{security} # \text{adversarial} \text{corpus} $

Both write JSON into docs/public/data/; the docs site picks them up on its next build. Full harness design: https://githacker.pages.dev/methodology.

Demo

Demo

References

Acknowledgements

  • Justin Steven — original core.fsmonitor / recursive-downloader advisories (2022).
  • Driver Tom — generic counter-attacks against source-code pillagers (2021).
  • Zac Wang (@7a6163) — path-traversal in add_head_file_tasks / add_hashes_parsed (CVE pending; folded into the single-trust-gate fix at 5f2a8ba).
  • lesion1999 — contributor.
  • shashade250 — contributor.

License

THE DRINKWARE LICENSE

<wangyihanger@gmail.com> wrote this file. As long as
you retain this notice you can do whatever you want
with this stuff. If we meet some day, and you think
this stuff is worth it, you can buy me the following
drink(s) in return.

Red Bull
JDB
Coffee
Sprite
Cola
Harbin Beer
etc

Wang Yihang