author CoprDistGit <infra@openeuler.org> 2023-05-31 05:27:51 +0000
committer CoprDistGit <infra@openeuler.org> 2023-05-31 05:27:51 +0000
commit 164a3a3bc092e79a6f5e14a84fd99e41a172ac48
tree 5d799f929fcfbdc26556ebf796929769709a4e65
parent e6b7a6790fe18d052d46596d9528506c12f09d62
automatic import of python-githacker
-rw-r--r-- .gitignore 1
-rw-r--r-- python-githacker.spec 620
-rw-r--r-- sources 1
3 files changed, 622 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
index e69de29..036444c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+/GitHacker-1.1.7.tar.gz
diff --git a/python-githacker.spec b/python-githacker.spec
new file mode 100644
index 0000000..d9b020c
--- /dev/null
+++ b/python-githacker.spec
@@ -0,0 +1,620 @@
+%global _empty_manifest_terminate_build 0
+Name: python-GitHacker
+Version: 1.1.7
+Release: 1
+Summary: A multiple threads tool to download the `.git` folder and rebuild git repository locally.
+License: GNU Lesser General Public License v3 (LGPLv3)
+URL: https://github.com/WangYihang/GitHacker
+Source0: https://mirrors.nju.edu.cn/pypi/web/packages/c4/60/d052b7a968bb8d3fa2373fc5df2f4f59052a227b63b57c09bcea74277724/GitHacker-1.1.7.tar.gz
+BuildArch: noarch
+
+Requires: python3-GitPython
+Requires: python3-beautifulsoup4
+Requires: python3-coloredlogs
+Requires: python3-requests
+Requires: python3-semver
+
+%description
+# GitHacker
+
+## Desciption
+
+This is a multiple threads tool to exploit the `.git` folder leakage vulnerability. It is able to download the target `.git` folder almost completely. This tool also works when the `DirectoryListings` feature is disabled by brute forcing common `.git` folder files.
+
+With GitHacker's help, you can view the developer's commit history, branches, ..., stashes, which makes a better understanding of the target repo, even to find security vulnerabilities.
+
+## PROCLAMATION (IMPORTANT)
+
+> Several VULNERABILITIES have been reported recently, if you are using
+> GitHacker <= 1.1.0, please update your tool as soon as possible.
+
+The remote `.git` folder maybe malicious, so to prevent you from being attacked.
+It's highly recommended that you SHOULD run this tool under a disposable jailed environment
+(eg: Docker container).
+
+## Requirments
+
+* git >= 2.11.0
+* Python 3
+
+## Usage in Docker (Recommended)
+
+```bash
+# print help info
+docker run wangyihang/githacker --help
+# quick start
+docker run -v $(pwd)/results:/tmp/githacker/results wangyihang/githacker --output-folder /tmp/githacker/results --url http://127.0.0.1/.git/
+# brute for the name of branchs / tags
+docker run -v $(pwd)/results:/tmp/githacker/results wangyihang/githacker --brute --output-folder /tmp/githacker/results --url http://127.0.0.1/.git/
+# exploit multiple websites, one site per line
+docker run -v $(pwd)/results:/tmp/githacker/results wangyihang/githacker --brute --output-folder /tmp/githacker/results --url-file websites.txt
+```
+
+## Usage
+
+```bash
+# install
+python3 -m pip install -i https://pypi.org/simple/ GitHacker
+# print help info
+githacker --help
+# quick start
+githacker --url http://127.0.0.1/.git/ --output-folder result
+# brute for the name of branchs / tags
+githacker --brute --url http://127.0.0.1/.git/ --output-folder result
+# exploit multiple websites, one site per line
+githacker --brute --url-file websites.txt --output-folder result
+```
+
+## Comparison of other tools
+
+> 2021-05-25
+
+| Tools | Index | Source Code | Reflogs | Stashes | Commits | Branches | Remotes | Tags |
+| :-----------: | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: |
+| GitTools | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :x: | :heavy_check_mark: | :x: | :heavy_check_mark: | :x: |
+| dvcs-ripper | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :x: | :heavy_check_mark: | :x: | :heavy_check_mark: | :x: |
+| GitHack | :heavy_check_mark: | :heavy_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
+| git-dumper | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+| **GitHacker** | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+| GitTools | :x: | :heavy_check_mark: | :heavy_check_mark: | :x: | :heavy_check_mark: | :x: | :heavy_check_mark: | :x: |
+| dvcs-ripper | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+| GitHack | :x: | :heavy_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
+| git-dumper | :x: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :x: | :heavy_check_mark: | :x: |
+| **GitHacker** | :x: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :muscle: | :heavy_check_mark: | :muscle: |
+
+## Example
+
+![Demo](./figure/demo.gif)
+
+## TODO
+
+- [x] ~~Download packed files firstly~~ (Unsolvable via [StackOverflow](https://stackoverflow.com/questions/27789484/how-does-git-know-the-sha1-name-of-the-pack-files))
+- [x] Fix infinit downloading 404 files, #25
+- [x] Fix error when `master` branch not exists, #18
+- [x] Extract branch names from `.git/logs/HEAD`, #18
+- [x] Publish Docker image to hub.docker.com
+- [x] Add Dockerfile
+- [x] Fix stash files missing due to the fix of #21, #23, #24 (`git clone` can't download stash files)
+- [x] Use python f'string in `test.py`
+- [x] Download tags and branches when Index enabled
+- [x] Try common tags and branches when Index disabled
+- [x] [find packed refs](https://github.com/WangYihang/GitHacker/issues/1#issuecomment-487135667)
+
+## Test
+
+### Setup Development Environment
+
+```
+# Install docker and docker-compose
+apt install docker-desktop
+apt install docker-compose
+
+# Download GitHacker
+git clone https://github.com/WangYihang/GitHacker
+cd GitHacker
+python -m venv venv
+source venv/bin/activate
+pip install -r requirements.txt
+```
+
+### Run tests
+
+```
+# Generate testing repo
+python utils/gen.py
+
+# Run testcases
+sudo su
+source venv/bin/activate
+pip install -r requirements.txt
+python utils/test.py
+exit
+
+# Diff results
+python utils/diff.py
+```
+
+## Check report
+
+See `test/report/YYYY-MM-DD/index.html`
+
+## Videos
+### asciinema
+
+[![asciicast](https://asciinema.org/a/xgRmZ9dNvzhe3T2XRYDJe15Rj.png)](https://asciinema.org/a/xgRmZ9dNvzhe3T2XRYDJe15Rj)
+
+### YouTube
+* [【.git/ folder attack】Comparison of attack tools (Part I)](https://www.youtube.com/watch?v=Bs3QpVGf2uk)
+* [【.git/ folder attack】Comparison of attack tools (Part II)](https://www.youtube.com/watch?v=Xzg4kQt4qEo)
+
+## Security Issues
+
+#### 2021-08-01 [Fixed](https://github.com/WangYihang/GitHacker/commit/e105b5c04329e9c4b8080029976bc73d12b1f23f): Malicious .git folder maybe harmful to the user of this tool (Reported by [Driver Tom](https://drivertom.blogspot.com))
+
+* [别想偷我源码:通用的针对源码泄露利用程序的反制(常见工具集体沦陷)](https://drivertom.blogspot.com/2021/08/git.html)
+
+#### 2022-03-01 [Fixed](https://github.com/WangYihang/GitHacker/commit/806095e807d20e06d5f192928f1f525510a34688): Arbitrary file write via recursive file downloader (Reported by [Justin Steven](https://twitter.com/justinsteven))
+
+* To be released
+
+#### 2022-03-01 [Fixed](https://github.com/WangYihang/GitHacker/commit/f97710c2cf0351308fc81666448e00004b7d14f9): Remote Code Execution via malicious `.git/config` and `.git/hooks/*` files (Reported by [Justin Steven](https://twitter.com/justinsteven))
+
+* To be released
+
+## References
+
+* [Git Repository Layout](https://mirrors.edge.kernel.org/pub/software/scm/git/docs/gitrepository-layout.html)
+* [Git Documents](https://git-scm.com/docs)
+* [Git Pack filename](https://stackoverflow.com/questions/27789484/how-does-git-know-the-sha1-name-of-the-pack-files)
+
+## Acknowledgement
+
+- [@Justin Steven](https://twitter.com/justinsteven)
+- [@Driver Tom](https://drivertom.blogspot.com)
+- [@lesion1999](https://github.com/lesion1999)
+- [@shashade250](https://github.com/shashade250)
+
+## Licsence
+```
+THE DRINKWARE LICENSE
+
+<wangyihanger@gmail.com> wrote this file. As long as
+you retain this :x:tice you can do whatever you want
+with this stuff. If we meet some day, and you think
+this stuff is worth it, you can buy me the following
+drink(s) in return.
+
+Red Bull
+JDB
+Coffee
+Sprite
+Cola
+Harbin Beer
+etc
+
+Wang Yihang
+```
+
+
+
+
+%package -n python3-GitHacker
+Summary: A multiple threads tool to download the `.git` folder and rebuild git repository locally.
+Provides: python-GitHacker
+BuildRequires: python3-devel
+BuildRequires: python3-setuptools
+BuildRequires: python3-pip
+%description -n python3-GitHacker
+# GitHacker
+
+## Desciption
+
+This is a multiple threads tool to exploit the `.git` folder leakage vulnerability. It is able to download the target `.git` folder almost completely. This tool also works when the `DirectoryListings` feature is disabled by brute forcing common `.git` folder files.
+
+With GitHacker's help, you can view the developer's commit history, branches, ..., stashes, which makes a better understanding of the target repo, even to find security vulnerabilities.
+
+## PROCLAMATION (IMPORTANT)
+
+> Several VULNERABILITIES have been reported recently, if you are using
+> GitHacker <= 1.1.0, please update your tool as soon as possible.
+
+The remote `.git` folder maybe malicious, so to prevent you from being attacked.
+It's highly recommended that you SHOULD run this tool under a disposable jailed environment
+(eg: Docker container).
+
+## Requirments
+
+* git >= 2.11.0
+* Python 3
+
+## Usage in Docker (Recommended)
+
+```bash
+# print help info
+docker run wangyihang/githacker --help
+# quick start
+docker run -v $(pwd)/results:/tmp/githacker/results wangyihang/githacker --output-folder /tmp/githacker/results --url http://127.0.0.1/.git/
+# brute for the name of branchs / tags
+docker run -v $(pwd)/results:/tmp/githacker/results wangyihang/githacker --brute --output-folder /tmp/githacker/results --url http://127.0.0.1/.git/
+# exploit multiple websites, one site per line
+docker run -v $(pwd)/results:/tmp/githacker/results wangyihang/githacker --brute --output-folder /tmp/githacker/results --url-file websites.txt
+```
+
+## Usage
+
+```bash
+# install
+python3 -m pip install -i https://pypi.org/simple/ GitHacker
+# print help info
+githacker --help
+# quick start
+githacker --url http://127.0.0.1/.git/ --output-folder result
+# brute for the name of branchs / tags
+githacker --brute --url http://127.0.0.1/.git/ --output-folder result
+# exploit multiple websites, one site per line
+githacker --brute --url-file websites.txt --output-folder result
+```
+
+## Comparison of other tools
+
+> 2021-05-25
+
+| Tools | Index | Source Code | Reflogs | Stashes | Commits | Branches | Remotes | Tags |
+| :-----------: | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: |
+| GitTools | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :x: | :heavy_check_mark: | :x: | :heavy_check_mark: | :x: |
+| dvcs-ripper | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :x: | :heavy_check_mark: | :x: | :heavy_check_mark: | :x: |
+| GitHack | :heavy_check_mark: | :heavy_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
+| git-dumper | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+| **GitHacker** | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+| GitTools | :x: | :heavy_check_mark: | :heavy_check_mark: | :x: | :heavy_check_mark: | :x: | :heavy_check_mark: | :x: |
+| dvcs-ripper | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+| GitHack | :x: | :heavy_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
+| git-dumper | :x: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :x: | :heavy_check_mark: | :x: |
+| **GitHacker** | :x: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :muscle: | :heavy_check_mark: | :muscle: |
+
+## Example
+
+![Demo](./figure/demo.gif)
+
+## TODO
+
+- [x] ~~Download packed files firstly~~ (Unsolvable via [StackOverflow](https://stackoverflow.com/questions/27789484/how-does-git-know-the-sha1-name-of-the-pack-files))
+- [x] Fix infinit downloading 404 files, #25
+- [x] Fix error when `master` branch not exists, #18
+- [x] Extract branch names from `.git/logs/HEAD`, #18
+- [x] Publish Docker image to hub.docker.com
+- [x] Add Dockerfile
+- [x] Fix stash files missing due to the fix of #21, #23, #24 (`git clone` can't download stash files)
+- [x] Use python f'string in `test.py`
+- [x] Download tags and branches when Index enabled
+- [x] Try common tags and branches when Index disabled
+- [x] [find packed refs](https://github.com/WangYihang/GitHacker/issues/1#issuecomment-487135667)
+
+## Test
+
+### Setup Development Environment
+
+```
+# Install docker and docker-compose
+apt install docker-desktop
+apt install docker-compose
+
+# Download GitHacker
+git clone https://github.com/WangYihang/GitHacker
+cd GitHacker
+python -m venv venv
+source venv/bin/activate
+pip install -r requirements.txt
+```
+
+### Run tests
+
+```
+# Generate testing repo
+python utils/gen.py
+
+# Run testcases
+sudo su
+source venv/bin/activate
+pip install -r requirements.txt
+python utils/test.py
+exit
+
+# Diff results
+python utils/diff.py
+```
+
+## Check report
+
+See `test/report/YYYY-MM-DD/index.html`
+
+## Videos
+### asciinema
+
+[![asciicast](https://asciinema.org/a/xgRmZ9dNvzhe3T2XRYDJe15Rj.png)](https://asciinema.org/a/xgRmZ9dNvzhe3T2XRYDJe15Rj)
+
+### YouTube
+* [【.git/ folder attack】Comparison of attack tools (Part I)](https://www.youtube.com/watch?v=Bs3QpVGf2uk)
+* [【.git/ folder attack】Comparison of attack tools (Part II)](https://www.youtube.com/watch?v=Xzg4kQt4qEo)
+
+## Security Issues
+
+#### 2021-08-01 [Fixed](https://github.com/WangYihang/GitHacker/commit/e105b5c04329e9c4b8080029976bc73d12b1f23f): Malicious .git folder maybe harmful to the user of this tool (Reported by [Driver Tom](https://drivertom.blogspot.com))
+
+* [别想偷我源码:通用的针对源码泄露利用程序的反制(常见工具集体沦陷)](https://drivertom.blogspot.com/2021/08/git.html)
+
+#### 2022-03-01 [Fixed](https://github.com/WangYihang/GitHacker/commit/806095e807d20e06d5f192928f1f525510a34688): Arbitrary file write via recursive file downloader (Reported by [Justin Steven](https://twitter.com/justinsteven))
+
+* To be released
+
+#### 2022-03-01 [Fixed](https://github.com/WangYihang/GitHacker/commit/f97710c2cf0351308fc81666448e00004b7d14f9): Remote Code Execution via malicious `.git/config` and `.git/hooks/*` files (Reported by [Justin Steven](https://twitter.com/justinsteven))
+
+* To be released
+
+## References
+
+* [Git Repository Layout](https://mirrors.edge.kernel.org/pub/software/scm/git/docs/gitrepository-layout.html)
+* [Git Documents](https://git-scm.com/docs)
+* [Git Pack filename](https://stackoverflow.com/questions/27789484/how-does-git-know-the-sha1-name-of-the-pack-files)
+
+## Acknowledgement
+
+- [@Justin Steven](https://twitter.com/justinsteven)
+- [@Driver Tom](https://drivertom.blogspot.com)
+- [@lesion1999](https://github.com/lesion1999)
+- [@shashade250](https://github.com/shashade250)
+
+## Licsence
+```
+THE DRINKWARE LICENSE
+
+<wangyihanger@gmail.com> wrote this file. As long as
+you retain this :x:tice you can do whatever you want
+with this stuff. If we meet some day, and you think
+this stuff is worth it, you can buy me the following
+drink(s) in return.
+
+Red Bull
+JDB
+Coffee
+Sprite
+Cola
+Harbin Beer
+etc
+
+Wang Yihang
+```
+
+
+
+
+%package help
+Summary: Development documents and examples for GitHacker
+Provides: python3-GitHacker-doc
+%description help
+# GitHacker
+
+## Desciption
+
+This is a multiple threads tool to exploit the `.git` folder leakage vulnerability. It is able to download the target `.git` folder almost completely. This tool also works when the `DirectoryListings` feature is disabled by brute forcing common `.git` folder files.
+
+With GitHacker's help, you can view the developer's commit history, branches, ..., stashes, which makes a better understanding of the target repo, even to find security vulnerabilities.
+
+## PROCLAMATION (IMPORTANT)
+
+> Several VULNERABILITIES have been reported recently, if you are using
+> GitHacker <= 1.1.0, please update your tool as soon as possible.
+
+The remote `.git` folder maybe malicious, so to prevent you from being attacked.
+It's highly recommended that you SHOULD run this tool under a disposable jailed environment
+(eg: Docker container).
+
+## Requirments
+
+* git >= 2.11.0
+* Python 3
+
+## Usage in Docker (Recommended)
+
+```bash
+# print help info
+docker run wangyihang/githacker --help
+# quick start
+docker run -v $(pwd)/results:/tmp/githacker/results wangyihang/githacker --output-folder /tmp/githacker/results --url http://127.0.0.1/.git/
+# brute for the name of branchs / tags
+docker run -v $(pwd)/results:/tmp/githacker/results wangyihang/githacker --brute --output-folder /tmp/githacker/results --url http://127.0.0.1/.git/
+# exploit multiple websites, one site per line
+docker run -v $(pwd)/results:/tmp/githacker/results wangyihang/githacker --brute --output-folder /tmp/githacker/results --url-file websites.txt
+```
+
+## Usage
+
+```bash
+# install
+python3 -m pip install -i https://pypi.org/simple/ GitHacker
+# print help info
+githacker --help
+# quick start
+githacker --url http://127.0.0.1/.git/ --output-folder result
+# brute for the name of branchs / tags
+githacker --brute --url http://127.0.0.1/.git/ --output-folder result
+# exploit multiple websites, one site per line
+githacker --brute --url-file websites.txt --output-folder result
+```
+
+## Comparison of other tools
+
+> 2021-05-25
+
+| Tools | Index | Source Code | Reflogs | Stashes | Commits | Branches | Remotes | Tags |
+| :-----------: | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: |
+| GitTools | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :x: | :heavy_check_mark: | :x: | :heavy_check_mark: | :x: |
+| dvcs-ripper | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :x: | :heavy_check_mark: | :x: | :heavy_check_mark: | :x: |
+| GitHack | :heavy_check_mark: | :heavy_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
+| git-dumper | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+| **GitHacker** | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+| GitTools | :x: | :heavy_check_mark: | :heavy_check_mark: | :x: | :heavy_check_mark: | :x: | :heavy_check_mark: | :x: |
+| dvcs-ripper | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+| GitHack | :x: | :heavy_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
+| git-dumper | :x: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :x: | :heavy_check_mark: | :x: |
+| **GitHacker** | :x: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :muscle: | :heavy_check_mark: | :muscle: |
+
+## Example
+
+![Demo](./figure/demo.gif)
+
+## TODO
+
+- [x] ~~Download packed files firstly~~ (Unsolvable via [StackOverflow](https://stackoverflow.com/questions/27789484/how-does-git-know-the-sha1-name-of-the-pack-files))
+- [x] Fix infinit downloading 404 files, #25
+- [x] Fix error when `master` branch not exists, #18
+- [x] Extract branch names from `.git/logs/HEAD`, #18
+- [x] Publish Docker image to hub.docker.com
+- [x] Add Dockerfile
+- [x] Fix stash files missing due to the fix of #21, #23, #24 (`git clone` can't download stash files)
+- [x] Use python f'string in `test.py`
+- [x] Download tags and branches when Index enabled
+- [x] Try common tags and branches when Index disabled
+- [x] [find packed refs](https://github.com/WangYihang/GitHacker/issues/1#issuecomment-487135667)
+
+## Test
+
+### Setup Development Environment
+
+```
+# Install docker and docker-compose
+apt install docker-desktop
+apt install docker-compose
+
+# Download GitHacker
+git clone https://github.com/WangYihang/GitHacker
+cd GitHacker
+python -m venv venv
+source venv/bin/activate
+pip install -r requirements.txt
+```
+
+### Run tests
+
+```
+# Generate testing repo
+python utils/gen.py
+
+# Run testcases
+sudo su
+source venv/bin/activate
+pip install -r requirements.txt
+python utils/test.py
+exit
+
+# Diff results
+python utils/diff.py
+```
+
+## Check report
+
+See `test/report/YYYY-MM-DD/index.html`
+
+## Videos
+### asciinema
+
+[![asciicast](https://asciinema.org/a/xgRmZ9dNvzhe3T2XRYDJe15Rj.png)](https://asciinema.org/a/xgRmZ9dNvzhe3T2XRYDJe15Rj)
+
+### YouTube
+* [【.git/ folder attack】Comparison of attack tools (Part I)](https://www.youtube.com/watch?v=Bs3QpVGf2uk)
+* [【.git/ folder attack】Comparison of attack tools (Part II)](https://www.youtube.com/watch?v=Xzg4kQt4qEo)
+
+## Security Issues
+
+#### 2021-08-01 [Fixed](https://github.com/WangYihang/GitHacker/commit/e105b5c04329e9c4b8080029976bc73d12b1f23f): Malicious .git folder maybe harmful to the user of this tool (Reported by [Driver Tom](https://drivertom.blogspot.com))
+
+* [别想偷我源码:通用的针对源码泄露利用程序的反制(常见工具集体沦陷)](https://drivertom.blogspot.com/2021/08/git.html)
+
+#### 2022-03-01 [Fixed](https://github.com/WangYihang/GitHacker/commit/806095e807d20e06d5f192928f1f525510a34688): Arbitrary file write via recursive file downloader (Reported by [Justin Steven](https://twitter.com/justinsteven))
+
+* To be released
+
+#### 2022-03-01 [Fixed](https://github.com/WangYihang/GitHacker/commit/f97710c2cf0351308fc81666448e00004b7d14f9): Remote Code Execution via malicious `.git/config` and `.git/hooks/*` files (Reported by [Justin Steven](https://twitter.com/justinsteven))
+
+* To be released
+
+## References
+
+* [Git Repository Layout](https://mirrors.edge.kernel.org/pub/software/scm/git/docs/gitrepository-layout.html)
+* [Git Documents](https://git-scm.com/docs)
+* [Git Pack filename](https://stackoverflow.com/questions/27789484/how-does-git-know-the-sha1-name-of-the-pack-files)
+
+## Acknowledgement
+
+- [@Justin Steven](https://twitter.com/justinsteven)
+- [@Driver Tom](https://drivertom.blogspot.com)
+- [@lesion1999](https://github.com/lesion1999)
+- [@shashade250](https://github.com/shashade250)
+
+## Licsence
+```
+THE DRINKWARE LICENSE
+
+<wangyihanger@gmail.com> wrote this file. As long as
+you retain this :x:tice you can do whatever you want
+with this stuff. If we meet some day, and you think
+this stuff is worth it, you can buy me the following
+drink(s) in return.
+
+Red Bull
+JDB
+Coffee
+Sprite
+Cola
+Harbin Beer
+etc
+
+Wang Yihang
+```
+
+
+
+
+%prep
+%autosetup -n GitHacker-1.1.7
+
+%build
+%py3_build
+
+%install
+%py3_install
+install -d -m755 %{buildroot}/%{_pkgdocdir}
+if [ -d doc ]; then cp -arf doc %{buildroot}/%{_pkgdocdir}; fi
+if [ -d docs ]; then cp -arf docs %{buildroot}/%{_pkgdocdir}; fi
+if [ -d example ]; then cp -arf example %{buildroot}/%{_pkgdocdir}; fi
+if [ -d examples ]; then cp -arf examples %{buildroot}/%{_pkgdocdir}; fi
+pushd %{buildroot}
+if [ -d usr/lib ]; then
+ find usr/lib -type f -printf "/%h/%f\n" >> filelist.lst
+fi
+if [ -d usr/lib64 ]; then
+ find usr/lib64 -type f -printf "/%h/%f\n" >> filelist.lst
+fi
+if [ -d usr/bin ]; then
+ find usr/bin -type f -printf "/%h/%f\n" >> filelist.lst
+fi
+if [ -d usr/sbin ]; then
+ find usr/sbin -type f -printf "/%h/%f\n" >> filelist.lst
+fi
+touch doclist.lst
+if [ -d usr/share/man ]; then
+ find usr/share/man -type f -printf "/%h/%f.gz\n" >> doclist.lst
+fi
+popd
+mv %{buildroot}/filelist.lst .
+mv %{buildroot}/doclist.lst .
+
+%files -n python3-GitHacker -f filelist.lst
+%dir %{python3_sitelib}/*
+
+%files help -f doclist.lst
+%{_docdir}/*
+
+%changelog
+* Wed May 31 2023 Python_Bot <Python_Bot@openeuler.org> - 1.1.7-1
+- Package Spec generated
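Review bot: The five `Requires:` lines (python3-GitPython through python3-semver) sit in the source-package preamble, but the only `%files` sections are for `python3-GitHacker` and `help`, so no main binary package is built and these explicit dependencies are not attached to the subpackage users actually install. Move them under `%package -n python3-GitHacker`, and add a `Requires:` on git >= 2.11.0 there as well, since the embedded README lists that version as a requirement and nothing in the spec pulls it in. Separately, the full upstream README is pasted as `%description` three times, including markdown tables, emoji shortcodes and the development test instructions; a short plain-text description that keeps the advice to run the tool in a disposable jailed environment would serve package users better.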
diff --git a/sources b/sources
new file mode 100644
index 0000000..f34d0e1
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+1324086907c7f8005b6b119b23dabd62 GitHacker-1.1.7.tar.gz
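Review bot: The single entry in `sources` is a 32-hex-digit digest, which is the length of an MD5 hash, and it is the only integrity check on a tarball that `Source0` fetches from a third-party PyPI mirror rather than from the upstream project. MD5 is not collision resistant; if the lookaside tooling accepts a stronger algorithm, record a SHA-256 or SHA-512 digest instead and verify it against the hash published on PyPI for GitHacker-1.1.7.tar.gz.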