GCP - Firebase Enum

Firebase

Firebase Realtime Database ni hifadhidata ya NoSQL inayohifadhiwa kwenye wingu ambayo inakuwezesha kuhifadhi na kusawazisha data kati ya watumiaji wako kwa wakati halisi. Jifunze zaidi.

Unauthenticated Enum

Baadhi ya Firebase endpoints zinaweza kupatikana katika maombi ya simu. Inawezekana kwamba endpoint ya Firebase inayotumika ime konfigwa vibaya ikitoa haki za kusoma (na kuandika) kwa kila mtu.

Hii ni mbinu ya kawaida kutafuta na kutumia hifadhidata za Firebase zilizo konfigwa vibaya:

1. Pata APK ya programu unaweza kutumia chombo chochote kupata APK kutoka kwa kifaa kwa ajili ya POC hii. Unaweza kutumia “APK Extractor” https://play.google.com/store/apps/details?id=com.ext.ui&hl=e

2. Decompile APK kwa kutumia apktool, fuata amri iliyo hapa chini kutoa msimbo wa chanzo kutoka kwa APK.

3. Nenda kwenye res/values/strings.xml na angalia hii na tafuta neno “firebase”

4. Unaweza kupata kitu kama hii URL “https://xyz.firebaseio.com/”

5. Kisha, nenda kwenye kivinjari na tembea kwenye URL iliyopatikana: https://xyz.firebaseio.com/.json

6. Aina 2 za majibu zinaweza kuonekana:

7. “Permission Denied”: Hii inamaanisha huwezi kuipata, hivyo imekonfigwa vizuri

8. “null” jibu au kundi la data za JSON: Hii inamaanisha kwamba hifadhidata ni ya umma na angalau una haki za kusoma.

9. Katika kesi hii, unaweza kuangalia haki za kuandika, exploit ya kujaribu haki za kuandika inaweza kupatikana hapa: https://github.com/MuhammadKhizerJaved/Insecure-Firebase-Exploit

Kumbuka ya kuvutia: Wakati wa kuchambua programu ya simu na MobSF, ikiwa inapata hifadhidata ya firebase itakagua ikiwa hii ni inapatikana kwa umma na itaarifu.

Vinginevyo, unaweza kutumia Firebase Scanner, script ya python inayotautomate kazi hapo juu kama ilivyoonyeshwa hapa chini:

python FirebaseScanner.py -f <commaSeperatedFirebaseProjectNames>

Authenticated Enum

Ikiwa una akreditif za kufikia hifadhidata ya Firebase unaweza kutumia chombo kama Baserunner kufikia kwa urahisi zaidi taarifa zilizohifadhiwa. Au script kama ifuatavyo:

#Taken from https://blog.assetnote.io/bug-bounty/2020/02/01/expanding-attack-surface-react-native/
#Install pyrebase: pip install pyrebase4
import pyrebase

config = {
"apiKey": "FIREBASE_API_KEY",
"authDomain": "FIREBASE_AUTH_DOMAIN_ID.firebaseapp.com",
"databaseURL": "https://FIREBASE_AUTH_DOMAIN_ID.firebaseio.com",
"storageBucket": "FIREBASE_AUTH_DOMAIN_ID.appspot.com",
}

firebase = pyrebase.initialize_app(config)

db = firebase.database()

print(db.get())

To test other actions on the database, such as writing to the database, refer to the Pyrebase4 documentation which can be found here.

Access info with APPID and API Key

If you decompile the iOS application and open the file GoogleService-Info.plist and you find the API Key and APP ID:

• API KEY AIzaSyAs1[...]

• APP ID 1:612345678909:ios:c212345678909876

You may be able to access some interesting information

Request

curl -v -X POST "https://firebaseremoteconfig.googleapis.com/v1/projects/612345678909/namespaces/firebase:fetch?key=AIzaSyAs1[...]" -H "Content-Type: application/json" --data '{"appId": "1:612345678909:ios:c212345678909876", "appInstanceId": "PROD"}'

References

• ​https://blog.securitybreached.org/2020/02/04/exploiting-insecure-firebase-database-bugbounty/​

• ​https://medium.com/@danangtriatmaja/firebase-database-takover-b7929bbb62e1​