A cloud database is a convenient thing: consider that all the work on deploying and configuring the server has already been done for you, you just have to use it! It relaxes admins so much that such databases often remain unprotected and are searched for with the help of search engines. One caveat – this search engine cannot be Google!
All information is provided for informational purposes only. The author and the editors are not responsible for any possible harm caused by using the information from this article.
Firebase is a cloud platform that was developed by Envolve in 2011. It was originally a database for chat applications, but later became a favorite among developers of massively multiplayer online games. This prompted the founders to split Firebase into two parts: a chat module and a game framework module.
Two years later, in 2014, Google acquired Firebase and continued to develop. There are programming interfaces for this database for a variety of platforms and programming languages.
From a technical point of view, Firebase is cool and handy. It seems that there is no need to twist and finish anything here. But a secure configuration of the cloud base is still needed, and many owners forget about it, being too relaxed. So much so that they forget about the simplest thing – authentication.
We will look for insecure unprotected databases
It turns out that there are a lot of non-password-protected databases on the Internet, and this is easy prey for cybercriminals. Only now you won’t be able to google them, because Google decided that this problem can be solved by simply excluding these databases from the search results. Cleverly! But extremely unreliable.
What can you do next after finding domains with vulnerable databases? We open any link – for example,
https://… Information about it is useless, but if you remove the table name from the link
topstories and leave only
., then you can check whether the base is protected or not. In this case, the result looks like this:
“error” : “Permission denied”
That’s right, I personally would be notably surprised if the owners of this site made such a blatant oversight. But some do allow it. Ten minutes of searching the links, and the search will be crowned with success.
I found something more interesting – accounts with password hashes. It is not difficult to select them from a file with a simple Python script or утилитой jq.
With help of HashID determine the type of hashes (it was MD5) and drive it into hashcat… If you do not have enough powerful hardware, you can use the online service – tools FindMyHash automatically picks them up. All of these utilities are preinstalled with Kali Linux.
We are waiting for ten minutes, and before us are logins and passwords in plain text.
Sitting around, changing search engines and going through all the URLs manually is very tedious. Too often you see “error: Permission denied”. So it’s time to automate! However, programming is not required, because it has already been done before us. Take for example script developed by Francesco Herrera.
The script picks up the URL itself and looks for vulnerable databases.
Download it and install dependencies:
git clone https://github.com/Turr0n/firebase.git
pip install -r requirements.txt
python3 firebase.py -p 4 -c 150 –dnsdumpster
p– indicates the number of threads (default 1, maximum 4);
dnsdumpster— генерирует URL самостоятельно;
с– how many domains to generate.
Yes, the script can generate links on its own. More precisely, he does not do it himself, but turns to the DNSdumpster utility for help.
The result shows that from the found bases:
- 37 urls “broken” or no longer exist;
- 171 the base is authenticated when accessing data and is protected;
- one base with suspected vulnerability;
- 25 bases are unprotected or vulnerable.
ProApk on Telegram – https://t.me/proapk_in
ProApk on Google News – https://news.google.com/publications/CAAqBwgKMP_S9AowhYDbAg
ProApk on Twitter – https://twitter.com/xdapirates
ProApk on Facebook – https://facebook.com/www.proapk.in