GITBOOK-618: No subject
carlospolop authored and gitbook-bot committed May 31, 2024
1 parent 9e1974f commit e00ba58
Showing 2 changed files with 18 additions and 2 deletions.
@@ -102,7 +102,7 @@ However, **using the cli `bq`** you need some more: **`bigquery.rowAccessPolicie

{% code overflow="wrap" %}
```bash
bq query --nouse_legacy_sql 'CREATE OR REPLACE ROW ACCESS POLICY <filter_id> ON `<proj>.<dataset-name>.<table-name>` GRANT TO ("user:[email protected]") FILTER USING (term = "Cfba");' # A example filter was used
bq query --nouse_legacy_sql 'CREATE OR REPLACE ROW ACCESS POLICY <filter_id> ON `<proj>.<dataset-name>.<table-name>` GRANT TO ("<user:[email protected]>") FILTER USING (term = "Cfba");' # A example filter was used
```
{% endcode %}

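Review bot: the new placeholder on the GRANT TO line pulls the `user:` prefix inside the angle brackets (`"<user:[email protected]>"`), but the enumeration output shown below this hunk (`user:[email protected]`) indicates the prefix is a literal part of the grantee, so a reader who substitutes the whole bracketed token will drop it; keep the prefix outside the placeholder, e.g. `GRANT TO ("user:<email>")`. Minor: the trailing comment should read `# An example filter was used`.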
@@ -116,6 +116,22 @@ It's possible to find the filter ID in the output of the row policies enumeratio
apac_filter term = "Cfba" user:[email protected] 21 Jan 23:32:09 21 Jan 23:32:09
```

If you have **`bigquery.rowAccessPolicies.delete`** instead of `bigquery.rowAccessPolicies.update` you could also just delete the policy:

{% code overflow="wrap" %}
```bash
# Remove one
bq query --nouse_legacy_sql 'DROP ALL ROW ACCESS POLICY <policy_id> ON `<proj>.<dataset-name>.<table-name>`;'

# Remove all (if it's the last row policy you need to use this
bq query --nouse_legacy_sql 'DROP ALL ROW ACCESS POLICIES ON `<proj>.<dataset-name>.<table-name>`;'
```
{% endcode %}

{% hint style="danger" %}
Another potential option to bypass row access policies would be to just change the value of the restricted data. If you can only see when `term` is `Cfba`, just modify all the records of the table to have `term = "Cfba"`. However this is prevented by bigquery.
{% endhint %}

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
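Review bot: the `# Remove one` command in the added block reads `DROP ALL ROW ACCESS POLICY <policy_id> ON ...`, which mixes the single-policy and drop-all forms and contradicts its own comment; the single-policy statement is `DROP ROW ACCESS POLICY <policy_id> ON ...`, with `DROP ALL ROW ACCESS POLICIES ON ...` kept as the remove-all form on the following line. The comment above that second command has an unclosed parenthesis and is hard to parse; something like `# Remove all (required when dropping the last remaining row policy)` states the condition clearly. In the danger hint, "However this is prevented by bigquery." gives the conclusion without the mechanism; stating which statement is rejected (or which permission is required) would let the reader verify the claim and decide whether the delete/update paths above are the only ones worth enumerating.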
@@ -165,7 +165,7 @@ gcloud data-catalog taxonomies get-iam-policy <taxonomi-ID> --location=<location

# Get jobs executed
bq ls --jobs=true --all=true
bq --location=<location> show --format=prettyjson --job=true <job-id>
bq show --location=<location> show --format=prettyjson --job=true <job-id>

# Misc
bq show --encryption_service_account # Get encryption service account
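Review bot: the changed job-inspection line now contains the `show` subcommand twice (`bq show --location=<location> show --format=prettyjson --job=true <job-id>`) and will not run as written; drop the second `show` so it reads `bq show --location=<location> --format=prettyjson --job=true <job-id>`.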
