firebase

Exploiting vulnerable/misconfigured Firebase databases

Disclaimer: The provided software is meant for educational purposes only. Use this at your own discretion, the creator cannot be held responsible for any damages caused. Please, use responsibly!

Prerequisites

Non-standard python modules:

• dnsdumpster
• bs4
• requests

Installation

If the following commands run successfully, you are ready to use the script:

git clone https://github.com/Turr0n/firebase.git
cd firebase
pip install -r requirements.txt

Usage

python3 firebase.py [-h] [--dnsdumpster] [-d /path/to/file.htm] [-o results.json] [-l /path/to/file] [-c 100] [-p 4]

Arguments:

    -h      Show the help message
    -d      Absolute path to the downloaded HTML file.
    -o      Output file name. Default: results.json
    -c      Crawl for domains in the top-1m by Alexa. Set how many domains to crawl, for example: 100. Up to 1000000
    -p      How many processes to execute. Default: 1
    -l      Path to a file containing the DBs to crawl. One DB name per line. This option can't be used with -d or -c
    --dnsdumpster       Use the DNSDumpster API to gather DBs
    --just-v    Ignore "non-vulnerable" DBs
    --amass Path of the output file of an amass scan ([-o] argument)

Example: python3 firebase.py -p 4 -f results_1.json -c 150 --dnsdumpster This will lookup the first 150 domains in the Alexa file aswell as the DBs provided by DNSDumpster. The results will be saved to results_1.json and the whole script will execute using 4 parallel processes

The script will create a json file containing the gathered vulnerable databases and their dumped contents. Each database has a status:

• -2: it's not vulnerable
• -1: DB doesn't exists
• 0: further explotation may be possible
• 1: vulnerable

For a better results head to pentest-tools.com and in its subdomain scanner introduce the following domain: firebaseio.com. Once the scan has finished, save the page HTML(CRL+S) and use the -d [path] argument, this will allow the script to analyze the subdomains discovered by that service. Further subdomain crawlers might get supported.

Now we support the amass scanner by @caffix! By running any desired scann with that tool against firebaseio.com using the -o argument, the script will be able to digest the output file and crawl for the discovered DBs.

Firebase DBs work using this structure: https://[DB name].firebaseio.com/. If you are using the -l [path] argument, the supplied file needs to contain a [DB name] per line, for example:

airbnb
twitter
microsoft

Using that file will check for these DBs: https://airbnb.firebaseio.com/.json, https://twitter.firebaseio.com/.json, https://microsoft.firebaseio.com/.json

Credits

This script is heavily based on the work by the Mobile Threat Team from appthority. All credits for the reasearch belong to them.

To download the domains from the Alexa's 1 million top domains file, the script by @evilpacket is used.