JA3G3R/agneyastra

GitHub: JA3G3R/agneyastra

A security configuration checker built for the Firebase platform that scans Firestore, Realtime Database and Storage Buckets for permission misconfigurations.

Stars: 45 | Forks: 6



# agneyastra - Firebase Misconfiguration Detection Toolkit

Firebase is Google's multi-purpose platform. With a broad set of services such as its real-time database, authentication, cloud storage and hosting, it powers countless web and mobile applications. Its popularity and ease of use make it a favorite among developers, but also a prime target for misconfigurations that can lead to serious security vulnerabilities.

Agneyastra is a mythological weapon granted by Agni (fire) Dev (god), a divine weapon associated with the element of fire.

Introducing Agneyastra, a cutting-edge tool designed to empower bug bounty hunters and security professionals with unmatched precision in detecting Firebase misconfigurations. With comprehensive checks covering all Firebase services, a correlation engine, secret extraction and automated report generation, Agneyastra ensures that no vulnerability goes unnoticed, turning the tide in your favor.

## 🚀 Features

- 🔍 **Automated Firebase misconfiguration scanning**
  - Checks **read**, **write** and **delete** permissions in:
    - Firestore
    - Realtime Database
    - Storage Buckets
- 🧠 **Credential-aware access simulation**
  - Uses credentials in order of increasing privilege to simulate real-world access patterns.
  - Starts with unauthenticated (public) access to detect fully exposed endpoints.
- 🧩 **Correlation engine**
  - Optional but powerful module for determining whether a Firebase instance is likely to be associated with your target.
  - Accepts inputs such as subdomains, acquisition information and team member profiles.
  - Produces a confidence score to help prioritize targets.
- 🛠️ **Proof-of-concept generation (coming soon)**
  - Automatically creates PoCs and remediation steps for responsible disclosure or internal reporting.

## 🏗️ Installation

```
go install github.com/JA3G3R/agneyastra/cmd/agneyastra@latest
```

For Nix or NixOS, a pre-packaged module is available. The latest version is usually found in the `unstable` channel.

```
$ nix-env -iA nixos.agneyastra
```

## ⚙️ Usage

Basic scan:

```
agneyastra --key <API_KEY> -all
```

Service-specific scan (without attempting auth):

```
agneyastra bucket -a --key <API_KEY>
```

Service-specific scan (with auth):

```
agneyastra bucket -a --key <API_KEY> --auth all
```

Using the correlation engine:

```
agneyastra --key <API_KEY> -all --pentest-data
```

Using secret extraction:

```
agneyastra --key <API_KEY> -all --secrets-extract
```

Using asset extraction:

```
agneyastra --key <API_KEY> -all --assets-extract
```

Show all options:

```
agneyastra --help
```

## File formats

### config.yaml

This file lives at `~/.config/agneyastra/config.yaml` and has the following contents:

```
general:
  debug: false
services:
  auth:
    send-link:
      email: ""
    custom-token:
      token: ""
    signup:
      email: ""
      password: ""
  bucket:
    upload:
      filename: ""
```

You can edit this file, or supply a file of your choice with the `--config` flag.

### template.html

This file lives at `~/.config/agneyastra/template.html` and is used to generate the HTML report. To create a custom template, make sure you use the same variables as placeholders. You can edit this file, or supply your own with the `--template-file` flag.

## 🧩 Supported services

| Firebase service  | Read | Write | Delete |
|-------------------|------|-------|--------|
| Firestore         | ✅   | ✅    | ✅     |
| Realtime Database | ✅   | ✅    | ✅     |
| Storage Buckets   | ✅   | ✅    | ✅     |

## 🔐 Authentication strategy

The tool obtains authentication tokens using the following methods:

1. **Public (no authentication)**
2. **Anonymous authentication**
3. **New user sign-up**
4. **Login credentials** *(if provided by the user)*
5. **Custom JWT** *(if provided by the user)*

The tool also checks whether the option to send sign-in links is enabled in the project.

This makes realistic privilege escalation and vulnerability identification possible.

## 📊 Reports

Supported output formats:

- JSON
- HTML

Reports include:

- Vulnerability summary
- Correlation confidence (if enabled)
- Remediation suggestions *(planned)*

## 📦 Requirements

- Golang (1.22.0+)

## 🛡️ Disclaimer

Agneyastra is **strictly for ethical testing, educational use, or environments where you have explicit permission to test**. Scanning Firebase endpoints without authorization may be illegal and unethical. Use it responsibly.

## 🧑‍💻 Contributing

Contributions are welcome! Please open an issue or pull request to discuss ideas or report bugs.

## 💬 Contact

Created by [Bhavarth Karmarkar](https://github.com/JA3G3R)

For questions or collaboration, contact: bhavarth1905kr@gmail.com

## 🧪 Sample output

```
./agneyastra --key AIzaSyBv_y636JW_LYBcUQ7rN0b9Wukzop_gVEI --all
2024/11/22 23:17:40 Checking all services for misconfigurations
2024/11/22 23:17:42 Sign-in link sent to email: bhavarth1905kr@gmail.com
2024/11/22 23:17:44 Checking public read access. Dump directory:
2024/11/22 23:17:50 Running all firebase firestore misconfiguration checks
2024/11/22 23:18:00 Running all firebase rtdb misconfiguration checks
Final Report:
{
  "api_keys": [
    {
      "api_key": "AIzaSyBv_y636JW_LYBcUQ7rN0b9Wukzop_gVEI",
      "correlation_score": 0,
      "auth": {
        "anon-auth": {
          "Vulnerable": "vulnerable:true",
          "Error": "",
          "AuthType": "",
          "VulnConfig": "",
          "Remedy": "Disable Anonymous Authentication",
          "Details": {
            "expiresIn": "3600",
            "idToken": "redacted",
            "localId": "3S1VMdFs2PVoISOrNxr8zL4akhs2",
            "refreshToken": "redacted"
          }
        },
        "custom-token-login": {
          "Vulnerable": "error",
          "Error": "failed to log in with custom token, status code: 400",
          "AuthType": "",
          "VulnConfig": "",
          "Remedy": "",
          "Details": null
        },
        "send-signin-link": {
          "Vulnerable": "vulnerable:true",
          "Error": "",
          "AuthType": "",
          "VulnConfig": "Send Sign in Link enabled in Firebase project.",
          "Remedy": "Disable Send Sign in Link from Firebase Console",
          "Details": { "email": "bhavarth1905kr@gmail.com" }
        },
        "signup": {
          "Vulnerable": "error",
          "Error": "failed to sign up with email/password, status code: 400",
          "AuthType": "",
          "VulnConfig": "",
          "Remedy": "",
          "Details": null
        }
      },
      "services": {
        "bucket": {
          "delete": {
            "104159166443": {
              "Vulnerable": "vulnerable:true",
              "Error": "",
              "AuthType": "",
              "VulnConfig": "allow delete: if true; // Allows public delete access to storage objects.",
              "Remedy": "Disable public delete access: 'allow delete: if false;'.",
              "Details": { "status_code": "" }
            },
            "agneyastra-testing2": {
              "Vulnerable": "vulnerable:true",
              "Error": "",
              "AuthType": "anon",
              "VulnConfig": "allow delete: if request.auth == null; // Permits unauthenticated users to delete storage objects.",
              "Remedy": "Restrict deletes to authenticated users: 'allow delete: if request.auth != null;'.",
              "Details": { "status_code": "404" }
            }
          },
          "read": {
            "104159166443": {
              "Vulnerable": "vulnerable:false",
              "Error": "",
              "AuthType": "public",
              "VulnConfig": "",
              "Remedy": "",
              "Details": {
                "Contents": { "prefixes": null, "items": null }
              }
            },
            "agneyastra-testing2": {
              "Vulnerable": "vulnerable:true",
              "Error": "",
              "AuthType": "anon",
              "VulnConfig": "allow read: if request.auth == null; // Allows unauthenticated access to storage objects.",
              "Remedy": "Restrict to authenticated users: 'allow read: if request.auth != null;'.",
              "Details": {
                "Contents": {
                  "prefixes": {
                    "testing/": {
                      "prefixes": {
                        "testing/inner-folder/": {
                          "prefixes": {},
                          "items": [
                            { "name": "testing/inner-folder/burpcert.der", "bucket": "agneyastra-testing2.appspot.com" }
                          ]
                        }
                      },
                      "items": [
                        { "name": "testing/2", "bucket": "agneyastra-testing2.appspot.com" }
                      ]
                    }
                  },
                  "items": [
                    { "name": "1", "bucket": "agneyastra-testing2.appspot.com" },
                    { "name": "firebase.html", "bucket": "agneyastra-testing2.appspot.com" },
                    { "name": "poc.txt", "bucket": "agneyastra-testing2.appspot.com" }
                  ]
                }
              }
            }
          },
          "write": {
            "104159166443": {
              "Vulnerable": "vulnerable:unknown",
              "Error": "",
              "AuthType": "",
              "VulnConfig": "",
              "Remedy": "",
              "Details": { "status_code": "404" }
            },
            "agneyastra-testing2": {
              "Vulnerable": "vulnerable:true",
              "Error": "",
              "AuthType": "anon",
              "VulnConfig": "allow write: if request.auth == null; // Allows unauthenticated access to write storage objects.",
              "Remedy": "Restrict to authenticated users: 'allow write: if request.auth != null;'.",
              "Details": { "status_code": "200" }
            }
          }
        },
        "firestore": {
          "delete": {
            "104159166443": {
              "Vulnerable": "error",
              "Error": "bad request error in 2nd request",
              "AuthType": "",
              "VulnConfig": "",
              "Remedy": "",
              "Details": null
            },
            "agneyastra-testing2": {
              "Vulnerable": "vulnerable:true",
              "Error": "",
              "AuthType": "anon",
              "VulnConfig": "allow delete: if request.auth == null; // Permits unauthenticated users to delete storage objects.",
              "Remedy": "Restrict deletes to authenticated users: 'allow delete: if request.auth != null;'.",
              "Details": null
            }
          },
          "read": {
            "104159166443": {
              "Vulnerable": "error",
              "Error": "bad request error in 2nd request",
              "AuthType": "",
              "VulnConfig": "",
              "Remedy": "",
              "Details": null
            },
            "agneyastra-testing2": {
              "Vulnerable": "vulnerable:false",
              "Error": "",
              "AuthType": "",
              "VulnConfig": "",
              "Remedy": "",
              "Details": null
            }
          },
          "write": {
            "104159166443": {
              "Vulnerable": "error",
              "Error": "bad request error in 2nd request",
              "AuthType": "",
              "VulnConfig": "",
              "Remedy": "",
              "Details": null
            },
            "agneyastra-testing2": {
              "Vulnerable": "vulnerable:true",
              "Error": "",
              "AuthType": "anon",
              "VulnConfig": "allow write: if request.auth == null; // Allows unauthenticated access to write storage objects.",
              "Remedy": "Restrict to authenticated users: 'allow write: if request.auth != null;'.",
              "Details": null
            }
          }
        },
        "rtdb": {
          "delete": {
            "104159166443": {
              "Vulnerable": "vulnerable:true",
              "Error": "",
              "AuthType": "anon",
              "VulnConfig": "allow delete: if request.auth == null; // Permits unauthenticated users to delete storage objects.",
              "Remedy": "Restrict deletes to authenticated users: 'allow delete: if request.auth != null;'.",
              "Details": {
                "rtdb_url": "https://104159166443-default-rtdb.firebaseio.com/agneyastrapocBui7Cl.json",
                "status_code": "404"
              }
            },
            "agneyastra-testing2": {
              "Vulnerable": "vulnerable:false",
              "Error": "",
              "AuthType": "",
              "VulnConfig": "",
              "Remedy": "",
              "Details": {
                "rtdb_url": "https://agneyastra-testing2-default-rtdb.firebaseio.com/agneyastrapocBui7Cl.json",
                "status_code": "401"
              }
            }
          },
          "read": {
            "agneyastra-testing2": {
              "Vulnerable": "vulnerable:false",
              "Error": "",
              "AuthType": "",
              "VulnConfig": "",
              "Remedy": "",
              "Details": {
                "rtdb_url": "https://agneyastra-testing2-default-rtdb.firebaseio.com/.json",
                "status_code": ""
              }
            }
          },
          "write": {
            "agneyastra-testing2": {
              "Vulnerable": "vulnerable:false",
              "Error": "",
              "AuthType": "",
              "VulnConfig": "",
              "Remedy": "",
              "Details": {
                "rtdb_url": "https://agneyastra-testing2-default-rtdb.firebaseio.com/agneyastrapoc5WGiNY.json",
                "status_code": ""
              }
            }
          }
        }
      },
      "secrets": null
    }
  ]
}
```
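
An added example, not part of the agneyastra project: a Go program that reads a JSON report in the shape of the sample output and turns it into a remediation worklist, listing confirmed findings with their remedy and counting `error` and `vulnerable:unknown` results that need a manual re-check. `Triage`, `Finding` and the `Sample` input are constructed for illustration; only the JSON field names come from the sample output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Finding holds the per-check fields used for triage; "Details" is ignored.
type Finding struct{ Vulnerable, AuthType, Remedy string }

// Triage returns confirmed findings ("vulnerable:true") as sorted lines and
// counts "error"/"vulnerable:unknown" results, which need a manual re-check.
func Triage(raw []byte) (confirmed []string, inconclusive int, err error) {
	var r struct { // nesting as in the sample output
		APIKeys []struct {
			Auth     map[string]Finding                       `json:"auth"`
			Services map[string]map[string]map[string]Finding `json:"services"`
		} `json:"api_keys"`
	}
	if err = json.Unmarshal(raw, &r); err != nil {
		return nil, 0, err
	}
	add := func(path string, f Finding) {
		if f.Vulnerable == "vulnerable:true" {
			confirmed = append(confirmed, fmt.Sprintf("%s [auth=%q] fix: %s", path, f.AuthType, f.Remedy))
		} else if f.Vulnerable != "vulnerable:false" {
			inconclusive++ // inconclusive check: treat as untested, not as safe
		}
	}
	for _, k := range r.APIKeys {
		for name, f := range k.Auth {
			add("auth/"+name, f)
		}
		for svc, ops := range k.Services {
			for op, targets := range ops {
				for id, f := range targets {
					add(svc+"/"+op+"/"+id, f)
				}
			}
		}
	}
	sort.Strings(confirmed)
	return confirmed, inconclusive, nil
}

// Sample is a constructed excerpt in the shape of the report above.
const Sample = `{"api_keys":[{"auth":{"anon-auth":{"Vulnerable":"vulnerable:true","Remedy":"Disable Anonymous Authentication"},"signup":{"Vulnerable":"error"}},"services":{"bucket":{"read":{"example-project":{"Vulnerable":"vulnerable:true","AuthType":"anon","Remedy":"Restrict to authenticated users"}},"write":{"example-project":{"Vulnerable":"vulnerable:unknown"}}},"rtdb":{"read":{"example-project":{"Vulnerable":"vulnerable:false"}}}}}]}`

func main() { fmt.Println(Triage([]byte(Sample))) }
```

Assuming `AuthType` `anon` denotes the anonymous sign-in credential listed under the authentication strategy, note that an anonymous token satisfies `request.auth != null` in Firebase rules. Findings of that type therefore also call for the report's `anon-auth` remedy (disabling anonymous authentication) or a stricter rule condition.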