Finding firebase databases that are exposed to the internet

spuqe · September 6, 2020, 9:45pm

Firebase

Short video of the tool to everyone who doesn’t want to read full post https://youtu.be/YsaPEnOPe7k

Script can be found at: https://github.com/spuqe/firebase

How does it work?

Firebase does that when u first time create a database it will ask with small and long text that

This is an test database and your security rules are defined as public… Click x to not see this again

The text is a lot longer and that’s why not many people even read it. The font is also very small so you easily just ignore it. The text will never appear again to your screen.

fun thing is that all test databases are public to the internet long as you have the URL.

This small script just basicly searches for firebase databases. It can scan tons of databases in couple minutes and we have already founded over 1k of databases public to the internet. We found them in couple hours using our wordlist that wont be shared so don’t even ask for it!

Does google know about this script?

yes they know about it damn well but their little patch didn’t really do anything. Now those “test” databases just automaticly get closed after 30 days and that really doesn’t change much when there’s tons of those made and used daily. You can still easily find tons of databases. This script was made before the patch (ofc what did u think lol) and i didn’t want to share it to many people before some kind of patch but seems like google didn’t give a shit so i feel like it’s just good to share it here!

How to use? Firebase.py

Define wich worldlist you want to use (you can define it at the source or line 17) Just run the script after adding words to wordlist.txt Add the words like this 1 2 3 4 or it will not work!

When the database is founded you can see the name at /database/ and type the database name to your url bar like this: https://databasename.firebaseio.com/.json

How to use our word list generator?

First of all if u want a lot results you should make the word list your self!

WSL is a word list generator

usage:

scraper.py -h] [-chr CHARS] [-min MIN_LENGTH] [-max MAX_LENGTH] [-out OUTPUT] wgen.py -h, --help show this help message with all commands.

for example

python3 scraper.py -chr=abc -min=1 -max=4 -out=output/wordlist.txt

Have fun!

system · January 6, 2021, 1:55pm

This topic was automatically closed after 121 days. New replies are no longer allowed.