Vulnerability description
Checks if the "user options" database flag is configured for Google Cloud SQL Server instances, which can define global defaults for all database users.
id: gcloud-sql-user-options

info:
  name: User Options Flag Enabled in Google Cloud SQL Server Instances
  author: princechaddha
  severity: medium
  description: |
    Checks if the "user options" database flag is configured for Google Cloud SQL Server instances, which can define global defaults for all database users.
  impact: |
    Configuring the "user options" database flag can lead to unintended global defaults for all database users, potentially causing performance issues or undesired behavior.
  remediation: |
    Disable the "user options" database flag for your Google Cloud SQL Server instances to avoid global defaults for all database users.
  reference:
    - https://cloud.google.com/sql/docs/sqlserver/configure-database-flags
  tags: cloud,devops,gcp,gcloud,google-cloud-sql,sql-database-flags,gcp-cloud-config

flow: |
  code(1)
  for(let projectId of iterate(template.projectIds)){
    set("projectId", projectId)
    code(2)
    for(let sqlInstance of iterate(template.sqlInstances)){
      set("sqlInstance", sqlInstance)
      code(3)
    }
  }

self-contained: true

code:
  # Step 1: enumerate every project visible to the active gcloud account.
  - engine:
      - sh
      - bash
    source: |
      gcloud projects list --format="json(projectId)"

    extractors:
      - type: json
        name: projectIds
        internal: true
        json:
          - '.[].projectId'

  # Step 2: list only SQL Server instances in the current project.
  - engine:
      - sh
      - bash
    source: |
      gcloud sql instances list --project $projectId --filter='DATABASE_VERSION:SQLSERVER*' --format="json(name)"

    extractors:
      - type: json
        name: sqlInstances
        internal: true
        json:
          # Extract the instance name itself; `.[]` would hand the whole
          # {"name": ...} object to the describe call in step 3.
          - '.[].name'

  # Step 3: read the instance's database flags and print the "user options"
  # value. `// []` tolerates instances with no databaseFlags key, and `-r`
  # prints the raw value so the anchored regex below can match it.
  - engine:
      - sh
      - bash
    source: |
      gcloud sql instances describe $sqlInstance --format=json | jq -r '.settings.databaseFlags // [] | map(select(.name == "user options")) | .[].value'

    matchers:
      - type: regex
        regex:
          - '^(?:100|[1-9][0-9]?)$'

    extractors:
      - type: dsl
        dsl:
          - '"The user options database flag is enabled for the SQL Server instance " + sqlInstance + " in project " + projectId + "."'
# digest: 490a0046304402203c01857319c55cdc041ae74ddabc606fb98272b5ee6587a17d4650a8a380bc8c02205286226ff88c4459f48beb977f4c2d228b79f3948431dfce05b9aa38fabc68a4:922c64590222798bb761d5b6d8e72950
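The template's third step pipes `gcloud sql instances describe` output through jq and matches on the raw value. The script below is an added example, not part of the template or the nuclei-templates project: it performs the same check offline on constructed describe output, goes one step further by decoding the flag's bitmask into the SQL Server SET options it would impose on every new connection (bit values from SQL Server's documented "user options" configuration), and builds the `gcloud sql instances patch` command that removes the flag while re-specifying the flags that should stay. The instance names, project id and flag values are placeholders constructed for the example.

```python
"""Offline check for the SQL Server "user options" database flag on Cloud SQL.

Added example (assumptions: the sample describe output below is constructed;
instance names and the project id are placeholders, not real resources).
"""
import json

# Bit values of SQL Server's "user options" server configuration. The flag's
# value is the sum of these bits; each set bit becomes a session default.
USER_OPTION_BITS = {
    1: "DISABLE_DEF_CNST_CHK",
    2: "IMPLICIT_TRANSACTIONS",
    4: "CURSOR_CLOSE_ON_COMMIT",
    8: "ANSI_WARNINGS",
    16: "ANSI_PADDING",
    32: "ANSI_NULLS",
    64: "ARITHABORT",
    128: "ARITHIGNORE",
    256: "QUOTED_IDENTIFIER",
    512: "NOCOUNT",
    1024: "ANSI_NULL_DFLT_ON",
    2048: "ANSI_NULL_DFLT_OFF",
    4096: "CONCAT_NULL_YIELDS_NULL",
    8192: "NUMERIC_ROUNDABORT",
    16384: "XACT_ABORT",
}

# Constructed stand-ins for `gcloud sql instances describe NAME --format=json`.
SAMPLE_DESCRIBE = {
    "sqlserver-prod": json.dumps({
        "name": "sqlserver-prod",
        "databaseVersion": "SQLSERVER_2019_STANDARD",
        "settings": {"databaseFlags": [
            {"name": "user options", "value": "544"},
            {"name": "cost threshold for parallelism", "value": "50"},
        ]},
    }),
    "sqlserver-dev": json.dumps({
        "name": "sqlserver-dev",
        "databaseVersion": "SQLSERVER_2019_EXPRESS",
        "settings": {},  # no databaseFlags key, the case jq's `// []` covers
    }),
}


def user_options_value(describe_json: str):
    """Return the 'user options' flag as an int, or None when not configured."""
    settings = json.loads(describe_json).get("settings", {})
    for flag in settings.get("databaseFlags") or []:
        if flag.get("name") == "user options":
            try:
                return int(flag.get("value", ""))
            except ValueError:
                return None
    return None


def decode_user_options(value: int):
    """List the SET options that a given 'user options' value switches on."""
    return [name for bit, name in sorted(USER_OPTION_BITS.items()) if value & bit]


def remediation_command(instance: str, describe_json: str) -> str:
    """Build the patch command that drops 'user options' but keeps other flags.

    `gcloud sql instances patch --database-flags` replaces the whole flag set,
    so every flag that should survive has to be passed again.
    """
    settings = json.loads(describe_json).get("settings", {})
    keep = [f for f in settings.get("databaseFlags") or []
            if f.get("name") != "user options"]
    if not keep:
        return f"gcloud sql instances patch {instance} --clear-database-flags"
    pairs = ",".join(f"{f['name']}={f['value']}" for f in keep)
    return f'gcloud sql instances patch {instance} --database-flags="{pairs}"'


def check_project(project_id: str, describe_by_name: dict):
    """Return one finding per instance whose 'user options' flag is set."""
    findings = []
    for name, describe_json in describe_by_name.items():
        value = user_options_value(describe_json)
        if value is None:
            continue
        findings.append({
            "message": f"The user options database flag is enabled for the "
                       f"SQL Server instance {name} in project {project_id}.",
            "value": value,
            "options": decode_user_options(value),
            "remediation": remediation_command(name, describe_json),
        })
    return findings


if __name__ == "__main__":
    for finding in check_project("example-project", SAMPLE_DESCRIBE):
        print(finding["message"])
        print("  value:", finding["value"], "->", ", ".join(finding["options"]))
        print("  fix:  ", finding["remediation"])
```

Run against real output by replacing `SAMPLE_DESCRIBE` with the JSON from `gcloud sql instances describe` for each instance that step 2 of the template returns.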