a

src/SUMMARY.md

@@ -425,6 +425,7 @@
     - [Az - Key Vault](pentesting-cloud/azure-security/az-services/az-keyvault.md)
     - [Az - Logic Apps](pentesting-cloud/azure-security/az-services/az-logic-apps.md)
     - [Az - Management Groups, Subscriptions & Resource Groups](pentesting-cloud/azure-security/az-services/az-management-groups-subscriptions-and-resource-groups.md)
+    - [Az - Misc](pentesting-cloud/azure-security/az-services/az-misc.md)
     - [Az - Monitoring](pentesting-cloud/azure-security/az-services/az-monitoring.md)
     - [Az - MySQL](pentesting-cloud/azure-security/az-services/az-mysql.md)
     - [Az - PostgreSQL](pentesting-cloud/azure-security/az-services/az-postgresql.md)

src/pentesting-cloud/azure-security/az-services/az-misc.md

@@ -0,0 +1,16 @@
+# Az - Management Groups, Subscriptions & Resource Groups
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Power Apps
+
+Power Apps can connect to on-premises SQL servers, and even if initially unexpected, there is a way to make this conection execute arbitrary SQL queries that could allow attackers to compromise on-prem SQL servers.
+
+This is the recap from the post [https://www.ibm.com/think/x-force/abusing-power-apps-compromise-on-prem-servers](https://www.ibm.com/think/x-force/abusing-power-apps-compromise-on-prem-servers) where you can find a detailed explanation of how to abuse Power Apps to compromise on-prem SQL servers:
+
+- A user creates an application that uses an **on-prem SQL connection and shares it with everyone**, either on purpose or inadvertently.
+- An attacker creates a new flow and adds a **“Transform data with Power Query” action using the existing SQL connection**.
+- If the connected user is a SQL admin or has impersonation privileges, or there are any privileged SQL links or cleartext credentials in databases, or you’ve obtained other privileged cleartext credentials, you can now pivot to an on-premises SQL server.
+
+
+{{#include ../../../banners/hacktricks-training.md}}