gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-30 22:50:43 -08:00
Code Issues Packages Projects Releases Wiki Activity

app services

Browse Source
This commit is contained in:
Carlos Polop
2025-01-03 12:21:52 +01:00
parent b340bf8ada
commit 9eec79f700
3 changed files with 255 additions and 83 deletions
Download Patch File Download Diff File Expand all files Collapse all files

133
src/pentesting-cloud/azure-security/az-services/az-app-service.md
View File

@@ -12,7 +12,46 @@ Each app runs inside a sandbox but isolation depends upon App Service plans
- Apps in Standard and Premium tiers run on dedicated VMs
> [!WARNING]
> Note that **none** of those isolations **prevents** other common **web vulnerabilities** (such as file upload, or injections). And if a **management identity** is used, it could be able to **esalate privileges to them**.
> Note that **none** of those isolations **prevents** other common **web vulnerabilities** (such as file upload, or injections). And if a **management identity** is used, it could be able to **escalate privileges to them**.
Apps have some interesting configurations:
- **Always On**: Ensures that the app is always running. If not enabled, the app will stop running after 20 minutes of inactivity and will start again when a request is received.
- This is essential if you have a webjob that needs to run continuously as the webjob will stop if the app stops.
- **SSH**: If enabled, a user with enough permissions can connect to the app using SSH.
- **Debugging**: If enabled, a user with enough permissions can debug the app. However, this is disabled automatically every 48h.
- **Web App + Database**: The web console allows to create an App with a database. In this case it's possible to select the database to use (SQLAzure, PostgreSQL, MySQL, MongoDB) and it also allows you to create an Azure Cache for Redis.
- The URL containing the credentials for the database and Redis will be stored in the **appsettings**.
## Basic Authentication
When creating a web app (and a Azure function usually) it's possible to indicate if you want Basic Authentication to be enabled. This basically **enables SCM and FTP** for the application so it'll be possible to deploy the application using those technologies.\
Moreover in order to connect to them, Azure provides an **API that allows to get the username, password and URL** to connect to the SCM and FTP servers.
It's possible to connect to the SCM using a web browser in `https://<SMC-URL>/BasicAuth` and check all files and deployments in there.
### Kudu
Kudu is a **deployment engine and management platform for Azure App Service and Function Apps**, providing Git-based deployments, remote debugging, and file management capabilities for web applications. It's accessible through the SCM URL of the web app.
Note that the Kudu versions used by App Services and by Function Apps are different, being the version of the Function apps much more limited.
## Webjobs
Azure WebJobs are **background tasks that run in the Azure App Service environment**. They allow developers to execute scripts or programs alongside their web applications, making it easier to handle asynchronous or time-intensive operations such as file processing, data handling, or scheduled tasks.
There are 2 types of web jobs:
- **Continuous**: Runs indefinitely in a loop and its triggered as soon as its created. Its ideal for tasks that require constant processing. However, if the app stops running because Always On is disabled and it hasnt received a request in the last 20mins, the web job will also stop.
- **Triggered**: Runs on-demand or based on a schedule. Its best suited for periodic tasks, such as batch data updates or maintenance routines.
Webjobs are very interesting from an attackers perspective as they could be used to **execute code** in the environment and **escalate privileges** to the attached managed identities.
Moreover, it's always interesting to check the **logs** generated by the Webjobs as they could contain **sensitive information**.
### Slots
Azure App Service Slots are used to **deploy different versions of the application** to the same App Service. This allows developers to test new features or changes in a separate environment before deploying them to the production environment.
Moreover, it's possible to route a **percentage of the traffic** to a specific slot, which is useful for **A/B testing**, and for backdoor purposes.
### Azure Function Apps
@@ -20,18 +59,6 @@ Basically **Azure Function apps are a subset of Azure App Service** in the web a
Actually some of the **security related features** App services use (`webapp` in the az cli), are **also used by Function apps**.
## Basic Authentication
When creating a web app (and a Azure function usually) it's possible to indicate if you want Basic Authentication to be enabled. This basically **enables SCM and FTP** for the application so it'll be possible to deploy the application using those technologies.\
Moreover in order to connect to them, Azure provides an **API that allows to get the username, password and URL** to connect to the SCM and FTP servers.
- Authentication: az webapp auth show --name lol --resource-group lol_group
SSH
Always On
Debugging
### Enumeration
@@ -41,9 +68,10 @@ Debugging
```bash
# List webapps
az webapp list
## Less information
az webapp list --query "[].{hostName: defaultHostName, state: state, name: name, resourcegroup: resourceGroup}"
az webapp list --query "[].{hostName: defaultHostName, state: state, name: name, resourcegroup: resourceGroup}" -o table
## Get SCM URL of each webapp
az webapp list | grep '"name"' | grep "\.scm\." | awk '{print $2}' | sed 's/"//g'
# Get info about 1 app
az webapp show --name <name> --resource-group <res-group>
@@ -52,18 +80,24 @@ az webapp show --name <name> --resource-group <res-group>
az webapp list-instances --name <name> --resource-group <res-group>
## If you have enough perm you can go to the "consoleUrl" and access a shell inside the instance form the web
# Get configured Auth information
az webapp auth show --name <app-name> --resource-group <res-group>
# Get access restrictions of an app
az webapp config access-restriction show --name <name> --resource-group <res-group>
# Remove access restrictions
az webapp config access-restriction remove --resource-group <res-group> -n <name> --rule-name <rule-name>
# Get connection strings of a webapp
az webapp config connection-string list --name <name> --resource-group <res-group>
# Get appsettings of an app
az webapp config appsettings list --name <name> --resource-group <res-group>
# Get SCM and FTP credentials
az webapp deployment list-publishing-profiles --name <name> --resource-group <res-group>
# Get configured Auth information
az webapp auth show --name <app-name> --resource-group <res-group>
# Get backups of a webapp
az webapp config backup list --webapp-name <name> --resource-group <res-group>
@@ -76,8 +110,12 @@ az webapp config snapshot list --resource-group <res-group> -n <name>
# Restore snapshot
az webapp config snapshot restore -g <res-group> -n <name> --time 2018-12-11T23:34:16.8388367
# Get connection strings of a webapp
az webapp config connection-string list --name <name> --resource-group <res-group>
# Get slots
az webapp deployment slot list --name <AppName> --resource-group <ResourceGroupName> --output table
az webapp show --slot <SlotName> --name <AppName> --resource-group <ResourceGroupName>
# Get traffic-routing
az webapp traffic-routing show --name <AppName> --resource-group <ResourceGroupName>
# Get used container by the app
az webapp config container show --name <name> --resource-group <res-group>
@@ -85,52 +123,23 @@ az webapp config container show --name <name> --resource-group <res-group>
# Get storage account configurations of a webapp
az webapp config storage-account list --name <name> --resource-gl_group
# Get Webjobs
az webapp webjob continuous list --resource-group <res-group> --name <app-name>
az webapp webjob triggered list --resource-group <res-group> --name <app-name>
# Read webjobs logs with Azure permissions
az rest --method GET --url "<SCM-URL>/vfs/data/jobs/<continuous | triggered>/rev5/job_log.txt" --resource "https://management.azure.com/"
az rest --method GET --url "https://lol-b5fyaeceh4e9dce0.scm.canadacentral-01.azurewebsites.net/vfs/data/jobs/continuous/rev5/job_log.txt" --resource "https://management.azure.com/"
# Read webjobs logs with SCM credentials
curl "https://windowsapptesting-ckbrg3f0hyc8fkgp.scm.canadacentral-01.azurewebsites.net/vfs/data/jobs/continuous/lala/job_log.txt" \
--user '<username>:<password>' -v
# List all the functions
az functionapp list
# Get connections of a webapp
az webapp conection list --name <name> --resource-group <res-group>
# Get info of 1 funciton (although in the list you already get this info)
az functionapp show --name <app-name> --resource-group <res-group>
## If "linuxFxVersion" has something like: "DOCKER|mcr.microsoft.com/..."
## This is using a container
# Get details about the source of the function code
az functionapp deployment source show \
--name <app-name> \
--resource-group <res-group>
## If error like "This is currently not supported."
## Then, this is probalby using a container
# Get more info if a container is being used
az functionapp config container show \
--name <name> \
--resource-group <res-group>
# Get settings (and privesc to the sorage account)
az functionapp config appsettings list --name <app-name> --resource-group <res-group>
# Check if a domain was assigned to a function app
az functionapp config hostname list --webapp-name <app-name> --resource-group <res-group>
# Get SSL certificates
az functionapp config ssl list --resource-group <res-group>
# Get network restrictions
az functionapp config access-restriction show --name <app-name> --resource-group <res-group>
# Get more info about a function (invoke_url_template is the URL to invoke and script_href allows to see the code)
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/functions?api-version=2024-04-01"
# Get source code with Master Key of the function
curl "<script_href>?code=<master-key>"
## Python example
curl "https://newfuncttest123.azurewebsites.net/admin/vfs/home/site/wwwroot/function_app.py?code=<master-key>" -v
# Get source code
az rest --url "https://management.azure.com/<subscription>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/hostruntime/admin/vfs/function_app.py?relativePath=1&api-version=2022-03-01"
# Get hybrid-connections of a webapp
az webapp hybrid-connections list --name <name> --resource-group <res-group>
```
{{#endtab }}