diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md index 63e46e7dd..0a951171a 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md @@ -143,20 +143,29 @@ az rest --method GET \ # Access curl "?code=" -## Python example: +# Python function app example curl "https://newfuncttest123.azurewebsites.net/admin/vfs/home/site/wwwroot/function_app.py?code=RByfLxj0P-4Y7308dhay6rtuonL36Ohft9GRdzS77xWBAzFu75Ol5g==" -v +# JavaScript function app example +curl "https://consumptionexample.azurewebsites.net/admin/vfs/site/wwwroot/HttpExample/index.js?code=tKln7u4DtLgmG55XEvMjN0Lv9a3rKZK4dLbOHmWgD2v1AzFu3w9y_A==" -v ``` And to **change the code that is being executed** in the function with: ```bash # Set the code to set in the function in /tmp/function_app.py -## The following continues using the python example +## Python function app example curl -X PUT "https://newfuncttest123.azurewebsites.net/admin/vfs/home/site/wwwroot/function_app.py?code=RByfLxj0P-4Y7308dhay6rtuonL36Ohft9GRdzS77xWBAzFu75Ol5g==" \ --data-binary @/tmp/function_app.py \ -H "Content-Type: application/json" \ -H "If-Match: *" \ -v + +# NodeJS function app example +curl -X PUT "https://consumptionexample.azurewebsites.net/admin/vfs/site/wwwroot/HttpExample/index.js?code=tKln7u4DtLgmG55XEvMjN0Lv9a3rKZK4dLbOHmWgD2v1AzFu3w9y_A==" \ +--data-binary @/tmp/index.js \ +-H "Content-Type: application/json" \ +-H "If-Match: *" \ +-v ``` ### `Microsoft.Web/sites/functions/listKeys/action` 
@@ -258,6 +267,25 @@ az rest --method PUT \ --uri "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/sites//hostruntime/admin/vfs/function_app.py?relativePath=1&api-version=2022-03-01" \ --headers '{"Content-Type": "application/json", "If-Match": "*"}' \ --body @/tmp/body + +# Through the SCM URL (using Azure permissions or SCM creds) +az rest --method PUT \ + --url "https://consumptionexample.scm.azurewebsites.net/api/vfs/site/wwwroot/HttpExample/index.js" \ + --resource "https://management.azure.com/" \ + --headers "If-Match=*" \ + --body 'module.exports = async function (context, req) { + context.log("JavaScript HTTP trigger function processed a request. Training Demo 2"); + + const name = (req.query.name || (req.body && req.body.name)); + const responseMessage = name + ? "Hello, " + name + ". This HTTP triggered function executed successfully. Training Demo 2" + : "This HTTP triggered function executed successfully. Pass a name in the query string or in the request body for a personalized response. Training Demo 2"; + + context.res = { + // status: 200, /* Defaults to 200 */ + body: responseMessage + }; +}' ``` ### `Microsoft.Web/sites/publishxml/action`, (`Microsoft.Web/sites/basicPublishingCredentialsPolicies/write`) diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-static-web-apps-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-static-web-apps-privesc.md index 920bb0824..dd9a40f83 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-static-web-apps-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-static-web-apps-privesc.md 
@@ -151,6 +151,9 @@ az rest --method POST \ Then, in order to **update an app using the token** you could run the following command. Note that this command was extracted checking **how to Github Action [https://github.com/Azure/static-web-apps-deploy](https://github.com/Azure/static-web-apps-deploy) works**, as it's the one Azure set by default ot use. So the image and paarements could change in the future. +> [!TIP] +> To deploy the app you could use the **`swa`** tool from [https://azure.github.io/static-web-apps-cli/docs/cli/swa-deploy#deployment-token](https://azure.github.io/static-web-apps-cli/docs/cli/swa-deploy#deployment-token) of follow the following raw steps: + 1. Download the repo [https://github.com/staticwebdev/react-basic](https://github.com/staticwebdev/react-basic) (or any other repo you want to deploy) and run `cd react-basic`. 2. Change the code you want to deploy 3. Deploy it running (Remember to change the ``): diff --git a/src/pentesting-cloud/azure-security/az-services/az-app-services.md b/src/pentesting-cloud/azure-security/az-services/az-app-services.md index 4170ba1f8..2128b7291 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-app-services.md +++ b/src/pentesting-cloud/azure-security/az-services/az-app-services.md @@ -25,6 +25,7 @@ Apps have some interesting configurations: - The URL containing the credentials for the database and Redis will be stored in the **appsettings**. - **Container**: It's possible to deploy a container to the App Service by indicating the URL of the container and the credentials to access it. - **Mounts**: It's possible to create 5 mounts from Storage accounts being these Azure Blob (Read-Only) or Azure Files. The configuration will store the access key over the Storage Account. +- **Netowrking**: Can be publicly abaible or only accessible private endpoints from a VNet. ## Basic Authentication 
diff --git a/src/pentesting-cloud/azure-security/az-services/az-function-apps.md b/src/pentesting-cloud/azure-security/az-services/az-function-apps.md index d8b3c2fea..52ece15f8 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-function-apps.md +++ b/src/pentesting-cloud/azure-security/az-services/az-function-apps.md @@ -214,10 +214,10 @@ Moreover, **no source code will be stored in the storage** account related to th # List all the functions az functionapp list -# Get info of 1 funciton (although in the list you already get this info) -az functionapp show --name --resource-group -## If "linuxFxVersion" has something like: "DOCKER|mcr.microsoft.com/..." -## This is using a container +# List functions in an function-app (endpoints) +az functionapp function list \ + --name \ + --resource-group # Get details about the source of the function code az functionapp deployment source show \ @@ -234,6 +234,9 @@ az functionapp config container show \ # Get settings (and privesc to the sorage account) az functionapp config appsettings list --name --resource-group +# Get access restrictions +az functionapp config access-restriction show --name --resource-group + # Check if a domain was assigned to a function app az functionapp config hostname list --webapp-name --resource-group 
@@ -243,17 +246,36 @@ az functionapp config ssl list --resource-group # Get network restrictions az functionapp config access-restriction show --name --resource-group -# Get more info about a function (invoke_url_template is the URL to invoke and script_href allows to see the code) -az rest --method GET \ - --url "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/sites//functions?api-version=2024-04-01" +# Get acess restrictions +az functionapp config access-restriction show --name --resource-group + +# Get connection strings +az rest --method POST --uri "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/sites//config/connectionstrings/list?api-version=2022-03-01" +az rest --method GET --uri "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/sites//config/configreferences/connectionstrings?api-version=2022-03-01" + +# Get SCM credentials +az functionapp deployment list-publishing-credentials --name --resource-group + +# Get function, system and master keys +az functionapp keys list --name --resource-group + +# Get Host key +az rest --method POST --uri "https://management.azure.com//resourceGroups//providers/Microsoft.Web/sites//functions//listKeys?api-version=2022-03-01" # Get source code with Master Key of the function curl "?code=" -## Python example -curl "https://newfuncttest123.azurewebsites.net/admin/vfs/home/site/wwwroot/function_app.py?code=" -v +curl "https://.azurewebsites.net/admin/vfs/home/site/wwwroot/function_app.py?code=" -v + +# Get source code using SCM access (Azure permissions or SCM creds) +az rest --method GET \ + --url "https://.azurewebsites.net/admin/vfs/home/site/wwwroot/function_app.py?code=" \ + --resource "https://management.azure.com/" + +# Get source code with Azure permissions +az rest --url 
"https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/sites//hostruntime/admin/vfs/function_app.py?relativePath=1&api-version=2022-03-01" +## Another example +az rest --url "https://management.azure.com/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Web/sites/ConsumptionExample/hostruntime/admin/vfs/HttpExample/index.js?relativePath=1&api-version=2022-03-01" -# Get source code -az rest --url "https://management.azure.com//resourceGroups//providers/Microsoft.Web/sites//hostruntime/admin/vfs/function_app.py?relativePath=1&api-version=2022-03-01" ``` {{#endtab }} diff --git a/src/pentesting-cloud/azure-security/az-services/az-static-web-apps.md b/src/pentesting-cloud/azure-security/az-services/az-static-web-apps.md index 39e6a9e41..352c662b5 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-static-web-apps.md +++ b/src/pentesting-cloud/azure-security/az-services/az-static-web-apps.md @@ -115,6 +115,10 @@ az staticwebapp secrets list --name # Get invited users az staticwebapp users list --name +# Get current snippets +az rest --method GET \ + --url "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/staticSites/trainingdemo/snippets?api-version=2022-03-01" + # Get database connections az rest --method GET \ --url "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/staticSites//databaseConnections?api-version=2021-03-01"
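Review bot: in the az-functions-app-privesc.md hunk at @@ -143, the added `curl` lines for `consumptionexample.azurewebsites.net` (like the existing `newfuncttest123` ones) embed what look like live function keys in `?code=`, while the rest of the file uses the empty placeholder form `curl "?code="`; swap in a placeholder so the docs do not ship working credentials, and use one label for the second example (`# JavaScript function app example` in the GET block vs `# NodeJS function app example` in the PUT block). The two examples also use different VFS roots (`/admin/vfs/home/site/wwwroot/` vs `/admin/vfs/site/wwwroot/`), and a reader copying the wrong one gets a 404; one sentence saying which layout applies to which hosting (the `/home/site/wwwroot` path is the Linux layout, `site/wwwroot` the Windows one) would make the pair usable.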
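Review bot: in the az-functions-app-privesc.md hunk at @@ -258, the comment `# Through the SCM URL (using Azure permissions or SCM creds)` promises two auth paths but the command only shows the ARM-token one (`--resource "https://management.azure.com/"`); if SCM basic-auth credentials are meant as well, either add the variant that passes them in an `Authorization` header (with `az rest --skip-authorization-header`) or drop that half of the comment. The inline body also carries leftover `Training Demo 2` strings and a hard-coded app name (`consumptionexample.scm.azurewebsites.net`), whereas the `--uri` example just above it uses the placeholder form `sites//hostruntime/...`; a neutral minimal handler and a placeholder host read better as documentation.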
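Review bot: in the az-static-web-apps-privesc.md hunk at @@ -151, the added tip has a typo: `of follow the following raw steps` should read `or follow these raw steps`. It would also help to state that the `swa` CLI route needs the same deployment token the surrounding text just obtained, so the reader understands the tip is an alternative to steps 1-3 rather than an additional step.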
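Review bot: in the az-app-services.md hunk at @@ -25, the added bullet has typos and a dropped word: `**Netowrking**` should be `**Networking**`, `abaible` should be `available`, and `only accessible private endpoints from a VNet` needs a preposition, e.g. `- **Networking**: Can be publicly available or accessible only through private endpoints from a VNet.` Since the neighbouring bullets say where each sensitive setting lives, it is worth adding that inbound exposure (public access vs private endpoints / access restrictions) is a separate setting from outbound VNet integration, so a reviewer checks both.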
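Review bot: in the az-function-apps.md hunk at @@ -214, replacing the `az functionapp show` block drops the `linuxFxVersion` / `DOCKER|mcr.microsoft.com/...` hint for spotting container-based apps, and the new `az functionapp function list` command does not return that field; keep the hint as a comment next to `az functionapp config container show` (visible as context of the next hunk) so the container case stays documented. Minor: `# List functions in an function-app (endpoints)` should read `in a function app`.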
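Review bot: in the az-function-apps.md hunk at @@ -234, the added `# Get access restrictions` / `az functionapp config access-restriction show` block duplicates the `# Get network restrictions` block that already exists a few lines further down (visible as context at @@ -243), and the @@ -243 hunk adds a third copy of the same command; keep a single occurrence.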
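Review bot: in the az-function-apps.md hunk at @@ -243, several added lines contradict each other or the rest of the file. `# Get acess restrictions` (typo, and a duplicate of `# Get network restrictions` two lines above) should go. The `# Get Host key` request targets `sites//functions//listKeys`, which is the per-function `listKeys` action and returns that function's keys, not the host/master keys (those live under `sites//host/default/listKeys`, and `az functionapp keys list` just above already returns them), and its URI is missing the `/subscriptions/` segment that every other `--uri` here has (`https://management.azure.com//resourceGroups/...`); the removed `# Get source code` line had the same defect, so fix it here rather than re-introduce it. `# Get source code using SCM access (Azure permissions or SCM creds)` calls the function host endpoint `https://.azurewebsites.net/admin/vfs/...?code=`, i.e. the master-key path already shown in the line above, not the Kudu `.scm.azurewebsites.net/api/vfs/...` endpoint this same change uses in the privesc file; point it at the scm host or rename the comment. Finally, `## Another example` embeds a real-looking subscription id (`9291ff6e-...`), resource group and app name; use the placeholder form of the line directly above it.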
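Review bot: in the az-static-web-apps.md hunk at @@ -115, the snippets URL hard-codes `staticSites/trainingdemo` while every neighbouring command uses the empty placeholder (`staticSites//databaseConnections`); swap in the placeholder. A one-line comment on why snippets are enumerated would also help the reader: a snippet is HTML that the service injects into every page the static web app serves, so an unexpected one is something to flag during review.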