az functions

2026-01-05 09:17:24 -08:00 · 2025-02-24 11:27:01 +01:00
parent 2d32b37d9c
commit a19517f026
5 changed files with 71 additions and 13 deletions
--- a/src/pentesting-cloud/azure-security/az-services/az-app-services.md
+++ b/src/pentesting-cloud/azure-security/az-services/az-app-services.md
@@ -25,6 +25,7 @@ Apps have some interesting configurations:
  - The URL containing the credentials for the database and Redis will be stored in the **appsettings**.
 - **Container**: It's possible to deploy a container to the App Service by indicating the URL of the container and the credentials to access it.
 - **Mounts**: It's possible to create 5 mounts from Storage accounts being these Azure Blob (Read-Only) or Azure Files. The configuration will store the access key over the Storage Account.
+- **Netowrking**: Can be publicly abaible or only accessible private endpoints from a VNet.


 ## Basic Authentication
--- a/src/pentesting-cloud/azure-security/az-services/az-function-apps.md
+++ b/src/pentesting-cloud/azure-security/az-services/az-function-apps.md
@@ -214,10 +214,10 @@ Moreover, **no source code will be stored in the storage** account related to th
 # List all the functions
 az functionapp list

-# Get info of 1 funciton (although in the list you already get this info)
-az functionapp show --name <app-name> --resource-group <res-group>
-## If "linuxFxVersion" has something like: "DOCKER|mcr.microsoft.com/..."
-## This is using a container
+# List functions in an function-app (endpoints)
+az functionapp function list \
+  --name <app-name> \
+  --resource-group <res-group>

 # Get details about the source of the function code
 az functionapp deployment source show \
@@ -234,6 +234,9 @@ az functionapp config container show \
 # Get settings (and privesc to the sorage account)
 az functionapp config appsettings list --name <app-name> --resource-group <res-group>

+# Get access restrictions
+az functionapp config access-restriction show --name <app-name> --resource-group <res-group>
+
 # Check if a domain was assigned to a function app
 az functionapp config hostname list --webapp-name <app-name> --resource-group <res-group>

@@ -243,17 +246,36 @@ az functionapp config ssl list --resource-group <res-group>
 # Get network restrictions
 az functionapp config access-restriction show --name <app-name> --resource-group <res-group>

-# Get more info about a function (invoke_url_template is the URL to invoke and script_href allows to see the code)
-az rest --method GET \
-  --url "https://management.azure.com/subscriptions/<subscription>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/functions?api-version=2024-04-01"
+# Get acess restrictions
+az functionapp config access-restriction show --name <app-name> --resource-group <res-group>
+
+# Get connection strings
+az rest --method POST --uri "https://management.azure.com/subscriptions/<subscription>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/config/connectionstrings/list?api-version=2022-03-01"
+az rest --method GET --uri "https://management.azure.com/subscriptions/<subscription>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/config/configreferences/connectionstrings?api-version=2022-03-01"
+
+# Get SCM credentials
+az functionapp deployment list-publishing-credentials --name <app-name> --resource-group <res-group>
+
+# Get function, system and master keys
+az functionapp keys list --name <app-name> --resource-group <res-group>
+
+# Get Host key
+az rest --method POST --uri "https://management.azure.com/<subscription>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/functions/<function-endpoint-name>/listKeys?api-version=2022-03-01"

 # Get source code with Master Key of the function
 curl "<script_href>?code=<master-key>"
-## Python example
-curl "https://newfuncttest123.azurewebsites.net/admin/vfs/home/site/wwwroot/function_app.py?code=<master-key>" -v
+curl "https://<func-app-name>.azurewebsites.net/admin/vfs/home/site/wwwroot/function_app.py?code=<master-key>" -v
+
+# Get source code using SCM access (Azure permissions or SCM creds)
+az rest --method GET \
+  --url "https://<func-app-name>.azurewebsites.net/admin/vfs/home/site/wwwroot/function_app.py?code=<master-key>" \
+  --resource "https://management.azure.com/"
+
+# Get source code with Azure permissions
+az rest --url "https://management.azure.com/subscriptions/<subscription>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/hostruntime/admin/vfs/function_app.py?relativePath=1&api-version=2022-03-01"
+## Another example
+az rest --url "https://management.azure.com/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Web/sites/ConsumptionExample/hostruntime/admin/vfs/HttpExample/index.js?relativePath=1&api-version=2022-03-01"

-# Get source code
-az rest --url "https://management.azure.com/<subscription>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/hostruntime/admin/vfs/function_app.py?relativePath=1&api-version=2022-03-01"
 ```
 {{#endtab }}

--- a/src/pentesting-cloud/azure-security/az-services/az-static-web-apps.md
+++ b/src/pentesting-cloud/azure-security/az-services/az-static-web-apps.md
@@ -115,6 +115,10 @@ az staticwebapp secrets list --name <name>
 # Get invited users
 az staticwebapp users list --name <name>

+# Get current snippets
+az rest --method GET \
+  --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/trainingdemo/snippets?api-version=2022-03-01"
+
 # Get database connections
 az rest --method GET \
  --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/databaseConnections?api-version=2021-03-01"