# Az - SQL

{{#include ../../../banners/hacktricks-training.md}}

## Azure SQL

Azure SQL is a family of managed database products that use the **SQL Server database** engine in the Azure cloud. This means you don't have to worry about the physical administration of your servers, and you can focus on managing your data.

Assigned domain: `.database.windows.net`

Azure SQL consists of four main offerings:

1. **Azure SQL Server**: A server is needed for the **deployment and management** of SQL Server databases.
2. **Azure SQL Database**: This is a **fully-managed database service**, which allows you to host individual databases in the Azure cloud.
3. **Azure SQL Managed Instance**: This is for larger scale, entire SQL Server instance-scoped deployments.
4. **Azure SQL Server on Azure VMs**: This is best for architectures where you want **control over the operating system** and SQL Server instance.

## Azure SQL Server

Azure SQL Server is a relational database management system (RDBMS) that uses Transact-SQL for data operations and is built to handle enterprise-level systems. It offers robust features for performance, security, scalability, and integration with various Microsoft applications. Azure SQL databases rely on this server, as they are built on top of it and it is the entry point for users to access the databases.

### SQL Server Security Features

**Network access:**

- Public endpoint (can limit access to specific networks).
- Private endpoints.
- It's also possible to restrict connections based on domain names.
- It's also possible to allow Azure services to access it (like to use the Query editor in the portal or to allow an Azure VM to connect).

**Authentication Methods:**

- Microsoft **Entra-only** authentication: You need to indicate the Entra principals that will have access to the service.
- **Both SQL and Microsoft Entra** authentication: Traditional SQL authentication with username and password alongside Microsoft Entra.
- **Only SQL** authentication: Only allow access via database users.

Note that if any SQL auth is allowed, an admin user (username + password) needs to be indicated, and if Entra ID auth is selected it's also needed to indicate at least one principal with admin access.

**Encryption:**

- It's called "Transparent data encryption" and it encrypts databases, backups, and logs at rest.
- As always, an Azure managed key is used by default, but a customer managed encryption key (CMEK) could also be used.

**Managed Identities:**

- It's possible to assign system and user managed MIs.
- Used to access the encryption key (if a CMEK is used) and other services from the databases.
- If more than one UMI is assigned, it's possible to indicate the default one to use.
- It's possible to configure a federated client identity for cross-tenant access.

**Microsoft Defender:**

- Useful for "mitigating potential database vulnerabilities, and detecting anomalous activities".
- We will talk about Defender in its own lesson (it can be enabled in several other Azure services).

**Backups:**

- Backup frequency is managed in the retention policies.

**Deleted databases:**

- It's possible to restore DBs that have been deleted from existing backups.

## Azure SQL Database

**Azure SQL Database** is a **fully managed database platform as a service (PaaS)** that provides scalable and secure relational database solutions. It's built on the latest SQL Server technologies and eliminates the need for infrastructure management, making it a popular choice for cloud-based applications.

To create a SQL database it's needed to indicate the SQL server where it'll be hosted.

### SQL Database Security Features

- **Always Up-to-Date**: Runs on the latest stable version of SQL Server and receives new features and patches automatically.
- **Inherited SQL Server security features:**
  - Authentication (SQL and/or Entra ID)
  - Assigned Managed Identities
  - Network restrictions
  - Encryption
  - Backups
  - …
- **Data redundancy:** Options are local, zone, Geo or Geo-Zone redundant.
- **Ledger:** It cryptographically verifies the integrity of data, ensuring that any tampering is detected. Useful for financial, medical and any organization managing sensitive data.

A SQL database could be part of an **elastic pool**. Elastic pools are a cost-effective solution for managing multiple databases by sharing configurable compute (eDTUs) and storage resources among them, with pricing based solely on the resources allocated rather than the number of databases.

### Azure SQL Managed Instance

**Azure SQL Managed Instances** are for larger scale, entire SQL Server instance-scoped deployments. It provides near 100% compatibility with the latest SQL Server on-premises (Enterprise Edition) Database Engine, a native virtual network (VNet) implementation that addresses common security concerns, and a business model favorable for on-premises SQL Server customers.

### Azure SQL Virtual Machines

**Azure SQL Virtual Machines** allow you to **control the operating system** and the SQL Server instance, as a VM running the SQL Server will be spawned in the VM service. When a SQL Virtual Machine is created it's possible to **select all the settings of the VM** (as shown in the VM lesson) that will be hosting the SQL server.

- This means that the VM will have access to some VNet(s), might have **Managed Identities attached** to it, could have file shares mounted… making **pivoting from the SQL** to the VM super interesting.
- Moreover, it's possible to configure an app id and secret to **allow the SQL to access a specific key vault**, which could contain sensitive info.
It's also possible to configure things like **automatic SQL updates**, **automatic backups**, **Entra ID authentication** and most of the features of the other SQL services.

## Enumeration

{{#tabs}}
{{#tab name="az cli"}}

```bash
# List Servers
az sql server list # managed identities are enumerated here too

## List Server Usages
az sql server list-usages --name <server> --resource-group <rg>
## List Server Firewalls
az sql server firewall-rule list --resource-group <rg> --server <server>
## List of Azure Active Directory administrators in a server.
az sql server ad-admin list --resource-group <rg> --server <server>
## Gets the advanced threat protection setting
az sql server advanced-threat-protection-setting show --resource-group <rg> --name <server>
## Get server's auditing policy.
az sql server audit-policy show --resource-group <rg> --name <server>
## Gets a server's secure connection policy.
az sql server conn-policy show --resource-group <rg> --server <server>
## Gets a list of server DNS aliases for a server.
az sql server dns-alias list --resource-group <rg> --server <server>
## List of server keys.
az sql server key list --resource-group <rg> --server <server>
## Gets a server encryption protector.
az sql server tde-key show --resource-group <rg> --server <server>

# List Databases in a SQL server
az sql db list --server <server> --resource-group <rg> #--output table
## Get details of a specific database
az sql db show --name <db> --server <server> --resource-group <rg>
## List database usages
az sql db list-usages --name <db> --server <server> --resource-group <rg>
## List of operations performed on the database.
az sql db op list --database <db> --server <server> --resource-group <rg>
## List sql database classification
az sql db classification list --name <db> --server <server> --resource-group <rg>
## List long-term retention backups for a SQL database
az sql db ltr-backup list --location <location> --database <db> --server <server> --resource-group <rg>
## Show long-term retention policy
az sql db ltr-policy show --name <db> --server <server> --resource-group <rg>
## Show short-term retention policy
az sql db str-policy show --name <db> --server <server> --resource-group <rg>
## List the replicas of a database and their replication status
az sql db replica list-links --name <db> --server <server> --resource-group <rg>
## List deleted (restorable dropped) SQL databases in a SQL server
az sql db list-deleted --server <server> --resource-group <rg>
## Show advanced threat protection setting
az sql db advanced-threat-protection-setting show --name <db> --server <server> --resource-group <rg>

# List all elastic pools in a SQL server
az sql elastic-pool list --server <server> --resource-group <rg> #--output table
## Get details of a specific elastic pool
az sql elastic-pool show --name <pool> --server <server> --resource-group <rg>
## List of databases in an elastic pool.
az sql elastic-pool list-dbs --name <pool> --server <server> --resource-group <rg>

# List all managed Instances
az sql mi list
az sql mi show --resource-group <rg> --name <mi>
az sql midb list --managed-instance <mi> --resource-group <rg>
az sql midb show --resource-group <rg> --managed-instance <mi> --name <db>

# List all SQL VMs
az sql vm list
az sql vm show --resource-group <rg> --name <vm>
```

{{#endtab}}
{{#tab name="Az PowerShell"}}

```powershell
# List Servers
Get-AzSqlServer -ResourceGroupName ""

# List All Databases in a SQL Server
Get-AzSqlDatabase -ServerName "" -ResourceGroupName ""

# Get Details of a Specific Database
Get-AzSqlDatabase -Name "" -ServerName "" -ResourceGroupName ""

# List Operations Performed on the Database
Get-AzSqlDatabaseActivity -DatabaseName "" -ServerName "" -ResourceGroupName ""

# List SQL Database Classification
Get-AzSqlDatabaseSensitivityClassification -DatabaseName "" -ServerName "" -ResourceGroupName ""

# List Long-Term Retention Backups for a SQL Database
Get-AzSqlDatabaseLongTermRetentionBackup -ResourceGroupName "" -Location ""

# List Replicas of a Database and Their Replication Status
Get-AzSqlDatabaseReplicationLink -DatabaseName "" -ServerName "" -ResourceGroupName "" -PartnerResourceGroupName ""

# List Deleted SQL Databases
Get-AzSqlDeletedDatabaseBackup -ServerName "" -ResourceGroupName ""

# List All Elastic Pools in a SQL Server
Get-AzSqlElasticPool -ServerName "" -ResourceGroupName ""

# List All Databases in a Specific Elastic Pool
Get-AzSqlElasticPoolDatabase -ElasticPoolName "" -ServerName "" -ResourceGroupName ""

# List all managed Instances
Get-AzSqlInstance
Get-AzSqlInstance -ResourceGroupName "" -Name ""

# List All Databases in a SQL Managed Instance
Get-AzSqlInstanceDatabase -ResourceGroupName "" -InstanceName ""

# List all SQL VMs
Get-AzSqlVM
```

{{#endtab}}
{{#endtabs}}

### Connect and run SQL queries

You could find a connection string (containing credentials), for example by [enumerating an Az WebApp](az-app-services.md):

```powershell
function invoke-sql {
    param($query)
    $Connection_string = "Server=tcp:supercorp.database.windows.net,1433;Initial Catalog=flag;Persist Security Info=False;User ID=db_read;Password=gAegH!324fAG!#1fht;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;"
    $Connection = New-Object System.Data.SqlClient.SqlConnection $Connection_string
    $Connection.Open()
    $Command = New-Object System.Data.SqlClient.SqlCommand
    $Command.Connection = $Connection
    $Command.CommandText = $query
    $Reader = $Command.ExecuteReader()
    while ($Reader.Read()) {
        $Reader.GetValue(0)
    }
    $Connection.Close()
}

invoke-sql 'Select Distinct TABLE_NAME From information_schema.TABLES;'
```

You can also use sqlcmd to access the database. It is important to know if the server allows public connections (`az sql server show --name <server> --resource-group <rg>`), and also if the firewall rules let your IP access it:

```bash
sqlcmd -S <server>.database.windows.net -U <user> -P <password> -d <database>
```

## References

- [https://learn.microsoft.com/en-us/azure/azure-sql/azure-sql-iaas-vs-paas-what-is-overview?view=azuresql](https://learn.microsoft.com/en-us/azure/azure-sql/azure-sql-iaas-vs-paas-what-is-overview?view=azuresql)
- [https://learn.microsoft.com/en-us/azure/azure-sql/database/single-database-overview?view=azuresql](https://learn.microsoft.com/en-us/azure/azure-sql/database/single-database-overview?view=azuresql)
- [https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/sql-managed-instance-paas-overview?view=azuresql](https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/sql-managed-instance-paas-overview?view=azuresql)
- [https://learn.microsoft.com/en-us/azure/azure-sql/virtual-machines/windows/sql-server-on-azure-vm-iaas-what-is-overview?view=azuresql](https://learn.microsoft.com/en-us/azure/azure-sql/virtual-machines/windows/sql-server-on-azure-vm-iaas-what-is-overview?view=azuresql)

## Privilege Escalation

{{#ref}}
../az-privilege-escalation/az-sql-privesc.md
{{#endref}}

## Post Exploitation

{{#ref}}
../az-post-exploitation/az-sql-post-exploitation.md
{{#endref}}

{{#include ../../../banners/hacktricks-training.md}}
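Tying the server security features and the enumeration above together, here is an added example (not from the HackTricks page or from the az CLI) that reviews a server from the defender's side: it parses the JSON that `az sql server show` and `az sql server firewall-rule list` print, flags public network access, a low minimal TLS version, SQL authentication still being enabled and over-broad firewall rules (the `0.0.0.0`-`0.0.0.0` rule is the "allow Azure services" one described earlier), and then inspects a connection string of the `Key=Value;` format shown in the connect section, redacting its password so it can be reported safely. The JSON field names are assumed to match the az CLI output, and every sample value is constructed.

```python
import ipaddress
import json

# Constructed sample of `az sql server show` output (field names assumed to match the az CLI).
SERVER_JSON = json.dumps({
    "name": "example-sqlsrv",
    "fullyQualifiedDomainName": "example-sqlsrv.database.windows.net",
    "publicNetworkAccess": "Enabled",
    "minimalTlsVersion": "1.0",
    "administratorLogin": "sqladmin",
    "administrators": {"administratorType": "ActiveDirectory",
                       "login": "dba-group", "azureAdOnlyAuthentication": False},
})

# Constructed sample of `az sql server firewall-rule list` output.
FIREWALL_JSON = json.dumps([
    {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
    {"name": "office", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"},
    {"name": "temp-dev", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
])

WIDE_RULE_THRESHOLD = 256  # flag any rule wider than a /24


def audit_server(server_json, firewall_json):
    """Return a list of findings about the server's network and authentication settings."""
    server = json.loads(server_json)
    rules = json.loads(firewall_json)
    findings = []

    if server.get("publicNetworkAccess") == "Enabled":
        findings.append("public endpoint enabled")
    tls = server.get("minimalTlsVersion", "None")
    if tls == "None" or float(tls) < 1.2:
        findings.append(f"minimal TLS version is {tls}")
    admins = server.get("administrators") or {}
    # Entra-only auth off plus a SQL admin login means password auth is still accepted.
    if not admins.get("azureAdOnlyAuthentication") and server.get("administratorLogin"):
        findings.append(f"SQL authentication enabled (admin login {server['administratorLogin']!r})")

    for rule in rules:
        start = ipaddress.ip_address(rule["startIpAddress"])
        end = ipaddress.ip_address(rule["endIpAddress"])
        size = int(end) - int(start) + 1
        if start == end == ipaddress.ip_address("0.0.0.0"):
            # 0.0.0.0-0.0.0.0 is the "Allow Azure services" rule: any Azure-hosted client may connect.
            findings.append(f"firewall rule {rule['name']!r} allows all Azure services")
        elif size > WIDE_RULE_THRESHOLD:
            findings.append(f"firewall rule {rule['name']!r} allows {size} addresses")
    return findings


# Constructed connection string in the same Server=...;Key=Value; format as the one on the page.
CONN_STR = ("Server=tcp:example-sqlsrv.database.windows.net,1433;Initial Catalog=appdb;"
            "Persist Security Info=False;User ID=app_reader;Password=CONSTRUCTED-SECRET;"
            "MultipleActiveResultSets=False;Encrypt=False;TrustServerCertificate=True;"
            "Connection Timeout=30;")


def parse_connection_string(conn):
    """Split an ADO.NET-style connection string into a lower-cased key -> value dict."""
    pairs = (kv.split("=", 1) for kv in conn.split(";") if "=" in kv)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def audit_connection_string(conn):
    """Return (redacted string, target host, findings) for a connection string found in app config."""
    p = parse_connection_string(conn)
    host = p.get("server", "").removeprefix("tcp:").split(",")[0]
    findings = []
    if host.endswith(".database.windows.net"):
        findings.append(f"targets Azure SQL server {host.split('.')[0]!r}")
    if "password" in p:
        findings.append(f"embeds SQL credentials for user {p.get('user id', '?')!r}")
    if p.get("encrypt", "False").lower() != "true":
        findings.append("Encrypt is not True (client does not require an encrypted channel)")
    if p.get("trustservercertificate", "False").lower() == "true":
        findings.append("TrustServerCertificate=True disables server certificate validation")
    # Redact the secret so the string can be pasted into a ticket or log.
    redacted = ";".join(
        "Password=***" if kv.strip().lower().startswith("password=") else kv
        for kv in conn.split(";"))
    return redacted, host, findings


if __name__ == "__main__":
    for f in audit_server(SERVER_JSON, FIREWALL_JSON):
        print("server:", f)
    redacted, host, conn_findings = audit_connection_string(CONN_STR)
    print("connection string:", redacted)
    for f in conn_findings:
        print("connection string:", f)
```

To run it against a real subscription, redirect the output of the two `az sql server` commands from the enumeration tab into files and pass their contents to `audit_server`; the findings it returns are the ones to fix before checking whether `sqlcmd` can reach the server from an arbitrary IP.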