18 KiB
Az - CosmosDB
{% hint style="success" %}
Leer & oefen AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Leer & oefen GCP Hacking: 
HackTricks Training GCP Red Team Expert (GRTE)
Ondersteun HackTricks
- Kyk na die subskripsie planne!
- Sluit aan by die 💬 Discord groep of die telegram groep of volg ons op Twitter 🐦 @hacktricks_live.
- Deel hacking truuks deur PRs in te dien na die HackTricks en HackTricks Cloud github repos.
Azure CosmosDB
Azure Cosmos DB is 'n volledig bestuurde NoSQL, relationele, en vektordatabasis wat enkel-digit millisekonde reaksietye, outomatiese skaalbaarheid, en SLA-ondersteunde beskikbaarheid met ondernemingsgraad sekuriteit bied. Dit stel vinniger app-ontwikkeling in staat deur kant-en-klaar multi-streek data verspreiding, oopbron API's, SDK's vir gewilde tale, en KI-databasis funksies soos geïntegreerde vektorondersteuning en naatlose Azure KI-integrasie.
Azure Cosmos DB bied verskeie databasis API's om werklike data te modelleer met behulp van dokumente, relationele, sleutel-waarde, grafiek, en kolom-familie datamodelles, wat hierdie API's NoSQL, MongoDB, PostgreSQL, Cassandra, Gremlin en Tabel is.
Een sleutel aspek van CosmosDB is Azure Cosmos Account. Azure Cosmos Account dien as die toegangspunt tot die databasisse. Die rekening bepaal sleutelinstellings soos globale verspreiding, konsekwentievlakke, en die spesifieke API wat gebruik moet word, soos NoSQL. Deur die rekening kan jy globale replikaasies konfigureer om te verseker dat data beskikbaar is oor verskeie streke vir lae-latensie toegang. Boonop kan jy 'n konsekwentievlak kies wat 'n balans tussen prestasie en datanauwkeurigheid handhaaf, met opsies wat wissel van Sterk tot Finale konsekwentheid.
NoSQL (sql)
Die Azure Cosmos DB NoSQL API is 'n dokument-gebaseerde API wat JSON as sy dataformaat gebruik. Dit bied 'n SQL-agtige vraagsintaksis vir die opvra van JSON-objekte, wat dit geskik maak vir die werk met gestruktureerde en semi-gestruktureerde data. Die eindpunt van die diens is:
{% code overflow="wrap" %}
https://<Account-Name>.documents.azure.com:443/
{% endcode %}
Databasies
Binne 'n rekening kan jy een of meer databasies skep, wat dien as logiese groepe van houers. 'n Databasis dien as 'n grense vir hulpbronbestuur en gebruikersregte. Databasies kan of die toegewezen deurvoer oor hul houers deel of toegewyde deurvoer aan individuele houers toewys.
Houers
Die kern eenheid van data-opberging is die houer, wat JSON-dokumente bevat en outomaties geindexeer word vir doeltreffende navraag. Houers is elasties skaalbaar en versprei oor partisie, wat bepaal word deur 'n deur gebruiker gedefinieerde partisie sleutel. Die partisie sleutel is krities vir die verseker van optimale prestasie en gelyke data verspreiding. Byvoorbeeld, 'n houer kan klantdata stoor, met "customerId" as die partisie sleutel.
Enumerasie
{% tabs %} {% tab title="az cli" %} {% code overflow="wrap" %}
# CosmoDB Account
## List Azure Cosmos DB database accounts.
az cosmosdb list --resource-group <ResourceGroupName>
az cosmosdb show --resource-group <ResourceGroupName> --name <AccountName>
## Lists the virtual network accounts associated with a Cosmos DB account
az cosmosdb network-rule list --resource-group <ResourceGroupName> --name <AccountName>
## List the access keys or connection strings for a Azure Cosmos DB
az cosmosdb keys list --name <AccountName> --resource-group <ResourceGroupName>
## List all the database accounts that can be restored.
az cosmosdb restorable-database-account list --account-name <AccountName>
## Show the identities for a Azure Cosmos DB database account.
az cosmosdb identity show --resource-group <ResourceGroupName> --name <AccountName>
# CosmoDB (NoSQL)
## List the SQL databases under an Azure Cosmos DB account.
az cosmosdb sql database list --resource-group <ResourceGroupName> --account-name <AccountName>
## List the SQL containers under an Azure Cosmos DB SQL database.
az cosmosdb sql container list --account-name <AccountName> --database-name <DatabaseName> --resource-group <ResourceGroupName>
## List all SQL role assignments under an Azure Cosmos DB
az cosmosdb sql role assignment list --resource-group <ResourceGroupName> --account-name <AccountName>
## List all SQL role definitions under an Azure Cosmos DB
az cosmosdb sql role definition list --resource-group <ResourceGroupName> --account-name <AccountName>
## List the SQL stored procedures under an Azure Cosmos DB
az cosmosdb sql stored-procedure list --account-name <AccountName> --container-name <ContainerName> --database-name <DatabaseName> --resource-group <ResourceGroupName>
## List the SQL triggers under an Azure Cosmos DB SQL container.
az cosmosdb sql trigger list --account-name <AccountName> --container-name <ContainerName> --database-name <DatabaseName> --resource-group <ResourceGroupName>
## List the SQL user defined functions under an Azure Cosmos DB SQL container
az cosmosdb sql user-defined-function list --account-name <AccountName> --container-name <ContainerName> --database-name <DatabaseName> --resource-group <ResourceGroupName>
{% endcode %} {% endtab %}
{% tab title="Az PowerShell" %} {% code overflow="wrap" %}
Get-Command -Module Az.CosmosD
# List all Cosmos DB accounts in a specified resource group.
Get-AzCosmosDBAccount -ResourceGroupName "<ResourceGroupName>"
# Get the access keys for a specific Cosmos DB account.
Get-AzCosmosDBAccountKey -ResourceGroupName "<ResourceGroupName>" -Name "<AccountName>"
# Retrieve the client encryption keys for a specific Cosmos DB account.
Get-AzCosmosDbClientEncryptionKey -ResourceGroupName "<ResourceGroupName>" -AccountName "<AccountName>" -DatabaseName "<DatabaseName>"
# List all SQL containers in a specific Cosmos DB SQL database.
Get-AzCosmosDBSqlContainer -ResourceGroupName "<ResourceGroupName>" -AccountName "<AccountName>" -DatabaseName "<DatabaseName>"
# Get backup information for a specific Cosmos DB SQL container.
Get-AzCosmosDBSqlContainerBackupInformation -ResourceGroupName "<ResourceGroupName>" -AccountName "<AccountName>" -DatabaseName "<DatabaseName>" -Name "<ContainerName>" -Location "<location>"
# Get the throughput (RU/s) settings for a specific Cosmos DB SQL container.
Get-AzCosmosDBSqlContainerThroughput -ResourceGroupName "<ResourceGroupName>" -AccountName "<AccountName>" -DatabaseName "<DatabaseName>" -Name "<ContainerName>"
# List all SQL databases under a specific Cosmos DB account.
Get-AzCosmosDBSqlDatabase -ResourceGroupName "<ResourceGroupName>" -AccountName "<AccountName>"
# Get the throughput (RU/s) settings for a specific Cosmos DB SQL database.
Get-AzCosmosDBSqlDatabaseThroughput -ResourceGroupName "<ResourceGroupName>" -AccountName "<AccountName>" -Name "<DatabaseName>"
# List all SQL role assignments for a specific Cosmos DB account.
Get-AzCosmosDBSqlRoleAssignment -ResourceGroupName "<ResourceGroupName>" -AccountName "<AccountName>"
# List all SQL role definitions for a specific Cosmos DB account.
Get-AzCosmosDBSqlRoleDefinition -ResourceGroupName "<ResourceGroupName>" -AccountName "<AccountName>"
# List all stored procedures in a specific Cosmos DB SQL container.
Get-AzCosmosDBSqlStoredProcedure -ResourceGroupName "<ResourceGroupName>" -AccountName "<AccountName>" -DatabaseName "<DatabaseName>" -ContainerName "<ContainerName>"
# List all triggers in a specific Cosmos DB SQL container.
Get-AzCosmosDBSqlTrigger -ResourceGroupName "<ResourceGroupName>" -AccountName "<AccountName>" -DatabaseName "<DatabaseName>" -ContainerName "<ContainerName>"
# List all user-defined functions (UDFs) in a specific Cosmos DB SQL container.
Get-AzCosmosDBSqlUserDefinedFunction -ResourceGroupName "<ResourceGroupName>" -AccountName "<AccountName>" -DatabaseName "<DatabaseName>" -ContainerName "<ContainerName>"
{% endcode %} {% endtab %} {% endtabs %}
Verbinding
Om die azure-cosmosDB (pip install azure-cosmos) biblioteek te verbind, is dit nodig. Boonop is die eindpunt en die sleutel kritieke komponente om die verbinding te maak. {% code overflow="wrap" %}
from azure.cosmos import CosmosClient, PartitionKey
# Connection details
endpoint = "<your-account-endpoint>"
key = "<your-account-key>"
# Initialize Cosmos Client
client = CosmosClient(endpoint, key)
# Access existing database and container
database_name = '<SampleDB>'
container_name = '<SampleContainer>'
database = client.get_database_client(database_name)
container = database.get_container_client(container_name)
# Insert multiple documents
items_to_insert = [
{"id": "1", "name": "Sample Item", "description": "This is a sample document."},
{"id": "2", "name": "Another Sample Item", "description": "This is another sample document."},
{"id": "3", "name": "Sample Item", "description": "This is a duplicate name sample document."},
]
for item in items_to_insert:
container.upsert_item(item)
# Query all documents
query = "SELECT * FROM c"
all_items = list(container.query_items(
query=query,
enable_cross_partition_query=True
))
# Print all queried items
print("All items in the container:")
for item in all_items:
print(item)
{% endcode %}
'n Ander manier om 'n verbinding te vestig, is om die DefaultAzureCredential() te gebruik. Jy moet net aanmeld (az login) met die rekening wat die toestemmings het en dit uitvoer. Vir hierdie geval moet 'n roltoewysing gedoen word, wat die nodige toestemmings gee (sien vir meer)
{% code overflow="wrap" %}
from azure.identity import DefaultAzureCredential
from azure.cosmos import CosmosClient
# Use Azure AD for authentication
credential = DefaultAzureCredential()
endpoint = "<your-account-endpoint>"
client = CosmosClient(endpoint, credential)
# Access database and container
database_name = "<mydatabase>"
container_name = "<mycontainer>"
database = client.get_database_client(database_name)
container = database.get_container_client(container_name)
# Insert a document
item = {
"id": "1",
"name": "Sample Item",
"description": "This is a test item."
}
container.create_item(item)
print("Document inserted.")
{% endcode %}
MongoDB
Die MongoDB NoSQL API is 'n dokument-gebaseerde API wat JSON-agtige BSON (Binary JSON) as sy dataformaat gebruik. Dit bied 'n navraagtaal met aggregasie vermoëns, wat dit geskik maak om met gestruktureerde, semi-gestruktureerde en ongestruktureerde data te werk. Die eindpunt van die diens volg tipies hierdie formaat:
{% code overflow="wrap" %}
mongodb://<hostname>:<port>/<database>
{% endcode %}
Databasas
In MongoDB kan jy een of meer databasas binne 'n instansie skep. Elke databasis dien as 'n logiese groep van versamelings en bied 'n grense vir hulpbronorganisasie en -bestuur. Databasas help om data logies te skei en te bestuur, soos vir verskillende toepassings of projekte.
Versamelings
Die kern eenheid van data-opberging in MongoDB is die versameling, wat dokumente hou en ontwerp is vir doeltreffende navraag en buigsame skema-ontwerp. Versamelings is elasties skaalbaar en kan hoë-deurvoer operasies oor verskeie nodes in 'n verspreide opstelling ondersteun.
Enumerasie
{% tabs %} {% tab title="az cli" %} {% code overflow="wrap" %}
# CosmoDB Account
## List Azure Cosmos DB database accounts.
az cosmosdb list --resource-group <ResourceGroupName>
az cosmosdb show --resource-group <ResourceGroupName> --name <AccountName>
## Lists the virtual network accounts associated with a Cosmos DB account
az cosmosdb network-rule list --resource-group <ResourceGroupName> --name <AccountName>
## List the access keys or connection strings for a Azure Cosmos DB
az cosmosdb keys list --name <AccountName> --resource-group <ResourceGroupName>
## List all the database accounts that can be restored.
az cosmosdb restorable-database-account list --account-name <AccountName>
## Show the identities for a Azure Cosmos DB database account.
az cosmosdb identity show --resource-group <ResourceGroupName> --name <AccountName>
{% endcode %} {% endtab %}
{% tab title="Az PowerShell" %} {% code overflow="wrap" %}
Get-Command -Module Az.CosmosDB
# List all Cosmos DB accounts in a specified resource group.
Get-AzCosmosDBAccount -ResourceGroupName "<ResourceGroupName>"
# Get the access keys for a specific Cosmos DB account.
Get-AzCosmosDBAccountKey -ResourceGroupName "<ResourceGroupName>" -Name "<AccountName>"
# Retrieve the client encryption keys for a specific Cosmos DB account.
Get-AzCosmosDbClientEncryptionKey -ResourceGroupName "<ResourceGroupName>" -AccountName "<AccountName>" -DatabaseName "<DatabaseName>"
# List all MongoDB collections in a specific database.
Get-AzCosmosDBMongoDBCollection -AccountName <account-name> -ResourceGroupName <resource-group-name> -DatabaseName <database-name>
# Retrieve backup information for a specific MongoDB collection in a database.
Get-AzCosmosDBMongoDBCollectionBackupInformation -AccountName <account-name> -ResourceGroupName <resource-group-name> -DatabaseName <database-name> -Name <collection-name> -Location <Location>
# Get the throughput (RU/s) of a specific MongoDB collection in a database.
Get-AzCosmosDBMongoDBCollectionThroughput -AccountName <account-name> -ResourceGroupName <resource-group-name> -DatabaseName <database-name> -Name <collection-name>
# List all MongoDB databases in a specified Cosmos DB account.
Get-AzCosmosDBMongoDBDatabase -AccountName <account-name> -ResourceGroupName <resource-group-name>
# Get the throughput (RU/s) of a specific MongoDB database.
Get-AzCosmosDBMongoDBDatabaseThroughput -AccountName <account-name> -ResourceGroupName <resource-group-name> -DatabaseName <database-name>
# Retrieve the role definitions for MongoDB users in a specified Cosmos DB account.
Get-AzCosmosDBMongoDBRoleDefinition -AccountName <account-name> -ResourceGroupName <resource-group-name>
{% endcode %} {% endtab %} {% endtabs %}
Verbinding
Hier kan jy die wagwoord vind met die sleutels of met die metode beskryf in die privesc afdeling. {% code overflow="wrap" %}
from pymongo import MongoClient
# Updated connection string with retryWrites=false
connection_string = "mongodb://<account-name>.mongo.cosmos.azure.com:10255/?ssl=true&replicaSet=globaldb&retryWrites=false"
# Create the client
client = MongoClient(connection_string, username="<username>", password="<password>")
# Access the database
db = client['<database>']
# Access a collection
collection = db['<collection>']
# Insert a single document
document = {
"name": "John Doe",
"email": "johndoe@example.com",
"age": 30,
"address": {
"street": "123 Main St",
"city": "Somewhere",
"state": "CA",
"zip": "90210"
}
}
# Insert document
result = collection.insert_one(document)
print(f"Inserted document with ID: {result.inserted_id}")
{% endcode %}
Verwysings
- https://learn.microsoft.com/en-us/azure/cosmos-db/choose-api
- https://learn.microsoft.com/en-us/azure/cosmos-db/
- https://learn.microsoft.com/en-us/azure/cosmos-db/introduction
- https://learn.microsoft.com/en-us/azure/cosmos-db/nosql/security/how-to-grant-data-plane-role-based-access?tabs=built-in-definition%2Ccsharp&pivots=azure-interface-cli
Privilege Escalation
{% content-ref url="../az-privilege-escalation/az-cosmosDB-privesc.md" %} az-cosmosDB-privesc.md {% endcontent-ref %}
Post Exploitation
{% content-ref url="../az-post-exploitation/az-cosmosDB-post-exploitation.md" %} az-cosmosDB-post-exploitation.md {% endcontent-ref %}
ToDo
- Die res van die DB hier, tafels, cassandra, gremlin...
- Kyk na die post exploitation "Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write" && "Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/read" en rol definisies want hier mag daar 'n privesc wees
- Kyk na herstel
{% hint style="success" %}
Leer & oefen AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Leer & oefen GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Ondersteun HackTricks
- Kyk na die subskripsie planne!
- Sluit aan by die 💬 Discord groep of die telegram groep of volg ons op Twitter 🐦 @hacktricks_live.
- Deel hacking truuks deur PRs in te dien na die HackTricks en HackTricks Cloud github repos.