# Az - CosmosDB Post Exploitation

{{#include ../../../banners/hacktricks-training.md}}

## CosmosDB Post Exploitation
For more information about Azure Cosmos DB check:

{{#ref}}
../az-services/az-cosmosDB.md
{{#endref}}
### Microsoft.DocumentDB/databaseAccounts/read && Microsoft.DocumentDB/databaseAccounts/write

With this permission, you can create or update Azure Cosmos DB accounts. This includes modifying account-level settings, adding or removing regions, changing consistency levels, and enabling or disabling features like multi-region writes.

```bash
# Example: re-enable public network access on the account (removes any network-level restriction it relied on)
az cosmosdb update \
  --name <account_name> \
  --resource-group <resource_group_name> \
  --public-network-access ENABLED
```
### Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/read && Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/write

With this permission, you can create or modify containers (collections) within a SQL database of an Azure Cosmos DB account. Containers are used to store data, and changes to them can impact the database's structure and access patterns.

```bash
# Create
az cosmosdb sql container create \
  --account-name <account_name> \
  --resource-group <resource_group_name> \
  --database-name <database_name> \
  --name <container_name> \
  --partition-key-path <partition_key_path>

# Update
az cosmosdb sql container update \
  --account-name <account_name> \
  --resource-group <resource_group_name> \
  --database-name <database_name> \
  --name <container_name> \
  --ttl 3600
```
### Microsoft.DocumentDB/databaseAccounts/sqlDatabases/write && Microsoft.DocumentDB/databaseAccounts/sqlDatabases/read

With this permission, you can create or modify SQL databases within an Azure Cosmos DB account. This allows for managing the database structure and adding new databases to the account. While this permission enables database creation, improper or unauthorized use could result in unnecessary resource consumption, increased costs, or operational inefficiencies.

```bash
az cosmosdb sql database create \
  --account-name <account_name> \
  --resource-group <resource_group_name> \
  --name <database_name>
```
### Microsoft.DocumentDB/databaseAccounts/failoverPriorityChange/action

With this permission, you can change the failover priority of regions for an Azure Cosmos DB database account. This action determines the order in which regions become primary during a failover event. Improper use of this permission can disrupt the high availability of the database or lead to unintended operational impacts.

```bash
az cosmosdb failover-priority-change \
  --name <database_account_name> \
  --resource-group <resource_group_name> \
  --failover-policies <region1=priority1> <region2=priority2>
```
### Microsoft.DocumentDB/databaseAccounts/regenerateKey/action

With this permission, you can regenerate the primary or secondary keys for an Azure Cosmos DB account. This is typically used to enhance security by replacing old keys, but it can disrupt access for services or applications that rely on the current keys.

```bash
az cosmosdb keys regenerate \
  --name <account_name> \
  --resource-group <resource_group_name> \
  --key-kind <primary|secondary>
```
### Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/userDefinedFunctions/write && Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/userDefinedFunctions/read

With this permission, you can create or modify user-defined functions (UDFs) within a container of a SQL database in an Azure Cosmos DB account. UDFs are server-side JavaScript functions that can be called from queries, so changing one alters the results every query that uses it returns.

```bash
az cosmosdb sql user-defined-function create \
  --account-name <account_name> \
  --resource-group <resource_group_name> \
  --database-name <sql_database_name> \
  --container-name <container_name> \
  --name <udf_name> \
  --body 'function udf(value) { return value * 2; }'
```
### Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/storedProcedures/write && Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/storedProcedures/read

With this permission, you can create or modify stored procedures within a container of a SQL database in an Azure Cosmos DB account. Stored procedures in Cosmos DB are server-side JavaScript functions that allow you to encapsulate logic for processing data or performing operations directly within the database.

```bash
az cosmosdb sql stored-procedure create \
  --account-name <account_name> \
  --resource-group <resource_group_name> \
  --database-name <sql_database_name> \
  --container-name <container_name> \
  --name <stored_procedure_name> \
  --body 'function sample() { return "Hello, Cosmos!"; }'
```
### Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/triggers/write && Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/triggers/read

With this permission, you can create or modify triggers within a container of a SQL database in an Azure Cosmos DB account. Triggers allow you to execute server-side logic in response to operations like inserts, updates, or deletes.

```bash
az cosmosdb sql trigger create \
  --account-name <account_name> \
  --resource-group <resource_group_name> \
  --database-name <sql_database_name> \
  --container-name <container_name> \
  --name <trigger_name> \
  --body 'function trigger() { var context = getContext(); var request = context.getRequest(); request.setBody("Triggered operation!"); }' \
  --type Pre \
  --operation All
```
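All of the control-plane operations above (account writes, failover priority changes, key regeneration, and writes to stored procedures, triggers and UDFs) land in the Azure Activity Log under their `Microsoft.DocumentDB/...` operation names. The following is an added example, not code from HackTricks, that triages constructed Activity Log records in a simplified schema; the severity labels are this example's own assumptions.

```python
"""Triage Azure Activity Log events for the Cosmos DB control-plane operations
listed above. The log lines are constructed samples in a simplified schema."""
import json

# Operation names as they appear in the Activity Log, compared case-insensitively.
# The severities are this example's assumptions, not an Azure classification.
WATCHED_OPERATIONS = {
    "microsoft.documentdb/databaseaccounts/write": "medium",
    "microsoft.documentdb/databaseaccounts/failoverprioritychange/action": "high",
    "microsoft.documentdb/databaseaccounts/regeneratekey/action": "high",
    "microsoft.documentdb/databaseaccounts/sqldatabases/containers/userdefinedfunctions/write": "medium",
    "microsoft.documentdb/databaseaccounts/sqldatabases/containers/storedprocedures/write": "high",
    "microsoft.documentdb/databaseaccounts/sqldatabases/containers/triggers/write": "high",
}

# Constructed sample, one JSON record per line. A control-plane operation
# normally emits a "Started" event followed by "Succeeded" or "Failed".
SAMPLE_LOG = """\
{"operationName": {"value": "MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/REGENERATEKEY/ACTION"}, "caller": "svc-backup@example.com", "status": {"value": "Succeeded"}, "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.DocumentDB/databaseAccounts/acct1", "eventTimestamp": "2024-01-01T10:00:00Z"}
{"operationName": {"value": "MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/SQLDATABASES/CONTAINERS/TRIGGERS/WRITE"}, "caller": "dev@example.com", "status": {"value": "Succeeded"}, "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.DocumentDB/databaseAccounts/acct1/sqlDatabases/db1/containers/orders/triggers/trg1", "eventTimestamp": "2024-01-01T10:05:00Z"}
{"operationName": {"value": "MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/READ"}, "caller": "dev@example.com", "status": {"value": "Succeeded"}, "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.DocumentDB/databaseAccounts/acct1", "eventTimestamp": "2024-01-01T10:06:00Z"}
{"operationName": {"value": "MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/WRITE"}, "caller": "intern@example.com", "status": {"value": "Started"}, "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.DocumentDB/databaseAccounts/acct1", "eventTimestamp": "2024-01-01T10:07:00Z"}
{"operationName": {"value": "MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/WRITE"}, "caller": "intern@example.com", "status": {"value": "Failed"}, "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.DocumentDB/databaseAccounts/acct1", "eventTimestamp": "2024-01-01T10:07:01Z"}
"""

def triage(log_text):
    """Return one finding per completed watched operation, oldest first."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        op = event["operationName"]["value"].lower()
        severity = WATCHED_OPERATIONS.get(op)
        status = event["status"]["value"]
        if severity is None or status == "Started":
            continue  # not watched, or the terminal event is still to come
        if status != "Succeeded":
            severity = "attempt"  # denied calls still show who probes which rights
        findings.append({"severity": severity, "operation": op, "caller": event.get("caller"),
                         "resource": event["resourceId"], "time": event["eventTimestamp"]})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:>7}] {f['time']} {f['caller']} {f['operation']}")
```

Real exports contain more fields (correlation ids, claims, the request body for writes), so matching should key on `operationName` and `status` as shown rather than on the record layout.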
### Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/read && Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/write

With this permission, you can create or modify collections within MongoDB databases in an Azure Cosmos DB account. Collections are used to store documents and define the structure and partitioning for data.

```bash
az cosmosdb mongodb collection create \
  --account-name <account_name> \
  --resource-group <resource_group_name> \
  --database-name <mongodb_database_name> \
  --name <collection_name>
```
### Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/write && Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/read

With this permission, you can create new MongoDB databases within an Azure Cosmos DB account. This allows for provisioning new databases to store and manage collections and documents.

```bash
az cosmosdb mongodb database create \
  --account-name <account_name> \
  --resource-group <resource_group_name> \
  --name <database_name>
```
### Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write && Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/read

With this permission, you can create new MongoDB role definitions within an Azure Cosmos DB account. This allows defining custom roles with specific permissions for MongoDB users.

```bash
az cosmosdb mongodb role definition create \
  --account-name <account_name> \
  --resource-group <resource_group_name> \
  --body '{
    "Id": "<mydatabase>.readWriteRole",
    "RoleName": "readWriteRole",
    "Type": "CustomRole",
    "DatabaseName": "<mydatabase>",
    "Privileges": [
      {
        "Resource": {
          "Db": "<mydatabase>",
          "Collection": "mycollection"
        },
        "Actions": [
          "insert",
          "find",
          "update"
        ]
      }
    ],
    "Roles": []
  }'
```
### Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write && Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/read

With this permission, you can create new MongoDB user definitions within an Azure Cosmos DB account. This allows the provisioning of users with specific roles and access levels to MongoDB databases.

```bash
az cosmosdb mongodb user definition create \
  --account-name <account_name> \
  --resource-group <resource_group_name> \
  --body '{
    "Id": "<mydatabase>.myUser",
    "UserName": "myUser",
    "Password": "mySecurePassword",
    "DatabaseName": "<mydatabase>",
    "CustomData": "TestCustomData",
    "Mechanisms": "SCRAM-SHA-256",
    "Roles": [
      {
        "Role": "readWriteRole",
        "Db": "<mydatabase>"
      }
    ]
  }'
```
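Because role definitions and user definitions (the two JSON bodies above) are what decide a MongoDB principal's effective rights, reviewing them for over-broad scope is the natural control. The following is an added example, not HackTricks or Azure code, that audits constructed definitions in that format; it assumes an empty `Collection` means every collection in the database, and the action and role sets it treats as dangerous are this example's own choices.

```python
"""Audit Cosmos DB for MongoDB custom role and user definitions (the JSON bodies
used above) for over-broad grants. All sample definitions are constructed."""

# Assumptions for this example: an empty "Collection" scopes a privilege to every
# collection in the database, and the sets below are what this check treats as
# destructive actions and privileged built-in roles.
DESTRUCTIVE_ACTIONS = {"remove", "dropCollection", "dropDatabase", "dropIndex"}
PRIVILEGED_ROLES = {"dbOwner", "dbAdmin", "userAdmin", "root"}

# readWriteRole mirrors the definition above; maintRole is deliberately over-privileged.
SAMPLE_ROLES = [
    {"Id": "mydatabase.readWriteRole", "Roles": [],
     "Privileges": [{"Resource": {"Db": "mydatabase", "Collection": "mycollection"},
                     "Actions": ["insert", "find", "update"]}]},
    {"Id": "mydatabase.maintRole", "Roles": [{"Role": "dbOwner", "Db": "mydatabase"}],
     "Privileges": [{"Resource": {"Db": "mydatabase", "Collection": ""},
                     "Actions": ["find", "remove", "dropDatabase"]}]},
]
SAMPLE_USERS = [
    {"UserName": "myUser", "Roles": [{"Role": "readWriteRole", "Db": "mydatabase"}]},
    {"UserName": "svcMaint", "Roles": [{"Role": "maintRole", "Db": "mydatabase"},
                                       {"Role": "userAdmin", "Db": "admin"}]},
]

def audit_role(role):
    """Return findings for one custom role definition."""
    issues = []
    for priv in role.get("Privileges", []):
        res, actions = priv.get("Resource", {}), set(priv.get("Actions", []))
        scope = f"{res.get('Db')}.{res.get('Collection') or '*'}"
        if not res.get("Collection"):
            issues.append(f"privilege scoped to all collections: {scope}")
        if actions & DESTRUCTIVE_ACTIONS:
            issues.append(f"destructive actions on {scope}: {sorted(actions & DESTRUCTIVE_ACTIONS)}")
    issues += [f"inherits privileged role {r['Role']} on {r.get('Db')}"
               for r in role.get("Roles", []) if r.get("Role") in PRIVILEGED_ROLES]
    return issues

def audit_user(user, roles):
    """Resolve a user's role references against the custom definitions and return findings."""
    by_id = {r["Id"]: r for r in roles}
    issues = []
    for ref in user.get("Roles", []):
        role_id = f"{ref['Db']}.{ref['Role']}"
        if role_id in by_id:
            issues += [f"via {role_id}: {i}" for i in audit_role(by_id[role_id])]
        elif ref["Role"] in PRIVILEGED_ROLES:
            issues.append(f"directly assigned privileged role {role_id}")
    return issues
```

Feeding it the output of `az cosmosdb mongodb role definition list` and `az cosmosdb mongodb user definition list` turns it into a periodic check that newly written definitions have not widened access.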
{{#include ../../../banners/hacktricks-training.md}}