Prema dokumentaciji:Azure App Service je HTTP bazirana usluga za hostovanje veb aplikacija, REST API-ja i mobilnih back end-ova. Možete razvijati u vašem omiljenom jeziku, bilo da je to .NET, .NET Core, Java, Ruby, Node.js, PHP ili Python. Aplikacije se pokreću i skaliraju lako kako na Windows tako i na Linux baziranim okruženjima.
Svaka aplikacija se pokreće unutar sandbox-a, ali izolacija zavisi od App Service planova.
Aplikacije u Free i Shared tier-ima se pokreću na deljenim VM-ovima
Aplikacije u Standard i Premium tier-ima se pokreću na dedikovanim VM-ovima
Imajte na umu da ni jedna od ovih izolacija ne sprečava druge uobičajene web ranjivosti (kao što su upload fajlova ili injekcije). I ako se koristi upravljački identitet, može biti sposoban da ugrozi njegove dozvole.
Enumeracija
# List webappsazwebapplist## Less informationazwebapplist--query"[].{hostName: defaultHostName, state: state, name: name, resourcegroup: resourceGroup}"# Get access restrictionsazwebappconfigaccess-restrictionshow--resource-group<res-group>-n<name># Remove access restrictionsazwebappconfigaccess-restrictionremove--resource-group<res-group>-n<name>--rule-name<rule-name># Get snapshotsazwebappconfigsnapshotlist--resource-group<res-group>-n<name># Restore snapshotazwebappconfigsnapshotrestore-g<res-group>-n<name>--time2018-12-11T23:34:16.8388367# Restart webappazwebapprestart--name<name>--resource-group<res-group>
# Get App Services and Function AppsGet-AzWebApp# Get only App ServicesGet-AzWebApp|?{$_.Kind-notmatch"functionapp"}
```bash #!/bin/bash
Get all App Service and Function Apps
Define Azure subscription ID
azure_subscription="your_subscription_id"
Log in to Azure
az login
Select Azure subscription
az account set --subscription $azure_subscription
Get all App Services in the specified subscription
list_app_services=$(az appservice list --query "[].{appServiceName: name, group: resourceGroup}" -o tsv)
Iterate over each App Service
echo "$list_app_services" | while IFS=$'\t' read -r appServiceName group; do
if [ "$service_type" == "functionapp" ]; then echo "Function App Name: $appServiceName" fi done
#### Dobijanje pristupnih podataka i pristup kodu veb aplikacije
To obtain credentials and gain access to the webapp code, you can follow these steps:
1. Use techniques like reconnaissance, enumeration, and scanning to gather information about the target Azure App Service.
2. Identify potential vulnerabilities or misconfigurations that could lead to unauthorized access.
3. Exploit any identified vulnerabilities or misconfigurations to gain access to the Azure App Service.
4. Once access is obtained, search for files or configuration settings that contain credentials or sensitive information.
5. Use techniques like password cracking, credential reuse, or social engineering to obtain valid credentials.
6. With valid credentials, you can access the webapp code and analyze it for potential security flaws or vulnerabilities.
Remember to always obtain proper authorization before performing any penetration testing activities.
```bash
# Get connection strings that could contain credentials (with DBs for example)
az webapp config connection-string list --name <name> --resource-group <res-group>
## Check how to use the DBs connection strings in the SQL page
# Get credentials to access the code and DB credentials if configured.
az webapp deployment list-publishing-profiles --resource-group <res-group> -n <name>
# Get git URL to access the code
az webapp deployment source config-local-git --resource-group <res-group> -n <name>
# Access/Modify the code via git
git clone 'https://<username>:<password>@name.scm.azurewebsites.net/repo-name.git'
## In my case the username was: $nameofthewebapp and the password some random chars
## If you change the code and do a push, the app is automatically redeployed
Pristup Docker kontejneru sa web aplikacijom putem ssh:
ssh-p<port><username>@<ip_address>
Zamenjati <port>, <username> i <ip_address> odgovarajućim vrednostima.
# Get ssh sessionazwebappcreate-remote-connection--subscription<SUBSCRIPTION-ID>--resource-group<RG-NAME>-n<APP-SERVICE-NAME>## If successfull you will get a message such as:#Verifying if app is running....#App is running. Trying to establish tunnel connection...#Opening tunnel on port: 39895#SSH is available { username: root, password: Docker! }## So from that machine ssh into that port (you might need generate a new ssh session to the jump host)sshroot@127.0.0.1-p39895
Osnovne informacije o funkcionalnim aplikacijama
Azure Functions je serverless rešenje koje vam omogućava da napišete manje koda, održavate manje infrastrukture i štedite na troškovima. Umesto brige o implementaciji i održavanju servera, cloud infrastruktura pruža sve potrebne resurse za održavanje vaših aplikacija.
U Azure portalu, integracija između Azure Functions i Azure API Management-a je olakšana, omogućavajući da se krajnje tačke funkcija sa HTTP okidačem izlažu kao REST API-ji. API-ji izloženi na ovaj način su opisani pomoću OpenAPI definicije, pružajući standardno, jezik-nezavisno sučelje za RESTful API-je.
Osim toga, funkcionalna aplikacija može imati određene krajnje tačke koje zahtevaju određeni nivo autentifikacije, kao što su "admin" ili "anonymous".
Napadač bi mogao pokušati da pristupi dozvoljenim anonimnim krajnjim tačkama kako bi zaobišao ograničenja i dobio pristup osetljivim podacima ili funkcionalnostima.
