Az - App Services

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

App Service Basic Information

Azure App Services omogućava programerima da prave, implementiraju i skaliraju web aplikacije, mobilne aplikacije i API-je bez problema. Podržava više programskih jezika i integriše se sa raznim Azure alatima i uslugama za poboljšanu funkcionalnost i upravljanje.

Svaka aplikacija radi unutar sandbox-a, ali izolacija zavisi od App Service planova

Aplikacije u Free i Shared nivoima rade na deljenim VM-ovima
Aplikacije u Standard i Premium nivoima rade na posvećenim VM-ovima

Napomena da nijedna od tih izolacija ne sprečava druge uobičajene web ranjivosti (kao što su upload fajlova ili injekcije). I ako se koristi identitet za upravljanje, može biti u mogućnosti da poveća privilegije na njih.

Azure Function Apps

U suštini, Azure Function aplikacije su podskup Azure App Service u web-u i ako odete na web konzolu i navedete sve app servise ili izvršite az webapp list u az cli, moći ćete da vidite da su Function aplikacije takođe navedene ovde.

U stvari, neke od bezbednosnih funkcija koje App servisi koriste (webapp u az cli), takođe koriste Function aplikacije.

Basic Authentication

Kada kreirate web aplikaciju (i obično Azure funkciju), moguće je naznačiti da želite da Basic Authentication bude omogućen. Ovo u suštini omogućava SCM i FTP za aplikaciju, tako da će biti moguće implementirati aplikaciju koristeći te tehnologije. Pored toga, da biste se povezali sa njima, Azure pruža API koji omogućava dobijanje korisničkog imena, lozinke i URL-a za povezivanje sa SCM i FTP serverima.

Authentication: az webapp auth show --name lol --resource-group lol_group

SSH

Always On

Debugging

Enumeration

# List webapps
az webapp list

## Less information
az webapp list --query "[].{hostName: defaultHostName, state: state, name: name, resourcegroup: resourceGroup}"

# Get info about 1 app
az webapp show --name <name> --resource-group <res-group>

# Get instances of a webapp
az webapp list-instances --name <name> --resource-group <res-group>
## If you have enough perm you can go to the "consoleUrl" and access a shell inside the instance form the web

# Get configured Auth information
az webapp auth show --name <app-name> --resource-group <res-group>

# Get access restrictions of an app
az webapp config access-restriction show --name <name> --resource-group <res-group>

# Remove access restrictions
az webapp config access-restriction remove --resource-group <res-group> -n <name> --rule-name <rule-name>

# Get appsettings of an app
az webapp config appsettings list --name <name> --resource-group <res-group>

# Get backups of a webapp
az webapp config backup list --webapp-name <name> --resource-group <res-group>

# Get backups scheduled for a webapp
az webapp config backup show --webapp-name <name> --resource-group <res-group>

# Get snapshots
az webapp config snapshot list --resource-group <res-group> -n <name>

# Restore snapshot
az webapp config snapshot restore -g <res-group> -n <name> --time 2018-12-11T23:34:16.8388367

# Get connection strings of a webapp
az webapp config connection-string list --name <name> --resource-group <res-group>

# Get used container by the app
az webapp config container show --name <name> --resource-group <res-group>

# Get storage account configurations of a webapp
az webapp config storage-account list --name <name> --resource-gl_group








# List all the functions
az functionapp list

# Get info of 1 funciton (although in the list you already get this info)
az functionapp show --name <app-name> --resource-group <res-group>
## If "linuxFxVersion" has something like: "DOCKER|mcr.microsoft.com/..."
## This is using a container

# Get details about the source of the function code
az functionapp deployment source show \
--name <app-name> \
--resource-group <res-group>
## If error like "This is currently not supported."
## Then, this is probalby using a container

# Get more info if a container is being used
az functionapp config container show \
--name <name> \
--resource-group <res-group>

# Get settings (and privesc to the sorage account)
az functionapp config appsettings list --name <app-name> --resource-group <res-group>

# Check if a domain was assigned to a function app
az functionapp config hostname list --webapp-name <app-name> --resource-group <res-group>

# Get SSL certificates
az functionapp config ssl list --resource-group <res-group>

# Get network restrictions
az functionapp config access-restriction show --name <app-name> --resource-group <res-group>

# Get more info about a function (invoke_url_template is the URL to invoke and script_href allows to see the code)
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/functions?api-version=2024-04-01"

# Get source code with Master Key of the function
curl "<script_href>?code=<master-key>"
## Python example
curl "https://newfuncttest123.azurewebsites.net/admin/vfs/home/site/wwwroot/function_app.py?code=<master-key>" -v

# Get source code
az rest --url "https://management.azure.com/<subscription>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/hostruntime/admin/vfs/function_app.py?relativePath=1&api-version=2022-03-01"

# Get App Services and Function Apps
Get-AzWebApp
# Get only App Services
Get-AzWebApp | ?{$_.Kind -notmatch "functionapp"}

#!/bin/bash

# Get all App Service and Function Apps

# Define Azure subscription ID
azure_subscription="your_subscription_id"

# Log in to Azure
az login

# Select Azure subscription
az account set --subscription $azure_subscription

# Get all App Services in the specified subscription
list_app_services=$(az appservice list --query "[].{appServiceName: name, group: resourceGroup}" -o tsv)

# Iterate over each App Service
echo "$list_app_services" | while IFS=$'\t' read -r appServiceName group; do
# Get the type of the App Service
service_type=$(az appservice show --name $appServiceName --resource-group $group --query "kind" -o tsv)

# Check if it is a Function App and print its name
if [ "$service_type" == "functionapp" ]; then
echo "Function App Name: $appServiceName"
fi
done

Dobijanje akreditiva i pristup kodu web aplikacije

# Get connection strings that could contain credentials (with DBs for example)
az webapp config connection-string list --name <name> --resource-group <res-group>
## Check how to use the DBs connection strings in the SQL page

# Get credentials to access the code and DB credentials if configured.
az webapp deployment list-publishing-profiles --resource-group <res-group> -n <name>


# Get git URL to access the code
az webapp deployment source config-local-git --resource-group <res-group> -n <name>

# Access/Modify the code via git
git clone 'https://<username>:<password>@name.scm.azurewebsites.net/repo-name.git'
## In my case the username was: $nameofthewebapp and the password some random chars
## If you change the code and do a push, the app is automatically redeployed

Eskalacija privilegija

Az - App Services Privesc

Reference

https://learn.microsoft.com/en-in/azure/app-service/overview

Podržite HackTricks

Proverite planove pretplate!
Pridružite se 💬 Discord grupi ili telegram grupi ili pratite nas na Twitteru 🐦 @hacktricks_live.
Podelite hakerske trikove slanjem PR-ova na HackTricks i HackTricks Cloud github repozitorijume.

PreviousAz - State Configuration RCE NextAz - Intune

Last updated 19 hours ago