From the docs:Azure App Service ni huduma ya HTTP kwa ajili ya kuendesha programu za wavuti, REST APIs, na nyuma za simu. Unaweza kuendeleza kwa lugha unayopenda, iwe ni .NET, .NET Core, Java, Ruby, Node.js, PHP, au Python. Programu zinaendesha na kupanuka kwa urahisi katika mazingira ya Windows na Linux.
Kila programu inafanya kazi ndani ya sandbox lakini kutengwa kunategemea mipango ya App Service
Programu katika ngazi za Bure na Kushiriki zinaendesha kwenye VMs zinazoshirikiwa
Programu katika ngazi za Kawaida na Premium zinaendesha kwenye VMs zilizotengwa
Note that none of those isolations prevents other common web vulnerabilities (such as file upload, or injections). And if a management identity is used, it could be able to compromise its permissions.
Enumeration
# List webappsazwebapplist## Less informationazwebapplist--query"[].{hostName: defaultHostName, state: state, name: name, resourcegroup: resourceGroup}"# Get access restrictionsazwebappconfigaccess-restrictionshow--resource-group<res-group>-n<name># Remove access restrictionsazwebappconfigaccess-restrictionremove--resource-group<res-group>-n<name>--rule-name<rule-name># Get snapshotsazwebappconfigsnapshotlist--resource-group<res-group>-n<name># Restore snapshotazwebappconfigsnapshotrestore-g<res-group>-n<name>--time2018-12-11T23:34:16.8388367# Restart webappazwebapprestart--name<name>--resource-group<res-group>
# Get App Services and Function AppsGet-AzWebApp# Get only App ServicesGet-AzWebApp|?{$_.Kind-notmatch"functionapp"}
#!/bin/bash# Get all App Service and Function Apps# Define Azure subscription IDazure_subscription="your_subscription_id"# Log in to Azureazlogin# Select Azure subscriptionazaccountset--subscription $azure_subscription# Get all App Services in the specified subscriptionlist_app_services=$(azappservicelist--query"[].{appServiceName: name, group: resourceGroup}"-otsv)# Iterate over each App Serviceecho"$list_app_services"|while IFS=$'\t'read-rappServiceNamegroup; do# Get the type of the App Serviceservice_type=$(azappserviceshow--name $appServiceName --resource-group $group --query"kind"-otsv)# Check if it is a Function App and print its nameif [ "$service_type"=="functionapp" ]; thenecho"Function App Name: $appServiceName"fidone
Pata akreditif na upate ufikiaji wa msimbo wa wavuti
# Get connection strings that could contain credentials (with DBs for example)azwebappconfigconnection-stringlist--name<name>--resource-group<res-group>## Check how to use the DBs connection strings in the SQL page# Get credentials to access the code and DB credentials if configured.azwebappdeploymentlist-publishing-profiles--resource-group<res-group>-n<name># Get git URL to access the codeazwebappdeploymentsourceconfig-local-git--resource-group<res-group>-n<name># Access/Modify the code via gitgitclone'https://<username>:<password>@name.scm.azurewebsites.net/repo-name.git'## In my case the username was: $nameofthewebapp and the password some random chars## If you change the code and do a push, the app is automatically redeployed
Upatikanaji wa kontena la Docker na webapp kupitia ssh:
# Get ssh sessionazwebappcreate-remote-connection--subscription<SUBSCRIPTION-ID>--resource-group<RG-NAME>-n<APP-SERVICE-NAME>## If successfull you will get a message such as:#Verifying if app is running....#App is running. Trying to establish tunnel connection...#Opening tunnel on port: 39895#SSH is available { username: root, password: Docker! }## So from that machine ssh into that port (you might need generate a new ssh session to the jump host)sshroot@127.0.0.1-p39895
Function Apps Basic Information
Azure Functions ni suluhisho la serverless linalokuruhusu kuandika msimbo kidogo, kudumisha miundombinu kidogo, na kuokoa gharama. Badala ya kuwa na wasiwasi kuhusu kupeleka na kudumisha seva, miundombinu ya wingu inatoa rasilimali zote za kisasa zinazohitajika ili kuweka programu zako zikifanya kazi.
Katika lango la Azure, ushirikiano kati ya Azure Functions na Azure API Management unarahisishwa, ukiruhusu HTTP trigger function endpoints kuonyeshwa kama REST APIs. APIs zinazonyeshwa kwa njia hii zinaelezewa kwa kutumia ufafanuzi wa OpenAPI, ikitoa kiolesura cha kawaida, kisicho na lugha kwa APIs za RESTful.
Function Apps zinasaidia Identiti Zinazosimamiwa.
Zaidi ya hayo, Function App inaweza kuwa na baadhi ya endpoints ambazo zinahitaji kiwango fulani cha uthibitisho, kama "admin" au "anonymous".
Mshambuliaji anaweza kujaribu kufikia anonymous allowed endpoints ili kupita vizuizi na kupata ufikiaji wa data nyeti au kazi.
