Az - Azure App Service & Function Apps


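App Service Basic Information

From the docs: Azure App Service is an HTTP-based service for hosting web applications, REST APIs, and mobile back ends. You can develop in your favorite language, be it .NET, .NET Core, Java, Ruby, Node.js, PHP, or Python. Applications run and scale with ease on both Windows and Linux-based environments.

Each app runs inside a sandbox, but the isolation depends on the App Service plan:

  • Apps in the Free and Shared tiers run on shared VMs

  • Apps in the Standard and Premium tiers run on dedicated VMs

Note that none of these isolation levels prevents other common web vulnerabilities (such as file upload or injection). If a managed identity is used, its permissions could be compromised.

Enumeration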

# List webapps
az webapp list

## Less information
az webapp list --query "[].{hostName: defaultHostName, state: state, name: name, resourcegroup: resourceGroup}"

# Get access restrictions
az webapp config access-restriction show --resource-group <res-group> -n <name>

# Remove access restrictions
az webapp config access-restriction remove --resource-group <res-group> -n <name> --rule-name <rule-name>

# Get snapshots
az webapp config snapshot list --resource-group <res-group> -n <name>

# Restore snapshot
az webapp config snapshot restore -g <res-group> -n <name> --time 2018-12-11T23:34:16.8388367

# Restart webapp
az webapp restart --name <name> --resource-group <res-group>

# Get App Services and Function Apps (Az PowerShell)
Get-AzWebApp
# Get only App Services
Get-AzWebApp | ?{$_.Kind -notmatch "functionapp"}

#!/bin/bash

# Get all App Services and print the ones that are Function Apps

# Define Azure subscription ID
azure_subscription="your_subscription_id"

# Log in to Azure
az login

# Select Azure subscription
az account set --subscription "$azure_subscription"

# Get all App Services in the specified subscription
# (`az webapp list` returns web apps and function apps; the array form of the
#  query keeps the TSV column order fixed)
list_app_services=$(az webapp list --query "[].[name, resourceGroup]" -o tsv)

# Iterate over each App Service
echo "$list_app_services" | while IFS=$'\t' read -r appServiceName group; do
    # Get the type of the App Service
    service_type=$(az webapp show --name "$appServiceName" --resource-group "$group" --query "kind" -o tsv)

    # Check if it is a Function App and print its name
    # (kind can carry suffixes such as "functionapp,linux", so match the substring)
    if [[ "$service_type" == *functionapp* ]]; then
        echo "Function App Name: $appServiceName"
    fi
done

Obtain credentials and access the web app code

# Get connection strings that could contain credentials (with DBs for example)
az webapp config connection-string list --name <name> --resource-group <res-group>
## Check how to use the DBs connection strings in the SQL page

# Get credentials to access the code and DB credentials if configured.
az webapp deployment list-publishing-profiles --resource-group <res-group> -n <name>


# Get git URL to access the code
az webapp deployment source config-local-git --resource-group <res-group> -n <name>

# Access/Modify the code via git
git clone 'https://<username>:<password>@name.scm.azurewebsites.net/repo-name.git'
## In my case the username was: $nameofthewebapp and the password some random chars
## If you change the code and do a push, the app is automatically redeployed

Access the Docker container that holds the web app via SSH:

# Get ssh session
az webapp create-remote-connection --subscription <SUBSCRIPTION-ID> --resource-group <RG-NAME> -n <APP-SERVICE-NAME>

## If successful you will get a message such as:
#Verifying if app is running....
#App is running. Trying to establish tunnel connection...
#Opening tunnel on port: 39895
#SSH is available { username: root, password: Docker! }

## So from that machine ssh into that port (you might need to generate a new ssh session to the jump host)
ssh root@127.0.0.1 -p 39895

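Function Apps Basic Information

Azure Functions is a serverless solution that allows you to write less code, maintain less infrastructure, and save on costs. Instead of worrying about deploying and maintaining servers, the cloud infrastructure provides all the up-to-date resources needed to keep your applications running.

In the Azure portal, the integration between Azure Functions and Azure API Management is streamlined, allowing HTTP trigger function endpoints to be exposed as REST APIs. APIs exposed this way are described with an OpenAPI definition, which provides a standard, language-agnostic interface to RESTful APIs.

Function Apps support managed identities.

In addition, a Function App may have specific endpoints that require a certain level of authentication, such as "admin" or "anonymous". An attacker may try to access the endpoints that allow anonymous access in order to bypass restrictions and reach sensitive data or functionality.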
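The following is an added example, not code from the original page: a defender-side audit that walks a Function App project, reads each function's function.json, and reports the authLevel of every HTTP trigger so anonymous endpoints can be reviewed before deployment. It assumes the function.json project layout (one folder per function); the sample project, function names and helper names are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

def audit_http_triggers(project_root):
    """Return (function_name, auth_level, methods) for every HTTP trigger found."""
    findings = []
    for cfg in sorted(Path(project_root).glob("*/function.json")):
        try:
            bindings = json.loads(cfg.read_text(encoding="utf-8")).get("bindings") or []
        except (json.JSONDecodeError, AttributeError):
            findings.append((cfg.parent.name, "unparseable", []))
            continue
        for b in bindings:
            if not isinstance(b, dict) or str(b.get("type", "")).lower() != "httptrigger":
                continue  # timers, queues, output bindings, etc. are not HTTP entry points
            raw = b.get("authLevel")
            level = str(raw).lower() if raw is not None else "unspecified"
            findings.append((cfg.parent.name, level, b.get("methods", [])))
    return findings

def needs_review(findings):
    """Names of functions whose trigger is not explicitly key-protected."""
    return [name for name, level, _ in findings if level not in ("function", "admin")]

def build_sample_project(root):
    """Constructed sample data: three HTTP functions plus one timer function."""
    samples = {
        "GetStatus": {"authLevel": "anonymous", "methods": ["get"]},
        "ExportUsers": {"authLevel": "function", "methods": ["post"]},
        "Cleanup": {"authLevel": "admin", "methods": ["post"]},
    }
    for name, extra in samples.items():
        d = Path(root) / name
        d.mkdir(parents=True)
        binding = {"type": "httpTrigger", "direction": "in", "name": "req", **extra}
        out = {"type": "http", "direction": "out", "name": "res"}
        (d / "function.json").write_text(json.dumps({"bindings": [binding, out]}))
    # A timer-triggered function; the audit must skip it
    nightly = Path(root) / "Nightly"
    nightly.mkdir()
    timer = {"type": "timerTrigger", "name": "t", "schedule": "0 0 2 * * *"}
    (nightly / "function.json").write_text(json.dumps({"bindings": [timer]}))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_project(tmp)
        for name, level, methods in audit_http_triggers(tmp):
            print(f"{name:12} authLevel={level:12} methods={methods}")
        print("Review:", needs_review(audit_http_triggers(tmp)))
```

Triggers reported as "unspecified" or "unparseable" are listed for manual review rather than assumed to be protected.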

Enumeration

# Get only Function Apps
Get-AzFunctionApp
