Az - SQL

Reading time: 11 minutes

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Azure SQL

Azure SQL is a family of managed, secure, and intelligent products that use the SQL Server database engine in the Azure cloud. This means you don't have to worry about the physical administration of your servers, and you can focus on managing your data.

Azure SQL consists of three main offerings:

  1. Azure SQL Database: This is a fully-managed database service, which allows you to host individual databases in the Azure cloud. It offers built-in intelligence that learns your unique database patterns and provides customized recommendations and automatic tuning.
  2. Azure SQL Managed Instance: This is for larger scale, entire SQL Server instance-scoped deployments. It provides near 100% compatibility with the latest SQL Server on-premises (Enterprise Edition) Database Engine, which provides a native virtual network (VNet) implementation that addresses common security concerns, and a business model favorable for on-premises SQL Server customers.
  3. Azure SQL Server on Azure VMs: This is Infrastructure as a Service (IaaS) and is best for migrations where you want control over the operating system and SQL Server instance, like it was a server running on-premises.

Azure SQL Database

Azure SQL Database is a fully managed database platform as a service (PaaS) that provides scalable and secure relational database solutions. It's built on the latest SQL Server technologies and eliminates the need for infrastructure management, making it a popular choice for cloud-based applications.

Key Features

  • Always Up-to-Date: Runs on the latest stable version of SQL Server and Receives new features and patches automatically.
  • PaaS Capabilities: Built-in high availability, backups, and updates.
  • Data Flexibility: Supports relational and non-relational data (e.g., graphs, JSON, spatial, and XML).

Purchasing Models / Service Tiers

  • vCore-based: Choose compute, memory, and storage independently. For General Purpose, Business Critical (with high resilience and performance for OLTP apps), and scales up to 128 TB storag
  • DTU-based: Bundles compute, memory, and I/O into fixed tiers. Balanced resources for common tasks.
    • Standard: Balanced resources for common tasks.
    • Premium: High performance for demanding workloads.

Deployment Models

Azure SQL Database supports flexible deployment options to suit various needs:

  • Single Database:
    • A fully isolated database with its own dedicated resources.
    • Great for microservices or applications requiring a single data source.
  • Elastic Pool:
    • Allows multiple databases to share resources within a pool.
    • Cost-efficient for applications with fluctuating usage patterns across multiple databases.

Scalable performance and pools

  • Single Databases: Each database is isolated and has its own dedicated compute, memory, and storage resources. Resources can be scaled dynamically (up or down) without downtime (1–128 vCores, 32 GB–4 TB storage, and up to 128 TB).
  • Elastic Pools: Share resources across multiple databases in a pool to maximize efficiency and save costs. Resources can also be scaled dynamically for the entire pool.
  • Service Tier Flexibility: Start small with a single database in the General Purpose tier. Upgrade to Business Critical or Hyperscale tiers as needs grow.
  • Scaling Options: Dynamic Scaling or Autoscaling Alternatives.

Built-In Monitoring & Optimization

  • Query Store: Tracks performance issues, identifies top resource consumers, and offers actionable recommendations.
  • Automatic Tuning: Proactively optimizes performance with features like automatic indexing and query plan corrections.
  • Telemetry Integration: Supports monitoring through Azure Monitor, Event Hubs, or Azure Storage for tailored insights.

Disaster Recovery & Availavility

  • Automatic backups: SQL Database automatically performs full, differential, and transaction log backups of databases
  • Point-in-Time Restore: Recover databases to any past state within the backup retention period.
  • Geo-Redundancy
  • Failover Groups: Simplifies disaster recovery by grouping databases for automatic failover across regions.

Azure SQL Managed Instance

Azure SQL Managed Instance is a Platform as a Service (PaaS) database engine that offers near 100% compatibility with SQL Server and handles most management tasks (e.g., upgrading, patching, backups, monitoring) automatically. It provides a cloud solution for migrating on-premises SQL Server databases with minimal changes.

Service Tiers

  • General Purpose: Cost-effective option for applications with standard I/O and latency requirements.
  • Business Critical: High-performance option with low I/O latency for critical workloads.

Advanced Security Features

* **Threat Protection**: Advanced Threat Protection alerts for suspicious activities and SQL injection attacks. Auditing to track and log database events for compliance.
* **Access Control**: Microsoft Entra authentication for centralized identity management. Row-Level Security and Dynamic Data Masking for granular access control.
* **Backups**: Automated and manual backups with point-in-time restore capability.

Azure SQL Virtual Machines

Azure SQL Virtual Machines is best for migrations where you want control over the operating system and SQL Server instance, like it was a server running on-premises. It can have different machine sizes, and a wide selection of SQL Server versions and editions.

Key Features

Automated Backup: Schedule backups for SQL databases. Automatic Patching: Automates the installation of Windows and SQL Server updates during a maintenance window. Azure Key Vault Integration: Automatically configures Key Vault for SQL Server VMs. Defender for Cloud Integration: View Defender for SQL recommendations in the portal. Version/Edition Flexibility: Change SQL Server version or edition metadata without redeploying the VM.

Security Features

Microsoft Defender for SQL: Security insights and alerts. Azure Key Vault Integration: Secure storage of credentials and encryption keys. Microsoft Entra (Azure AD): Authentication and access control.

Enumeration

bash
# List Servers
az sql server list # --output table
## List Server Usages
az sql server list-usages --name <server_name> --resource-group <resource_group>
## List Server Firewalls
az sql server firewall-rule list --resource-group <resource_group> --server <server_name>
## List of Azure Active Directory administrators in a server.
az sql server ad-admin list --resource-group <resource_group> --server <server_name>
## Gets an advanced threat protection
az sql server advanced-threat-protection-setting show --resource-group <resource_group> --name <server_name>
## Get server's auditing policy.
az sql server audit-policy show --resource-group <resource_group> --name <server_name>
## Gets a server's secure connection policy.
az sql server conn-policy show --resource-group <resource_group> --server <server_name>
## Gets a list of server DNS aliases for a server.
az sql server dns-alias list --resource-group <resource_group> --server <server_name>
## List of server keys.
az sql server key list --resource-group <resource_group> --server <server_name>
## Gets a server encryption protector.
az sql server tde-key show --resource-group <resource_group> --server <server_name>

# List Databases in a SQL server
az sql db list --server <server_name> --resource-group <resource_group> #--output table
## Get details of a specific database
az sql db show --name <database_name> --server <server_name> --resource-group <resource_group>
## List database usages
az sql db list-usages --name <database_name> --server <server_name> --resource-group <resource_group>
## List of operations performed on the database.
az sql db op list --database <database_name> --server <server_name> --resource-group <resource_group>
## List sql database classification
az sql db classification list --name <database_name> --server <server_name> --resource-group <resource_group>
## List long-term retention backups for a SQL database
az sql db ltr-backup list --database <database_name> --server <server_name> --resource-group <resource_group>
## List long-term retention policy
az sql db ltr-policy --name <database_name> --server <server_name> --resource-group <resource_group>
## List long-term retention policy
az sql db str-policy --name <database_name> --server <server_name> --resource-group <resource_group>
## List the replicas of a database and their replication status
az sql db replica list-links --name <database_name> --server <server_name> --resource-group <resource_group>
## List deleted SQL databases
az sql db list-deleted --server <server_name> --resource-group <resource_group>
## List database usages
az sql db list-usages --name <database_name> --server <server_name> --resource-group <resource_group>
## List restorable dropped databases in a SQL server
az sql db list-deleted --server <server_name> --resource-group <resource_group>
## List advanced threat protection setting show
az sql db advanced-threat-protection-setting --name <database_name> --server <server_name> --resource-group <resource_group>

# List all elastic pools in a SQL server
az sql elastic-pool list --server <server_name> --resource-group <resource_group> #--output table
## List all databases in a specific elastic pool
az sql elastic-pool show --name <elastic_pool_name>  --server <server_name> --resource-group <resource_group>
## List of databases in an elastic pool.
az sql elastic-pool list-dbs --name <elastic_pool_name>  --server <server_name> --resource-group <resource_group>

# List all managed Instances
az sql mi list
az sql mi show --resource-group <res-grp> --name <name>
az sql midb list
az sql midb show --resource-group <res-grp> --name <name>

# Lis all sql VM
az sql vm list
az sql vm show --resource-group <res-grp> --name <name>

Connect and run SQL queries

You could find a connection string (containing credentials) from example enumerating an Az WebApp:

powershell
function invoke-sql{
    param($query)
    $Connection_string = "Server=tcp:supercorp.database.windows.net,1433;Initial Catalog=flag;Persist Security Info=False;User ID=db_read;Password=gAegH!324fAG!#1fht;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;"
    $Connection = New-Object System.Data.SqlClient.SqlConnection $Connection_string
    $Connection.Open()
    $Command = New-Object System.Data.SqlClient.SqlCommand
    $Command.Connection = $Connection
    $Command.CommandText = $query
    $Reader = $Command.ExecuteReader()
    while ($Reader.Read()) {
        $Reader.GetValue(0)
    }
    $Connection.Close()
}

invoke-sql 'Select Distinct TABLE_NAME From information_schema.TABLES;'

You can also use sqlcmd to access the database. It is important to know if the server allows public connections az sql server show --name <server-name> --resource-group <resource-group>, and also if it the firewall rule let's our IP to access:

powershell
sqlcmd -S <sql-server>.database.windows.net -U <server-user> -P <server-passworkd> -d <database>

References

Privilege Escalation

Az - SQL Privesc

Post Exploitation

Az - SQL Post Exploitation

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks