Az - CosmosDB Post Exploitation

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

CosmosDB Post Exploitation

For more information about Cosmos DB check:

Az - CosmosDB

Microsoft.DocumentDB/databaseAccounts/read && Microsoft.DocumentDB/databaseAccounts/write

With this permission, you can create or update Azure Cosmos DB accounts. This includes modifying account-level configurations, enabling or disabling automatic failover, managing network access controls, setting backup policies, and adjusting consistency levels. Attackers with this permission could alter settings to weaken security controls, disrupt availability, or exfiltrate data by modifying network rules.

```bash
# Expose the account to the public internet (network rules still apply if any exist)
az cosmosdb update \
  --name <account_name> \
  --resource-group <resource_group_name> \
  --public-network-access ENABLED
```

```bash
# Add an account capability, e.g. Mongo role-based access control
az cosmosdb update \
  --name <account_name> \
  --resource-group <resource_group_name> \
  --capabilities EnableMongoRoleBasedAccessControl
```

Additionally, you can enable a managed identity on the account:

```bash
az cosmosdb identity assign \
    --name <cosmosdb_account_name> \
    --resource-group <resource_group_name>
```
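As an added example that is not part of the original page, a small Python audit of the account JSON printed by `az cosmosdb show --name <account_name> --resource-group <resource_group_name>`, flagging the account-level settings that the write permission above lets a caller change. The field names follow the account JSON `az` prints; the sample values are constructed.

```python
import json

# Constructed sample in the shape of `az cosmosdb show` output; the values are made up.
SAMPLE_ACCOUNT_JSON = """{
  "name": "example-cosmos",
  "publicNetworkAccess": "Enabled",
  "ipRules": [],
  "virtualNetworkRules": [],
  "disableLocalAuth": false,
  "capabilities": [{"name": "EnableMongo"}, {"name": "EnableMongoRoleBasedAccessControl"}],
  "identity": {"type": "SystemAssigned"}
}"""


def audit_account(account: dict) -> list[str]:
    """Return findings for the settings a databaseAccounts/write holder can flip."""
    findings = []
    if account.get("publicNetworkAccess") == "Enabled":
        if not account.get("ipRules") and not account.get("virtualNetworkRules"):
            # No firewall or VNet rule at all: reachable from any network with a key.
            findings.append("public network access enabled with no IP or VNet rules")
        else:
            findings.append("public network access enabled (limited by firewall/VNet rules)")
    if not account.get("disableLocalAuth", False):
        # Account keys still work, so a regenerated key gives full data-plane access.
        findings.append("local (key-based) auth enabled; keys grant full data-plane access")
    caps = {c.get("name") for c in account.get("capabilities", [])}
    if "EnableMongoRoleBasedAccessControl" in caps:
        findings.append("EnableMongoRoleBasedAccessControl set; review Mongo role definitions")
    identity_type = (account.get("identity") or {}).get("type", "None")
    if identity_type != "None":
        # A managed identity on the account is a credential; check what it can reach.
        findings.append(f"managed identity assigned ({identity_type}); review its role assignments")
    return findings


def audit_json(text: str) -> list[str]:
    """Parse the JSON printed by `az cosmosdb show` and audit it."""
    return audit_account(json.loads(text))


if __name__ == "__main__":
    for finding in audit_json(SAMPLE_ACCOUNT_JSON):
        print("-", finding)
```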

Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/read && Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/write

With this permission, you can create or modify containers (collections) within a SQL database of an Azure Cosmos DB account. Containers are used to store data, and changes to them can impact the database's structure and access patterns.

```bash
# Create
az cosmosdb sql container create \
  --account-name <account_name> \
  --resource-group <resource_group_name> \
  --database-name <database_name> \
  --name <container_name> \
  --partition-key-path <partition_key_path>

# Update
az cosmosdb sql container update \
  --account-name <account_name> \
  --resource-group <resource_group_name> \
  --database-name <database_name> \
  --name <container_name> \
  --ttl 3600
```

Microsoft.DocumentDB/databaseAccounts/sqlDatabases/write && Microsoft.DocumentDB/databaseAccounts/sqlDatabases/read

With this permission, you can create or modify SQL databases within an Azure Cosmos DB account. This allows for managing the database structure and adding new databases to the account. While this permission enables database creation, improper or unauthorized use could result in unnecessary resource consumption, increased costs, or operational inefficiencies.

```bash
az cosmosdb sql database create \
  --account-name <account_name> \
  --resource-group <resource_group_name> \
  --name <database_name>
```

Microsoft.DocumentDB/databaseAccounts/failoverPriorityChange/action

With this permission, you can change the failover priority of regions for an Azure Cosmos DB database account. This action determines the order in which regions become primary during a failover event. Improper use of this permission can disrupt the high availability of the database or lead to unintended operational impacts.

```bash
az cosmosdb failover-priority-change \
  --name <database_account_name> \
  --resource-group <resource_group_name> \
  --failover-policies <region1=priority1> <region2=priority2>
```

Microsoft.DocumentDB/databaseAccounts/regenerateKey/action

With this permission, you can regenerate the primary or secondary keys for an Azure Cosmos DB account. This is typically used to enhance security by replacing old keys, but it can disrupt access for services or applications that rely on the current keys.

```bash
az cosmosdb keys regenerate \
  --name <account_name> \
  --resource-group <resource_group_name> \
  --key-kind <primary|secondary>
```

Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/userDefinedFunctions/write && Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/userDefinedFunctions/read

With this permission, you can create or modify user-defined functions (UDFs) within a container of a SQL database in an Azure Cosmos DB account. UDFs are server-side JavaScript functions that can be called from queries against the container.

```bash
az cosmosdb sql user-defined-function create \
  --account-name <account_name> \
  --resource-group <resource_group_name> \
  --database-name <sql_database_name> \
  --container-name <container_name> \
  --name <udf_name> \
  --body 'function udf(value) { return value; }'
```

Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/storedProcedures/write && Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/storedProcedures/read

With this permission, you can create or modify stored procedures within a container of a SQL database in an Azure Cosmos DB account. Stored procedures in Cosmos DB are server-side JavaScript functions that allow you to encapsulate logic for processing data or performing operations directly within the database.

```bash
az cosmosdb sql stored-procedure create \
  --account-name <account_name> \
  --resource-group <resource_group_name> \
  --database-name <sql_database_name> \
  --container-name <container_name> \
  --name <stored_procedure_name> \
  --body 'function sample() { return "Hello, Cosmos!"; }'
```

Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/triggers/write && Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/triggers/read

With this permission, you can create or modify triggers within a container of a SQL database in an Azure Cosmos DB account. Triggers allow you to execute server-side logic in response to operations like inserts, updates, or deletes.

```bash
az cosmosdb sql trigger create \
  --account-name <account_name> \
  --resource-group <resource_group_name> \
  --database-name <sql_database_name> \
  --container-name <container_name> \
  --name <trigger_name> \
  --body 'function trigger() { var context = getContext(); var request = context.getRequest(); request.setBody("Triggered operation!"); }' \
  --type Pre \
  --operation All
```

Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/read && Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/write

With this permission, you can create or modify collections within MongoDB databases in an Azure Cosmos DB account. Collections are used to store documents and define the structure and partitioning for data.

```bash
az cosmosdb mongodb collection create \
  --account-name <account_name> \
  --resource-group <resource_group_name> \
  --database-name <mongodb_database_name> \
  --name <collection_name>
```

Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/write && Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/read

With this permission, you can create new MongoDB databases within an Azure Cosmos DB account. This allows for provisioning new databases to store and manage collections and documents.

```bash
az cosmosdb mongodb database create \
  --account-name <account_name> \
  --resource-group <resource_group_name> \
  --name <database_name>
```
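As an added example that is not part of the original page, a Python triage of Azure Activity Log records for the control-plane operations listed in the headings above, so a defender can spot key regeneration, failover reordering and server-side JavaScript deployments that were not planned. The records are constructed and simplified (operationName flattened to a string, placeholder callers and resource IDs); the operation names are the ones from this page.

```python
# Operations from this page worth alerting on, with a severity and what to verify.
WATCHED_OPERATIONS = {
    "Microsoft.DocumentDB/databaseAccounts/write":
        ("medium", "account settings changed: diff network access, capabilities, identity"),
    "Microsoft.DocumentDB/databaseAccounts/regenerateKey/action":
        ("high", "account key regenerated: confirm a planned rotation"),
    "Microsoft.DocumentDB/databaseAccounts/failoverPriorityChange/action":
        ("high", "failover order changed: verify against the DR plan"),
    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/triggers/write":
        ("high", "server-side trigger deployed: review its JavaScript body"),
    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/storedProcedures/write":
        ("high", "stored procedure deployed: review its JavaScript body"),
    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/userDefinedFunctions/write":
        ("high", "user-defined function deployed: review its JavaScript body"),
}

# Constructed, simplified Activity Log records; callers and resource IDs are placeholders.
SAMPLE_EVENTS = [
    {"operationName": "Microsoft.DocumentDB/databaseAccounts/regenerateKey/action",
     "status": "Succeeded", "caller": "user-a@example.com", "resourceId": "<account_id>"},
    {"operationName": "Microsoft.DocumentDB/databaseAccounts/read",
     "status": "Succeeded", "caller": "user-a@example.com", "resourceId": "<account_id>"},
    {"operationName": "Microsoft.DocumentDB/databaseAccounts/write",
     "status": "Succeeded", "caller": "ci-pipeline", "resourceId": "<account_id>"},
    {"operationName": "Microsoft.DocumentDB/databaseAccounts/failoverPriorityChange/action",
     "status": "Succeeded", "caller": "user-b@example.com", "resourceId": "<account_id>"},
    {"operationName": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/triggers/write",
     "status": "Succeeded", "caller": "user-b@example.com", "resourceId": "<container_id>"},
    {"operationName": "Microsoft.DocumentDB/databaseAccounts/regenerateKey/action",
     "status": "Failed", "caller": "user-c@example.com", "resourceId": "<account_id>"},
]


def triage(events, approved_callers=frozenset()):
    """Return alerts for successful watched operations, highest severity first."""
    alerts = []
    for event in events:
        op = event.get("operationName", "")
        # Only completed changes are alerted on; reads and failed attempts are skipped here.
        if op not in WATCHED_OPERATIONS or event.get("status") != "Succeeded":
            continue
        if event.get("caller") in approved_callers:
            continue  # known automation (deploy pipelines, rotation jobs)
        severity, why = WATCHED_OPERATIONS[op]
        alerts.append({"severity": severity, "operation": op, "caller": event.get("caller"),
                       "resource": event.get("resourceId"), "why": why})
    return sorted(alerts, key=lambda a: a["severity"] != "high")


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS, approved_callers={"ci-pipeline"}):
        print(f'[{alert["severity"]}] {alert["caller"]} {alert["operation"]}: {alert["why"]}')
```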
