Az - CosmosDB Post Exploitation


{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}

CosmosDB Post Exploitation

For more information about Cosmos DB check:

{% content-ref url="../az-services/az-cosmosDB.md" %} az-cosmosDB.md {% endcontent-ref %}

"Microsoft.DocumentDB/databaseAccounts/read" && "Microsoft.DocumentDB/databaseAccounts/write"

With this permission, you can create or update Azure Cosmos DB accounts. This includes modifying account-level settings, adding or removing regions, changing consistency levels, and enabling or disabling features like multi-region writes.

{% code overflow="wrap" %}
```bash
az cosmosdb update \
  --name <account_name> \
  --resource-group <resource_group_name> \
  --public-network-access ENABLED
```
{% endcode %}

"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/read" && "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/write"

With this permission, you can create or modify containers (collections) within a SQL database of an Azure Cosmos DB account. Containers are used to store data, and changes to them can impact the database's structure and access patterns.

{% code overflow="wrap" %}
```bash
# Create
az cosmosdb sql container create \
  --account-name <account_name> \
  --resource-group <resource_group_name> \
  --database-name <database_name> \
  --name <container_name> \
  --partition-key-path <partition_key_path>

# Update
az cosmosdb sql container update \
  --account-name <account_name> \
  --resource-group <resource_group_name> \
  --database-name <database_name> \
  --name <container_name> \
  --ttl 3600
```
{% endcode %}

"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/write" && "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/read"

With this permission, you can create or modify SQL databases within an Azure Cosmos DB account. This allows for managing the database structure and adding new databases to the account. While this permission enables database creation, improper or unauthorized use could result in unnecessary resource consumption, increased costs, or operational inefficiencies.

{% code overflow="wrap" %}
```bash
az cosmosdb sql database create \
  --account-name <account_name> \
  --resource-group <resource_group_name> \
  --name <database_name>
```
{% endcode %}

"Microsoft.DocumentDB/databaseAccounts/failoverPriorityChange/action"

With this permission, you can change the failover priority of regions for an Azure Cosmos DB database account. This action determines the order in which regions become primary during a failover event. Improper use of this permission can disrupt the high availability of the database or lead to unintended operational impacts.

{% code overflow="wrap" %}
```bash
az cosmosdb failover-priority-change \
  --name <database_account_name> \
  --resource-group <resource_group_name> \
  --failover-policies <region1=priority1> <region2=priority2>
```
{% endcode %}

"Microsoft.DocumentDB/databaseAccounts/regenerateKey/action"

With this permission, you can regenerate the primary or secondary keys for an Azure Cosmos DB account. This is typically used to enhance security by replacing old keys, but it can disrupt access for services or applications that rely on the current keys.

{% code overflow="wrap" %}
```bash
az cosmosdb keys regenerate \
  --name <account_name> \
  --resource-group <resource_group_name> \
  --key-kind <primary|secondary>
```
{% endcode %}

"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/userDefinedFunctions/write" && "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/userDefinedFunctions/read"

With this permission, you can create or modify user-defined functions (UDFs) within a container of a SQL database in an Azure Cosmos DB account. UDFs are server-side JavaScript functions that are invoked from queries (for example `SELECT udf.<udf_name>(c.field) FROM c`); unlike triggers and stored procedures they only compute values and cannot modify data.

{% code overflow="wrap" %}
```bash
az cosmosdb sql user-defined-function create \
  --account-name <account_name> \
  --resource-group <resource_group_name> \
  --database-name <sql_database_name> \
  --container-name <container_name> \
  --name <udf_name> \
  --body 'function udf(value) { return value.toUpperCase(); }'
```
{% endcode %}

"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/storedProcedures/write" && "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/storedProcedures/read"

With this permission, you can create or modify stored procedures within a container of a SQL database in an Azure Cosmos DB account. Stored procedures in Cosmos DB are server-side JavaScript functions that allow you to encapsulate logic for processing data or performing operations directly within the database.

{% code overflow="wrap" %}
```bash
az cosmosdb sql stored-procedure create \
  --account-name <account_name> \
  --resource-group <resource_group_name> \
  --database-name <sql_database_name> \
  --container-name <container_name> \
  --name <stored_procedure_name> \
  --body 'function sample() { return "Hello, Cosmos!"; }'
```
{% endcode %}

"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/triggers/write" && "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/triggers/read"

With this permission, you can create or modify triggers within a container of a SQL database in an Azure Cosmos DB account. Triggers allow you to execute server-side logic in response to operations like inserts, updates, or deletes.

{% code overflow="wrap" %}
```bash
az cosmosdb sql trigger create \
  --account-name <account_name> \
  --resource-group <resource_group_name> \
  --database-name <sql_database_name> \
  --container-name <container_name> \
  --name <trigger_name> \
  --body 'function trigger() { var context = getContext(); var request = context.getRequest(); request.setBody("Triggered operation!"); }' \
  --type Pre \
  --operation All
```
{% endcode %}

"Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/read" && "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/write"

With this permission, you can create or modify collections within MongoDB databases in an Azure Cosmos DB account. Collections are used to store documents and define the structure and partitioning for data.

{% code overflow="wrap" %}
```bash
az cosmosdb mongodb collection create \
  --account-name <account_name> \
  --resource-group <resource_group_name> \
  --database-name <mongodb_database_name> \
  --name <collection_name>
```
{% endcode %}

"Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/write" && "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/read"

With this permission, you can create new MongoDB databases within an Azure Cosmos DB account. This allows for provisioning new databases to store and manage collections and documents.

{% code overflow="wrap" %}
```bash
az cosmosdb mongodb database create \
  --account-name <account_name> \
  --resource-group <resource_group_name> \
  --name <database_name>
```
{% endcode %}

"Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write" && "Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/read"

With this permission, you can create new MongoDB role definitions within an Azure Cosmos DB account. This allows defining custom roles with specific permissions for MongoDB users.

{% code overflow="wrap" %}
```bash
az cosmosdb mongodb role definition create \
    --account-name <account_name> \
    --resource-group <resource_group_name> \
    --body '{
        "Id": "<mydatabase>.readWriteRole",
        "RoleName": "readWriteRole",
        "Type": "CustomRole",
        "DatabaseName": "<mydatabase>",
        "Privileges": [
            {
                "Resource": {
                    "Db": "<mydatabase>",
                    "Collection": "mycollection"
                },
                "Actions": [
                    "insert",
                    "find",
                    "update"
                ]
            }
        ],
        "Roles": []
    }'
```
{% endcode %}

"Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write" && "Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/read"

With this permission, you can create new MongoDB user definitions within an Azure Cosmos DB account. This allows the provisioning of users with specific roles and access levels to MongoDB databases.

{% code overflow="wrap" %}
```bash
az cosmosdb mongodb user definition create \
    --account-name <account_name> \
    --resource-group <resource_group_name> \
    --body '{
        "Id": "<mydatabase>.myUser",
        "UserName": "myUser",
        "Password": "mySecurePassword",
        "DatabaseName": "<mydatabase>",
        "CustomData": "TestCustomData",
        "Mechanisms": "SCRAM-SHA-256",
        "Roles": [
            {
                "Role": "readWriteRole",
                "Db": "<mydatabase>"
            }
        ]
    }'
```
{% endcode %}
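All of the write and action operations above land in the Azure Activity Log, which is where a defender catches them. As an added example (not from this page or from HackTricks), here is a small detector that flags those operations in Activity Log records: the operation names come from this page, the log records are constructed sample data, and the `expected_callers` allow-list is a hypothetical parameter for identities that legitimately deploy Cosmos DB changes.

```python
import json

# Control-plane operations from this page, with why a defender cares about each.
SENSITIVE_OPERATIONS = {
    "Microsoft.DocumentDB/databaseAccounts/write": "account settings changed (network access, regions, consistency)",
    "Microsoft.DocumentDB/databaseAccounts/regenerateKey/action": "account keys rotated; current key holders lose access",
    "Microsoft.DocumentDB/databaseAccounts/failoverPriorityChange/action": "failover order changed; availability impact",
    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/triggers/write": "server-side trigger created or modified",
    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/storedProcedures/write": "stored procedure created or modified",
    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/userDefinedFunctions/write": "UDF created or modified",
    "Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write": "custom MongoDB role created or modified",
    "Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write": "MongoDB user created or modified",
}

def flag_events(records, expected_callers=frozenset()):
    """Return one finding per successful sensitive operation. Callers in expected_callers
    (a hypothetical allow-list, e.g. a deployment pipeline) are rated 'review', not 'alert'."""
    findings = []
    for rec in records:
        op = rec.get("operationName", {}).get("value", "")
        if op not in SENSITIVE_OPERATIONS:
            continue  # reads and unrelated operations are ignored
        if rec.get("status", {}).get("value") != "Succeeded":
            continue  # 'Started' is emitted for the same event; only the completed change counts
        caller = rec.get("caller", "<unknown>")
        findings.append({
            "time": rec.get("eventTimestamp"),
            "caller": caller,
            "operation": op,
            "resource": rec.get("resourceId"),
            "why": SENSITIVE_OPERATIONS[op],
            "severity": "review" if caller in expected_callers else "alert",
        })
    return findings

# Constructed Activity Log records (not real data); only the fields used above are included.
SAMPLE_RECORDS = json.loads("""[
 {"eventTimestamp": "2024-05-01T10:00:00Z", "caller": "user@contoso.example", "status": {"value": "Succeeded"},
  "operationName": {"value": "Microsoft.DocumentDB/databaseAccounts/regenerateKey/action"}, "resourceId": "/subscriptions/<sub>/resourceGroups/rg1/providers/Microsoft.DocumentDB/databaseAccounts/acct1"},
 {"eventTimestamp": "2024-05-01T10:01:00Z", "caller": "user@contoso.example", "status": {"value": "Succeeded"},
  "operationName": {"value": "Microsoft.DocumentDB/databaseAccounts/read"}, "resourceId": "/subscriptions/<sub>/resourceGroups/rg1/providers/Microsoft.DocumentDB/databaseAccounts/acct1"},
 {"eventTimestamp": "2024-05-01T10:02:00Z", "caller": "pipeline@contoso.example", "status": {"value": "Started"},
  "operationName": {"value": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/triggers/write"}, "resourceId": "/subscriptions/<sub>/resourceGroups/rg1/providers/Microsoft.DocumentDB/databaseAccounts/acct1/sqlDatabases/db1/containers/c1"},
 {"eventTimestamp": "2024-05-01T10:02:05Z", "caller": "pipeline@contoso.example", "status": {"value": "Succeeded"},
  "operationName": {"value": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/triggers/write"}, "resourceId": "/subscriptions/<sub>/resourceGroups/rg1/providers/Microsoft.DocumentDB/databaseAccounts/acct1/sqlDatabases/db1/containers/c1"}
]""")

if __name__ == "__main__":
    for f in flag_events(SAMPLE_RECORDS, expected_callers={"pipeline@contoso.example"}):
        print(f["severity"].upper(), f["time"], f["caller"], f["operation"], "-", f["why"])
```

In a real deployment the records come from an Activity Log export (Event Hub, Log Analytics or `az monitor activity-log list`) rather than an embedded string.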
