Az - Logic Apps Privesc


tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Logic Apps Privesc

For more information about Logic Apps check:

Az - Logic Apps

(Microsoft.Resources/subscriptions/resourcegroups/read, Microsoft.Logic/workflows/read, Microsoft.Logic/workflows/write && Microsoft.ManagedIdentity/userAssignedIdentities/assign/action) && (Microsoft.Logic/workflows/triggers/run/action)

With these permissions, you can create or update Azure Logic Apps workflows. Workflows define automated processes and integrations between various systems and services, so whoever can write a workflow definition controls what the Logic App (and any managed identity assigned to it) does.

```bash
# Create a new workflow from a JSON definition file
az logic workflow create \
  --resource-group <resource_group_name> \
  --name <workflow_name> \
  --definition <workflow_definition_file.json> \
  --location <location>

# Overwrite the definition of an existing workflow
az logic workflow update \
  --name <workflow_name> \
  --resource-group <resource_group_name> \
  --definition <workflow_definition_file.json>
```

And after changing it, you can run it with:

```bash
# Fire the workflow's trigger through the ARM REST API (needs triggers/run/action)
az rest \
  --method post \
  --uri "https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.Logic/workflows/{logicAppName}/triggers/{triggerName}/run?api-version=2016-10-01" \
  --body '{}' \
  --headers "Content-Type=application/json"
```

(Microsoft.Web/sites/read, Microsoft.Web/sites/basicPublishingCredentialsPolicies/read, Microsoft.Web/sites/write, Microsoft.Web/sites/config/list/action) && (Microsoft.Web/sites/start/action)

With these permissions, you can deploy Logic App (Standard) workflows using ZIP file deployments. They allow reading the app details, accessing the publishing credentials, writing changes and listing the app configuration. Combined with the start permission, you can push a new ZIP package with the desired content and start the app so it runs.

```bash
# Push a ZIP package containing the workflow files to the Logic App (Standard) site
az logicapp deployment source config-zip \
  --name <logic_app_name> \
  --resource-group <resource_group_name> \
  --src <path_to_zip_file>
```
