Az - MySQL Databases
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Azure MySQL
Azure Database for MySQL is a fully managed relational database service based on the MySQL Community Edition, designed to provide scalability, security, and flexibility for various application needs. It has two different deployment models:
- Single Server (on the retirement path):
  - Optimized for cost-effective and easy-to-manage MySQL deployments.
  - Features include automated backups, high availability, and basic monitoring.
  - Ideal for applications with predictable workloads.
- Flexible Server:
  - Provides more control over database management and configuration.
  - Supports high availability (same-zone and zone-redundant).
  - Features elastic scaling, patch management, and workload optimization.
  - Offers stop/start functionality for cost savings.
Key Features
- Server Management: The ad-admin feature manages Azure Active Directory (AAD) administrators for MySQL servers, controlling administrative access via AAD credentials. The identity feature assigns and manages Azure Managed Identities, which offer secure, credential-free authentication for accessing Azure resources.
- Lifecycle Management: options to start or stop a server, delete a flexible server instance, restart a server to quickly apply configuration changes, and wait to ensure a server meets specific conditions before proceeding with automation scripts.
- Security and Networking: can manage server firewall rules for secure database access and detach virtual network configurations as needed.
- Data Protection and Backup: includes options to manage flexible server backups for data recovery, perform geo-restore to recover a server in a different region, export server backups for external use (in Preview), and restore a server from backup to a specific point in time.
Enumeration
{% tabs %} {% tab title="az cli" %} {% code overflow="wrap" %}
# List all flexible-servers
az mysql flexible-server list --resource-group <resource-group-name>
# List databases in a flexible-server
az mysql flexible-server db list --resource-group <resource-group-name> --server-name <server_name>
# Show specific details of a MySQL database
az mysql flexible-server db show --resource-group <resource-group-name> --server-name <server_name> --database-name <database_name>
# List firewall rules of a server
az mysql flexible-server firewall-rule list --resource-group <resource-group-name> --name <server_name>
# List all ad-admin in a server
az mysql flexible-server ad-admin list --resource-group <resource-group-name> --server-name <server_name>
# List all user assigned managed identities from the server
az mysql flexible-server identity list --resource-group <resource-group-name> --server-name <server_name>
# List the server backups
az mysql flexible-server backup list --resource-group <resource-group-name> --name <server_name>
# List all read replicas for a given server
az mysql flexible-server replica list --resource-group <resource-group-name> --name <server_name>
# Get the server's advanced threat protection setting
az mysql flexible-server advanced-threat-protection-setting show --resource-group <resource-group-name> --name <server_name>
# List all of the maintenances of a flexible server
az mysql flexible-server maintenance list --resource-group <resource-group-name> --server-name <server_name>
# List log files for a server.
az mysql flexible-server server-logs list --resource-group <resource-group-name> --server-name <server_name>
{% endcode %} {% endtab %}
{% tab title="Az PowerShell" %} {% code overflow="wrap" %}
Get-Command -Module Az.MySql
# Get all flexible servers in a resource group
Get-AzMySqlFlexibleServer -ResourceGroupName <resource-group-name>
# List databases in a specific flexible server
Get-AzMySqlFlexibleServerDatabase -ResourceGroupName <resource-group-name> -ServerName <server_name>
# Get details of a specific database in a flexible server
Get-AzMySqlFlexibleServerDatabase -ResourceGroupName <resource-group-name> -ServerName <server_name> -DatabaseName <database_name>
# List all firewall rules for a flexible server
Get-AzMySqlFlexibleServerFirewallRule -ResourceGroupName <resource-group-name> -ServerName <server_name>
# Get the identity information of a flexible server
Get-AzMySqlFlexibleServerIdentity -ResourceGroupName <resource-group-name> -ServerName <server_name>
# Get the server's advanced threat protection setting
Get-AzMySqlFlexibleServerAdvancedThreatProtection -ResourceGroupName <resource-group-name> -ServerName <server_name>
# List configuration settings of a flexible server
Get-AzMySqlFlexibleServerConfiguration -ResourceGroupName <resource-group-name> -ServerName <server_name>
# Get the connection string for a flexible server
Get-AzMySqlFlexibleServerConnectionString -ResourceGroupName <resource-group-name> -ServerName <server_name> -Client <client>
# List all read replicas for a given server
Get-AzMySqlFlexibleServerReplica -ResourceGroupName <resource-group-name> -ServerName <server_name>
# Get the maintenance window details for a flexible server
Get-AzMySqlFlexibleServerMaintenanceWindow -ResourceGroupName <resource-group-name> -ServerName <server_name>
# List log files for a server
Get-AzMySqlFlexibleServerLog -ResourceGroupName <resource-group-name> -ServerName <server_name>
{% endcode %} {% endtab %} {% endtabs %}
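A defensive check over the JSON that the `firewall-rule list` command above returns, as an added example that is not part of the original page: it flags the rules that expose the server most widely. The function name, the sample rules and the 256-address threshold are assumptions made for illustration; only the `name`, `startIpAddress` and `endIpAddress` fields are read.

```python
import ipaddress
import json

# Constructed sample shaped like the output of
# `az mysql flexible-server firewall-rule list -o json`
# (rule names and addresses are made up; documentation ranges are used).
SAMPLE_RULES = json.loads("""
[
  {"name": "AllowAllAzureServices", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
  {"name": "allow-all", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
  {"name": "office", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"},
  {"name": "vendor-range", "startIpAddress": "198.51.100.0", "endIpAddress": "198.51.103.255"},
  {"name": "partner", "startIpAddress": "192.0.2.0", "endIpAddress": "192.0.2.255"}
]
""")

MAX_ADDRESSES = 256  # assumed review threshold: anything wider than a /24


def audit_firewall_rules(rules, max_addresses=MAX_ADDRESSES):
    """Return (rule name, severity, reason) for each rule worth reviewing."""
    findings = []
    for rule in rules:
        start = int(ipaddress.IPv4Address(rule["startIpAddress"]))
        end = int(ipaddress.IPv4Address(rule["endIpAddress"]))
        size = end - start + 1
        if start == 0 and end == 0:
            # 0.0.0.0-0.0.0.0 is Azure's marker for "allow public access from
            # any Azure service", which includes other customers' subscriptions.
            findings.append((rule["name"], "high", "any Azure-hosted source"))
        elif start == 0 and end == 2**32 - 1:
            findings.append((rule["name"], "critical", "entire IPv4 internet"))
        elif size > max_addresses:
            findings.append((rule["name"], "medium", f"{size} addresses allowed"))
    return findings


if __name__ == "__main__":
    for name, severity, reason in audit_firewall_rules(SAMPLE_RULES):
        print(f"[{severity}] {name}: {reason}")
```

To audit a real server, save the command's `-o json` output to a file and pass the result of `json.load` to `audit_firewall_rules` instead of `SAMPLE_RULES`.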
Connection
With the extension rdbms-connect you can access the database with:
{% code overflow="wrap" %}
az mysql flexible-server connect -n <server-name> -u <username> -p <password> --interactive
# Or execute commands
az mysql flexible-server execute \
-n <server-name> \
-u <username> \
-p "<password>" \
-d <database-name> \
--querytext "SELECT * FROM <table-name>;"
{% endcode %}
Or with the native MySQL client:
{% code overflow="wrap" %}
mysql -h <server-name>.mysql.database.azure.com -P 3306 -u <username> -p
{% endcode %}
You can also execute queries through a GitHub Actions workflow, but the username and password are still required. Create a SQL file with the query to run and then:
{% code overflow="wrap" %}
# Setup
az mysql flexible-server deploy setup \
-s <server-name> \
-g <resource-group> \
-u <admin-user> \
-p "<admin-password>" \
--sql-file <path-to-sql-file> \
--repo <github-username/repository-name> \
--branch <branch-name> \
--action-name <action-name> \
--allow-push
# Run it
az mysql flexible-server deploy run \
--action-name <action-name> \
--branch <branch-name>
{% endcode %}
Privilege Escalation
{% content-ref url="../az-privilege-escalation/az-mysql-privesc.md" %} az-mysql-privesc.md {% endcontent-ref %}
Post Exploitation
{% content-ref url="../az-post-exploitation/az-mysql-post-exploitation.md" %} az-sql-mysql-exploitation.md {% endcontent-ref %}
ToDo
- Look for a way to access with mysql flexible-server ad-admin to verify whether it's a privesc method