Az - CosmosDB Privesc

Reading time: 4 minutes

CosmosDB Privesc

Kwa maelezo zaidi kuhusu SQL Database angalia:

Az - CosmosDB

(Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write, Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/read) & (Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write, Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/read)

Kwa ruhusa hizi unaweza kuongeza hadhi kwa kumpa mtumiaji ruhusa za kutekeleza maswali na kuungana na hifadhidata. Kwanza, jukumu la ufafanuzi linaundwa likitoa ruhusa na mipaka inayohitajika.

az cosmosdb sql role definition create \
--account-name <account_name> \
--resource-group <resource_group_name> \
--body '{
"Id": "<Random-Unique-ID>", # For example 12345678-1234-1234-1234-123456789az
"RoleName": "CustomReadRole",
"Type": "CustomRole",
"AssignableScopes": [
"/subscriptions/<subscription_id>/resourceGroups/sqldatabase/providers/Microsoft.DocumentDB/databaseAccounts/<account_name>"
],
"Permissions": [
{
"DataActions": [
"Microsoft.DocumentDB/databaseAccounts/readMetadata",
"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read",
"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*"
]
}
]
}'

Baada ya hapo, ugawaji wa ufafanuzi unatolewa kwa mtumiaji. Baada ya hii, mtumiaji huyo anaweza kutumia njia ya muunganisho ya DefaultAzureCredential() kutekeleza maswali.

az cosmosdb sql role assignment create \
--account-name <account_name> \
--resource-group <resource_group_name> \
--role-definition-id <Random-Unique-ID-used-in-definition> \
--principal-id <principal_id-togive-perms> \
--scope "/"

(Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write && Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/read)&& (Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write && Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/read)

Kwa ruhusa hii, unaweza kuunda ufafanuzi mpya wa majukumu ya MongoDB ndani ya akaunti ya Azure Cosmos DB. Hii inaruhusu kufafanua majukumu maalum yenye ruhusa maalum kwa watumiaji wa MongoDB. Kazi za RBAC lazima ziwe zimewezeshwa ili kutumia hii.

az cosmosdb mongodb role definition create \
--account-name <account_name> \
--resource-group <resource_group_name> \
--body '{
"Id": "<mydatabase>.readWriteRole",
"RoleName": "readWriteRole",
"Type": "CustomRole",
"DatabaseName": "<mydatabase>",
"Privileges": [
{
"Resource": {
"Db": "<mydatabase>",
"Collection": "mycollection"
},
"Actions": [
"insert",
"find",
"update"
]
}
],
"Roles": []
}'

Unaweza kuunda ufafanuzi mpya wa mtumiaji wa MongoDB ndani ya akaunti ya Azure Cosmos DB. Hii inaruhusu ugawaji wa watumiaji wenye majukumu maalum na ufikiaji wa hifadhidata za MongoDB.

az cosmosdb mongodb user definition create \
--account-name <account_name> \
--resource-group <resource_group_name> \
--body '{
"Id": "<mydatabase>.myUser",
"UserName": "<myUser>",
"Password": "<mySecurePassword>",
"DatabaseName": "<mydatabase>",
"CustomData": "TestCustomData",
"Mechanisms": "SCRAM-SHA-256",
"Roles": [
{
"Role": "readWriteRole",
"Db": "<mydatabase>"
}
]
}'

Baada ya hapo, mtumiaji mpya anaundwa ndani ya MongoDB, tunaweza kuufikia:

mongosh "mongodb://<myUser>:<mySecurePassword>@<account_name>.mongo.cosmos.azure.com:10255/<mymongodatabase>?ssl=true&replicaSet=globaldb&retrywrites=false"

Microsoft.DocumentDB/databaseAccounts/listKeys/action

Kwa ruhusa hii, unaweza kupata funguo za msingi na za pili za akaunti ya Azure Cosmos DB. Funguo hizi zinatoa ufikiaji kamili kwa akaunti ya hifadhidata na rasilimali zake, zikihusisha vitendo kama vile kusoma data, kuandika, na mabadiliko ya usanidi.

az cosmosdb keys list \
--name <account_name> \
--resource-group <resource_group_name>