Az - CosmosDB


tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Azure CosmosDB

Azure Cosmos DB is a fully managed NoSQL, relational and vector database that offers single-digit millisecond response times, automatic scaling and SLA-backed availability together with enterprise-grade security. It speeds up application development through multi-region data distribution, open-source APIs, SDKs for popular languages and AI database features such as built-in vector support and integration with Azure AI.

Azure Cosmos DB exposes several database APIs so that data can be modelled as documents, relations, key-value pairs, graphs or column families. These APIs are NoSQL, MongoDB, PostgreSQL, Cassandra, Gremlin and Table.

One of the key components of Cosmos DB is the Azure Cosmos account. The account is the entry point to the databases: it fixes fundamental settings such as global distribution, consistency level and the API that will be used (for example NoSQL). Through the account you can configure global replication so that data is available in several regions for low-latency access, and you can choose the consistency level that balances performance against data correctness, with options ranging from Strong to Eventual consistency.

Azure Cosmos DB supports user-assigned and system-assigned managed identities; the latter are created automatically and tied to the lifecycle of the resource. However, Cosmos DB has no built-in mechanism to query external data sources such as Azure Blob Storage directly. Unlike SQL Server external tables, Cosmos DB requires the data to be ingested into its containers with external tooling such as Azure Data Factory, the Data Migration Tool or custom scripts before it can be queried with its native query capabilities.

NoSQL

The Azure Cosmos DB NoSQL API is a document-oriented API that uses JSON as its data format. It offers a SQL-like query syntax over the JSON items, which makes it suitable for both structured and unstructured data. The service endpoint is:

bash
https://<Account-Name>.documents.azure.com:443/

Databases

Inside an account you can create one or more databases, which act as logical groups of containers. A database is a boundary for resource management and user permissions. Databases can let several containers share a pool of provisioned throughput or give each container its own dedicated throughput.

Containers

The basic unit of data storage is the container, which holds the JSON items and is indexed automatically for efficient querying. Containers scale out easily and are split into partitions driven by a user-defined partition key. The partition key is critical for good performance and an even distribution of the data. For example, a container may store customer data with "customerId" as the partition key.

Key Features

  • Global Distribution: enable or disable Geo-Redundancy for cross-region replication and Multi-region Writes for better availability.
  • Networking & Security: choose between a public endpoint (all networks/selected networks) or a private endpoint for connectivity. Connections are secured with TLS 1.2. CORS (Cross-Origin Resource Sharing) is supported for controlled access to resources. Microsoft Defender for Cloud can be enabled. To connect you can use the account keys.
  • Backup & Recovery: choose between Periodic, Continuous (7 days) or Continuous (30 days) backup policies with configurable intervals and retention.
  • Data Encryption: service-managed keys by default or customer-managed keys (CMK) for encryption (the CMK choice cannot be changed afterwards).

Enumeration

bash
# Cosmos DB account
## List Azure Cosmos DB database accounts
az cosmosdb list --resource-group <ResourceGroupName>
az cosmosdb show --resource-group <ResourceGroupName> --name <AccountName>

## List the virtual network rules associated with a Cosmos DB account
az cosmosdb network-rule list --resource-group <ResourceGroupName> --name <AccountName>
## List the access keys (read-write and read-only) of an Azure Cosmos DB account
az cosmosdb keys list --name <AccountName> --resource-group <ResourceGroupName>
## List all the database accounts that can be restored
az cosmosdb restorable-database-account list --account-name <AccountName>
## Show the managed identities of an Azure Cosmos DB database account
az cosmosdb identity show --resource-group <ResourceGroupName> --name <AccountName>


# Cosmos DB (NoSQL)
## List the NoSQL databases under an Azure Cosmos DB account
az cosmosdb sql database list --resource-group <ResourceGroupName> --account-name <AccountName>
## List the NoSQL containers under an Azure Cosmos DB NoSQL database
az cosmosdb sql container list --account-name <AccountName> --database-name <DatabaseName> --resource-group <ResourceGroupName>

## List all NoSQL data-plane role assignments under an Azure Cosmos DB account
az cosmosdb sql role assignment list --resource-group <ResourceGroupName> --account-name <AccountName>
## List all NoSQL data-plane role definitions under an Azure Cosmos DB account
az cosmosdb sql role definition list --resource-group <ResourceGroupName> --account-name <AccountName>

## List the NoSQL stored procedures under an Azure Cosmos DB NoSQL container
az cosmosdb sql stored-procedure list --account-name <AccountName> --container-name <ContainerName> --database-name <DatabaseName> --resource-group <ResourceGroupName>
## List the NoSQL triggers under an Azure Cosmos DB NoSQL container
az cosmosdb sql trigger list --account-name <AccountName> --container-name <ContainerName> --database-name <DatabaseName> --resource-group <ResourceGroupName>
## List the NoSQL user defined functions under an Azure Cosmos DB NoSQL container
az cosmosdb sql user-defined-function list --account-name <AccountName> --container-name <ContainerName> --database-name <DatabaseName> --resource-group <ResourceGroupName>


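The settings listed under Key Features all surface in the JSON returned by `az cosmosdb show`. The script below is an added example (not code from the page) that triages that output for the posture an attacker cares about: public endpoint with no IP/VNet filter, account keys still accepted (`disableLocalAuth`), weak minimal TLS, service-managed encryption keys, periodic-only backups, an attached managed identity (a pivot target) and wildcard CORS. The property names are the real DatabaseAccount ARM properties; the `SAMPLE_ACCOUNT` document and every value in it are constructed.

```python
"""Triage `az cosmosdb show` output for risky account settings.

Added example, not part of the original page. SAMPLE_ACCOUNT is constructed
by hand to mimic the CLI output: the property names are the real
DatabaseAccount ARM properties, the values are invented.
"""
import json

SAMPLE_ACCOUNT = json.loads(r"""
{
  "name": "victim-cosmos",
  "kind": "GlobalDocumentDB",
  "publicNetworkAccess": "Enabled",
  "disableLocalAuth": false,
  "isVirtualNetworkFilterEnabled": false,
  "ipRules": [],
  "virtualNetworkRules": [],
  "minimalTlsVersion": "Tls12",
  "keyVaultKeyUri": null,
  "backupPolicy": {"type": "Periodic"},
  "enableMultipleWriteLocations": false,
  "identity": {"type": "SystemAssigned", "principalId": "11111111-2222-3333-4444-555555555555"},
  "cors": [{"allowedOrigins": "*"}]
}
""")


def triage_account(acct: dict) -> list[str]:
    """Return human-readable findings, network exposure first."""
    findings = []

    # Network exposure: a public endpoint with neither IP rules nor a VNet
    # filter means the data plane is reachable from anywhere on the Internet.
    if acct.get("publicNetworkAccess", "Enabled") == "Enabled":
        if not acct.get("ipRules") and not acct.get("isVirtualNetworkFilterEnabled"):
            findings.append("public endpoint with no IP or VNet filter")
        else:
            findings.append("public endpoint restricted by IP/VNet rules")

    # Authentication: while disableLocalAuth is false, anyone who obtains a
    # primary/secondary key (az cosmosdb keys list, app configs, leaked
    # connection strings) has full data-plane access without Entra ID.
    if not acct.get("disableLocalAuth", False):
        findings.append("account keys accepted (disableLocalAuth=false)")

    # Transport: Tls12 is the only value that should appear here.
    tls = acct.get("minimalTlsVersion", "Tls12")
    if tls != "Tls12":
        findings.append(f"weak minimal TLS version: {tls}")

    # Encryption at rest: keyVaultKeyUri is set only when CMK is configured.
    if not acct.get("keyVaultKeyUri"):
        findings.append("service-managed encryption keys (no CMK)")

    # Recovery: Periodic backups cannot do point-in-time restore.
    if (acct.get("backupPolicy") or {}).get("type") == "Periodic":
        findings.append("periodic backups only (no point-in-time restore)")

    # A managed identity on the account is a pivot: whatever it can reach
    # (e.g. Key Vault for CMK), a compromised account can reach too.
    ident = (acct.get("identity") or {}).get("type", "None")
    if ident != "None":
        findings.append(f"managed identity attached: {ident}")

    # CORS "*" lets any web origin talk to the REST endpoint from a browser.
    for rule in acct.get("cors") or []:
        if rule.get("allowedOrigins") == "*":
            findings.append("CORS allows any origin")
    return findings


if __name__ == "__main__":
    for finding in triage_account(SAMPLE_ACCOUNT):
        print("[!]", finding)
```

To run it against a real account, replace `SAMPLE_ACCOUNT` with `json.load(sys.stdin)` and pipe in `az cosmosdb show --name <AccountName> --resource-group <ResourceGroupName> -o json`.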

Connection

The account has 2 types of keys, read-write (primary and secondary) and read-only. Each grants its level of access to every database, container and item in the Cosmos DB account, so whoever holds a read-write key has full data-plane access. To connect, the azure-cosmos library (pip install azure-cosmos) is required, together with the service endpoint and one of the keys.

python
from azure.cosmos import CosmosClient

# Connection details (endpoint from the account, key from `az cosmosdb keys list`)
endpoint = "<your-account-endpoint>"
key = "<your-account-key>"

# Initialize the Cosmos client with key-based (master key) authentication
client = CosmosClient(endpoint, key)

# Access an existing database and container
database_name = '<SampleDB>'
container_name = '<SampleContainer>'
database = client.get_database_client(database_name)
container = database.get_container_client(container_name)

# Insert multiple documents (upsert overwrites an item that already has the same id)
items_to_insert = [
    {"id": "1", "name": "Sample Item", "description": "This is a sample document."},
    {"id": "2", "name": "Another Sample Item", "description": "This is another sample document."},
    {"id": "3", "name": "Sample Item", "description": "This is a duplicate name sample document."},
]

for item in items_to_insert:
    container.upsert_item(item)

# Query all documents (cross-partition, since no partition key value is supplied)
query = "SELECT * FROM c"
all_items = list(container.query_items(
    query=query,
    enable_cross_partition_query=True
))

# Print all queried items
print("All items in the container:")
for item in all_items:
    print(item)
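The SDK hides what the key actually does on the wire: every REST request carries an HMAC-SHA256 signature over the verb, resource type, resource link and date, computed with the base64-decoded master key. Building that header yourself is handy when all you have is a leaked key and curl or an intercepting proxy. The Python below is an added example, not code from the page; the signing scheme is Microsoft's documented REST authorization for master keys, whereas the account name (`ENDPOINT`), `FAKE_KEY` and the dates used in the assertions are constructed.

```python
"""Build the Authorization header for raw Cosmos DB NoSQL REST calls with a master key.

Added example, not part of the original page. ENDPOINT and FAKE_KEY are
constructed; the signing scheme is the one the REST API documents.
"""
import base64
import hashlib
import hmac
import urllib.parse
from datetime import datetime, timezone

ENDPOINT = "https://victim-cosmos.documents.azure.com:443"   # constructed account name
FAKE_KEY = base64.b64encode(b"\x01" * 64).decode()           # real keys: 64 random bytes, base64


def rfc1123_now() -> str:
    # Sent as x-ms-date; the same string (lowercased) is part of the signed payload.
    return datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")


def build_payload(verb: str, resource_type: str, resource_link: str, date: str) -> str:
    # Verb, resource type and date are lowercased; the resource link keeps its case.
    return f"{verb.lower()}\n{resource_type.lower()}\n{resource_link}\n{date.lower()}\n\n"


def sign_payload(master_key_b64: str, payload: str) -> str:
    key = base64.b64decode(master_key_b64)
    digest = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def auth_header(master_key_b64: str, verb: str, resource_type: str, resource_link: str, date: str) -> str:
    sig = sign_payload(master_key_b64, build_payload(verb, resource_type, resource_link, date))
    # The whole value is URL-encoded, '=' and '&' included.
    return urllib.parse.quote(f"type=master&ver=1.0&sig={sig}", safe="")


def request_headers(master_key_b64: str, verb: str, resource_type: str, resource_link: str,
                    date: str = "", query: bool = False) -> dict:
    date = date or rfc1123_now()
    headers = {
        "Authorization": auth_header(master_key_b64, verb, resource_type, resource_link, date),
        "x-ms-date": date,
        "x-ms-version": "2018-12-31",
    }
    if query:   # SQL query over the items of a container
        headers.update({
            "Content-Type": "application/query+json",
            "x-ms-documentdb-isquery": "True",
            "x-ms-documentdb-query-enablecrosspartition": "True",
        })
    return headers


def curl_list_databases(master_key_b64: str, date: str = "") -> str:
    # GET /dbs -> resource type "dbs", resource link "" (account level)
    h = request_headers(master_key_b64, "GET", "dbs", "", date)
    flags = " ".join(f"-H '{k}: {v}'" for k, v in h.items())
    return f"curl {flags} {ENDPOINT}/dbs"


def curl_query_items(master_key_b64: str, db: str, coll: str, sql: str, date: str = "") -> str:
    # POST /dbs/{db}/colls/{coll}/docs -> resource type "docs", resource link "dbs/{db}/colls/{coll}"
    link = f"dbs/{db}/colls/{coll}"
    h = request_headers(master_key_b64, "POST", "docs", link, date, query=True)
    flags = " ".join(f"-H '{k}: {v}'" for k, v in h.items())
    body = '{"query": "%s"}' % sql.replace('"', '\\"')
    return f"curl {flags} -d '{body}' {ENDPOINT}/{link}/docs"


if __name__ == "__main__":
    print(curl_list_databases(FAKE_KEY))
    print(curl_query_items(FAKE_KEY, "SampleDB", "SampleContainer", "SELECT TOP 5 * FROM c"))
```

The date in the signed payload must be the exact x-ms-date value you send (the service rejects requests whose date drifts by more than a few minutes), and the resource link is case-sensitive while verb and resource type are not.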

Another way to establish the connection is DefaultAzureCredential(). It only requires being logged in (az login) with an account that has permissions and running the script. In this case a data-plane role assignment that grants the required permissions must exist for that principal (see the Privilege Escalation section for details).

python
from azure.identity import DefaultAzureCredential
from azure.cosmos import CosmosClient

# Use Microsoft Entra ID (Azure AD) for authentication: DefaultAzureCredential picks up
# the az login session, environment variables or a managed identity
credential = DefaultAzureCredential()
endpoint = "<your-account-endpoint>"
client = CosmosClient(endpoint, credential)

# Access database and container (the principal needs a Cosmos DB data-plane role assignment)
database_name = "<mydatabase>"
container_name = "<mycontainer>"
database = client.get_database_client(database_name)
container = database.get_container_client(container_name)

# Insert a document
item = {
    "id": "1",
    "name": "Sample Item",
    "description": "This is a test item."
}
container.create_item(item)
print("Document inserted.")
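To see who actually has data-plane access through Entra ID (the prerequisite for the DefaultAzureCredential path above), combine the output of `az cosmosdb sql role definition list` and `az cosmosdb sql role assignment list`. The Python below is an added example, not code from the page: it resolves each assignment to the data actions its role grants, flags write capability, and takes the assignment scope into account (a writer on one container is a very different finding from a writer on the whole account). The two lists are constructed to mirror the CLI output; the built-in role ids ending in 0001 (Data Reader) and 0002 (Data Contributor) and the action names are the real ones, while the subscription path, the custom role and the principal ids are invented.

```python
"""Resolve Cosmos DB NoSQL data-plane role assignments to effective rights.

Added example, not part of the original page. ROLE_DEFINITIONS and
ROLE_ASSIGNMENTS are constructed to look like `az cosmosdb sql role
definition list` / `az cosmosdb sql role assignment list` output; the
subscription path, custom role and principal ids are invented.
"""
ACCOUNT = "/subscriptions/sub/resourceGroups/rg/providers/Microsoft.DocumentDB/databaseAccounts/victim-cosmos"

ROLE_DEFINITIONS = [
    {   # built-in role, real id and actions
        "id": f"{ACCOUNT}/sqlRoleDefinitions/00000000-0000-0000-0000-000000000001",
        "roleName": "Cosmos DB Built-in Data Reader",
        "permissions": [{"dataActions": [
            "Microsoft.DocumentDB/databaseAccounts/readMetadata",
            "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read",
            "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/executeQuery",
            "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/readChangeFeed",
        ]}],
    },
    {   # built-in role, real id and actions
        "id": f"{ACCOUNT}/sqlRoleDefinitions/00000000-0000-0000-0000-000000000002",
        "roleName": "Cosmos DB Built-in Data Contributor",
        "permissions": [{"dataActions": [
            "Microsoft.DocumentDB/databaseAccounts/readMetadata",
            "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*",
            "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*",
        ]}],
    },
    {   # invented custom role that may only upsert items
        "id": f"{ACCOUNT}/sqlRoleDefinitions/aaaaaaaa-0000-0000-0000-000000000003",
        "roleName": "OrdersUpserter",
        "permissions": [{"dataActions": [
            "Microsoft.DocumentDB/databaseAccounts/readMetadata",
            "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/upsert",
        ]}],
    },
]

ROLE_ASSIGNMENTS = [
    {"principalId": "reader-app", "roleDefinitionId": ROLE_DEFINITIONS[0]["id"], "scope": ACCOUNT},
    {"principalId": "orders-func", "roleDefinitionId": ROLE_DEFINITIONS[2]["id"],
     "scope": f"{ACCOUNT}/dbs/shop/colls/orders"},
    {"principalId": "ops-group", "roleDefinitionId": ROLE_DEFINITIONS[1]["id"], "scope": ACCOUNT},
]

# Any data action ending in one of these lets the holder change data.
WRITE_SUFFIXES = ("/items/*", "/items/create", "/items/replace", "/items/upsert",
                  "/items/delete", "/containers/*", "/sqlDatabases/*")


def scope_kind(scope: str) -> str:
    """Assignment scopes are the account id, optionally followed by /dbs/<db>[/colls/<coll>]."""
    if "/colls/" in scope:
        return "container"
    if "/dbs/" in scope:
        return "database"
    return "account"


def resolve(definitions: list[dict], assignments: list[dict]) -> list[dict]:
    by_id = {d["id"].lower(): d for d in definitions}
    resolved = []
    for a in assignments:
        d = by_id.get(a["roleDefinitionId"].lower())
        actions = [act for p in (d or {}).get("permissions", []) for act in p.get("dataActions", [])]
        resolved.append({
            "principalId": a["principalId"],
            "roleName": d["roleName"] if d else "<unknown role>",
            "scope": scope_kind(a["scope"]),
            "write": any(act.endswith(s) for act in actions for s in WRITE_SUFFIXES),
            "actions": actions,
        })
    return resolved


def account_wide_writers(resolved: list[dict]) -> list[str]:
    """Principals that can modify data in every container of the account."""
    return sorted({r["principalId"] for r in resolved if r["write"] and r["scope"] == "account"})


if __name__ == "__main__":
    rows = resolve(ROLE_DEFINITIONS, ROLE_ASSIGNMENTS)
    for r in rows:
        print(f"{r['principalId']:12} {r['roleName']:36} scope={r['scope']:9} write={r['write']}")
    print("account-wide writers:", account_wide_writers(rows))
```

Principals listed as account-wide writers are the ones whose tokens (or whose compromised workloads) give the same reach as a read-write key; that is where a DefaultAzureCredential login from an attacker-controlled host pays off.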

MongoDB

The Cosmos DB API for MongoDB is a document-oriented API that uses BSON (Binary JSON) as its data format. It offers a query language with aggregation capabilities, suitable for structured, semi-structured and unstructured data. The service endpoint usually follows this format:

bash
mongodb://<hostname>:<port>/<database>

Databases

In MongoDB you can create one or more databases inside an instance. Each database acts as a logical group of collections and provides a boundary for organisation and resource management. Databases help to isolate and manage data logically, for example per application or project.

Collections

The basic unit of data storage in MongoDB is the collection, which holds documents and is built for efficient querying with a flexible schema. Collections scale easily and support high-throughput operations in a distributed architecture.

Key Features of Request unit (RU) type

  • Global Distribution: enable or disable Geo-Redundancy for cross-region replication and Multi-region Writes for better availability.
  • Networking & Security: choose between a public endpoint (all networks/selected networks) or a private endpoint for connectivity. Connections are secured with TLS 1.2. CORS (Cross-Origin Resource Sharing) is supported for controlled access to resources. To connect you can use the account keys.
  • Backup & Recovery: choose between Periodic, Continuous (7 days, free) or Continuous (30 days, paid) backup policies with configurable intervals and retention.
  • Data Encryption: service-managed keys by default or customer-managed keys (CMK) for encryption (the CMK choice cannot be changed afterwards).

Key Features of vCore cluster type

  • Global Distribution: enable a read replica in another Azure region for high availability and failover support. Configure the replica name, region and storage per shard.
  • Networking & Security: supports public access from allowed public IPs and private access. Connectivity is restricted with firewall rules; by default no public IP is allowed.
  • Encrypted Connections: TLS encryption is enforced for data in transit.

Enumeration

bash
# Cosmos DB account: same account-level enumeration as in the NoSQL section above
# (az cosmosdb list/show, network-rule list, keys list, restorable-database-account list, identity show)

## MongoDB (RU)
# List all MongoDB databases in a specified Azure Cosmos DB account
az cosmosdb mongodb database list --account-name <AccountName> --resource-group <ResourceGroupName>
# List all collections in a specific MongoDB database within an Azure Cosmos DB account
az cosmosdb mongodb collection list --account-name <AccountName> --database-name <DatabaseName> --resource-group <ResourceGroupName>

# MongoDB RBAC (the EnableMongoRoleBasedAccessControl capability) must be enabled on the account for the next two
# List all role definitions for MongoDB within an Azure Cosmos DB account
az cosmosdb mongodb role definition list --account-name <AccountName> --resource-group <ResourceGroupName>
# List all user definitions for MongoDB within an Azure Cosmos DB account
az cosmosdb mongodb user definition list --account-name <AccountName> --resource-group <ResourceGroupName>

## MongoDB (vCore)
# Install the az cli extension that provides the mongocluster commands
az extension add --name cosmosdb-preview
# List all vCore clusters (optionally within a resource group) and show one of them
az cosmosdb mongocluster list
az cosmosdb mongocluster show --cluster-name <name> --resource-group <ResourceGroupName>
# Get firewall rules
az cosmosdb mongocluster firewall rule list --cluster-name <name> --resource-group <ResourceGroupName>
# Connect to it. The string below is the RU endpoint (username = account name, password = account key);
# a vCore cluster instead uses its own admin user/password and the <cluster-name>.mongocluster.cosmos.azure.com host
brew install mongosh
mongosh "mongodb://<username>:<password>@<account-name>.mongo.cosmos.azure.com:10255/?ssl=true&replicaSet=globaldb&retryWrites=false"

Connection

The RU flavour of MongoDB in Cosmos DB has 2 types of keys, read-write (primary and secondary) and read-only. Each grants its level of access to every database, collection and document in the Cosmos DB account. As the password you can use one of the keys, or a user created as described in the privesc section.

python
from pymongo import MongoClient

# Connection string for an RU account (retryWrites=false is required by Cosmos DB).
# For a vCore cluster the host is <cluster-name>.mongocluster.cosmos.azure.com over mongodb+srv.
connection_string = "mongodb://<account-name>.mongo.cosmos.azure.com:10255/?ssl=true&replicaSet=globaldb&retryWrites=false"

# Create the client. For a vCore cluster the username and password are the ones
# defined on the cluster. For a Request Unit (RU) account the username is the
# account name and the password is one of the Cosmos DB account keys.
client = MongoClient(connection_string, username="<username>", password="<password>")

# Access the database
db = client['<database>']

# Access a collection
collection = db['<collection>']

# Insert a single document
document = {
    "name": "John Doe",
    "email": "johndoe@example.com",
    "age": 30,
    "address": {
        "street": "123 Main St",
        "city": "Somewhere",
        "state": "CA",
        "zip": "90210"
    }
}

# Insert document
result = collection.insert_one(document)
print(f"Inserted document with ID: {result.inserted_id}")

Or using a user created inside Mongo:

bash
mongosh "mongodb://<myUser>:<mySecurePassword>@<account_name>.mongo.cosmos.azure.com:10255/<mymongodatabase>?ssl=true&replicaSet=globaldb&retrywrites=false"
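Whether you hold an account key (RU) or a database user (vCore), the credentials end up in a MongoDB URI, and a URI leaked from an app config is usually how a tester first meets one. The Python below is an added example, not code from the page: it builds both URI shapes with correct percent-encoding (account keys are base64 and contain `+`, `/` and `=`, which mongosh and pymongo reject when unescaped in the userinfo part) and dissects a URI found in the wild into flavour, user, secret, database and TLS flag. The RU host and options are the ones used on this page; the vCore host form `<cluster>.mongocluster.cosmos.azure.com` with `mongodb+srv` is the documented one. Account, cluster, key and password values are constructed.

```python
"""Build and dissect Cosmos DB for MongoDB connection strings.

Added example, not part of the original page. Account name, cluster name,
key and password are constructed; the host/option shapes are the documented
RU (<account>.mongo.cosmos.azure.com:10255) and vCore
(<cluster>.mongocluster.cosmos.azure.com) ones.
"""
from urllib.parse import parse_qs, quote_plus, unquote_plus, urlparse

RU_HOST_SUFFIX = ".mongo.cosmos.azure.com"
VCORE_HOST_SUFFIX = ".mongocluster.cosmos.azure.com"


def ru_uri(account: str, key: str, database: str = "") -> str:
    """RU accounts: username is the account name, password is a primary/secondary key."""
    # Keys are base64 and routinely contain '+', '/' and '=', which must be
    # percent-encoded inside the userinfo part or the driver rejects the URI.
    return (f"mongodb://{quote_plus(account)}:{quote_plus(key)}@{account}{RU_HOST_SUFFIX}:10255/"
            f"{database}?ssl=true&replicaSet=globaldb&retrywrites=false")


def vcore_uri(cluster: str, user: str, password: str) -> str:
    """vCore clusters: a regular MongoDB user (e.g. the admin set at creation) over SRV."""
    return (f"mongodb+srv://{quote_plus(user)}:{quote_plus(password)}@{cluster}{VCORE_HOST_SUFFIX}/"
            "?tls=true&authMechanism=SCRAM-SHA-256&retrywrites=false&maxIdleTimeMS=120000")


def dissect(uri: str) -> dict:
    """Pull the useful bits out of a URI found in a config file or environment variable."""
    p = urlparse(uri)
    host = p.hostname or ""
    if host.endswith(RU_HOST_SUFFIX):
        flavour = "RU"        # the secret is an account key: full access to the whole account
    elif host.endswith(VCORE_HOST_SUFFIX):
        flavour = "vCore"     # the secret is a per-user password
    else:
        flavour = "unknown"
    opts = {k: v[0] for k, v in parse_qs(p.query).items()}
    tls = (opts.get("tls") or opts.get("ssl") or "false").lower() == "true"
    return {
        "flavour": flavour,
        "user": unquote_plus(p.username or ""),
        "secret": unquote_plus(p.password or ""),
        "host": host,
        "port": p.port,
        "database": p.path.strip("/") or None,
        "tls": tls,
    }


if __name__ == "__main__":
    # Constructed key with the shape of a Cosmos key (base64 with '+', '/' and '='), not a real one.
    fake_key = "Ab12+cd/EF34gh=="
    print(ru_uri("victim-cosmos", fake_key))
    print(dissect(ru_uri("victim-cosmos", fake_key)))
    print(dissect(vcore_uri("victim-cluster", "clusteradmin", "P@ss:word")))
```

When `dissect` reports flavour RU, the secret is an account key rather than a scoped user password, so it is worth checking it against `az cosmosdb keys list` to learn whether it is the read-write or the read-only one.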

Privilege Escalation

Az - CosmosDB Privesc

Post Exploitation

Az - SQL Post Exploitation

ToDo

  • Other DB sections here: Table, Cassandra, Gremlin...
  • Check post-exploitation of "Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write" && "Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/read" and of the role definitions, because there may be a privesc there
  • Check restore
