Az - SQL

tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Azure SQL

Azure SQL is a family of managed, secure, and intelligent products that use the SQL Server database engine in the Azure cloud. This means you don't have to worry about the physical administration of your servers, and you can focus on managing your data.

Azure SQL consists of four main offerings:

  1. Azure SQL Server: A server is needed for the deployment and management of SQL Server databases.
  2. Azure SQL Database: This is a fully managed database service that lets you host individual databases in the Azure cloud.
  3. Azure SQL Managed Instance: This is for larger-scale deployments scoped to an entire SQL Server instance.
  4. Azure SQL Server on Azure VMs: This is best for architectures where you want control over the operating system and the SQL Server instance.

SQL Server Security Features

Network access:

  • Public endpoint (access can be limited to specific networks).
  • Private endpoints.
  • It is also possible to restrict connections based on domain names.
  • It is also possible to allow Azure services to access it (such as using the Query editor in the portal or allowing an Azure VM to connect).

Authentication methods:

  • Microsoft Entra-only authentication: You need to indicate the Entra principals that will have access to the service.
  • Both SQL and Microsoft Entra authentication: Traditional SQL authentication with username and password alongside Microsoft Entra.
  • Only SQL authentication: Only allow access via database users.

Note that if any SQL authentication is allowed, an admin user (username + password) needs to be indicated, and if Entra ID authentication is selected, at least one principal with admin access must also be indicated.

Encryption:

  • It is called "Transparent data encryption" and it encrypts databases, backups, and logs at rest.

  • As always, an Azure-managed key is used by default, but a customer-managed encryption key (CMEK) can also be used.

Managed Identities:

  • It is possible to assign system-assigned and user-assigned managed identities (MIs).

  • They are used to access the encryption key (if a CMEK is used) and other services from the databases.

  • For some examples of the Azure services that can be accessed from the database, check this page of the docs.

  • If more than one UMI is assigned, it is possible to indicate the default one to use.

  • It is possible to configure a federated client identity for cross-tenant access.

Some commands to access information inside a blob storage from a SQL database:

sql
-- Create a credential for the managed identity
CREATE DATABASE SCOPED CREDENTIAL [ManagedIdentityCredential]
WITH IDENTITY = 'Managed Identity';
GO

-- Create an external data source pointing to the blob storage to access
CREATE EXTERNAL DATA SOURCE ManagedIdentity
WITH (
    TYPE = BLOB_STORAGE,
    LOCATION = 'https://testsqlidentity.blob.core.windows.net/sqlcontainer',
    CREDENTIAL = ManagedIdentityCredential
);
GO

-- Read a file from the storage and return it
SELECT *
FROM OPENROWSET(
    BULK 'message.txt',
    DATA_SOURCE = 'ManagedIdentity',
    SINGLE_CLOB
) AS DataFile;
GO

Microsoft Defender:

  • Useful for “mitigating potential database vulnerabilities, and detecting anomalous activities”
  • We will talk about Defender in its own lesson (it can be enabled in several other Azure services)

Backups:

  • Backup frequency is managed in the retention policies.

Deleted databases:

  • It is possible to restore DBs that have been deleted from existing backups.

Azure SQL Database

Azure SQL Database is a fully managed database platform as a service (PaaS) that provides scalable and secure relational database solutions. It is built on the latest SQL Server technologies and eliminates the need for infrastructure management, making it a popular choice for cloud-based applications.

To create a SQL database you need to indicate the SQL server where it will be hosted.

SQL Database Security Features

  • Always Up-to-Date: Runs on the latest version of SQL Server and receives new features and patches automatically.
  • Inherited SQL Server security features:
      • Authentication (SQL and/or Entra ID)
      • Assigned Managed Identities
      • Network restrictions
      • Encryption
      • Backups
  • Data redundancy: Options are local, zone, Geo or Geo-Zone redundant.
  • Ledger: It cryptographically verifies the integrity of data, ensuring that any change is detected. Useful for financial, medical and any other organization managing sensitive data.

A SQL database can be part of an elastic pool. Elastic pools are a cost-effective solution for managing multiple databases by sharing configurable compute (eDTUs) and storage resources among them, with pricing based on the resources allocated rather than the number of databases.

Azure SQL Column Level Security (Masking) & Row Level Security

Azure SQL's dynamic data masking is a feature that helps protect sensitive information by hiding it from unauthorized users. Instead of altering the actual data, it dynamically masks the displayed data, ensuring that sensitive details like credit card numbers are obscured.

Dynamic Data Masking affects all users except the ones that are unmasked (these users need to be indicated) and administrators. It has a configuration option that specifies which SQL users are exempt from dynamic data masking, with administrators always excluded.

Azure SQL Row Level Security (RLS) is a feature that controls which rows a user can view or modify, ensuring each user only sees the data relevant to them. By creating security policies with filter or block predicates, organizations can enforce fine-grained access at the database level.
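The two features described above can be seen working together in the following T-SQL, which is an added example and not part of the original page. The table dbo.Customers, the schema Security, the predicate function, the policy name and the users SupportUser and AuditUser are all constructed for illustration.

```sql
-- Added example: every object, schema and user name below is constructed.
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY PRIMARY KEY,
    OwnerUser  SYSNAME       NOT NULL,  -- database user that owns the row
    Email      NVARCHAR(100) MASKED WITH (FUNCTION = 'email()') NOT NULL,
    CardNumber VARCHAR(19)   MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)') NOT NULL
);
GO
-- Constructed sample rows, one per owner.
INSERT INTO dbo.Customers (OwnerUser, Email, CardNumber) VALUES
    (N'SupportUser', N'alice@example.com', '4111-1111-1111-1111'),
    (N'AuditUser',   N'bob@example.com',   '5500-0000-0000-0004');
GO
-- Two users without logins: only AuditUser is exempted from masking.
CREATE USER SupportUser WITHOUT LOGIN;
CREATE USER AuditUser   WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO SupportUser, AuditUser;
GRANT UNMASK TO AuditUser;
GO
-- RLS: the predicate is an inline table-valued function evaluated per row.
CREATE SCHEMA Security;
GO
CREATE FUNCTION Security.fn_row_owner (@OwnerUser AS SYSNAME)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN SELECT 1 AS is_visible WHERE @OwnerUser = USER_NAME();
GO
-- FILTER hides other users' rows on read; BLOCK rejects inserts made for another owner.
CREATE SECURITY POLICY Security.CustomerRowPolicy
    ADD FILTER PREDICATE Security.fn_row_owner(OwnerUser) ON dbo.Customers,
    ADD BLOCK PREDICATE  Security.fn_row_owner(OwnerUser) ON dbo.Customers AFTER INSERT
    WITH (STATE = ON);
GO
-- Run the same query as each user to compare row visibility and masking.
EXECUTE AS USER = 'SupportUser';
SELECT OwnerUser, Email, CardNumber FROM dbo.Customers;
REVERT;
EXECUTE AS USER = 'AuditUser';
SELECT OwnerUser, Email, CardNumber FROM dbo.Customers;
REVERT;
GO
```

Masking only changes what a query returns, so it should be treated as obfuscation layered on top of permissions and RLS rather than as access control on its own. When reviewing a database, check who holds UNMASK and whether each security policy is actually enabled.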

Azure SQL Managed Instance

Azure SQL Managed Instances are for larger-scale deployments scoped to an entire SQL Server instance. It provides near 100% compatibility with the latest SQL Server on-premises (Enterprise Edition) Database Engine, which provides a native virtual network (VNet) implementation that addresses common security concerns, and a business model favorable for on-premises SQL Server customers.

Azure SQL Virtual Machines

Azure SQL Virtual Machines allow you to control the operating system and the SQL Server instance, as a VM will be spawned in the VM service running the SQL server.

When a SQL Virtual Machine is created, it is possible to select all the settings of the VM (as shown in the VM lesson) that will host the SQL server.

  • This means that the VM will have access to some VNet(s), might have Managed Identities attached to it, could have file shares mounted… making pivoting from the SQL to the VM very interesting.
  • Moreover, it is possible to configure an app ID and secret to allow the SQL to access a specific key vault, which could contain sensitive information.

It is also possible to configure things like automatic SQL updates, automatic backups, Entra ID authentication and most of the features of the other SQL services.

Enumeration

bash
# List Servers
az sql server list # managed identities are enumerated here too
## List Server Usages
az sql server list-usages --name <server_name> --resource-group <resource_group>
## List Server Firewalls
az sql server firewall-rule list --resource-group <resource_group> --server <server_name>
## List of Azure Active Directory administrators in a server.
az sql server ad-admin list --resource-group <resource_group> --server <server_name>
## Get the server's advanced threat protection setting
az sql server advanced-threat-protection-setting show --resource-group <resource_group> --name <server_name>
## Get server's auditing policy.
az sql server audit-policy show --resource-group <resource_group> --name <server_name>
## Gets a server's secure connection policy.
az sql server conn-policy show --resource-group <resource_group> --server <server_name>
## Gets a list of server DNS aliases for a server.
az sql server dns-alias list --resource-group <resource_group> --server <server_name>
## List of server keys.
az sql server key list --resource-group <resource_group> --server <server_name>
## Gets a server encryption protector.
az sql server tde-key show --resource-group <resource_group> --server <server_name>

# List Databases in a SQL server
az sql db list --server <server_name> --resource-group <resource_group> #--output table
## Get details of a specific database
az sql db show --name <database_name> --server <server_name> --resource-group <resource_group>
## List database usages
az sql db list-usages --name <database_name> --server <server_name> --resource-group <resource_group>
## List of operations performed on the database.
az sql db op list --database <database_name> --server <server_name> --resource-group <resource_group>
## List sql database classification
az sql db classification list --name <database_name> --server <server_name> --resource-group <resource_group>
## List long-term retention backups for a SQL database
az sql db ltr-backup list --location <location> --database <database_name> --server <server_name> --resource-group <resource_group>
## Show long-term retention policy
az sql db ltr-policy show --name <database_name> --server <server_name> --resource-group <resource_group>
## Show short-term retention policy
az sql db str-policy show --name <database_name> --server <server_name> --resource-group <resource_group>
## List the replicas of a database and their replication status
az sql db replica list-links --name <database_name> --server <server_name> --resource-group <resource_group>
## List deleted (restorable dropped) SQL databases in a SQL server
az sql db list-deleted --server <server_name> --resource-group <resource_group>
## Show the advanced threat protection setting of a database
az sql db advanced-threat-protection-setting show --name <database_name> --server <server_name> --resource-group <resource_group>

# List all elastic pools in a SQL server
az sql elastic-pool list --server <server_name> --resource-group <resource_group> #--output table
## Show details of a specific elastic pool
az sql elastic-pool show --name <elastic_pool_name>  --server <server_name> --resource-group <resource_group>
## List of databases in an elastic pool.
az sql elastic-pool list-dbs --name <elastic_pool_name>  --server <server_name> --resource-group <resource_group>

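# List all managed instances
az sql mi list
az sql mi show --resource-group <res-grp> --name <name>
## List and show the databases of a managed instance
az sql midb list --managed-instance <mi-name> --resource-group <res-grp>
az sql midb show --managed-instance <mi-name> --resource-group <res-grp> --name <name>

# List all SQL VMs
az sql vm list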
az sql vm show --resource-group <res-grp> --name <name>

# List schema by the database
az rest --method get \
--uri "https://management.azure.com/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.Sql/servers/<serverName>/databases/<databaseName>/schemas?api-version=2021-11-01"

# Get tables of a database with the schema
az rest --method get \
--uri "https://management.azure.com/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.Sql/servers/<serverName>/databases/<databaseName>/schemas/<schemaName>/tables?api-version=2021-11-01"

# Get columns of a database
az rest --method get \
--uri "https://management.azure.com/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.Sql/servers/<serverName>/databases/<databaseName>/columns?api-version=2021-11-01"

# Get columns of a table
az rest --method get \
--uri "https://management.azure.com/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.Sql/servers/<serverName>/databases/<databaseName>/schemas/<schemaName>/tables/<tableName>/columns?api-version=2021-11-01"

# Get DataMaskingPolicies of a database
az rest --method get \
--uri "https://management.azure.com/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.Sql/servers/<serverName>/databases/<databaseName>/dataMaskingPolicies/Default?api-version=2021-11-01"

az rest --method get \
--uri "https://management.azure.com/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.Sql/servers/<serverName>/databases/<databaseName>/dataMaskingPolicies/Default/rules?api-version=2021-11-01"

Additionally, if you want to enumerate the Dynamic Data Masking and Row Level Security policies within the database, you can query:

sql
-- Enumerates the masked columns
SELECT
    OBJECT_NAME(mc.object_id) AS TableName,
    c.name AS ColumnName,
    mc.masking_function AS MaskingFunction
FROM sys.masked_columns AS mc
JOIN sys.columns AS c
    ON mc.object_id = c.object_id
    AND mc.column_id = c.column_id;

-- Enumerates Row Level Security policies
-- (sp.object_id identifies the policy; the protected table is target_object_id)
SELECT
    sp.name AS PolicyName,
    sp.is_enabled,
    sp.create_date,
    sp.modify_date,
    OBJECT_NAME(sp2.target_object_id) AS TableName,
    sp2.predicate_definition AS PredicateDefinition
FROM sys.security_policies AS sp
JOIN sys.security_predicates AS sp2
    ON sp.object_id = sp2.object_id;

Connect and run SQL queries

You can find a connection string (containing credentials) from, for example, enumerating an Az WebApp:

powershell
function invoke-sql {
    param($query)
    # Connection string (including credentials) as recovered during enumeration
    $Connection_string = "Server=tcp:supercorp.database.windows.net,1433;Initial Catalog=flag;Persist Security Info=False;User ID=db_read;Password=gAegH!324fAG!#1fht;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;"
    $Connection = New-Object System.Data.SqlClient.SqlConnection $Connection_string
    $Connection.Open()
    try {
        $Command = New-Object System.Data.SqlClient.SqlCommand
        $Command.Connection = $Connection
        $Command.CommandText = $query
        $Reader = $Command.ExecuteReader()
        # Output the first column of every returned row
        while ($Reader.Read()) {
            $Reader.GetValue(0)
        }
    }
    finally {
        # Release the connection even if the query fails
        $Connection.Close()
    }
}

invoke-sql 'Select Distinct TABLE_NAME From information_schema.TABLES;'

You can also use sqlcmd to access the database. It is important to know whether the server allows public connections (az sql server show --name <server-name> --resource-group <resource-group>), and also whether a firewall rule allows our IP to connect:

bash
sqlcmd -S <sql-server>.database.windows.net -U <server-user> -P <server-password> -d <database>

Privilege Escalation

Az - SQL Privesc

Post Exploitation

Az - SQL Post Exploitation

Persistence

Az - SQL Persistence
