Merge pull request #162 from JaimePolop/master
sql & others
carlospolop authored Feb 20, 2025
2 parents e2083ac + 3b98800 commit 9c41737
Showing 10 changed files with 187 additions and 20 deletions.
1 change: 0 additions & 1 deletion searchindex.js

This file was deleted.

1 change: 0 additions & 1 deletion searchindex.json

This file was deleted.

Expand Up @@ -41,6 +41,18 @@ Additionally it is necesary to have the public access enabled if you want to acc
az mysql flexible-server update --resource-group <resource_group_name> --server-name <server_name> --public-access Enabled
```

### `Microsoft.DBforMySQL/flexibleServers/read`, `Microsoft.DBforMySQL/flexibleServers/write`, `Microsoft.DBforMySQL/flexibleServers/backups/read`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`

With this permissions you can restore a MySQL server from a backup:

```bash
az mysql flexible-server restore \
--resource-group <resource_group_name> \
--name <restore_server_name> \
--source-server <server_name> \
--yes
```

### `Microsoft.DBforMySQL/flexibleServers/read`, `Microsoft.DBforMySQL/flexibleServers/write`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`, `Microsoft.DBforMySQL/flexibleServers/administrators/write` && `Microsoft.DBforMySQL/flexibleServers/administrators/read`

With this permission, you can configure Azure Active Directory (AD) administrators for a MySQL Flexible Server. This can be exploited by setting oneself or another account as the AD administrator, granting full administrative control over the MySQL server. It's important that the flexible-server has a user assigned managed identities to use.
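Review bot: "With this permissions you can restore" should read "With these permissions", and the closing sentence "It's important that the flexible-server has a user assigned managed identities to use" should say that the flexible server must have a user-assigned managed identity assigned to it, since that assignment is what the `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action` permission in the heading covers. The restore command also omits `--restore-time`, which the PostgreSQL counterpart later in this diff includes; add it so the point in time being restored is explicit. The heading mixes `&&` into an otherwise comma-separated permission list; use commas throughout for consistency.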
Expand Up @@ -35,12 +35,60 @@ az postgres flexible-server update \
--admin-password <password_to_update>
```

Furthermore, with the permissions you can enalbe the assign identity, an opertate with the managed identity attached to the server. Here you can find all the extensions that Azure PostgreSQL flexible server supports [https://learn.microsoft.com/en-us/azure/cosmos-db/postgresql/reference-extensions](https://learn.microsoft.com/en-us/azure/cosmos-db/postgresql/reference-extensions). To be able to use these extensions some server parameters (azure.extensions) need to be changed. For example here with a managed identity that can access Azure Storage:

First we change the parameters and be sure the assigned identity is enabled:
```bash
az postgres flexible-server parameter set \
--resource-group <YourResourceGroupName> \
--server-name <YourServerName> \
--name azure.extensions \
--value "AZURE_STORAGE"

az postgres flexible-server identity update \
--resource-group <YourResourceGroupName> \
--server-name <YourServerName> \
--system-assigned Enabled
```
```sql

CREATE EXTENSION IF NOT EXISTS azure_storage;

CREATE EXTERNAL DATA SOURCE ManagedIdentity

SELECT azure_storage.account_add('<storage-account>', '<storage-key>');

SELECT *
FROM azure_storage.blob_get(
'<storage-account>',
'<container>',
'message.txt',
decoder := 'text'
) AS t(content text)
LIMIT 1;

```

Additionally it is necesary to have the public access enabled if you want to access from a non private endpoint, to enable it:

```bash
az postgres flexible-server update --resource-group <resource_group_name> --server-name <server_name> --public-access Enabled
```

### `Microsoft.DBforPostgreSQL/flexibleServers/read`, `Microsoft.DBforPostgreSQL/flexibleServers/write`, `Microsoft.DBforPostgreSQL/flexibleServers/backups/read`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`

With this permissions you can restore a server from a backup with:

```bash
az postgres flexible-server restore \
--resource-group <RESOURCE_GROUP> \
--name <NEW_SERVER_NAME> \
--source-server <SOURCE_SERVER_NAME> \
--restore-time "<ISO8601_TIMESTAMP>" \
--yes

```

### `Microsoft.DBforPostgreSQL/flexibleServers/read`, `Microsoft.DBforPostgreSQL/flexibleServers/write`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`, `Microsoft.DBforPostgreSQL/flexibleServers/administrators/write` && `Microsoft.DBforPostgreSQL/flexibleServers/administrators/read`

With this permission, you can configure Azure Active Directory (AD) administrators for a PostgreSQL Flexible Server. This can be exploited by setting oneself or another account as the AD administrator, granting full administrative control over the PostgreSQL server. Updating existing principal is not supported yet so if there is one created you must delete it first.
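Review bot: the SQL block is not valid PostgreSQL as written. `CREATE EXTERNAL DATA SOURCE ManagedIdentity` is a T-SQL statement (it also appears in the SQL Server hunk of this commit) and PostgreSQL will reject it with a syntax error; drop it. In addition, `azure_storage.account_add('<storage-account>', '<storage-key>')` registers the account with a storage account key, not with the managed identity the preceding `identity update` command enables, so the example does not demonstrate identity-based access; either present it plainly as key-based access or, if the extension supports registering the account against the managed identity, show that call instead. Typos: `enalbe` -> `enable`, `an opertate` -> `and operate`, `necesary` -> `necessary`. The extension reference link points at `cosmos-db/postgresql` (Azure Cosmos DB for PostgreSQL), which is a different product from the flexible server this page covers, so the linked list may not match what the server actually supports.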
Expand Up @@ -48,6 +48,11 @@ az sql server update \
--assign_identity
```
```sql
CREATE DATABASE SCOPED CREDENTIAL [ManagedIdentityCredential]
WITH IDENTITY = 'Managed Identity';
GO


CREATE EXTERNAL DATA SOURCE ManagedIdentity
WITH (
TYPE = BLOB_STORAGE,
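Review bot: `CREATE DATABASE SCOPED CREDENTIAL [ManagedIdentityCredential] WITH IDENTITY = 'Managed Identity'` requires a database master key to already exist; add a `CREATE MASTER KEY` step before this block, or state that one exists, otherwise the snippet fails on a fresh database. Style: add a blank line between the closing bash fence and the opening sql fence so the two blocks render separately, and remove the double blank line after `GO`.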
Expand Down Expand Up @@ -134,6 +139,27 @@ az sql server azure-ad-only-auth disable \
--resource-group <resource_group_name>
```

### Microsoft.Sql/servers/databases/dataMaskingPolicies/write
Modify (or disable) the data masking policies on your SQL databases.

```bash
az rest --method put \
--uri "https://management.azure.com/subscriptions/<your-subscription-id>/resourceGroups/<your-resource-group>/providers/Microsoft.Sql/servers/<your-server>/databases/<your-database>/dataMaskingPolicies/Default?api-version=2021-11-01" \
--body '{
"properties": {
"dataMaskingState": "Disable"
}
}'
```

### Remove Row Level Security
If you loggin as admin, you can remove the policies of the admin itself and other users.

```sql
DROP SECURITY POLICY [Name_of_policy];
```


{{#include ../../../banners/hacktricks-training.md}}
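Review bot: `"dataMaskingState": "Disable"` looks wrong: every other state value on this page (`--public-access Enabled`, `--system-assigned Enabled`) uses the participle form, and the masking policy API's enum values are `Enabled`/`Disabled`, so `Disable` will be rejected; change it to `Disabled`. The new `### Microsoft.Sql/servers/databases/dataMaskingPolicies/write` heading lacks the backticks the other permission headings use. `If you loggin as admin` should be `If you log in as admin`, and the `Remove Row Level Security` section, unlike its siblings, names no required permission; state which database permission `DROP SECURITY POLICY` needs. Drop the extra blank line before `{{#include ...}}`.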


35 changes: 27 additions & 8 deletions src/pentesting-cloud/azure-security/az-services/az-cosmosDB.md
Expand Up @@ -10,7 +10,9 @@ Azure Cosmos DB provides multiple database APIs to model real-world data using d

One key aspect of CosmosDB is Azure Cosmos Account. **Azure Cosmos Account**, acts as the entry point to the databases. The account determines key settings such as global distribution, consistency levels, and the specific API to be used, such as NoSQL. Through the account, you can configure global replication to ensure data is available across multiple regions for low-latency access. Additionally, you can choose a consistency level that balances between performance and data accuracy, with options ranging from Strong to Eventual consistency.

### NoSQL (sql)
Azure Cosmos DB supports **user-assigned identities** and **system-assigned managed identities** that are automatically created and tied to the resource's lifecycle, allowing for secure, token-based authentication when connecting to other services—provided those services have the appropriate role assignments. However, Cosmos DB doesn't have a built‑in mechanism to directly query external data sources like Azure Blob Storage. Unlike SQL Server's external table features, Cosmos DB requires data to be ingested into its containers using external tools such as Azure Data Factory, the Data Migration Tool, or custom scripts before it can be queried with its native query capabilities.

### NoSQL
The Azure Cosmos DB NoSQL API is a document-based API that uses JSON as its data format. It provides a SQL-like query syntax for querying JSON objects, making it suitable for working with structured and semi-structured data. The endpoint of the service is:

```bash
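Review bot: the first sentence of the new paragraph reads as if user-assigned identities are also "automatically created and tied to the resource's lifecycle"; that applies only to the system-assigned identity, so split the sentence into one clause per identity type. Replace the em dash and the non-breaking hyphen in `built‑in` with plain ASCII. Since the paragraph is about account-level identities rather than the NoSQL API, give it its own `### Managed Identities` heading, as the Logic Apps page in this same commit does, rather than leaving it unlabeled between the account paragraph and `### NoSQL`.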
Expand All @@ -23,6 +25,11 @@ Within an account, you can create one or more databases, which serve as logical
#### Containers
The core unit of data storage is the container, which holds JSON documents and is automatically indexed for efficient querying. Containers are elastically scalable and distributed across partitions, which are determined by a user-defined partition key. The partition key is critical for ensuring optimal performance and even data distribution. For example, a container might store customer data, with "customerId" as the partition key.

#### Key Features
**Global Distribution**: Enable or disable Geo-Redundancy for cross-region replication and Multi-region Writes for improved availability.
**Networking & Security**: between public (all/select networks) or private endpoints for connectivity. Secure connections with TLS 1.2 encryption. Supports CORS (Cross-Origin Resource Sharing) for controlled access to resources.
**Backup & Recovery**: from Periodic, Continuous (7 days), or Continuous (30 days) backup policies with configurable intervals and retention.
**Data Encryption**: Default service-managed keys or customer-managed keys (CMK) for encryption (CMK selection is irreversible).

#### Enumeration
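Review bot: the four `**...**:` lines under `#### Key Features` carry no list markers, so Markdown will render them as one run-on paragraph; prefix each with `* ` as the MySQL and PostgreSQL pages in this commit do. Two items are also missing their verb: `**Networking & Security**: between public ...` should read `Choose between ...` and `**Backup & Recovery**: from Periodic ...` should read `Choose from ...`. The same block is pasted again under the MongoDB section later in this diff; consider keeping a single copy.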

Expand All @@ -45,21 +52,21 @@ az cosmosdb identity show --resource-group <ResourceGroupName> --name <AccountNa


# CosmoDB (NoSQL)
## List the SQL databases under an Azure Cosmos DB account.
## List the NoSQL databases under an Azure Cosmos DB account.
az cosmosdb sql database list --resource-group <ResourceGroupName> --account-name <AccountName>
## List the SQL containers under an Azure Cosmos DB SQL database.
## List the NoSQL containers under an Azure Cosmos DB NoSQL database.
az cosmosdb sql container list --account-name <AccountName> --database-name <DatabaseName> --resource-group <ResourceGroupName>

## List all SQL role assignments under an Azure Cosmos DB
## List all NoSQL role assignments under an Azure Cosmos DB
az cosmosdb sql role assignment list --resource-group <ResourceGroupName> --account-name <AccountName>
## List all SQL role definitions under an Azure Cosmos DB
## List all NoSQL role definitions under an Azure Cosmos DB
az cosmosdb sql role definition list --resource-group <ResourceGroupName> --account-name <AccountName>

## List the SQL stored procedures under an Azure Cosmos DB
## List the NoSQL stored procedures under an Azure Cosmos DB
az cosmosdb sql stored-procedure list --account-name <AccountName> --container-name <ContainerName> --database-name <DatabaseName> --resource-group <ResourceGroupName>
## List the SQL triggers under an Azure Cosmos DB SQL container.
## List the NoSQL triggers under an Azure Cosmos DB NoSQL container.
az cosmosdb sql trigger list --account-name <AccountName> --container-name <ContainerName> --database-name <DatabaseName> --resource-group <ResourceGroupName>
## List the SQL user defined functions under an Azure Cosmos DB SQL container
## List the NoSQL user defined functions under an Azure Cosmos DB NoSQL container
az cosmosdb sql user-defined-function list --account-name <AccountName> --container-name <ContainerName> --database-name <DatabaseName> --resource-group <ResourceGroupName>

```
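Review bot: the comments now say `NoSQL` while every command still uses the `az cosmosdb sql ...` group, which reads as a mismatch; add one comment above the block noting that the CLI group for the NoSQL API is still named `sql`. Also `CosmoDB` in `# CosmoDB (NoSQL)` should be `CosmosDB`.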
Expand Down Expand Up @@ -193,6 +200,18 @@ In MongoDB, you can create one or more databases within an instance. Each databa
#### Collections
The core unit of data storage in MongoDB is the collection, which holds documents and is designed for efficient querying and flexible schema design. Collections are elastically scalable and can support high-throughput operations across multiple nodes in a distributed setup.

#### Key Features of Request unit (RU) type
**Global Distribution**: Enable or disable Geo-Redundancy for cross-region replication and Multi-region Writes for improved availability.
**Networking & Security**: between public (all/select networks) or private endpoints for connectivity. Secure connections with TLS 1.2 encryption. Supports CORS (Cross-Origin Resource Sharing) for controlled access to resources.
**Backup & Recovery**: from Periodic, Continuous (7 days, free), or Continuous (30 days, paid) backup policies with configurable intervals and retention.
**Data Encryption**: Default service-managed keys or customer-managed keys (CMK) for encryption (CMK selection is irreversible).

#### Key Features of vCore cluster type
**Global Distribution**: Enable a read replica in another Azure region for high availability and failover support. Configure the replica name, region, and storage per shard.
**Networking & Security**: Supports public access with assigned public IPs and private access. Restrict connections using firewall rules—by default, no public IPs are allowed.
**Encrypted Connections**: Enforces TLS encryption for secure data transmission.


#### Enumeration

{{#tabs }}
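Review bot: the same list-marker and missing-verb problems as the earlier Key Features block apply here (`between public ...`, `from Periodic ...`), and the RU block is a near duplicate of it with `(7 days, free)` / `(30 days, paid)` added; if those pricing qualifiers are correct, apply them to the earlier copy too, otherwise the two blocks disagree with each other. The vCore `Networking & Security` line uses an em dash (`rules—by default`); use a comma or colon. Remove the extra blank line before `#### Enumeration`.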
Expand Up @@ -8,6 +8,11 @@ Azure Logic Apps is a cloud-based service provided by Microsoft Azure that enabl

Logic Apps provides a visual designer to create workflows with a **wide range of pre-built connectors**, which makes it easy to connect to and interact with various services, such as Office 365, Dynamics CRM, Salesforce, and many others. You can also create custom connectors for your specific needs.

When creating a Logic App, you must either create or link an external storage account that stores the workflow state, run history, and artifacts. This storage can be configured with diagnostic settings for monitoring and can be secured with network access restrictions or integrated into a virtual network to control inbound and outbound traffic.

### Managed Identities
Logic Apps has **system-assigned managed identity** tied to its lifecycle. When enabled, it receives a unique Object (principal) ID that can be used with Azure RBAC to grant the necessary permissions to access other Azure services securely. This eliminates the need to store credentials in code because the identity is authenticated through Microsoft Entra ID. Additionally, you can also use **user-assigned managed identities**, which can be shared across multiple resources. These identities allow workflows and Logic Apps to interact securely with external systems, ensuring that the necessary access controls and permissions are managed centrally through Azure's security framework.

### Examples

- **Automating Data Pipelines**: Logic Apps can automate **data transfer and transformation processes** in combination with Azure Data Factory. This is useful for creating scalable and reliable data pipelines that move and transform data between various data stores, like Azure SQL Database and Azure Blob Storage, aiding in analytics and business intelligence operations.
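Review bot: `Logic Apps has **system-assigned managed identity** tied to its lifecycle` overstates it, since the identity exists only once enabled (as the next sentence says); write `A Logic App can have a system-assigned managed identity ...`. `Additionally, you can also` is redundant. The storage-account paragraph is the security-relevant addition here (workflow state, run history and artifacts live in that account); since it already mentions network restrictions and VNet integration, say explicitly that the storage account should be locked down with the same controls as the Logic App itself.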
Expand Down Expand Up @@ -43,6 +48,10 @@ There are several hosting options:
- **App Service Environment V3** dedicated compute resources with full isolation and scalability. It also integrates with VNET for networking and uses a pricing model based on App Service instances within the environment. This is ideal for enterprise-scale applications needing high isolation.
- **Hybrid** designed for local processing and multi-cloud support. It allows customer-managed compute resources with local network access and utilizes Kubernetes Event-Driven Autoscaling (KEDA).

### Workflows

Workflows in Azure Logic Apps are the core automated processes that orchestrate actions across various services. A workflow starts with a trigger—an event or schedule—and then executes a series of actions, such as calling APIs, processing data, or interacting with other Azure services. Workflows can be defined visually using a designer or via code (JSON definitions) and are managed through commands like az logic workflow create, az logic workflow show, and az logic workflow update. They also support identity management (via the identity subgroup) to securely manage permissions and integrations with external resources.

### Enumeration

{{#tabs }}
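Review bot: the command names in the Workflows paragraph (`az logic workflow create`, `az logic workflow show`, `az logic workflow update`) should be in backticks like the rest of the page, and `via the identity subgroup` is too vague to act on; give the full command group. Replace the em dashes in `a trigger—an event or schedule—and` with commas.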
4 changes: 2 additions & 2 deletions src/pentesting-cloud/azure-security/az-services/az-mysql.md
Expand Up @@ -16,9 +16,9 @@ Azure Database for MySQL is a fully managed relational database service based on
- Offers stop/start functionality for cost savings.

### Key Features
* **Server Management**: The **ad-admin** feature allows managing Azure Active Directory (AAD) administrators for MySQL servers, providing control over administrative access via AAD credentials, while the **identity** feature enables the assignment and management of Azure Managed Identities, offering secure, credential-free authentication for accessing Azure resources.
* **Server Management**: The **ad-admin** feature allows managing Azure Entra ID administrators for MySQL servers, providing control over administrative access via Entra ID credentials. Mysql supports User Managed Identities, used to autenticate without the need of credentials, and can be used by other services.
* **Lifecycle Management**: options to start or stop a server, delete a flexible server instance, restart a server to quickly apply configuration changes, and wait to ensure a server meets specific conditions before proceeding with automation scripts.
* **Security and Networking**: can manage server firewall rules for secure database access and detach virtual network configurations as needed.
* **Security and Networking**: Secure your server by restricting connections through firewall rules that only allow specific public IP addresses, or by using private endpoints that integrate your server into a virtual network. All connections are protected with TLS 1.2 encryption. Databases, backups, and logs are encrypted at rest by default using service-managed keys or custom keys.
* **Data Protection and Backup**: includes options to manage flexible server backups for data recovery, perform geo-restore to recover a server in a different region, export server backups for external use (in Preview), and restore a server from backup to a specific point in time.

### Enumeration
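Review bot: `Azure Entra ID` should be `Microsoft Entra ID` (the product name), `Mysql` should be `MySQL`, and `autenticate` should be `authenticate`. The clause `used to autenticate without the need of credentials, and can be used by other services` is unclear; state that a user-assigned managed identity lets the server authenticate to other Azure services without stored credentials. In the `Security and Networking` item, `custom keys` should be `customer-managed keys` to match the term used elsewhere in this diff, and the second-person `Secure your server ...` breaks the descriptive style of the other list items.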
Expand Up @@ -23,6 +23,7 @@
* **Automatic Backups**: Built-in daily backups with retention periods configurable up to 35 days.
* **Role-Based Access**: Control user permissions and administrative access through Azure Active Directory.
* **Security and Networking**: can manage server firewall rules for secure database access and detach virtual network configurations as needed.
* **Managed Identities**: allow your server to securely authenticate with other Azure services without storing credentials. It allow to access other services which would be System assigned managed identity and be accessed by other services with other identities which is User assigned managed identity.

### Enumeration
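Review bot: the second sentence of the new `Managed Identities` item is garbled (`It allow to access other services which would be System assigned managed identity and be accessed by other services with other identities which is User assigned managed identity`). Suggested wording: `A system-assigned identity is created with the server and tied to its lifecycle; a user-assigned identity is a standalone resource that can be shared across services.` Also `allow your server` -> `allows your server`.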
