GITBOOK-3783: No subject
BIN .gitbook/assets/image (39) (1).png (Normal file, 82 KiB)
BIN .gitbook/assets/image (40) (1).png (Normal file, 205 KiB)
BIN .gitbook/assets/image (6) (1) (1) (1).png (Normal file, 114 KiB)
@ -444,7 +444,8 @@
* [9100 - Pentesting Raw Printing (JetDirect, AppSocket, PDL-datastream)](network-services-pentesting/9100-pjl.md)
* [9200 - Pentesting Elasticsearch](network-services-pentesting/9200-pentesting-elasticsearch.md)
* [10000 - Pentesting Network Data Management Protocol (ndmp)](network-services-pentesting/10000-network-data-management-protocol-ndmp.md)
* [11211 - Pentesting Memcache](network-services-pentesting/11211-memcache.md)
* [11211 - Pentesting Memcache](network-services-pentesting/11211-memcache/README.md)
* [Memcache Commands](network-services-pentesting/11211-memcache/memcache-commands.md)
* [15672 - Pentesting RabbitMQ Management](network-services-pentesting/15672-pentesting-rabbitmq-management.md)
* [24007,24008,24009,49152 - Pentesting GlusterFS](network-services-pentesting/24007-24008-24009-49152-pentesting-glusterfs.md)
* [27017,27018 - Pentesting MongoDB](network-services-pentesting/27017-27018-mongodb.md)
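Review bot: the old `network-services-pentesting/11211-memcache.md` entry is replaced by `11211-memcache/README.md` plus a new `Memcache Commands` entry, so any page that still links to the old path (that file is deleted later in this commit) now points at a missing file; grep the repo for `11211-memcache.md` and update those links. Also confirm that the `Memcache Commands` line is indented under its parent entry (leading whitespace is not visible in this rendering), otherwise GitBook lists it as a top-level page instead of a sub-page.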
@ -141,7 +141,7 @@ Arguments of the script:

**Our host seems to be in trouble :)**

<figure><img src="../../.gitbook/assets/image (6) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/image (6) (1) (1).png" alt=""><figcaption></figcaption></figure>

As you can see, the host loses connectivity to host **172.16.100.140/32** due to route injection.

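Review bot: the figure path moves from `image (6) (1).png` to `image (6) (1) (1).png`, but the binary files listed at the top of this commit add `image (6) (1) (1) (1).png`, not `image (6) (1) (1).png`; confirm the referenced asset actually exists in `.gitbook/assets`, otherwise the screenshot backing the claim about `172.16.100.140/32` losing connectivity renders as a broken image. While touching the line, give the `<img>` a descriptive `alt` (the lost-connectivity result) instead of `alt=""`.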
@ -1,96 +0,0 @@


<details>

<summary><strong><a href="https://www.twitch.tv/hacktricks_live/schedule">🎙️ HackTricks LIVE Twitch</a> Wednesdays 5.30pm (UTC) 🎙️ - <a href="https://www.youtube.com/@hacktricks_LIVE">🎥 Youtube 🎥</a></strong></summary>

- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!

- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)

- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)

- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**

- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.

</details>


# Protocol Information

**Memcached** (pronunciation: mem-cashed, mem-cash-dee) is a general-purpose distributed [memory caching](https://en.wikipedia.org/wiki/Memory\_caching) system. It is often used to speed up dynamic database-driven websites by caching data and objects in RAM to reduce the number of times an external data source (such as a database or API) must be read. (From [wikipedia](https://en.wikipedia.org/wiki/Memcached))\
Although Memcached supports SASL, most instances are **exposed without authentication**.

**Default port:** 11211

```
PORT STATE SERVICE
11211/tcp open unknown
```

# Enumeration

## Manual

To ex-filtrate all the information saved inside a memcache instance you need to:

1. Find **slabs** with **active items**
2. Get the **key names** of the slabs detected before
3. Ex-filtrate the **saved data** by **getting the key names**

Remember that this service is just a **cache**, so **data may be appearing and disappearing**.

```bash
echo "version" | nc -vn -w 1 <IP> 11211 #Get version
echo "stats" | nc -vn -w 1 <IP> 11211 #Get status
echo "stats slabs" | nc -vn -w 1 <IP> 11211 #Get slabs
echo "stats items" | nc -vn -w 1 <IP> 11211 #Get items of slabs with info
echo "stats cachedump <number> 0" | nc -vn -w 1 <IP> 11211 #Get key names (the 0 is for unlimited output size)
echo "get <item_name>" | nc -vn -w 1 <IP> 11211 #Get saved info

#This php will just dump the keys, you need to use "get <item_name> later"
sudo apt-get install php-memcached
php -r '$c = new Memcached(); $c->addServer("localhost", 11211); var_dump( $c->getAllKeys() );'
```

## Manual2

```bash
sudo apt install libmemcached-tools
memcstat --servers=127.0.0.1 #Get stats
memcdump --servers=127.0.0.1 #Get all items
memccat --servers=127.0.0.1 <item1> <item2> <item3> #Get info inside the item(s)
```

## Automatic

```bash
nmap -n -sV --script memcached-info -p 11211 <IP> #Just gather info
msf > use auxiliary/gather/memcached_extractor #Extracts saved data
msf > use auxiliary/scanner/memcached/memcached_amp #Check is UDP DDoS amplification attack is possible
```

## **Shodan**

* `port:11211 "STAT pid"`
* `"STAT pid"`


<details>

<summary><strong><a href="https://www.twitch.tv/hacktricks_live/schedule">🎙️ HackTricks LIVE Twitch</a> Wednesdays 5.30pm (UTC) 🎙️ - <a href="https://www.youtube.com/@hacktricks_LIVE">🎥 Youtube 🎥</a></strong></summary>

- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!

- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)

- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)

- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**

- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.

</details>

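Review bot: removing the whole file is fine since the same content now lives in `11211-memcache/README.md`, but nothing in this commit preserves the old URL; add a `redirects` entry for `11211-memcache.md` in `.gitbook.yaml` (or leave a stub page holding a `{% content-ref %}` to the new README) so external links and search results keep resolving. The new README copies this text verbatim, so the wording issues here (`ex-filtrate`, `Check is UDP`) are better fixed in the copy than carried over.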
264
network-services-pentesting/11211-memcache/README.md
Normal file
@ -0,0 +1,264 @@
# 11211 - Pentesting Memcache

<details>

<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

</details>

## Protocol Information

**Memcached** (pronunciation: mem-cashed, mem-cash-dee) is a general-purpose distributed [memory caching](https://en.wikipedia.org/wiki/Memory\_caching) system. It is often used to speed up dynamic database-driven websites by caching data and objects in RAM to reduce the number of times an external data source (such as a database or API) must be read. (From [wikipedia](https://en.wikipedia.org/wiki/Memcached))\
Although Memcached supports SASL, most instances are **exposed without authentication**.

**Default port:** 11211

```
PORT STATE SERVICE
11211/tcp open unknown
```

## Enumeration

### Manual

To ex-filtrate all the information saved inside a memcache instance you need to:

1. Find **slabs** with **active items**
2. Get the **key names** of the slabs detected before
3. Ex-filtrate the **saved data** by **getting the key names**

Remember that this service is just a **cache**, so **data may be appearing and disappearing**.

```bash
echo "version" | nc -vn -w 1 <IP> 11211 #Get version
echo "stats" | nc -vn -w 1 <IP> 11211 #Get status
echo "stats slabs" | nc -vn -w 1 <IP> 11211 #Get slabs
echo "stats items" | nc -vn -w 1 <IP> 11211 #Get items of slabs with info
echo "stats cachedump <number> 0" | nc -vn -w 1 <IP> 11211 #Get key names (the 0 is for unlimited output size)
echo "get <item_name>" | nc -vn -w 1 <IP> 11211 #Get saved info

#This php will just dump the keys, you need to use "get <item_name> later"
sudo apt-get install php-memcached
php -r '$c = new Memcached(); $c->addServer("localhost", 11211); var_dump( $c->getAllKeys() );'
```

### Manual2

```bash
sudo apt install libmemcached-tools
memcstat --servers=127.0.0.1 #Get stats
memcdump --servers=127.0.0.1 #Get all items
memccat --servers=127.0.0.1 <item1> <item2> <item3> #Get info inside the item(s)
```

### Automatic

```bash
nmap -n -sV --script memcached-info -p 11211 <IP> #Just gather info
msf > use auxiliary/gather/memcached_extractor #Extracts saved data
msf > use auxiliary/scanner/memcached/memcached_amp #Check is UDP DDoS amplification attack is possible
```

## Dumping Memcache Keys <a href="#dumping-memcache-keys" id="dumping-memcache-keys"></a>

**If your memcached version is above 1.4.31, read next section for advanced method of dumping keys.**

The memcache protocol provides [commands](https://lzone.de/articles/memcached.htm) to peek into the data that is organized by slabs (categories of data of a given size range). There are some significant limitations though:

1. You can only dump keys per slab class (keys with roughly the same content size)
2. You can only dump one page per slab class (1MB of data)
3. This is an unofficial feature that [might be removed anytime.](https://groups.google.com/forum/?fromgroups=#!topic/memcached/1-T8I-RVGKM)

The second limitation is probably the hardest because 1MB of several gigabytes is almost nothing. Still it can be useful to watch how you use a subset of your keys. But this might depend on your use case. If you don’t care about the technical details just skip to the [tools section](https://lzone.de/cheat-sheet/memcached#tools) to learn about what tools allow you to easily dump everything. Alternatively follow the following guide and try the commands [using telnet](https://lzone.de/articles/memcached.htm) against your memcached setup. **How it Works** First you need to know how memcache organizes its memory. If you start memcache with option “-vv” you see the slab classes it creates. For example

```
$ memcached -vv
slab class 1: chunk size 96 perslab 10922
slab class 2: chunk size 120 perslab 8738
slab class 3: chunk size 152 perslab 6898
slab class 4: chunk size 192 perslab 5461
[...]
```

In the configuration printed above memcache will keep fit 6898 pieces of data between 121 and 152 byte in a single slab of 1MB size (6898\*152). All slabs are sized as 1MB per default. Use the following command to print all currently existing slabs:

```
stats slabs
```

If you’ve added a single key to an empty memcached 1.4.13 with

```
set mykey 0 60 1
1
STORED
```

you’ll now see the following result for the “stats slabs” command:

```
stats slabs
STAT 1:chunk_size 96
STAT 1:chunks_per_page 10922
STAT 1:total_pages 1
STAT 1:total_chunks 10922
STAT 1:used_chunks 1
STAT 1:free_chunks 0
STAT 1:free_chunks_end 10921
STAT 1:mem_requested 71
STAT 1:get_hits 0
STAT 1:cmd_set 2
STAT 1:delete_hits 0
STAT 1:incr_hits 0
STAT 1:decr_hits 0
STAT 1:cas_hits 0
STAT 1:cas_badval 0
STAT 1:touch_hits 0
STAT active_slabs 1
STAT total_malloced 1048512
END
```

The example shows that we have only one active slab type #1. Our key being just one byte large fits into this as the smallest possible chunk size. The slab statistics show that currently on one page of the slab class exists and that only one chunk is used. **Most importantly it shows a counter for each write operation (set, incr, decr, cas, touch) and one for gets. Using those you can determine a hit ratio!** You can also fetch another set of infos using “stats items” with interesting counters concerning evictions and out of memory counters.

```
stats items
STAT items:1:number 1
STAT items:1:age 4
STAT items:1:evicted 0
STAT items:1:evicted_nonzero 0
STAT items:1:evicted_time 0
STAT items:1:outofmemory 0
STAT items:1:tailrepairs 0
STAT items:1:reclaimed 0
STAT items:1:expired_unfetched 0
STAT items:1:evicted_unfetched 0
END
```

**What We Can Guess Already…** Given the statistics infos per slabs class we can already guess a lot of thing about the application behaviour:

1. How is the cache ratio for different content sizes?
* How good is the caching of large HTML chunks?
2. How much memory do we spend on different content sizes?
* How much do we spend on simple numeric counters?
* How much do we spend on our session data?
* How much do we spend on large HTML chunks?
3. How many large objects can we cache at all?

Of course to answer the questions you need to know about the cache objects of your application. **Now: How to Dump Keys?** Keys can be dumped per slabs class using the “stats cachedump” command.

```
stats cachedump <slab class> <number of items to dump>
```

To dump our single key in class #1 run

```
stats cachedump 1 1000
ITEM mykey [1 b; 1350677968 s]
END
```

The “cachedump” returns one item per line. The first number in the braces gives the size in bytes, the second the timestamp of the creation. Given the key name you can now also dump its value using

```
get mykey
VALUE mykey 0 1
1
END
```

This is it: iterate over all slabs classes you want, extract the key names and if need dump there contents.

### **DUMPING MEMCACHE KEYS (VER 1.4.31+)**

In memcache version 1.4.31 and above there is a new command for dumping memory keys in non-blocking mode (read https://github.com/memcached/memcached/wiki/ReleaseNotes1431 ). This method is safe to run in production. The output is not consistent, but good enough for finding keys, their exact expiration time (EXP) and last accessed time (LA). Because of huge output generated, it’s recommended to use ‘nc’ command. Examples:

```
echo 'lru_crawler metadump all' | nc 127.0.0.1 11211 | head -1
key=0dLLX%253Amemcache_test_key exp=1590718787 la=1590718487 cas=2238881166 fetch=yes

echo 'lru_crawler metadump all' | nc 127.0.0.1 11211 | grep ee6ba58566e234ccbbce13f9a24f9a28
key=VQRFX%253Aee6ba58566e234ccbbce13f9a24f9a28 exp=-1 la=1590386157 cas=1776204003 fetch=yes
key=0dLLX%253Aee6ba58566e234ccbbce13f9a24f9a28 exp=-1 la=1590712292 cas=2225524871 fetch=yes
```

EXP=-1 means the item never expires EXP=1590718787 (Fri May 29 02:19:47 GMT 2020) keeps the unix timestamp when the item should expire LA=1590712292 (Mon May 25 05:55:57 GMT 2020) keeps the unix timestamp when the item was last accessed

### **DUMPING TOOLS**

There are different dumping tools sometimes just scripts out there that help you with printing memcache keys:

| Programming Languages | Tools | Functionality | | |
| --------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------- | ------- |
| PHP | [simple script](http://snipt.org/xtP) | Prints key names. | | |
| Perl | [simple script](https://wiki.jasig.org/download/attachments/13572172/memcached-clean.pl?version=1\&modificationDate=1229693957401) | Prints keys and values | | |
| Ruby | [simple script](https://gist.github.com/1365005) | Prints key names. | | |
| Perl | [memdump](https://search.cpan.org/\~dmaki/Memcached-libmemcached-0.4202/src/libmemcached/docs/memdump.pod) | Tool in CPAN module | [Memcached-libmemcached](https://search.cpan.org/\~dmaki/Memcached-libmemc) | ached/) |
| PHP | [memcache.php](http://livebookmark.net/journal/2008/05/21/memcachephp-stats-like-apcphp/) | Memcache Monitoring GUI that also allows dumping keys | | |
| libmemcached | [peep](http://blog.evanweaver.com/2009/04/20/peeping-into-memcached/) | **Does freeze your memcached process!!!** Be careful when using this in production. Still using it you can workaround the 1MB limitation and really dump **all** keys. | | |

## Troubleshooting <a href="#troubleshooting" id="troubleshooting"></a>

### 1MB Data Limit <a href="#1mb-data-limit" id="1mb-data-limit"></a>

Note that prio to memcached 1.4 you cannot store objects larger than 1MB due to the default maximum slab size.

### Never Set a Timeout > 30 Days! <a href="#never-set-a-timeout--30-days" id="never-set-a-timeout--30-days"></a>

If you try to “set” or “add” a key with a timeout bigger than the allowed maximum you might not get what you expect because memcached then treats the value as a Unix timestamp. Also if the timestamp is in the past it will do nothing at all. Your command will silently fail.

So if you want to use the maximum lifetime specify 2592000. Example:

```
set my_key 0 2592000 1
1
```

### Disappearing Keys on Overflow <a href="#disappearing-keys-on-overflow" id="disappearing-keys-on-overflow"></a>

Despite the documentation saying something about wrapping around 64bit overflowing a value using “incr” causes the value to disappear. It needs to be created using “add”/”set” again.

### Replication <a href="#replication" id="replication"></a>

memcached itself does not support replication. If you really need it you need to use 3rd party solutions:

* [repcached](http://repcached.lab.klab.org/): Multi-master async replication (memcached 1.2 patch set)
* [Couchbase memcached interface](http://www.couchbase.com/memcached): Use CouchBase as memcached drop-in
* [yrmcds](https://cybozu.github.io/yrmcds/): memcached compatible Master-Slave key value store
* [twemproxy](https://github.com/twitter/twemproxy) (aka nutcracker): proxy with memcached support

### Commands Cheat-Sheet

{% content-ref url="memcache-commands.md" %}
[memcache-commands.md](memcache-commands.md)
{% endcontent-ref %}

### **Shodan**

* `port:11211 "STAT pid"`
* `"STAT pid"`

## References

* [https://lzone.de/cheat-sheet/memcached](https://lzone.de/cheat-sheet/memcached)

<details>

<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

</details>
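Review bot: the DUMPING TOOLS table is malformed: the header declares five columns (two of them empty) and in the memdump row the CPAN URL was split across cells, so `Memcached-libmemcached` and the stray `ached/)` land in columns four and five; rebuild it as a three-column table (Programming Languages | Tools | Functionality) with the module link restored in a single cell. Two smaller points in the same hunk: the PHP one-liner in the Manual block hard-codes `"localhost"` while every other command in that block takes `<IP>`, so make it `<IP>` for consistency; and the Automatic block only scans `11211/tcp` with nmap while `memcached_amp` tests the UDP listener, so it is worth stating that an exposed UDP socket is what makes the amplification finding real and is the thing to close (memcached is started with `-U 0` to disable UDP). The prose copied from the deleted page also still reads `ex-filtrate`, `Check is UDP`, `prio to`, `dump there contents` and `follow the following guide`; the move is a good moment to fix those.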
151
network-services-pentesting/11211-memcache/memcache-commands.md
Normal file
|
@ -0,0 +1,151 @@
|
|||
# Memcache Commands
|
||||
|
||||
<details>
|
||||
|
||||
<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
|
||||
</details>
|
||||
|
||||
## Commands Cheat-Sheet
|
||||
|
||||
**From** [**https://lzone.de/cheat-sheet/memcached**](https://lzone.de/cheat-sheet/memcached)****
|
||||
|
||||
The supported commands (the official ones and some unofficial) are documented in the [doc/protocol.txt](https://github.com/memcached/memcached/blob/master/doc/protocol.txt) document.
|
||||
|
||||
Sadly the syntax description isn’t really clear and a simple help command listing the existing commands would be much better. Here is an overview of the commands you can find in the [source](https://github.com/memcached/memcached) (as of 19.08.2016):
|
||||
|
||||
| Command | Description | Example |
|
||||
| --------------------- | --------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
||||
| get | Reads a value | `get mykey` |
|
||||
| set | Set a key unconditionally | <p><code>set mykey <flags> <ttl> <size></code><br><br><p>Ensure to use \r\n als line breaks when using Unix CLI tools. For example</p> <code>printf "set mykey 0 60 4\r\ndata\r\n" \| nc localhost 11211</code></p> |
|
||||
| add | Add a new key | `add newkey 0 60 5` |
|
||||
| replace | Overwrite existing key | `replace key 0 60 5` |
|
||||
| append | Append data to existing key | `append key 0 60 15` |
|
||||
| prepend | Prepend data to existing key | `prepend key 0 60 15` |
|
||||
| incr | Increments numerical key value by given number | `incr mykey 2` |
|
||||
| decr | Decrements numerical key value by given number | `decr mykey 5` |
|
||||
| delete | Deletes an existing key | `delete mykey` |
|
||||
| flush\_all | Invalidate all items immediately | `flush_all` |
|
||||
| flush\_all | Invalidate all items in n seconds | `flush_all 900` |
|
||||
| stats | Prints general statistics | `stats` |
|
||||
| | Prints memory statistics | `stats slabs` |
|
||||
| | Print higher level allocation statistics | `stats malloc` |
|
||||
| | Print info on items | `stats items` |
|
||||
| | | `stats detail` |
|
||||
| | | `stats sizes` |
|
||||
| | Resets statistics counters | `stats reset` |
|
||||
| lru\_crawler metadump | Dump (most of) the metadata for (all of) the items in the cache | `lru_crawler metadump all` |
|
||||
| version | Prints server version. | `version` |
|
||||
| verbosity | Increases log level | `verbosity` |
|
||||
| quit | Terminate session | `quit` |
|
||||
|
||||
#### Traffic Statistics <a href="#traffic-statistics" id="traffic-statistics"></a>
|
||||
|
||||
You can query the current traffic statistics using the command
|
||||
|
||||
```
|
||||
stats
|
||||
```
|
||||
|
||||
You will get a listing which serves the number of connections, bytes in/out and much more.
|
||||
|
||||
Example Output:
|
||||
|
||||
```
|
||||
STAT pid 14868
|
||||
STAT uptime 175931
|
||||
STAT time 1220540125
|
||||
STAT version 1.2.2
|
||||
STAT pointer_size 32
|
||||
STAT rusage_user 620.299700
|
||||
STAT rusage_system 1545.703017
|
||||
STAT curr_items 228
|
||||
STAT total_items 779
|
||||
STAT bytes 15525
|
||||
STAT curr_connections 92
|
||||
STAT total_connections 1740
|
||||
STAT connection_structures 165
|
||||
STAT cmd_get 7411
|
||||
STAT cmd_set 28445156
|
||||
STAT get_hits 5183
|
||||
STAT get_misses 2228
|
||||
STAT evictions 0
|
||||
STAT bytes_read 2112768087
|
||||
STAT bytes_written 1000038245
|
||||
STAT limit_maxbytes 52428800
|
||||
STAT threads 1
|
||||
END
|
||||
```
|
||||
|
||||
#### Memory Statistics <a href="#memory-statistics" id="memory-statistics"></a>
|
||||
|
||||
You can query the current memory statistics using
|
||||
|
||||
```
|
||||
stats slabs
|
||||
```
|
||||
|
||||
Example Output:
|
||||
|
||||
```
|
||||
STAT 1:chunk_size 80
|
||||
STAT 1:chunks_per_page 13107
|
||||
STAT 1:total_pages 1
|
||||
STAT 1:total_chunks 13107
|
||||
STAT 1:used_chunks 13106
|
||||
STAT 1:free_chunks 1
|
||||
STAT 1:free_chunks_end 12886
|
||||
STAT 2:chunk_size 100
|
||||
STAT 2:chunks_per_page 10485
|
||||
STAT 2:total_pages 1
|
||||
STAT 2:total_chunks 10485
|
||||
STAT 2:used_chunks 10484
|
||||
STAT 2:free_chunks 1
|
||||
STAT 2:free_chunks_end 10477
|
||||
[...]
|
||||
STAT active_slabs 3
|
||||
STAT total_malloced 3145436
|
||||
END
|
||||
```
|
||||
|
||||
If you are unsure if you have enough memory for your memcached instance always look out for the “evictions” counters given by the “stats” command. If you have enough memory for the instance the “evictions” counter should be 0 or at least not increasing.
|
||||
|
||||
#### Which Keys Are Used? <a href="#which-keys-are-used" id="which-keys-are-used"></a>

There is no builtin function to directly determine the current set of keys. However you can use the

```
stats items
```

command to determine how many keys do exist.

```
stats items
STAT items:1:number 220
STAT items:1:age 83095
STAT items:2:number 7
STAT items:2:age 1405
[...]
END
```

This at least helps to see if any keys are used. To dump the key names from a PHP script that already does the memcache access you can use the PHP code from [100days.de](http://100days.de/serendipity/archives/55-Dumping-MemcacheD-Content-Keys-with-PHP.html).

<details>

<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

</details>
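Review bot: the `stats items` output shown in this hunk is reported per slab class (`items:1:number 220`, `items:2:number 7`), so the sentence "command to determine how many keys do exist" leaves out the step the reader actually has to take: the total is the sum of the `items:N:number` counters over all slab classes listed before `END`, and the text should say so. While editing, fix the grammar ("how many keys exist") and consider a language tag on the two fences so the `stats items` command and its `STAT` output render consistently with the other blocks on the page.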
@ -27,7 +27,7 @@ When performing your directory brute force attacks make sure to add the followin
* _/graphql.php_
* _/graphql/console_

<figure><img src="../../.gitbook/assets/image (6).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/image (6) (1).png" alt=""><figcaption></figcaption></figure>

Once you find an open graphQL instance you need to know **what queries it supports**. This can be done by using the introspection system, more details can be found here: [**GraphQL: A query language for APIs.**\
It’s often useful to ask a GraphQL schema for information about what queries it supports. GraphQL allows us to do so…](https://graphql.org/learn/introspection/)
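Review bot: the asset rename (`image (6).png` to `image (6) (1).png`) is the only change in this hunk, but the link that follows it still splits its text across two lines with a trailing backslash and pastes the graphql.org teaser sentence into the link text; a short `[GraphQL introspection](https://graphql.org/learn/introspection/)` reads better and avoids the hard line break inside the link. The renamed `<figure>` also keeps `alt=""`; a one-line description of what the screenshot shows would make the page usable without the image.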
@ -40,9 +40,9 @@ If `==` is used in PHP, then there are unexpected cases where the comparison doe

PHP comparison tables: [https://www.php.net/manual/en/types.comparisons.php](https://www.php.net/manual/en/types.comparisons.php)

![](<../../../.gitbook/assets/image (40).png>)
![](<../../../.gitbook/assets/image (40) (1).png>)

{% file src="../../../.gitbook/assets/EN-PHP-loose-comparison-Type-Juggling-OWASP (1).pdf" %}
{% file src="../../../.gitbook/assets/EN-PHP-loose-comparison-Type-Juggling-OWASP.pdf" %}

* `"string" == 0 -> True` A string which doesn't start with a number is equals to a number
* `"0xAAAA" == "43690" -> True` Strings composed by numbers in dec or hex format can be compare to other numbers/strings with True as result if the numbers were the same (numbers in a string are interpreted as numbers)
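Review bot: the two bullets at the end of this hunk state `"string" == 0 -> True` and `"0xAAAA" == "43690" -> True` without saying which PHP version they were checked against; PHP's loose-comparison rules have changed between major releases, and the linked comparison table and the attached OWASP PDF are what the reader will use to verify them, so state the version each claim holds for next to the bullet. While editing, fix the grammar: "is equals to" to "is equal to", "Strings composed by numbers" to "Strings made of digits", "can be compare" to "can be compared". The asset swap itself (`image (40).png` to `image (40) (1).png`, PDF suffix dropped) is fine.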
@ -2,13 +2,13 @@

<details>

<summary><strong><a href="https://www.twitch.tv/hacktricks_live/schedule">🎙️ HackTricks LIVE Twitch</a> Wednesdays 5.30pm (UTC) 🎙️ - <a href="https://www.youtube.com/@hacktricks_LIVE">🎥 Youtube 🎥</a></strong></summary>
<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

</details>
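Review bot: moving the `<strong>` tags inside the anchors of the `<summary>` and re-bolding the two repo links is fine, but the 🐦 link on the "Join the" bullet still points at `https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md`, an emojipedia URL pasted into the repo tree path; make it `https://emojipedia.org/bird/` to match the 💬 link beside it, and add the missing space before `[**@carlospolopm**]`.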
@ -121,8 +121,6 @@ http://stagecafrstore.starbucks.com/%3f%0D%0ALocation://x:1%0D%0AContent-Type:te

{% embed url="https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/crlf.md" %}



### HTTP Header Injection

#### Description
@ -171,7 +169,7 @@ You can inject essential headers to ensure the **back-end keeps the connection o
GET /%20HTTP/1.1%0d%0aHost:%20redacted.net%0d%0aConnection:%20keep-alive%0d%0a%0d%0a HTTP/1.1
```

Then, **specify a second request**. Here you have a **classic** [**request smuggling**](http-request-smuggling/) **** with **extra** **headers/body** appended by the server after the injection.\
Then, **specify a second request**. Here you have a **classic** [**request smuggling**](http-request-smuggling/) \*\*\*\* with **extra** **headers/body** appended by the server after the injection.\
Here's two of the many options for cross-user exploitation.

Specifying a **malicious prefix** to poison either the next user's request, or a web cache:
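Review bot: escaping the stray `****` as `\*\*\*\*` on the "Then, **specify a second request**" line makes four literal asterisks render in the sentence right after the request-smuggling link; the `****` is an empty bold span left behind by the editor and should be deleted rather than escaped, leaving `[**request smuggling**](http-request-smuggling/) with **extra** **headers/body**`. On the next line, "Here's two of the many options" should read "Here are two of the many options".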
@ -184,6 +182,28 @@ Or crafting our prefix to combine with the trailing junk and create a complete s

For more info about this technique and potential problems [**check the original source**](https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning).

### Memcache Injection

Memcache is a **key-value store that uses a clear text protocol**. More info in:

{% content-ref url="../network-services-pentesting/11211-memcache/" %}
[11211-memcache](../network-services-pentesting/11211-memcache/)
{% endcontent-ref %}

If a plarform is taking **data from an HTTP request and using it without sanitizing** it to perform **requests** to a **memcache** server, an attacker could abuse this behaviour to **inject new memcache commands**.

For example, in the original discovered vuln, cache keys were used to return the IP and port a user shuold connect to, and attackers were able to **inject memcache comands** that would **poison** the **cache to send the vistims details** (usrnames and passwords included) to the attacker servers:

<figure><img src="../.gitbook/assets/image (6).png" alt=""><figcaption></figcaption></figure>

Moreover, researchers also discovered that they could desync the memcache responses to send the attackers ip and ports to users whose email the attacker didn't know:

<figure><img src="../.gitbook/assets/image (40).png" alt=""><figcaption></figcaption></figure>

<figure><img src="../.gitbook/assets/image (39).png" alt=""><figcaption></figcaption></figure>

**For the full information read the**[ **original writeup**](https://www.sonarsource.com/blog/zimbra-mail-stealing-clear-text-credentials-via-memcache-injection/)****

## Impacts of the CRLF injection Vulnerability

The impact of CRLF injections vary and also include all the impacts of Cross-site Scripting to information disclosure. It can also deactivate certain security restrictions like XSS Filters and the Same Origin Policy in the victim's browsers, leaving them susceptible to malicious attacks.
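Review bot: the new Memcache Injection section has several typos that should be fixed before merge: "plarform" to "platform", "shuold" to "should", "comands" to "commands", "vistims" to "victims", "usrnames" to "usernames", and in the Impacts paragraph "The impact of CRLF injections vary" to "varies". The closing line is also mis-linked: `**For the full information read the**[ **original writeup**](…)****` has the space inside the link text and a trailing empty bold; write it as `**For the full information read the** [**original writeup**](https://www.sonarsource.com/blog/zimbra-mail-stealing-clear-text-credentials-via-memcache-injection/)`. Finally, the section explains the cause (request data reaching the clear-text protocol unsanitized) but never states the fix; one sentence saying that user-derived key material must be rejected or encoded when it contains newlines or other whitespace, since the clear-text protocol uses those to delimit commands, would complete it.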
@ -227,9 +247,7 @@ The best prevention technique is to not use users input directly inside response
## References

* [**https://www.acunetix.com/websitesecurity/crlf-injection/**](https://www.acunetix.com/websitesecurity/crlf-injection/)
* ****[**https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning**](https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning)****


* [**https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning**](https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning)

<img src="../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">

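Review bot: replacing the `****`-wrapped PortSwigger reference with a clean link is the right fix, and the same stray `****` should be removed from the "For the full information read the" line added earlier in this commit so the two are consistent. The `<img>` that follows the list has `alt=""` and no caption; sitting directly under "## References" it reads as part of the list, so either give it a descriptive `alt` or keep it with the hiring text it belongs to.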
@ -239,12 +257,12 @@ If you are interested in **hacking carer** and hack the unhackable - **we are hi

<details>

<summary><strong><a href="https://www.twitch.tv/hacktricks_live/schedule">🎙️ HackTricks LIVE Twitch</a> Wednesdays 5.30pm (UTC) 🎙️ - <a href="https://www.youtube.com/@hacktricks_LIVE">🎥 Youtube 🎥</a></strong></summary>
<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

</details>
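Review bot: this footer block is a verbatim copy of the header block edited at line 2 of the same file, including the malformed 🐦 link (`…/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md`); apply the same `https://emojipedia.org/bird/` fix and the missing space before `[**@carlospolopm**]` here too, otherwise the two copies drift with every edit.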