
memcached injection #4406

@andresriancho

Description

Contributor wanted

This issue is easy and is looking for a contributor: just add a comment saying you'll do it and it's yours!

Not sure where to start from? Take a look at our First steps as a contributor and Contributing 101 wiki pages.

Other interesting tasks which can be completed by new w3af contributors can be found here.

Tasks

  • Write test scripts to reproduce this issue in django-moth:
  • Draft automated detection algorithm in paper
    • Reduce false positives
    • Reduce false negatives
  • Write detection algorithm in python
  • Unittest

Automated detection

This might be interesting: with good knowledge of the payloads to be sent, we could define a set of payloads for each test that guarantees that the remote server is actually talking to a memcached instance.
For example, for Batch injection (command injection) via 0x0a/0x0d bytes we could send:

  • target.com/?id=key1 0 0 1\r\n1\r\nset injected 0 foo 10\r\n1234567890\r\n
    • Expect 500 because of the "foo" string instead of an integer in the timeout. If no 500 is sent, then there is no memcache and/or no injection
    • If 500 is not received, stop testing.
  • target.com/?id=key1 0 0 1\r\n1\r\nset injected 0 3 10\r\n1234567890\r\n
    • Expect 200; the 3 "fixed" the injection. Sending 3 (a short timeout) in order to avoid leaving many traces in the remote memcache
  • target.com/?id=key1 0 0 1\r\n1\r\nset foo 0 bar 10\r\n1234567890\r\n
    • Expect 500 because of the "bar" string instead of an integer in the timeout. This is simply a verification to make sure the previous 500 wasn't "random"

Haven't tested it
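The following is an added example, not w3af code and not the issue author's draft: it models how the memcached text protocol consumes the two payloads listed above, so the mechanism behind the expected 500/200 can be reasoned about, and shows the key validation that closes the hole. The toy server, the `id` parameter handling and the `get` context are assumptions; the real daemon reads storage-command data blocks by byte count rather than by line.

```python
import re

# Memcached text-protocol key rule (from the protocol documentation): a key is
# at most 250 bytes and contains no whitespace and no control characters.
# CR and LF are control characters, so a valid key can never end a command line.
MAX_KEY_LEN = 250
_FORBIDDEN = re.compile(rb"[\x00-\x20\x7f]")

# Constructed sample inputs: the first two payloads from the issue, as the raw
# value of the hypothetical `id` parameter after URL decoding.
INJECTED_ID = b"key1 0 0 1\r\n1\r\nset injected 0 foo 10\r\n1234567890\r\n"
FIXED_ID = b"key1 0 0 1\r\n1\r\nset injected 0 3 10\r\n1234567890\r\n"

STORAGE_COMMANDS = {b"set", b"add", b"replace", b"append", b"prepend"}


def is_valid_key(key: bytes) -> bool:
    """True if `key` satisfies the protocol's key constraints."""
    return 0 < len(key) <= MAX_KEY_LEN and _FORBIDDEN.search(key) is None


def build_get_vulnerable(user_key: bytes) -> bytes:
    """Plain concatenation: CR/LF inside user_key become command separators."""
    return b"get " + user_key + b"\r\n"


def build_get_hardened(user_key: bytes) -> bytes:
    """Reject anything a well-formed client could not have sent as a key."""
    if not is_valid_key(user_key):
        raise ValueError("invalid memcached key")
    return b"get " + user_key + b"\r\n"


def simulate_server(wire: bytes) -> list[bytes]:
    """Toy model of the server's line reader; one reply line per command seen.

    Assumptions (simplifications, not the real daemon): the data block of a
    storage command is read as the next line, numbers must be unsigned
    decimals, and only `get` plus the basic storage commands are modelled.
    """
    replies = []
    lines = wire.split(b"\r\n")
    i = 0
    while i < len(lines):
        tokens = lines[i].split()
        i += 1
        if not tokens:
            continue  # empty element after the final \r\n
        cmd = tokens[0]
        if cmd == b"get":
            replies.append(b"END")  # nothing is stored in this toy server
        elif cmd in STORAGE_COMMANDS:
            # <cmd> <key> <flags> <exptime> <bytes>: all three numbers must
            # parse, which the issue's "foo" in the exptime slot violates.
            if len(tokens) != 5 or not all(t.isdigit() for t in tokens[2:5]):
                replies.append(b"CLIENT_ERROR bad command line format")
                continue  # data block not consumed; it is read as a command
            data = lines[i] if i < len(lines) else b""
            i += 1
            if len(data) != int(tokens[4]):
                replies.append(b"CLIENT_ERROR bad data chunk")
            else:
                replies.append(b"STORED")
        else:
            replies.append(b"ERROR")
    return replies


def extra_replies(wire: bytes) -> int:
    """A single well-formed `get` yields exactly one reply; every reply beyond
    that came from a command the untrusted key smuggled in. This count is a
    protocol-level signal a proxy or test harness can alert on."""
    return max(0, len(simulate_server(wire)) - 1)


if __name__ == "__main__":
    for label, key in ((b"injected", INJECTED_ID), (b"fixed", FIXED_ID)):
        wire = build_get_vulnerable(key)
        print(label.decode(), simulate_server(wire), "extra:", extra_replies(wire))
    try:
        build_get_hardened(INJECTED_ID)
    except ValueError as exc:
        print("hardened builder rejected the key:", exc)
```

Run against the vulnerable builder, the first payload produces an `END`, an `ERROR` for the stray `1` line, a `CLIENT_ERROR` for the malformed `set`, and another `ERROR` for the orphaned data line; the second payload gets its `set` accepted (`STORED`) but still trips one `ERROR` in a `get` context. Whether an application turns any of those replies into a 500 depends on its client library, which is the part the issue leaves untested; the hardened builder sidesteps the question by refusing the key before anything reaches the socket.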

References

https://www.blackhat.com/docs/us-14/materials/us-14-Novikov-The-New-Page-Of-Injections-Book-Memcached-Injections-WP.pdf