Understanding Memcache Injection

Inecjtion

In this article, I will be talking about memcached injection. Memcache injection is a type of injection attack that targets the Memcache distributed memory caching system. Memcache is a popular system for storing and retrieving data in a distributed cache in order to speed up web applications.

In a Memcache injection attack, an attacker can send malicious data to a web application that is using Memcache, which is then stored in the cache. The malicious data can be in the form of a command or query that is executed by the web application when it retrieves the data from the cache. This can allow the attacker to gain unauthorized access to sensitive information, modify or delete data, or perform other malicious actions.

To protect against Memcache injection attacks, it is important to properly sanitize any user-supplied input before storing it in the cache. This can be done using functions such as mysql_real_escape_string or addslashes to escape special characters that have a special meaning in the context of Memcache.

It is also a good idea to use prepared statements and parameterized queries to separate the data from the query, and to use a strong key hashing function to ensure that keys are unique and cannot be easily guessed by an attacker.

In addition, you should keep the Memcache server and any other dependencies up to date to ensure that you are protected against known vulnerabilities.

In summary, Memcache injection is a type of injection attack that targets the Memcache system. To protect against this type of attack, it is important to properly sanitize user-supplied input, use prepared statements and parameterized queries, and keep the Memcache server and dependencies up to date.

Here is an example of a Memcache injection attack in PHP:

$key = $_POST['key'];
$value = $_POST['value'];

// The attacker can send a key that includes a command or query
// For example: "key; delete users; key"

$memcache = new Memcache();
$memcache->connect('localhost', 11211);
$memcache->set($key, $value);

// The malicious command or query will be stored in the cache and may be executed later

To protect against this type of attack, you can sanitize the user-supplied input by escaping special characters that have a special meaning in the context of Memcache. For example:

$safe_key = addslashes($_POST['key']);
$safe_value = addslashes($_POST['value']);

$memcache = new Memcache();
$memcache->connect('localhost', 11211);
$memcache->set($safe_key, $safe_value);

It is important to note that both mysql_real_escape_string and addslashes have been deprecated as of PHP 7.4 and should no longer be used. Instead, you should use prepared statements and parameterized queries, which are more secure and easier to use. Prepared statements allow you to separate the data from the query, and the database engine automatically handles the proper escaping of the data.

To use prepared statements and parameterized queries with Memcache, you can use the memcache_set function with the MEMCACHE_COMPRESSED flag.

For example:

$memcache = new Memcache();
$memcache->connect('localhost', 11211);

$stmt = $memcache->prepare("set key:? 0 600 9");
$stmt->bind_param("s", $key);
$stmt->send_long_data(0, $value);
$stmt->execute();

In summary, it is important to properly sanitize user-supplied input to protect against Memcache injection attacks. You can use prepared statements and parameterized queries to separate the data from the query and ensure that it is properly escaped.

Canal Plus

In this article, I talked about memcached injection, see you in my next article, take care of yourself.

From Infosec Writeups: A lot is coming up in the Infosec every day that it’s hard to keep up with. Join our weekly newsletter to get all the latest Infosec trends in the form of 5 articles, 4 Threads, 3 videos, 2 GitHub Repos and tools, and 1 job alert for FREE!