The New Page of Injections Book - Memcached Injections

Explore memcached injections in this 49-minute Black Hat conference talk by Ivan Novikov. Dive into the world of distributed memory caching systems and their vulnerabilities. Learn about input validation issues in memcached wrappers for popular web development platforms like Go, Ruby, Java, Python, PHP, Lua, and .NET. Discover how to perform "SQL Injection-like" attacks on memcached services, potentially leading to authentication bypass or arbitrary code execution. Examine the memcached protocol, command types, and various injection techniques. Understand the scope of the research, including command and argument injections, state breaking, and post-exploitation scenarios. Witness a real-world remote code execution demonstration and gain insights into securing big-data Internet projects that rely on memcached for performance optimization.

Intro
Memcached BIO
Shodan stats
Protocol overview
Commands types
How applications uses memcached
Memcached wrappers
Scope of research
Injection types
Command injection
State breaking
Who is vulnerable
Argument injection
Length breaking
Post exploitation
Application level
Deserialization
RCE demo