11211 - memcached
Overview
Memcached is a distributed in-memory key-value store caching system. It is often used to speed up dynamic database-driven websites by caching data and objects in RAM to reduce the number of times an external data source (such as a database or API) must be read.
Memcached is a free and open-source software written in C, that runs on Unix-like operating systems (at least Linux and OS X) and on Microsoft Windows.
Memcached's APIs provide a very large hash table distributed across multiple machines. When the table is full, subsequent inserts cause older data to be purged in least recently used (LRU) order. Expired items are removed first then the least used items are overwritten so that the frequently requested information can be retained in memory.
Memcached is widely used for large scale web application, including major players like YouTube, Reddit, Facebook, Twitter, and Wikipedia.
Memcached supports the only following data structure, called an "item" which consists of:
A key (arbitrary string up to 250 bytes in length. No space or newlines for ASCII mode)
A 32bit "flag" value
An expiration time, in seconds. '0' means never expire. Can be up to 30 days.
A 64bit "CAS" value, which is kept unique.
Arbitrary item data
Supported commands
Memcached handles a small number of basic commands:
| Command | Description | Example |
|---|---|---|
| Print memcached version | version |
| Increases log level | verbosity |
| Prints general memcached instance statistics | stats |
| Prints memory statistics including number of active slabs | stats slabs |
| Prints items stored broken down by slab | stats items STAT items:<SLAB_ID>:number 1 ... |
| Undocumented command that still exists in 1.4.5 but might be removed at anytime. Prints keys per slab id, limited to dump of one page (1MB of data) | stats cachedump 3 100 |
| Prints others statistics information | stats ... |
| Reads the value associated to the specified key | get key1 |
| Set a key and its associated parameters and data | set key1 0 60 4 \r\ndata\r |
| Add a new key and its associated parameters and data | add key2 0 60 5 \r\ndata2\r |
| Overwrite existing key and its associated parameters and data | add key1 0 60 5 \r\ndata1\r |
| Append data to the specified existing key | append key2 0 60 15 |
| Prepend data to existing key | prepend key2 0 60 15 |
| Increments numerical key value by given number | incr key_int 2 |
| Decrements numerical key value by given number | decr key_int 2 |
| Deletes the specified existing key | delete key2 |
| Invalidate all items immediately | flush_all |
| Invalidate all items in the specified number of seconds | flush_all 60 |
| Terminate current session | quit |
Network scan
nmap can be used to scan the network for memcached services:
Unrestricted keys dumping
As most deployments of memcached are within trusted networks, no authentication mechanism is implemented by default. Thus clients may connect freely to the memcached instance to retrieve the content cached, which may contain sensible information.
The dumping of the keys and their associated data relies on the undocumented command stats cachedump, which is needed to retrieve the keys. The command could be removed at anytime.
The process to dump the memcached keys and values is as follow:
The following bash script, courtesy of Omar Al-Ithawi, can be used to automate the process above. Note that the script is not adapted for larger memcached instance.
References
https://lzone.de/cheat-sheet/memcached https://stackoverflow.com/questions/19560150/get-all-keys-set-in-memcached
Last updated