A server cache is an information technology for the temporary storage of data, to reduce server lag. I find a lot of those technologies in my daily work while doing penetration testing. Memcached is one of them and I’d like to talk about it and how to extract informations from it.

TL;DR Link to heading

Memcached is a distributed memory object caching system, is an in-memory key-value store for small chunks of arbitrary data (strings, objects) from results of database calls, API calls, or page rendering.

Security Link to heading

Memcached exposes TCP port 11211 and bind it to localhost, however it’s still possible to communicate with this port via SSRF or literary movement techniques.

Protocol Link to heading

Clients of memcached communicate with server through TCP connections. A simple raw commands can be performed to do various things with memcached.

More Commands can be found here.

Memcached Extractor Link to heading

Now let’s see how to extract the slabs from a memcached instance and then find the keys and values stored in those slabs. First, let’s connect to the server using netcat

nc 11211

After successfully connected, let’s print memory statistics with :

stats slabs

STAT 16:chunk_size 2904
STAT 16:chunks_per_page 361
STAT 16:total_pages 1
STAT 16:total_chunks 361
STAT 16:used_chunks 0
STAT 16:free_chunks 361
STAT 16:free_chunks_end 0
STAT 16:mem_requested 0
STAT 16:get_hits 14
STAT 16:cmd_set 7
STAT 16:delete_hits 0
STAT 16:incr_hits 0
STAT 16:decr_hits 0
STAT 16:cas_hits 0
STAT 16:cas_badval 0
STAT 16:touch_hits 0
STAT 26:chunk_size 27120
STAT 26:chunks_per_page 38
STAT 26:total_pages 1
STAT 26:total_chunks 38
STAT 26:used_chunks 0
STAT 26:free_chunks 38
STAT 26:free_chunks_end 0
STAT 26:mem_requested 0
STAT 26:get_hits 7046
STAT 26:cmd_set 33
STAT 26:delete_hits 0
STAT 26:incr_hits 0
STAT 26:decr_hits 0
STAT 26:cas_hits 0
STAT 26:cas_badval 0
STAT 26:touch_hits 0
STAT active_slabs 2
STAT total_malloced 2078904

If you notice in our example we have two different values 16 and 26. We will be using those values to fetch the key’s names associated with them.

stats cachedump 16 0

ITEM stock [2807 b; 1549317135 s]

stats cachedump 26 0

ITEM users [24625 b; 1549317140 s]

As you can see now we have the key’s names which are stock and users, now let’s extract all the data associated with those keys with the command :

get stock

VALUE stock 0 2807
{"1": {"product": "Apples - Sliced / Wedge", "qty": 568}, "2": {"product": "Appetizer - Tarragon Chicken", "qty": 16}}

References: Link to heading