hacktricks/pentesting-web/email-injections.md
2024-02-10 17:52:19 +00:00


Email Injections



Inject in sent e-mail

Inject Cc and Bcc after sender argument

From:sender@domain.com%0ACc:recipient@domain.co,%0ABcc:recipient1@domain.com

Inject argument


From:sender@domain.com%0ATo:attacker@domain.com

Inject Subject argument

Injecting a subject argument allows an attacker to manipulate the subject line of an email. By exploiting this vulnerability, an attacker can deceive the recipient into believing that the email is legitimate or urgent, increasing the chances of the recipient opening the email and taking the desired action.

To perform an email injection attack, the attacker needs to identify the vulnerable input field where the subject argument is passed. This can typically be found in the email creation or sending functionality of a web application.

Once the vulnerable input field is identified, the attacker can inject malicious code or special characters to manipulate the subject line. For example, by injecting line breaks or special characters such as "%0a" or "%0d", the attacker can create multiple subject lines or modify the appearance of the subject line.

The impact of a successful email injection attack can vary depending on the attacker's intentions. Some possible consequences include:

  • Phishing: The attacker can craft a convincing email that appears to be from a trusted source, such as a bank or an online service, and trick the recipient into revealing sensitive information.

  • Malware delivery: By manipulating the subject line, the attacker can deceive the recipient into opening an email attachment or clicking on a malicious link, leading to the delivery of malware onto the recipient's system.

  • Account takeover: If the attacker can manipulate the subject line to trick the recipient into clicking on a link that leads to a fake login page, they can capture the recipient's credentials and gain unauthorized access to their account.

To prevent email injection attacks, it is essential to implement proper input validation and sanitization techniques. This includes validating and filtering user input to remove or encode any special characters that could be used for injection. Additionally, using secure coding practices and keeping software and libraries up to date can help mitigate the risk of email injection vulnerabilities.

From:sender@domain.com%0ASubject:This is%20Fake%20Subject


The fake subject will be added to the original subject and in some cases will replace it. It depends on the mail service behavior.

Change the body of the message

Inject two line feeds, then write your message to change the body of the message. The empty line ends the header block, so everything after it is treated as the body.

From:sender@domain.com%0A%0AMy%20New%20Fake%20Message.
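The payloads above all depend on a line break surviving into the header block, so they can be recognised before the message is built. The following is an added example, not code from the original page: a PHP check that reports which headers, or which body text, a submitted field value would inject. The function name is hypothetical, and it assumes the form field supplies only the part after "From:".

```php
<?php
// Added example: report what a submitted address field would inject if it
// were concatenated after "From:". The function name is hypothetical.
function analyze_header_value(string $raw): array
{
    $value = rawurldecode($raw);            // value as the app sees it after decoding
    if (!preg_match('/[\r\n]/', $value)) {
        return ['injection' => false, 'headers' => [], 'body' => null];
    }
    // Split on CRLF, CR or LF; the first line is the legitimate value.
    $lines = preg_split('/\r\n|\r|\n/', $value);
    array_shift($lines);
    $headers = [];
    $body = null;
    foreach ($lines as $i => $line) {
        if ($line === '') {                 // blank line ends the header block
            $body = implode("\n", array_slice($lines, $i + 1));
            break;
        }
        if (preg_match('/^([A-Za-z0-9-]+)\s*:/', $line, $m)) {
            $headers[] = ucfirst(strtolower($m[1]));
        }
    }
    return ['injection' => true, 'headers' => $headers, 'body' => $body];
}

// Field values taken or adapted from the payloads above, without "From:".
$samples = [
    'sender@domain.com',
    'sender@domain.com%0ACc:recipient@domain.co,%0ABcc:recipient1@domain.com',
    'sender@domain.com%0ATo:attacker@domain.com',
    'sender@domain.com%0ASubject:This is%20Fake%20Subject',
    'sender@domain.com%0A%0AMy%20New%20Fake%20Message.',
];
foreach ($samples as $s) {
    $r = analyze_header_value($s);
    printf(
        "%-7s headers=[%s] body=%s\n",
        $r['injection'] ? 'INJECT' : 'clean',
        implode(',', $r['headers']),
        $r['body'] === null ? '-' : '"' . $r['body'] . '"'
    );
}
```

The same function can be run over logged form submissions to find earlier attempts; in the request path, any value it flags should be rejected rather than cleaned.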

PHP mail() function exploitation

Description

The PHP mail() function is commonly used to send emails from a web application. However, if not properly secured, it can be vulnerable to email injection attacks. Email injection occurs when an attacker is able to manipulate the email headers and inject malicious content into the email.

Exploitation

To exploit the PHP mail() function, an attacker can craft input that adds extra headers with malicious content to the outgoing email. These additional headers can be used to perform various attacks, such as:

  • Email header injection: By injecting newline characters and additional headers, an attacker can manipulate the email headers and potentially perform actions like sending spam emails or redirecting the email to a different recipient.

  • Cross-site scripting (XSS): If the email content is not properly sanitized, an attacker can inject malicious JavaScript code into the email body. When the recipient opens the email, the JavaScript code will be executed in their browser, allowing the attacker to perform actions on their behalf.

  • Remote code execution: In some cases, an attacker may be able to inject PHP code into the email body. If the email is processed by a vulnerable server, this code can be executed, leading to remote code execution vulnerabilities.

Prevention

To prevent email injection attacks, it is important to properly sanitize and validate user input before using it in the mail() function. Here are some best practices to follow:

  • Input validation: Validate and sanitize all user input, especially when it is used in email headers or the email body.

  • Header encoding: Properly encode email headers to prevent injection of additional headers or newline characters.

  • Content filtering: Implement content filtering mechanisms to detect and block malicious content, such as JavaScript code or PHP code.

  • Secure email libraries: Consider using secure email libraries that handle email sending and validation in a more secure manner, such as the PHPMailer library.

By following these best practices, you can mitigate the risk of email injection vulnerabilities in your PHP applications.
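The input validation and header encoding practices above can be combined in one place. This is an added example, not code from the original page or from PHP itself: it builds the arguments for mail() from untrusted form input. The function names and the example.test addresses are hypothetical, and it assumes the mbstring extension and PHP 7.2 or later (for the array form of the headers argument).

```php
<?php
declare(strict_types=1);
// Added example: build mail() arguments from untrusted form input.
// safe_mail_args() and the example.test addresses are hypothetical.

function assert_single_line(string $field, string $value): string
{
    // CR, LF and NUL are the characters that end or split a header line.
    if (preg_match('/[\r\n\x00]/', $value)) {
        throw new InvalidArgumentException("$field contains a line break");
    }
    return trim($value);
}

function safe_mail_args(string $replyTo, string $subject, string $message): array
{
    $replyTo = assert_single_line('reply-to', $replyTo);
    if (filter_var($replyTo, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('reply-to is not a valid address');
    }
    $subject = assert_single_line('subject', $subject);
    // RFC 2047 encoded-words keep non-ASCII subjects inside one header.
    $subject = mb_encode_mimeheader($subject, 'UTF-8', 'B', "\r\n");
    return [
        'to'      => 'support@example.test',   // fixed by the app, never user input
        'subject' => $subject,
        'message' => str_replace(["\r\n", "\r"], "\n", $message),
        // Array form: one element per header, no manual "\r\n" joins.
        'headers' => [
            'From'         => 'noreply@example.test',
            'Reply-To'     => $replyTo,
            'Content-Type' => 'text/plain; charset=UTF-8',
        ],
    ];
}

// Constructed inputs: a normal address and a value carrying an extra header.
foreach (['user@domain.com', "sender@domain.com\nBcc:recipient1@domain.com"] as $in) {
    try {
        $a = safe_mail_args($in, 'Contact form', 'Hello');
        // mail($a['to'], $a['subject'], $a['message'], $a['headers']);
        echo "accepted: {$a['headers']['Reply-To']}\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
}
```

The user-supplied address goes only into Reply-To; From and the recipient stay under the application's control, and the fifth mail() parameter is never built from input.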

# The function has the following definition:

php --rf mail

Function [ <internal:standard> function mail ] {
  - Parameters [5] {
    Parameter #0 [ <required> $to ]
    Parameter #1 [ <required> $subject ]
    Parameter #2 [ <required> $message ]
    Parameter #3 [ <optional> $additional_headers ]
    Parameter #4 [ <optional> $additional_parameters ]
  }
}

The 5th parameter ($additional_parameters)
