Mirror of https://github.com/carlospolop/hacktricks, synced 2024-11-28 15:41:34 +00:00
# Email Injections
<figure><img src="../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily **build and automate workflows** powered by the world's **most advanced** community tools.
Get Access Today:
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
## Inject in sent e-mail
### Inject Cc and Bcc after sender argument
```
From:sender@domain.com%0ACc:recipient@domain.co,%0ABcc:recipient1@domain.com
```
### Inject To argument
```
From:sender@domain.com%0ATo:attacker@domain.com
```
### Inject Subject argument

The mechanism is the same as for the `Cc`/`Bcc` and `To` cases: if a user-controlled value is copied into a mail header without being checked for line breaks, a line feed (`%0A`) or carriage return (`%0D`) inside it ends the current header line and whatever follows is parsed as a new header. An attacker who controls the sender field can therefore append a `Subject:` header of their own. The practical impact is the usual one for header injection: the recipient sees a subject the application never set, which makes phishing, "urgent" lures and attachment or link bait more convincing, and can be combined with a link to a fake login page to capture credentials.

To find the sink, look at every user-controlled value the application copies into a mail header (sender, reply-to, subject, recipient lists) in its contact, registration or notification features and test each one with `%0A`/`%0D` followed by a header name.

The fix is the same for every header: reject (or at the very least strip) `\r`, `\n` and other control characters from any value placed in a header, validate addresses against a strict pattern instead of trying to clean them, and prefer a maintained mail library that validates and encodes header values itself.
```
From:sender@domain.com%0ASubject:This is%20Fake%20Subject
```
**The fake subject will be added to the original subject and in some cases will replace it. It depends on the mail service behavior.**
### Change the body of the message
**Inject a two-line feed, then write your message to change the body of the message.**
```
From:sender@domain.com%0A%0AMy%20New%20Fake%20Message.
```
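The four payloads above (Cc/Bcc, To, Subject and body) all exploit the same thing, so here is one added example, not code from the HackTricks page, that feeds each of them to a naive message builder, parses the result with Python's `email` package to show exactly which extra headers or replacement body the mail system would see, and then shows the check that stops them. The builder, the `injection_effects` helper, the placeholder `victim@example.org` recipient and the validation regexes are this example's own assumptions; the payload strings are the page's, URL-decoded as a web server would decode a form field. It also covers the prevention advice given for PHP `mail()` further down (reject CR/LF in header values, validate addresses).

```python
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import unquote

# The four payloads from this page, URL-decoded the way a web server decodes a
# form field before the application sees them. Domains are placeholders
# (constructed input).
PAYLOADS = {
    "cc_bcc": unquote("sender@domain.com%0ACc:recipient@domain.co,%0ABcc:recipient1@domain.com"),
    "to": unquote("sender@domain.com%0ATo:attacker@domain.com"),
    "subject": unquote("sender@domain.com%0ASubject:This is%20Fake%20Subject"),
    "body": unquote("sender@domain.com%0A%0AMy%20New%20Fake%20Message."),
}


def build_raw_message(sender, recipient="victim@example.org",
                      subject="Hello", body="Original body"):
    """Vulnerable pattern: the user-supplied sender is concatenated verbatim,
    so any line feed inside it ends the From header and starts a new line."""
    return f"From: {sender}\nTo: {recipient}\nSubject: {subject}\n\n{body}\n".encode()


def injection_effects(sender):
    """Build the message with a tainted sender and report what a parser (and
    therefore the MTA and the mail client) will actually see.
    compat32 keeps header values as plain strings, no address parsing."""
    msg = BytesParser(policy=policy.compat32).parsebytes(build_raw_message(sender))
    return {
        "cc": msg.get_all("Cc", []),
        "bcc": msg.get_all("Bcc", []),
        "to": msg.get_all("To", []),
        "subject": msg.get_all("Subject", []),
        "body": msg.get_payload(),
    }


_CTRL = re.compile(r"[\r\n\x00]")
_ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def is_safe_header_value(value):
    """A header value must not contain CR, LF or NUL: without those the input
    cannot terminate the header it is placed in."""
    return _CTRL.search(value) is None


def is_safe_address(value):
    """Stricter check for address fields: exactly one bare address, no display
    name, no whitespace, no control characters."""
    return _ADDRESS.fullmatch(value) is not None


def build_raw_message_safe(sender, recipient="victim@example.org",
                           subject="Hello", body="Original body"):
    """Hardened builder: refuse the request instead of trying to clean it."""
    if not (is_safe_address(sender) and is_safe_address(recipient)):
        raise ValueError("address field is not a single bare address")
    if not is_safe_header_value(subject):
        raise ValueError("subject contains line-break or control characters")
    return build_raw_message(sender, recipient, subject, body)


if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print(name, injection_effects(payload))
```

Run it directly to print the parsed view of each payload: the Cc/Bcc and To payloads add recipients, the Subject payload yields two `Subject` headers (which one the client shows is client-dependent, as noted above), and the body payload ends the header block early so the application's own `To` and `Subject` headers end up inside the body. The validator rejects rather than strips: a hard reject also surfaces the attempt in logs.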
### PHP mail() function exploitation
#### Description

PHP's `mail()` builds the message from its arguments and hands it to the configured `sendmail` binary. If user input reaches `$to`, `$subject` or `$additional_headers` without a line-break check, an attacker can add headers exactly as shown in the sections above; if it reaches `$additional_parameters`, it ends up on the sendmail command line.

#### Exploitation

- **Email header injection**: newline characters in `$to`, `$subject` or `$additional_headers` add extra `Cc`, `Bcc`, `To` or `Subject` headers, or terminate the header block and replace the body, so the attacker can send spam through the application's mail server or redirect the message to another recipient.
- **Cross-site scripting (XSS)**: if the application sends HTML mail built from unsanitised input, the injected markup is rendered by the recipient's client. Whether script actually runs depends on that client: most desktop clients strip it, a webmail client that fails to sanitise does not.
- **Remote code execution**: `$additional_parameters` is passed to the sendmail binary as extra command-line options (see the 5th-parameter section below). Shell metacharacters are escaped, but additional options are not, so an attacker who controls this argument can change how sendmail runs, and that is the route by which this function becomes a code-execution sink on the server.

#### Prevention

- **Input validation**: reject any value destined for a header that contains `\r`, `\n` or other control characters, and validate addresses against a strict pattern rather than trying to clean them.
- **Header encoding**: never concatenate raw user input into `$additional_headers`; build headers through a library that validates them and encodes non-ASCII values.
- **Content filtering**: if user input must appear in an HTML body, HTML-encode it or pass it through an HTML sanitiser; plain-text mail avoids the problem entirely.
- **Secure email libraries**: use a maintained library such as PHPMailer, keep it up to date, and never pass user input as `$additional_parameters`.
```bash
# The function has the following definition:
php --rf mail

Function [ <internal:standard> function mail ] {

  - Parameters [5] {
    Parameter #0 [ <required> $to ]
    Parameter #1 [ <required> $subject ]
    Parameter #2 [ <required> $message ]
    Parameter #3 [ <optional> $additional_headers ]
    Parameter #4 [ <optional> $additional_parameters ]
  }
}
```
#### The 5th parameter ($additional\_parameters)
This section is about abusing this parameter when **an attacker controls it**.

The value is appended to the command line PHP uses to invoke the `sendmail` binary (`sendmail_path` in `php.ini`, by default `/usr/sbin/sendmail -t -i`) after being passed through `escapeshellcmd()`. That function escapes shell metacharacters, so the attacker cannot break out into a second shell command, but it leaves spaces and `-` untouched, so the attacker can still **inject extra command-line options for sendmail**. Which options are useful depends on the MTA that provides the `sendmail` binary on the target (sendmail itself, Postfix's or Exim's compatibility wrapper) and on its command-line syntax.
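Added example (not the page's or PHP's own code) modelling what happens to `$additional_parameters`: PHP appends `escapeshellcmd($additional_parameters)` to `sendmail_path` and runs the result through `popen()`, so the shell word-splits the string into sendmail's argv. The `escapeshellcmd` function below is a model of the PHP function built from its documented character set, `SENDMAIL_PATH` is PHP's default, the attacker string with `-f` (envelope sender) and `-X` (sendmail's trace-log option) is constructed input, and `safe_additional_parameters` is an assumed hardened replacement, not anything PHP ships.

```python
import re
import shlex

# PHP's default sendmail_path.
SENDMAIL_PATH = "/usr/sbin/sendmail -t -i"

# Characters escapeshellcmd() prefixes with a backslash (PHP manual). Space
# and '-' are not in the set, which is the whole point of this example.
_META = set("#&;`|*?~<>^()[]{}$\\\n\xff")


def escapeshellcmd(s):
    """Model of PHP's escapeshellcmd(): metacharacters get a backslash; a single
    or double quote is escaped only when it has no matching partner later on."""
    out, closing = [], -1        # closing: index of the quote that ends an open pair
    for i, c in enumerate(s):
        if c in "'\"":
            if closing == -1 and (j := s.find(c, i + 1)) != -1:
                closing = j      # opening quote of a pair: passed through
            elif closing == i:
                closing = -1     # its closing partner: passed through
            else:
                out.append("\\")  # unpaired quote: escaped
            out.append(c)
        elif c in _META:
            out.append("\\" + c)
        else:
            out.append(c)
    return "".join(out)


def sendmail_argv(additional_parameters):
    """What the sendmail binary receives. PHP runs
    sendmail_path + ' ' + escapeshellcmd($additional_parameters) via popen(),
    i.e. /bin/sh -c, so the shell word-splits it; shlex.split reproduces POSIX
    word splitting and backslash removal."""
    return shlex.split(f"{SENDMAIL_PATH} {escapeshellcmd(additional_parameters)}")


_ENVELOPE_FROM = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def safe_additional_parameters(envelope_from):
    """Hardened use (assumed helper): validate the one value you actually need,
    an envelope sender, and build the option yourself. User input never
    reaches the command line as free text."""
    if not _ENVELOPE_FROM.fullmatch(envelope_from):
        raise ValueError("refusing to pass untrusted value to sendmail")
    return f"-f{envelope_from}"


if __name__ == "__main__":
    # Constructed attacker input: a bogus envelope sender plus a second option.
    print(sendmail_argv("-f attacker@example.com -X /tmp/trace.log"))
    print(sendmail_argv("x; id"))   # ';' is escaped: no second shell command
```

The two `print` calls show the asymmetry: `x; id` reaches sendmail as the harmless arguments `x;` and `id`, so classic command injection is blocked, but `-f attacker@example.com -X /tmp/trace.log` arrives as four separate argv entries, so sendmail is started with options the application never intended. Any control over this parameter therefore has to be treated as control over sendmail's command line, which is why the hardened helper only ever emits a single validated `-f` option.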