14 KiB
邮件注入
使用Trickest可以轻松构建和自动化由全球最先进的社区工具提供支持的工作流程。
立即获取访问权限:
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
- 你在一家网络安全公司工作吗?你想在HackTricks中看到你的公司广告吗?或者你想要访问PEASS的最新版本或下载PDF格式的HackTricks吗?请查看订阅计划!
- 发现我们的独家NFTs收藏品The PEASS Family
- 获取官方PEASS和HackTricks周边产品
- 加入💬 Discord群组或电报群组,或在Twitter上关注我🐦@carlospolopm。
- 通过向hacktricks repo 和hacktricks-cloud repo 提交PR来分享你的黑客技巧。
在发送的电子邮件中注入
在发送者参数之后注入抄送和密送
From:sender@domain.com%0ACc:recipient@domain.co,%0ABcc:recipient1@domain.com
注入参数
The message will be sent to the recipient and recipient1 accounts.
注入参数
From:sender@domain.com%0ATo:attacker@domain.com
注入主题参数
An email injection vulnerability occurs when an attacker is able to inject malicious content into the subject field of an email. This can be done by manipulating the input data in a way that allows the attacker to insert additional commands or characters into the subject field.
Email injections can be used to perform various malicious activities, such as sending spam emails, phishing attacks, or even executing arbitrary code on the recipient's system.
To exploit an email injection vulnerability, the attacker needs to identify a vulnerable input field where the subject of the email is not properly validated or sanitized. Once a vulnerable input field is identified, the attacker can inject their malicious content by appending it to the subject argument.
For example, consider the following vulnerable code snippet:
$subject = $_GET['subject'];
mail($to, $subject, $message);
In this code, the subject argument is directly taken from the user input without any validation or sanitization. An attacker can exploit this vulnerability by injecting additional commands or characters into the subject argument.
To prevent email injections, it is important to properly validate and sanitize all user input before using it in email functions. This can be done by implementing input validation techniques, such as whitelisting or blacklisting certain characters, or by using parameterized queries to prevent SQL injections.
By following secure coding practices and regularly updating software, developers can mitigate the risk of email injection vulnerabilities and protect their applications from potential attacks.
From:sender@domain.com%0ASubject:This is%20Fake%20Subject
伪造的主题将被添加到原始主题中,在某些情况下可能会替换原始主题。这取决于邮件服务的行为。
更改消息正文
注入两行换行符,然后编写您的消息以更改消息的正文。
From:sender@domain.com%0A%0AMy%20New%20%0Fake%20Message.
PHP mail() 函数的利用
The PHP mail() function is commonly used to send emails from a web application. However, if not properly secured, it can be vulnerable to email injection attacks. Email injection occurs when an attacker is able to manipulate the email headers and inject malicious content into the email.
PHP mail() 函数通常用于从 Web 应用程序发送电子邮件。然而,如果没有正确地进行安全保护,它可能会受到电子邮件注入攻击的威胁。电子邮件注入是指攻击者能够操纵电子邮件头,并向电子邮件中注入恶意内容。
Exploiting email injection
To exploit email injection, an attacker needs to find a vulnerable form or input field that directly passes user input to the mail() function without proper sanitization or validation. The attacker can then craft a malicious payload that includes additional email headers and content.
要利用电子邮件注入,攻击者需要找到一个存在漏洞的表单或输入字段,该表单或输入字段直接将用户输入传递给 mail() 函数,而没有进行适当的过滤或验证。然后,攻击者可以构造一个恶意负载,其中包括额外的电子邮件头和内容。
Injecting additional headers
By injecting additional headers, an attacker can manipulate the behavior of the email. For example, they can set the "From" header to a spoofed email address, making it appear as if the email was sent from someone else. They can also add multiple recipients, including BCC recipients, without the knowledge of the original sender.
通过注入额外的头部,攻击者可以操纵电子邮件的行为。例如,他们可以将 "From" 头部设置为伪造的电子邮件地址,使其看起来像是由其他人发送的电子邮件。他们还可以在不让原始发送者知道的情况下,添加多个收件人,包括密送收件人。
Injecting malicious content
In addition to manipulating headers, an attacker can inject malicious content into the email body. This can include HTML or JavaScript code that, when executed, can lead to further exploitation or compromise of the recipient's system.
除了操纵头部之外,攻击者还可以将恶意内容注入到电子邮件正文中。这可以包括 HTML 或 JavaScript 代码,当执行时,可能会导致进一步的利用或对收件人系统的妥协。
Prevention and mitigation
To prevent email injection attacks, it is important to properly sanitize and validate user input before passing it to the mail() function. This includes removing or encoding any special characters that could be used to manipulate email headers or inject malicious content.
为了防止电子邮件注入攻击,重要的是在将用户输入传递给 mail() 函数之前,正确地进行输入过滤和验证。这包括删除或编码可能用于操纵电子邮件头部或注入恶意内容的特殊字符。
Additionally, it is recommended to use a secure email library or framework that handles email sending and validation in a more secure manner. These libraries often have built-in protections against email injection attacks.
此外,建议使用安全的电子邮件库或框架,以更安全的方式处理电子邮件的发送和验证。这些库通常具有针对电子邮件注入攻击的内置保护机制。
By implementing these security measures, you can protect your web application from email injection vulnerabilities and ensure the integrity and security of your email communications.
通过实施这些安全措施,您可以保护您的 Web 应用程序免受电子邮件注入漏洞的威胁,并确保电子邮件通信的完整性和安全性。
# The function has the following definition:
php --rf mail
Function [ <internal:standard> function mail ] {
- Parameters [5] {
Parameter #0 [ <required> $to ]
Parameter #1 [ <required> $subject ]
Parameter #2 [ <required> $message ]
Parameter #3 [ <optional> $additional_headers ]
Parameter #4 [ <optional> $additional_parameters ]
}
}
第5个参数($additional_parameters)
本节将基于假设攻击者控制该参数的滥用方式。
该参数将添加到命令行中,PHP将用它来调用二进制sendmail。然而,它将通过函数escapeshellcmd($additional_parameters)进行过滤。
在这种情况下,攻击者可以注入sendmail的额外参数。
/usr/sbin/sendmail实现的差异
sendmail接口是由系统上安装的MTA邮件软件(Sendmail、Postfix、Exim等)提供的。尽管出于兼容性原因,基本功能(如-t -i -f参数)保持相同,但其他功能和参数根据安装的MTA而有很大差异。
以下是sendmail命令/接口的不同man页面的几个示例:
- Sendmail MTA: http://www.sendmail.org/~ca/email/man/sendmail.html
- Postfix MTA: http://www.postfix.org/mailq.1.html
- Exim MTA: https://linux.die.net/man/8/eximReferences
根据sendmail的来源,已经发现了不同的选项来滥用它们并泄露文件甚至执行任意命令。在https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html中查看如何操作。
在电子邮件名称中进行注入
忽略的电子邮件部分
符号:**+,-和{}**在极少数情况下可用于标记,并被大多数电子邮件服务器忽略。
- 例如:john.doe+intigriti@example.com → john.doe@example.com
括号()中的注释在开头或结尾也将被忽略。
- 例如:john.doe(intigriti)@example.com → john.doe@example.com
白名单绕过
引号
IP地址
您还可以使用IP地址作为方括号之间的域名:
- john.doe@[127.0.0.1]
- john.doe@[IPv6:2001:db8::1]
其他漏洞
第三方SSO
XSS
一些服务(如github或salesforce)允许您在电子邮件地址中使用XSS有效负载。如果您可以使用这些提供商登录其他服务,并且这些服务没有正确地对电子邮件进行过滤,您可能会引发XSS。
接管账户
如果SSO服务允许您创建一个未经验证的电子邮件地址的帐户(如salesforce),然后您可以使用该帐户登录信任salesforce的其他服务,您可以访问任何帐户。
请注意,salesforce会指示给定的电子邮件是否已验证,因此应用程序应考虑此信息。
回复地址(Reply-To)
您可以使用_From: company.com和Replay-To: attacker.com_发送电子邮件,如果由于电子邮件是从内部地址发送的而发送了自动回复,则攻击者可能能够接收该响应。
强制退信率(Hard Bounce Rate)
一些应用程序(如AWS)具有强制退信率(在AWS中为10%),当超载时,电子邮件服务将被阻止。
强制退信是由于某些永久原因无法传递的电子邮件。也许是电子邮件是虚假地址,也许是电子邮件域不是真实域,或者可能是电子邮件接收者的服务器不接受电子邮件。这意味着,如果1000封电子邮件中有100封是虚假的或无效的,导致所有电子邮件都被退回,AWS SES将阻止您的服务。
因此,如果您能够从Web应用程序发送邮件(例如邀请函)到任何电子邮件地址,您可以通过向不存在的用户和域发送数百封邀请函来引发此阻止:电子邮件服务拒绝服务攻击(Email service DoS)。
参考资料
- https://resources.infosecinstitute.com/email-injection/
- https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html
- https://drive.google.com/file/d/1iKL6wbp3yYwOmxEtAg1jEmuOf8RM8ty9/view
- https://www.youtube.com/watch?app=desktop&v=4ZsTKvfP1g0
☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
- 您在网络安全公司工作吗?您想在HackTricks中看到您的公司广告吗?或者您想获得PEASS的最新版本或下载PDF格式的HackTricks吗?请查看SUBSCRIPTION PLANS!
- 发现我们的独家NFTs收藏品The PEASS Family
- 获取官方PEASS和HackTricks周边产品
- 加入💬 Discord群组 或 电报群组,或在Twitter上关注我🐦@carlospolopm。
- 通过向hacktricks repo 和hacktricks-cloud repo 提交PR来分享您的黑客技巧。
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}