HackTricks
Email Injections
Support HackTricks and get benefits!

Email Header Injection

Inject Cc and Bcc headers after the sender argument

The message will be sent to the recipient and recipient1 accounts as well as the original one.

Inject argument

The message will be sent to both the original recipient and the attacker's account.

Inject Subject argument

From:[email protected]%0ASubject:This is%20Fake%20Subject

The fake subject will be added to the original subject and in some cases will replace it. It depends on the behaviour of the mail service.

Change the body of the message

Inject two line feeds (%0A%0A), which terminate the header block, then write your text: everything after the blank line is treated as the body of the message.

From:[email protected]%0A%0AMy%20New%20Fake%20Message.
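The injections above all rely on a raw CR or LF reaching the header block that the application hands to mail(). The following PHP is an added example (it is not code from the HackTricks page): it puts the classic vulnerable contact-form pattern next to a hardened version that refuses any header value containing CR, LF or NUL, and it runs the page's payload shapes (with a constructed sender@example.com address) through the check. The function names, addresses and sample inputs are constructed; the demonstration never actually sends mail.

```php
<?php
// Added example, not part of the original page. Names and inputs are constructed.

// Vulnerable: the user-supplied address goes straight into the header block,
// so a value containing %0A (a newline) becomes a second header line, or, after
// two newlines, a replacement body.
function contact_form_vulnerable(string $userEmail, string $message): bool
{
    $headers = "From: " . $userEmail;
    return mail("support@example.com", "Contact form", $message, $headers);
}

// CR, LF and NUL are the characters that let an input escape its own header.
function contains_header_injection(string $value): bool
{
    return preg_match('/[\r\n\x00]/', $value) === 1;
}

// Hardened: reject injection characters, validate the address, and keep the
// user's address out of From: entirely. A fixed, trusted From: also keeps
// SPF/DMARC alignment intact; the user's address goes into Reply-To.
function contact_form_hardened(string $userEmail, string $message): bool
{
    if (contains_header_injection($userEmail)
        || filter_var($userEmail, FILTER_VALIDATE_EMAIL) === false) {
        // Log the raw bytes so an injection attempt is visible in the logs.
        error_log("mail: header injection attempt rejected: " . bin2hex($userEmail));
        return false;
    }
    $headers = "From: noreply@example.com\r\nReply-To: " . $userEmail;
    return mail("support@example.com", "Contact form", $message, $headers);
}

// Demonstration with constructed inputs (nothing is sent): the payload shapes
// from the page, URL-decoded the way a web server would deliver them.
$samples = [
    "sender@example.com",
    urldecode("sender@example.com%0ACc:recipient1@example.com"),
    urldecode("sender@example.com%0ASubject:This is%20Fake%20Subject"),
    urldecode("sender@example.com%0A%0AMy%20New%20Fake%20Message."),
];
foreach ($samples as $s) {
    $verdict = contains_header_injection($s) ? "REJECT" : "accept";
    // json_encode() shows the embedded \n explicitly.
    printf("%-7s %s\n", $verdict, json_encode($s));
}
```

Only the first sample is accepted; the other three contain the newline that the injections depend on and are rejected before mail() is ever called.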

PHP mail() function exploitation

# The function has the following definition:

php --rf mail

Function [ <internal:standard> function mail ] {

  - Parameters [5] {
    Parameter #0 [ <required> $to ]
    Parameter #1 [ <required> $subject ]
    Parameter #2 [ <required> $message ]
    Parameter #3 [ <optional> $additional_headers ]
    Parameter #4 [ <optional> $additional_parameters ]
  }
}

The 5th parameter ($additional_parameters)

This section covers how this parameter can be abused, assuming an attacker controls it.
This parameter is appended to the command line PHP uses to invoke the sendmail binary. It is first sanitised with escapeshellcmd($additional_parameters), which escapes shell metacharacters but leaves whitespace untouched, so a single value can still be split into several arguments.
An attacker can therefore inject extra parameters for sendmail in this case.
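To make the sanitisation gap concrete from the defender's side, here is an added PHP example (not code from the page): one helper shows how many command-line tokens a value still yields after escapeshellcmd(), and a wrapper shows the safe pattern of never passing user text into the 5th parameter at all, instead building a single -f argument from a strictly validated envelope sender. Function names, addresses and sample inputs are constructed; nothing is sent.

```php
<?php
// Added example, not part of the original page. Names and inputs are constructed.

// escapeshellcmd() neutralises shell metacharacters but does not touch
// whitespace, so one user-controlled string can still become several
// sendmail arguments. This counts the tokens the shell would see.
function escaped_argument_count(string $userValue): int
{
    $escaped = escapeshellcmd($userValue);
    return count(preg_split('/\s+/', trim($escaped), -1, PREG_SPLIT_NO_EMPTY));
}

// Return the envelope sender to use, or null if the value is not one plain
// mailbox. Whitespace, control characters, quotes and backslashes are refused
// before any escaping happens, so a second "-option" token cannot be smuggled in.
function safe_envelope_sender(string $candidate): ?string
{
    if (preg_match('/[\s\x00-\x1f\x7f"\'\\\\]/', $candidate)) {
        return null;
    }
    if (filter_var($candidate, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $candidate;
}

// Safe pattern: the application builds the 5th parameter itself from a
// validated value; raw user input never reaches the sendmail command line.
function send_with_return_path(string $to, string $subject, string $body, string $requestedSender): bool
{
    $sender = safe_envelope_sender($requestedSender);
    if ($sender === null) {
        error_log("mail: rejected envelope sender " . bin2hex($requestedSender));
        return false;
    }
    return mail($to, $subject, $body, "From: " . $sender, "-f" . $sender);
}

// Demonstration with constructed inputs (nothing is sent).
$inputs = [
    "sender@example.com",              // legitimate
    "sender@example.com extra-token",  // survives escapeshellcmd() as 2 arguments
    "sender@example.com;other",        // ';' is escaped, but the address is invalid
];
foreach ($inputs as $in) {
    printf("%-34s tokens after escapeshellcmd: %d  envelope sender: %s\n",
        json_encode($in),
        escaped_argument_count($in),
        safe_envelope_sender($in) ?? "rejected");
}
```

The second input is the case that matters: escapeshellcmd() returns it unchanged and the shell splits it into two arguments, which is exactly the extra-parameter injection described above, and only the whitelist-style validation in safe_envelope_sender() stops it.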

Differences in the implementation of /usr/sbin/sendmail

The sendmail interface is provided by whichever MTA software (Sendmail, Postfix, Exim, etc.) is installed on the system. Although the basic functionality (such as the -t, -i and -f parameters) stays the same for compatibility reasons, other functions and parameters vary greatly depending on the MTA installed.
Here are a few examples of different man pages for the sendmail command/interface:
  • Sendmail MTA: http://www.sendmail.org/~ca/email/man/sendmail.html
  • Postfix MTA: http://www.postfix.org/mailq.1.html
  • Exim MTA: https://linux.die.net/man/8/exim
Depending on which MTA provides the sendmail binary, different options have been found that can be abused to leak files or even execute arbitrary commands. See how in https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html
