GitBook: [#2864] update

SUMMARY.md

@@ -391,7 +391,7 @@
   * [Exploiting \_\_VIEWSTATE without knowing the secrets](pentesting-web/deserialization/exploiting-\_\_viewstate-parameter.md)
   * [Python Yaml Deserialization](pentesting-web/deserialization/python-yaml-deserialization.md)
 * [Domain/Subdomain takeover](pentesting-web/domain-subdomain-takeover.md)
-* [Email Header Injection](pentesting-web/email-header-injection.md)
+* [Email Injections](pentesting-web/email-header-injection.md)
 * [File Inclusion/Path traversal](pentesting-web/file-inclusion/README.md)
   * [phar:// deserialization](pentesting-web/file-inclusion/phar-deserialization.md)
 * [File Upload](pentesting-web/file-upload/README.md)

pentesting-web/email-header-injection.md

@@ -1,10 +1,10 @@
-# Email Header Injection
+# Email Injections
 
-[https://resources.infosecinstitute.com/email-injection/](https://resources.infosecinstitute.com/email-injection/)
+## Email Header Injection
 
 ## Inject Cc and Bcc after sender argument
 
-```text
+```
 From:sender@domain.com%0ACc:recipient@domain.co,%0ABcc:recipient1@domain.com
 ```
 
@@ -12,7 +12,7 @@ The message will be sent to the recipient and recipient1 accounts.
 
 ## Inject argument
 
-```text
+```
 From:sender@domain.com%0ATo:attacker@domain.com
 ```
 
@@ -20,7 +20,7 @@ The message will be sent to the original recipient and the attacker account.
 
 ## Inject Subject argument
 
-```text
+```
 From:sender@domain.com%0ASubject:This is%20Fake%20Subject
 ```
 
@@ -30,7 +30,49 @@ The fake subject will be added to the original subject and in some cases will re
 
 Inject a two-line feed, then write your message to change the body of the message.
 
-```text
+```
 From:sender@domain.com%0A%0AMy%20New%20%0Fake%20Message.
 ```
 
+## PHP mail() function exploitation
+
+```bash
+# The function has the following definition:
+
+php --rf mail
+
+Function [ <internal:standard> function mail ] {
+  - Parameters [5] {
+    Parameter #0 [ <required> $to ]
+    Parameter #1 [ <required> $subject ]
+    Parameter #2 [ <required> $message ]
+    Parameter #3 [ <optional> $additional_headers ]
+    Parameter #4 [ <optional> $additional_parameters ]
+  }
+}
+```
+
+### The 5th parameter ($additional\_parameters)
+
+This section is going to be based on **how to abuse this parameter supposing that an attacker controls it**.
+
+This parameter is going to be added to the command line PHP will be using to invoke the binary sendmail. However, it will be sanitised with the function `escapeshellcmd($additional_parameters)`.
+
+An attacker can **inject extract parameters for sendmail** in this case.
+
+#### Differences in the implementation of /usr/sbin/sendmail
+
+**sendmail** interface is **provided by the MTA email software** (Sendmail, Postfix, Exim etc.) installed on the system. Although the **basic functionality** (such as -t -i -f parameters) remains the **same** for compatibility reasons, **other functions and parameters **vary greatly depending on the MTA installed.
+
+Here are a few examples of different man pages of sendmail command/interface:
+
+* Sendmail MTA: http://www.sendmail.org/\~ca/email/man/sendmail.html
+* Postfix MTA: http://www.postfix.org/mailq.1.html
+* Exim MTA: https://linux.die.net/man/8/eximReferences
+
+Depending on the **origin of the sendmail** binary different options have been discovered to abuse them and l**eak files or even execute arbitrary commands**. Check how in [**https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html**](https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html)****
+
+## References
+
+* [**https://resources.infosecinstitute.com/email-injection/**](https://resources.infosecinstitute.com/email-injection/)****
+* [**https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html**](https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html)****