[ Have a look at the article: HaHacking_Mail-Injection.pdf / Habr / DeteAct Blog ]

Overview | Usage | More on the topic

My research on E-Mail Injection vulnerabilities & samples of vulnerable applications.

📦 Overview

[⚠️] This repository contains samples of purposefully-vulnerable applications!

These applications were developed for demonstration purposes only. Read the text of the research to better understand the underlying causes + ways to exploit this kind of vulnerabilities.

 – CRLF Injection (SMTP / IMAP Injection)
 – Arbitrary Command Flag Injection
 – Improper Input Validation

Brief overview of applications:

Environment	Technologies	Exploited vulnerabilities
NodeJS	Express + smtp-client	CRLF Injection (SMTP)
PHP	mail()	CRLF Injection (SMTP) + Arbitrary Command Flag Injection
Python	Flask + imaplib	CRLF Injection (IMAP)
Python	Flask + email + smtplib	Improper Input Validation

⚙️ Usage

1) Install & Configure an SMTP server (e.g: Postfix):

apt install postfix
nano /etc/postfix/main.cf
postfix start

2) Install & Configure an IMAP server (e.g: Dovecot):

apt install dovecot-imapd
nano /etc/dovecot/dovecot.conf
/etc/init.d/dovecot start

3) Set the hahacking.local domain name in /etc/hosts & Add users;
// *Make sure to make changes to the application in case you want to use your own domain name

nano /etc/hosts
adduser contact
...

4) Download this repository:

git clone https://github.com/qwqoro/Mail-Injection

5) Start the application by launching any of the proposed backend implementations:

cd nodejs; npm install express smtp-client; node app.js        # NodeJS
cd php; php -S 127.0.0.1:80                                    # PHP
cd python-imap; python app.py                                  # Python IMAP
cd python-smtp; python app.py                                  # Python Input Validation

6) Go to http://hahacking.local/ OR http://whateveryourdomainnameis/
7) Enjoy!

📑 More on the topic

• [CRLF Injection] [SMTP] [IMAP]
  OWASP ‟Testing for IMAP SMTP Injection”: owasp.org/...Testing_for_IMAP_SMTP_Injection

• [CRLF Injection] [SMTP]
  Invicti ‟E-Mail Injection”: invicti.com/.../email-injection

• [CRLF Injection] [SMTP]
  VK9 Security ‟SMTP Injection”: vk9-sec.com/smtp-injection-attack

• [CRLF Injection] [SMTP]
  MBSD Takeshi Terada ‟SMTP Injection via recipient email addresses”: mbsd.jp/.../smtpi.pdf

• [CRLF Injection] [SMTP] [IMAP]
  Vicente Aguilera Díaz “MX Injection: Capturing and Exploiting Hidden Mail Servers”: webappsec.org/.../121106.pdf

• [Arbitrary Command Flag Injection]
  ][akep (aLLy) ‟Эксплуатируем критическую уязвимость в PHPMailer и фреймворках, которые его используют”: xakep.ru/.../phpmailer-exploit