Chapter 7 - Attack execution (3)
7.7 SMTP command injection
In some cases, the web application itself handles the communication directly over SMTP, taking the main data from the input form or from passed parameters.

Attack requirements:
A. No proper input validation for special SMTP keywords
B. The application itself manages the initiation of the SMTP session
Attack process:
The legitimate request generated when submitting the form:

POST feedback.php HTTP/1.1
Host: vulnerableApp.com
Content-Length: 63

From=legitimateSender@legMailServer.com&Subject=Site+feedback&Message=any message

And the generated SMTP conversation will be:

MAIL FROM: legitimateSender@legMailServer.com
RCPT TO: feedback@vulnerableApp.com
DATA
From: legitimateSender@legMailServer.com
To: feedback@vulnerableApp.com
Subject: Site feedback
any message
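Requirement A, turned into a server-side check, as an added example that is not code from the original text: single-line fields are rejected if they contain any control character, and the message body, where line breaks are legitimate, is normalised and dot-stuffed instead. The function names and the `RejectedInput` class are assumptions; the field names and addresses are those of the sample request above.

```python
import re

FEEDBACK_RCPT = "feedback@vulnerableApp.com"  # fixed recipient from the page's example

# Conservative address pattern: no whitespace, control characters or brackets.
_ADDR = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class RejectedInput(ValueError):
    """Raised when a form field cannot be placed safely in the SMTP session."""


def check_single_line(name, value, max_len=200):
    """Envelope and header values must fit on exactly one SMTP line."""
    if len(value) > max_len:
        raise RejectedInput(f"{name}: too long")
    if any(ord(c) < 32 or ord(c) == 127 for c in value):
        raise RejectedInput(f"{name}: control character (CR, LF, ...) not allowed")
    return value


def encode_body(message):
    """Normalise line endings to CRLF and dot-stuff (RFC 5321, section 4.5.2),
    so no line of user text can be read as the end-of-DATA marker."""
    lines = message.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    return "\r\n".join("." + ln if ln.startswith(".") else ln for ln in lines)


def build_conversation(form):
    """Return the client lines of the session in the layout the page shows,
    built only from validated fields."""
    sender = check_single_line("From", form["From"])
    if not _ADDR.fullmatch(sender):
        raise RejectedInput("From: not a plain e-mail address")
    subject = check_single_line("Subject", form["Subject"])
    body = encode_body(form["Message"])
    headers = f"From: {sender}\r\nTo: {FEEDBACK_RCPT}\r\nSubject: {subject}"
    return [
        f"MAIL FROM: {sender}",
        f"RCPT TO: {FEEDBACK_RCPT}",
        "DATA",
        f"{headers}\r\n\r\n{body}\r\n.",  # blank line, body, terminating dot
    ]
```

In production code a maintained mail library that performs this validation is preferable to assembling the session by hand, which is requirement B.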