Skip to content

Latest commit

 

History

History
90 lines (71 loc) · 4.44 KB

README.md

File metadata and controls

90 lines (71 loc) · 4.44 KB

gif

[ Have a look at the article: HaHacking_Mail-Injection.pdf / Habr / DeteAct Blog ]

Overview | Usage | More on the topic


My research on E-Mail Injection vulnerabilities & samples of vulnerable applications.

preview


📦 Overview

[⚠️] This repository contains samples of purposefully-vulnerable applications!

These applications were developed for demonstration purposes only. Read the text of the research to better understand the underlying causes + ways to exploit this kind of vulnerabilities.

 – CRLF Injection (SMTP / IMAP Injection)
 – Arbitrary Command Flag Injection
 – Improper Input Validation

Brief overview of applications:

Environment Technologies Exploited vulnerabilities
NodeJS NodeJS Express + smtp-client CRLF Injection (SMTP)
NodeJS PHP mail() CRLF Injection (SMTP) + Arbitrary Command Flag Injection
NodeJS Python Flask + imaplib CRLF Injection (IMAP)
NodeJS Python Flask + email + smtplib Improper Input Validation

⚙️ Usage

1) Install & Configure an SMTP server (e.g: Postfix):

apt install postfix
nano /etc/postfix/main.cf
postfix start

2) Install & Configure an IMAP server (e.g: Dovecot):

apt install dovecot-imapd
nano /etc/dovecot/dovecot.conf
/etc/init.d/dovecot start

3) Set the hahacking.local domain name in /etc/hosts & Add users;
// *Make sure to make changes to the application in case you want to use your own domain name

nano /etc/hosts
adduser contact
...

4) Download this repository:

git clone https://github.com/qwqoro/Mail-Injection

5) Start the application by launching any of the proposed backend implementations:

cd nodejs; npm install express smtp-client; node app.js        # NodeJS
cd php; php -S 127.0.0.1:80                                    # PHP
cd python-imap; python app.py                                  # Python IMAP
cd python-smtp; python app.py                                  # Python Input Validation

6) Go to http://hahacking.local/ OR http://whateveryourdomainnameis/
7) Enjoy!


📑 More on the topic