Web application security - the fast guide 1.1 | Page 146

Chapter 7 - Attack execution (3)
7.7 SMTP command injection
In some cases, the web application itself handles the communication directly through SMTP, taking the main data from the input form or passed parameters.

Attack requirements:
A. No proper input validation for special SMTP keywords
B. The application itself manages the initiation of the SMTP session

Attack process: The legitimate request generated when submitting the form:
    POST feedback.php HTTP/1.1
    Host: vulnerableApp.com
    Content-Length: 63

    From=legitimateSender@legMailServer.com&Subject=Site+feedback&Message=any message

And the generated SMTP conversation will be:

    MAIL FROM: legitimateSender@legMailServer.com
    RCPT TO: feedback@vulnerableApp.com
    DATA
    From: legitimateSender@legMailServer.com
    To: feedback@vulnerableApp.com
    Subject: Site feedback

    any message
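The input validation that requirement A says is missing, as an added example that is not from the book: the three form fields are checked before they are placed into the SMTP conversation shown above. It assumes the fields arrive already URL-decoded; the function names, the address pattern and the angle-bracket form of MAIL FROM / RCPT TO are choices made for this example.

```python
import re

# Assumption of this example: a deliberately narrow address pattern.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
RECIPIENT = "feedback@vulnerableApp.com"  # fixed by the application, never taken from input

class RejectedInput(ValueError):
    """Raised when a form field could alter the SMTP conversation."""

def check_header_value(name, value):
    # CR or LF ends the current SMTP command or header line, so whatever
    # follows it would be read by the server as a new command or header.
    if "\r" in value or "\n" in value:
        raise RejectedInput(f"{name}: line break not allowed")
    return value

def check_address(value):
    check_header_value("From", value)
    if not ADDR_RE.fullmatch(value):
        raise RejectedInput("From: not a plain e-mail address")
    return value

def dot_stuff(body):
    # Normalise line endings, then double a leading "." on each line so a line
    # holding only "." cannot end DATA early (RFC 5321, section 4.5.2).
    lines = body.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    return "\r\n".join("." + l if l.startswith(".") else l for l in lines)

def build_smtp_lines(form):
    # Returns the lines the application would send, in order.
    sender = check_address(form["From"])
    subject = check_header_value("Subject", form["Subject"])
    body = dot_stuff(form["Message"])
    return [
        f"MAIL FROM:<{sender}>",
        f"RCPT TO:<{RECIPIENT}>",
        "DATA",
        f"From: {sender}",
        f"To: {RECIPIENT}",
        f"Subject: {subject}",
        "",
        body,
        ".",
    ]
```

In production code the same checks belong in front of whatever mail library opens the SMTP session, since requirement B (the application driving the session itself) is what makes unvalidated fields reach the server as commands.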