Giter Site home page Giter Site logo

qwqoro / mail-injection Goto Github PK

View Code? Open in Web Editor NEW
3.0 1.0 0.0 4.62 MB

📧 [Research] E-Mail Injection: Vulnerable applications

JavaScript 8.66% CSS 20.36% HTML 31.48% Hack 8.45% PHP 2.43% Python 28.62%
arbitrary article command-injection crlf-injection email email-injection imap injection injection-attacks injections

mail-injection's Introduction

gif

[ Have a look at the article: HaHacking_Mail-Injection.pdf / Habr / DeteAct Blog ]

Overview | Usage | More on the topic


My research on E-Mail Injection vulnerabilities & samples of vulnerable applications.

preview


📦 Overview

[⚠️] This repository contains samples of purposefully-vulnerable applications!

These applications were developed for demonstration purposes only. Read the text of the research to better understand the underlying causes + ways to exploit this kind of vulnerabilities.

 – CRLF Injection (SMTP / IMAP Injection)
 – Arbitrary Command Flag Injection
 – Improper Input Validation

Brief overview of applications:

Environment Technologies Exploited vulnerabilities
NodeJS NodeJS Express + smtp-client CRLF Injection (SMTP)
NodeJS PHP mail() CRLF Injection (SMTP) + Arbitrary Command Flag Injection
NodeJS Python Flask + imaplib CRLF Injection (IMAP)
NodeJS Python Flask + email + smtplib Improper Input Validation

⚙️ Usage

1) Install & Configure an SMTP server (e.g: Postfix):

apt install postfix
nano /etc/postfix/main.cf
postfix start

2) Install & Configure an IMAP server (e.g: Dovecot):

apt install dovecot-imapd
nano /etc/dovecot/dovecot.conf
/etc/init.d/dovecot start

3) Set the hahacking.local domain name in /etc/hosts & Add users;
// *Make sure to make changes to the application in case you want to use your own domain name

nano /etc/hosts
adduser contact
...

4) Download this repository:

git clone https://github.com/qwqoro/Mail-Injection

5) Start the application by launching any of the proposed backend implementations:

cd nodejs; npm install express smtp-client; node app.js        # NodeJS
cd php; php -S 127.0.0.1:80                                    # PHP
cd python-imap; python app.py                                  # Python IMAP
cd python-smtp; python app.py                                  # Python Input Validation

6) Go to http://hahacking.local/ OR http://whateveryourdomainnameis/
7) Enjoy!


📑 More on the topic

mail-injection's People

Contributors

qwqoro avatar

Stargazers

avatar avatar avatar

Watchers

avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.