PHP email injection attack technology

I. Introduction

Today, the use of the Internet has risen sharply, but the vast majority of Internet users have no security knowledge background. Most people use the Internet to communicate with others by Email. For this reason, most websites allow their users to contact them, provide suggestions to the website, report a problem, or request feedback. The user will send an email to the website administrator.

Unfortunately, most web developers do not have enough knowledge about the Secure Code-Security, some of which use existing libraries or frameworks that are vulnerable to many known vulnerabilities. These vulnerabilities have been published and repaired by the vendor, and the source code poc of the attack can be downloaded on the Internet. However, most developers are too reluctant to upgrade to the latest version.

Today we will talk about email injection. Attackers can use your email server to send spam.

Ii. Mail Injection

From Wikipedia:

Email injection is a security vulnerability widely used in Internet email sending and receiving applications. This is an email injection, similar to an HTTP header injection. Similar to SQL injection attacks, this vulnerability is a common vulnerability that occurs when one programming language is embedded into another, for example, MYSQL is embedded into PHP.

When a form that can submit data to a Web application is added to a Web page, malicious users may use the MIME format to add additional information to the message to be sent (POST/GET), such as a new recipient list or a completely different message body. Because the MIME format uses carriage return to separate the information in the data packet (each line in the HTTP data packet has a line break, and there are two line breaks between POST and http header ), by adding carriage return to submit form data (some plug-ins of FB can be easily used), a simple message board can be used to send thousands of messages. Similarly, a spam sender can use this tactic to maliciously send a large number of anonymous messages.

Email injection is an attack type targeting PHP's built-in email function. It allows malicious attackers to inject any header fields, such as BCC, CC, and subject. It allows hackers to send spam messages from the victim's email server through injection. For this reason, this attack is called email injection or spam. This vulnerability is not limited to PHP. It may affect any application that receives messages from the user UI and sends email messages. The main cause of this attack is the improper user input verification or the application does not have a verification and filtering mechanism at all.

Iii. Principles of email injection attacks

The old Chinese saying goes well: only by knowing the truth can we know the truth.

To explain how mail injection works, we must first understand the working principles of the PHP Email function. The following describes how to find an API in PHP Manual.

mail():http://www.php.net/manual/en/function.mail.phpbool mail ( string $to , string $subject , string $message [, string $additional_headers [, string $additional_parameters ]] )

You can note that this requires three required parameters ("destination, topic, and message") and other optional parameters and functions to return a Boolean value.

Let's look at a code with a vulnerability to demonstrate this vulnerability:

<?php  $to="littlehann@foxmail.com";  if (!isset($_POST["send"]))  { ?>    <form method="POST" action="<?php echo $_SERVER['PHP_SELF'];?>">    From: <input type="text" name="sender">    Subject : <input type="text" name="subject">    Message :    <textarea name="message" rows="10" cols="60" lines="20"></textarea>    <input type="submit" name="send" value="Send">    </form> <?php  }  else  {    // the form has been submitted    $from=$_POST['sender'];    // send mail :    if (mail($to,$_POST['subject'],$_POST['message'],"From: $fromn"))    {      echo "Your mail has been sent successfully";    }    else    {      echo "An error has been occured !";    }  }  ?> 

The preceding Code demonstrates the purpose and explains the attack principles. The preceding code is divided into three parts:

Part 1

<?php  $to="littlehann@foxmail.com";  if (!isset($_POST["send"])){ ?> 

This code will check whether the form is submitted or not. The user clicks the submit button and the normal response to the script accessing this page is different. if this code returns True (the final result in the if statement is true), this means that the form is not submitted. The form appears, waiting for user input. On the other hand, if it returns "False", this means that the form has been submitted, so the email will be sent.

Part 2

<form method="POST" action="<?echo $_SERVER['PHP_SELF'];?>"> From: <input type="text" name="sender"> Subject : <input type="text" name="subject"> Message : <textarea name="message" rows="10" cols="60" lines="20"></textarea> <input type="submit" name="send" value="Send"> </form> 

The second part is an HTML form tag, which requires user input.

Part 3

<?php } else {    // the form has been submitted    $from=$_POST['sender'];    // send mail :    if (mail($to,$_POST['subject'],$_POST['message'],"From: $fromn"))    {      echo "Your mail has been sent successfully";    }    else    {      echo "An error has been occured !";    } } ?> 

 

In the previous code, we can pay special attention to this line of mail ($ to, $ _ POST ['subobject'], $ _ POST ['message'], "From: $ fromn "), the mail () function of PHP requires parameters such as subject, message, and from. If the function is successfully executed, after the PHP engine sends an email, the message "Your mail has been sent successfully" is displayed ". If An error occurs, the message "An error has been occurred" is displayed"

But a friend asked, where is the problem? The main problem is that user input is not verified and filtered. As mentioned in white hat web security, any security problem can be attributed to the trust problem, the problem here is that the program code has unlimited trust in user input. As you can see in the third part of the code, the sending function code receives input (including the subject, message, and source) from the user, and the parameters are not filtered and verified. Therefore, malicious attackers can control the value of these parameters and send inject attacks.

Iv. Mail injection demonstration

Notice:

To use PHP as the mail sending proxy, we need to perform simple configuration for PHP. INI:

[mail function]; For Win32 only.; http://php.net/smtpSMTP = smtp.qq.com; http://php.net/smtp-portsmtp_port = 25

For demonstration purposes, we will use the previous code with vulnerabilities. In addition, we will submit the following values as parameters for sending emails:


 

mail("littlehann@foxmail.com", "Call me urgent", "Hi,nPlease call me ASAP.nBye", "From: littlehann@foxmail.comn")

HTTP packet sent from the form:

From the attacker's point of view, there are many additional fields that can be injected into the mail title. For more information, see RFC 822. For example, CC (CC) or BCC (BCC) allows attackers to insert more messages.

Note that before adding a new parameter, we must add a line break to separate each field. The hexadecimal value of the line break is "0x0A ". The following is a demo code.

1) Cc/Bcc Injection

Inject Cc and Bcc parameters after the sender field (sender)

From: sender@domain.com % 0ACc: recipient@domain.com % 0 ABcc: recipient1@domain.com

Therefore, the message will be sent to the recipient and recipient1 accounts.

2) parameter Injection

From: sender@domain.com % 0ATo: attacker@domain.com

Now the message will be sent to the original recipient and attacker account. Note that the attacker's account here is passed in through injection.

3) Subject Injection

From: sender@domain.com % 0 ASubject: This's % 20 Fake % 20 Subject

The fake subject injected by the attacker will be added to the original topic and will replace the original topic subject in some cases. This depends on the mail service behavior. This is the fault tolerance of code writing. When two subject items appear in the parameter, the code is discarded or overwritten by the latter.

4) change the message body.

Note the SMTP Mail format. There are two line breaks (the same as HTTP) between the Message Subject and Header ).

From: sender@domain.com % 0A % 0AMy % 20New % 20% 0 Fake % 20Message.

A fake message is added to the original message.

V. Practical demonstration

The following prompt shows how to directly configure php. the native email function of ini may not be easy to use and may be difficult to configure. We recommend that you use some third-party Email systems (WP is quite good) for sending, this module has encapsulated Related interactions and HTTP packet construction.

Some experiments are attached:

1) Send normally

2) Cc/Bcc Injection

Add Inject Payload in The From Field

After an email is sent, the CC function is added:

3) Subject Injection

Add the subject field to the from parameter:

After receiving the email:

We can see that the original subject is overwritten by the injection statement, but whether it is overwritten or appended is related to the specific PHP Code compiling logic, because the common practice of CMS to send emails is to use PHP to construct HTTP/HTTPS data packets. First, construct the data packets locally before sending them to the server.

Therefore, different systems may have different effects on email injection.

4) change the message body.

Note that SMTP distinguishes the message header from the message topic based on the % 0A % 0A double line break.

After the email is sent, we find that the message body has been modified.

The above is the result of simulating the experiment in the local PHP environment. Because of the differences in the environment and program code processing logic, the experiment may be different in different environments, my experience is to analyze the e-mail source code of different php cms systems, clarify the code logic for sending e-mail data packets, and conduct targeted Email injection.

Vi. Solutions

1. Never trust user input fields. All user input should be considered untrusted and potentially malicious. Untrusted input processes of applications may become vulnerable to buffer overflow attacks, SQL injection, OS command injection, denial of service, and email injection.

2. Use regular expressions to filter data submitted by users. For example, we can search (r or n) in the input string ).

3. Use external components and libraries to prevent such problems as ZEND mail, PEAR mail, and swift mailer.

4. ModSecurity can prevent server-level email injection. With ModSecurity, we can detect CC, BCC, or destination addresses submitted through POST or GET and reject any requests containing these letters.

VII. References

1-http://www.securephpwiki.com/

2-http://projects.webappsec.org/

3-http://en.wikipedia.org/

4-http: // www.damonkohler.com

PHP Email InjectionReference From: http://resources.infosecinstitute.com/email-injection/Translated By: LittleHann