PHP email injection attack technology (1)

1. Introduction

Today, the use of the Internet has risen sharply, but the vast majority of Internet users have no security knowledge background. Most people use the Internet to communicate with others by Email. For this reason, most websites allow their users to contact them, provide suggestions to the website, report a problem, or request feedback. The user will send an email to the website administrator.

Fortunately, most web developers do not have enough knowledge about secure Code-Security, some of which use existing libraries or frameworks that are vulnerable to many known vulnerabilities. These vulnerabilities have been published, and the vendor has fixed them, and the corresponding attack source code poc can be downloaded on the Internet, but most developers are too reluctant to upgrade to the latest version.

Today we will talk about email injection. Attackers can use your email server to send spam.

2. Mail Injection

From Wikipedia:

Email injection is a security vulnerability widely used in Internet email sending and receiving applications. This is an email injection, similar to an HTTP header injection. Similar to SQL injection attacks, this vulnerability is a common vulnerability that occurs when one programming language is embedded into another, for example, MYSQL is embedded into PHP.

When a form that can submit data to a Web application is added to a Web page, malicious users may use the MIME format to add additional information to the message to be sent (POST/GET), such as a new recipient list or a completely different message body. Because the MIME format uses carriage return to separate the information in the data packet (each line in the HTTP data packet has a line break, and there are two line breaks between POST and http header ), by adding carriage return to submit form data (some plug-ins of FB can be easily used), a simple message board can be used to send thousands of messages. Similarly, a spam sender can use this tactic to maliciously send a large number of anonymous messages.

Email injection is an attack type targeting PHP's built-in email function. It allows malicious attackers to inject any header fields, such as BCC, CC, and subject. It allows hackers to send spam mails from the victim's email server through injection. For this reason, this attack is called email injection or spam. This vulnerability is not limited to PHP. It may affect any application that receives messages from the user UI and sends email messages. The main cause of this attack is the improper user input verification or the application does not have a verification and filtering mechanism at all.

3. Principles of email injection attacks

The old Chinese saying goes well: only by knowing the truth can we know the truth.

To explain how mail injection works, we must first understand the working principles of the PHP Email function. The following describes how to find an API in PHP Manual.

 
 

  
  
mail(): 
  
  
 
  
  
http://www.php.net/manual/en/function.mail.php 
  
  
 
  
  
bool mail ( string $to , string $subject , string $message [, string $additional_headers [, string $additional_parameters ]] ) 
 
 

You can note that this requires three required parameters ("destination, topic, and message") and other optional parameters and functions to return a Boolean value.

 
Let's look at a code with a vulnerability to demonstrate this vulnerability:

 
 

  
  
<?php 
  
  
 $to="littlehann@foxmail.com"; 
  
  
 if (!isset($_POST["send"])) 
  
  
 { 
  
  
?> 
  
  
   <form method="POST" action="<?php echo $_SERVER['PHP_SELF'];?>"> 
  
  
   From: <input type="text" name="sender"> 
  
  
   Subject : <input type="text" name="subject"> 
  
  
   Message : 
  
  
   <textarea name="message" rows="10" cols="60" lines="20"></textarea> 
  
  
   <input type="submit" name="send" value="Send"> 
  
  
   </form> 
  
  
<?php 
  
  
 } 
  
  
 else 
  
  
 { 
  
  
   // the form has been submitted 
  
  
   $from=$_POST['sender']; 
  
  
   // send mail : 
  
  
   if (mail($to,$_POST['subject'],$_POST['message'],"From: $fromn")) 
  
  
   { 
  
  
     echo "Your mail has been sent successfully"; 
  
  
   } 
  
  
   else 
  
  
   { 
  
  
     echo "An error has been occured !"; 
  
  
   } 
  
  
 } 
  
  
 ?> 
 
 

The preceding Code demonstrates the purpose and explains the attack principles. The preceding code is divided into three parts:

Part 1

 
 

  
  
<?php 
  
  
 $to="littlehann@foxmail.com"; 
  
  
 if (!isset($_POST["send"])){ 
  
  
?> 
 
 

This code will check whether the form is submitted or not. The user clicks the submit button and the normal response to the script accessing this page is different. if this code returns True (the final result in the if statement is true), this means that the form is not submitted. The form appears, waiting for user input. On the other hand, if it returns "False", it means the form has been submitted, so the email will be sent.

Part 2

 
 

  
  
<form method="POST" action="<?echo $_SERVER['PHP_SELF'];?>"> 
  
  
 From: <input type="text" name="sender"> 
  
  
 Subject : <input type="text" name="subject"> 
  
  
 Message : 
  
  
 <textarea name="message" rows="10" cols="60" lines="20"></textarea> 
  
  
 <input type="submit" name="send" value="Send"> 
  
  
 </form> 
 
 

The second part is an HTML form tag, which requires user input.

Part 3

 
 

  
  
<?php 
  
  
} 
  
  
else 
  
  
{ 
  
  
   // the form has been submitted 
  
  
   $from=$_POST['sender']; 
  
  
   // send mail : 
  
  
   if (mail($to,$_POST['subject'],$_POST['message'],"From: $fromn")) 
  
  
   { 
  
  
     echo "Your mail has been sent successfully"; 
  
  
   } 
  
  
   else 
  
  
   { 
  
  
     echo "An error has been occured !"; 
  
  
   } 
  
  
} ?> 
 
 

In the previous code, we can pay special attention to this line.Mail ($ to, $ _ POST ['subobject'], $ _ POST ['message'], "From: $ fromn ")The mail () function of PHP requires parameters such as subject, message, and from. If the function is successfully executed, after the PHP engine sends an email, the message "Your mail has been sent successfully" is displayed ". If An error occurs, the message "An error has been occurred" is displayed.

But a friend asked, where is the problem? The main issue does not require necessary verification and filtering of user input. As mentioned in white hat web security, any security issue can be attributed to a trusted question, the problem here is that the program code has unlimited trust in user input. As you can see in the third part of the code, the sending function code receives input (including the subject, message, and source) from the user, and the parameters are not filtered and verified. Therefore, malicious attackers can control the value of these parameters and send inject attacks.