SMTP Mail Header Injection


Web applications often provide features such as "Contact us" or "Contact the developers" forms for queries about the application.
If such a form has an email address field, we can try to exploit it by adding other email headers.
The maximum impact is the ability to send phishing emails to the developers of the application.
How to craft payloads:
    1. CC another email: %0ACc:<<email address>>
    2. %0A is the URL-encoded line break that starts a new header field.
    3. In the screenshot below, the attacker has entered an email address and then appended a Cc header with another email address to the same value.
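
The following added example (not part of the original post) shows why the appended value becomes a real header when a handler concatenates the field into the message, and how to reject it on the server side. All addresses are placeholders, and the function names and the choice of Reply-To for the visitor's address are assumptions made for the illustration.

```python
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import unquote

# Constructed sample input: the page's payload shape with placeholder addresses.
FORM_EMAIL = "user@example.com%0ACc:other@example.net"

def build_naive(form_email: str) -> str:
    """Vulnerable pattern: decoded form value pasted straight into the header block."""
    sender = unquote(form_email)
    return f"From: {sender}\nTo: dev@example.org\nSubject: Contact form\n\nHello"

def injected_headers(raw: str) -> list:
    """Header names a mail parser sees in a raw message."""
    return message_from_string(raw).keys()

def safe_address(form_email: str) -> str:
    """Accept one bare address; reject CR, LF and anything else around it."""
    value = unquote(form_email)
    if any(c in value for c in "\r\n"):
        raise ValueError("line break in email field")
    _, addr = parseaddr(value)
    if addr != value or "@" not in addr:
        raise ValueError("not a single bare address")
    return addr

def build_safe(form_email: str) -> EmailMessage:
    """Hardened pattern: validated value, headers set through the email API."""
    msg = EmailMessage()
    msg["From"] = "webform@example.org"        # fixed sender owned by the site
    msg["To"] = "dev@example.org"
    msg["Reply-To"] = safe_address(form_email)  # visitor's address, validated
    msg["Subject"] = "Contact form"
    msg.set_content("Hello")
    return msg

if __name__ == "__main__":
    print(injected_headers(build_naive(FORM_EMAIL)))  # Cc appears as its own header
    try:
        build_safe(FORM_EMAIL)
    except ValueError as exc:
        print("rejected:", exc)
```

With the default policy, `EmailMessage` also refuses header values that contain line breaks, so the validation step is a second layer, not the only one.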



To turn the attack into a successful phishing attack, we can use templates available on GitHub:

