All About HackingBindersBlackhat Hacking ToolsHacking

PHP email injection example By Blackhat Pakistan 2023

In this article we will learn about PHP email injection example.

Today, the use of the Internet is growing dramatically, but the vast majority of Internet users do not have a security background. Most people use the Internet to communicate with each other regularly through e-mail messages. For this reason, most webmasters allow their customers to contact them – when they give them a suggestion, report a problem, or ask for feedback, they use a contact form that sends the feedback to the webmaster’s email. Unfortunately, most web developers do not have sufficient information about code security, and some of them use an off-the-shelf library or framework that suffers from many known vulnerabilities. These are already published and patched by the vendor, and their exploits are available on the Internet, but most developers are too lazy to upgrade to the latest version.

Today we’re going to talk about email injections, which an attacker could use to send spam from your mail server using your mail form.

Inserting an email[PHP email injection example]

Embedding email according to Wikipedia:

Email injection is a security vulnerability that can occur in Internet applications that are used to send email messages. It is the email equivalent of HTTP Header Injection. Like SQL injection attacks, this vulnerability is one of a general class of vulnerabilities that occur when one programming language is embedded in another.

Also Read:How UEFI Secure Boot works-Knew everything by Blackhat Pakistan 2023

When a form is added to a web page that sends data to a web application, a malicious user can abuse the MIME format to attach additional information to the message being sent, such as a new list of recipients or a completely different message body. Because the MIME format uses a carriage return to separate information in a message, and only the raw message determines its final destination, adding carriage returns to submitted form data allows a simple guestbook to be used to send thousands of messages at once. A malicious spammer could use this tactic to anonymously send large numbers of messages.

Email injection is a type of injection attack that targets PHP’s built-in mail functionality. It allows a malicious attacker to insert any mail header field such as BCC , CC , Subject , etc., which allows the hacker to send spam from their victims’ mail server through their victims’ contact form. For this reason, this attack is called email embedding or mail form spamming. This vulnerability is not limited to PHP. It can potentially affect any application that sends email messages based on input from arbitrary users. The main reason behind this attack is incorrect user input validation or no validation and filtering at all.

How does email embedding work?

To explore how email embedding works, we should know exactly how the PHP email function works. Let’s look at the description of the PHP mail function from the PHP Mail() manual :

bool mail ( string $to , string $subject , string $message [, string $additional_headers [, string $additional_parameters ]] )

As you can notice, it takes three required parameters (“it, subject, and message”) and some other optional parameters, and the function returns a boolean value that is either True or False.

So let’s take a look at the vulnerable code to demonstrate this vulnerability:


Subject :


The previous code will be used for demonstration purposes and we will split the previous code into 3 parts for explanation:

First part



This code checks if the form is submitted or not. The answer will vary if this code returns “True or False”. If it returns “True”, it means that the form was not submitted. A form will appear and wait for user input. On the other hand, if it returns “False”, it means the form is submitted, so the email will be sent.

Second part


Subject :


The second part is an HTML form tag that will be displayed if the first part returns “True”, which requires user input.

Third part

// the form was sent
// send mail :
if (mail($to,$_POST[‘subject’],$_POST[‘message’],”From: $fromn”)){
echo “Your mail was sent successfully”;
echo “An error occurred!”;

as you can see in the previous code, specially this line mail ($to,$_POST[‘subject’],$_POST[‘message’],”From: $fromn”), the Mail function will take the subject , message and from the parameters and send the mail . If it is sent successfully, it will print “Your mail was sent successfully” and if it is an error, it will return “An error occurred”.

So where is the problem? The main problem with any “Not Only Email Injection” attack is trusting user inputs or improperly validating inputs. As you can see in the third part of the code, the mail function takes its argument directly from the user without any input validation, where the Mail function takes the subject, message, and from parameters without filtering and validation. Thus, a malicious attacker can control these subject, message, and form parameter values, which can be directly used by the developer.

The row output data looks like this:

From an attacker’s perspective, there are many other fields that can be inserted into a mail header. For more information, see RFC 822. For example, we can insert a CC or BCC to allow an attacker to add additional recipients to the message, but before adding a new argument, we must add a new line that separates each field from the other, the hex value for the line offset is “0x0A”. Here are some examples:

Paste Cc and Bcc after the sender argument

From:[email protected]%0ACc:[email protected],%0ABcc:[email protected]

So now the message will be sent to recipient and recipient1 accounts.

Inject This argument

From:[email protected]%0ATTo:[email protected]

Now the message will be sent to the original recipient and the attacker’s account.

Insert subject argument

From:[email protected]%0ASubject:This’s%20Fake%20Subject

The fake item will be added to the original item and in some cases will replace it. It depends on the behavior of the postal service.

Change the message body

Insert a two-line channel and then type your message to change the message body.

From:[email protected]%0A%0AMy%20New%20%0Fake%20Message.

The fake message will be added to the original message.


Never trust user input fields. All user input should be treated as untrusted and potentially malicious. Applications that process untrusted input can become vulnerable to attacks such as buffer overflows, SQL Injection, OS Commanding, Denial of Service, and Email Injection.
Use regular expressions to filter user data. For example, we can search for (r or n) in the input string.
Use external components and libraries that provide protection against this problem, such as ZEND mail, PEAR mail, and swift mailer.
ModSecurity can stop email embedding at the server level. Using ModSecurity, it is possible to scan a POST or GET body for BCC, CC or To and reject any request that contains these letters.


Leave a Reply

Your email address will not be published. Required fields are marked *