The attacker sends IMAP/SMTP commands to a mail server that is not directly available via a web application. This attack is very similar to CRLF injections.
In advanced cases, the attacker may exploit additional privilege escalation vulnerabilities, which may lead to full web server compromise.
This code may be used to execute operating system commands with the privileges of the user who is running the web application. The attacker injects application code written in the application language. The following is a list of common injection attack types. SQL injection (SQLi) and Cross-site Scripting (XSS) are the most common injection attacks but they are not the only ones. This means that there are many freely available and reliable tools that allow even inexperienced attackers to abuse these vulnerabilities automatically. Furthermore, injection attacks are a very well understood vulnerability class. What makes injection vulnerabilities particularly scary is that the attack surface is enormous (especially for XSS and SQL Injection vulnerabilities). Injection attacks, particularly SQL Injections (SQLi attacks) and Cross-site Scripting (XSS), are not only very dangerous but also widespread, especially in legacy applications. It is listed as the number one web application security risk in the OWASP Top 10 – and for a good reason.
This attack type is considered a major problem in web security. The primary reason for injection vulnerabilities is usually insufficient user input validation. They can lead to data theft, data loss, loss of data integrity, denial of service, as well as full system compromise. Injections are amongst the oldest and most dangerous attacks aimed at web applications. In turn, this alters the execution of that program. This input gets processed by an interpreter as part of a command or query. In an injection attack, an attacker supplies untrusted input to a program. Injection attacks refer to a broad class of attack vectors.