******************************************************
*Create a lightweight E-Mailer (level= Script Kiddie)*
******************************************************

First of all; the disclaimer:
-----------------------------
The information in this article is 'as is' and the author can't be held
responsible for any activities of others. Spawning mail under someone else's
name is illegal in most countries and re-using someone else's code is theft.
This text was written so that this still widespread problem gets a little more
well known, thus forcing webmasters to take another look at their code.

This out of the way; What is in this text:
------------------------------------------
Well, it will explain a little trick that will allow you to use webservers as a
mailserver, enabling you to send anonymous mail. This doesn't involve you
writing a complex program and reading through the SMTP man pages (although that
wouldn't be a waste of time); all you will need is a browser.

How do we do that then: HTML
----------------------------
What we are going to use to build our mailing thingy is HTML (plain old
HyperText Markup Language). Some basic things you should learn before you
continue reading:

- HTML is built up with tags that mark the beginning and ending of code blocks.
  Each page starts with the <HTML> tag and ends with </HTML>.
  The page is then divided in a HEAD and a body, with the <HEAD> and <BODY> tags
  e.g.
  <HTML>
  <HEAD><TITLE>The title of my page</TITLE></HEAD>
  <BODY>this text will be displayed on your page</BODY>
  </HTML>

- besides these basic tags you also have the <FORM> and </FORM>
tags; between these two you create a form (a block of html code that is
considered as a whole).

Now, each part in a page has some parameters; the <BODY> for example can have a
background color. These parameters are stated behind the opening tag of a block
e.g. My page

a form can be given some parameters as well
the action parameter is the script that will be used to handle all those
variables (<INPUT>) in the form and METHOD is POST or GET. POST means sending
the variables to the action script and letting it run from there on end. GET
means the variables are sent to be altered and the page expects something in
return from the script (like a google search page: GET me everything with
"Fake" and "mailer").

This action script will be called as soon as one presses the SUBMIT button
that's within the <FORM> and </FORM>
tags.

'Nough crap: lets build
-----------------------
We are going to build this fake mailer by using 'open code' (read crappy code)
on a webserver. Many Internet Solutions Providers re-use the same script for
different clients. It is even common that the actual scripts stay on their own
servers and that the pages on the client's server are linked to it. This is
what we are going to use.

First off, we need one of those clients' websites, where we look for a CONTACT
US form. Most sites have one of those, so finding one shouldn't be any trouble.

Once you have found one of those contact-us pages we are going to see if we can
exploit it. To do this, open the source code of the page and look for the <FORM>
tag. What we need is a form tag that looks kinda like this .

Once we found this tag we need to look at the lines beneath it. Many of these
pages call a script (the one that's labeled ACTION in the form tag) and send a
load of variables to it (method="POST"). Now we have to look for a variable
that states the recipient's email.
e.g.

So here we see that one of the variables sent to the script is the email of the
recipient. Once you have found this you know that we can use the provider's
script to send our own emails. So let's start building.

First step is downloading the entire contact page to your disk. Once downloaded
we are going to build our lightweight mailer. Go to the downloaded page and
open it with a text editor. Once opened, look for the input tag with the
recipient's address again. Now set the TYPE property to 'TEXT' and save the
page.

Open the altered page in your browser. You will see that a new textbox has
appeared with the recipient's email. Now you can type in the email of the
person you wish to send an email and fill in the other boxes. Press SUBMIT or
SEND or whatever they called the button and your email is on its way.

There, you built a mail program within a minute.

Most of those scripts are protected so that you can't post the altered page on
your own webserver and run it from there (domain checking), but using the
altered page from your own pc can't be blocked.

Another common feature of those re-usable scripts is that they read all the
variables in the page and put them in the mail. So you can create your own
values and delete those you don't need; this way you can create a mail that
suits your needs a little more.

Note: Most scripts send the mail in clear text format (bye bye virii)

Workarounds: How do I prevent people from reusing my script?
------------------------------------------------------------
Instead of using an html page as contact form, use a client side script that
will only display the contact form if the HTTP_REFERER is on your domain.

Or you can put all client-side variables in a client side script that functions
as a buffer between your contact-script and the page, thus making sure that the
home-user only gets to see the variables that he actually needs to fill in.

Fin
---
See, that wasn't too hard. Now go find yourself a place to practice.

******************************************************
------------------Created by Crim3--------------------
******************************************************
*****************| www.HACK3Z.com |*******************
******************************************************
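
Added example, not part of the original article or of any provider's script: the recipient-from-the-page pattern described above, next to a handler that keeps the recipient on the server and accepts only the fields a visitor needs to fill in. The names RECIPIENTS, build_mail_vulnerable and build_mail_hardened and every address are made up for illustration; no Referer check is used because that header is supplied by the client.

```python
import re

# Hypothetical server-side configuration: the recipient lives on the server,
# keyed by a form id, and never travels through the HTML page.
RECIPIENTS = {"contact": "webmaster@example.org"}
ALLOWED_FIELDS = ("name", "email", "subject", "message")
HEADER_FIELDS = ("name", "email", "subject")
EMAIL_RE = re.compile(r"^[^@\s<>,;]+@[^@\s<>,;]+\.[^@\s<>,;]+$")


def build_mail_vulnerable(form):
    """Pattern from the article: recipient and every field come from the page."""
    body = "\n".join(f"{k}: {v}" for k, v in form.items() if k != "recipient")
    return {"to": form["recipient"], "subject": form.get("subject", ""),
            "body": body}


def build_mail_hardened(form_id, form):
    """Ignore any posted recipient; accept only known fields with clean values."""
    if form_id not in RECIPIENTS:
        raise ValueError("unknown form")
    fields = {k: str(form.get(k, "")).strip() for k in ALLOWED_FIELDS}
    for k in HEADER_FIELDS:
        # A line break in a header value would let the sender add headers.
        if "\r" in fields[k] or "\n" in fields[k]:
            raise ValueError(f"line break in header field {k!r}")
    if not EMAIL_RE.match(fields["email"]):
        raise ValueError("invalid sender address")
    body = f"From: {fields['name']} <{fields['email']}>\n\n{fields['message']}"
    return {"to": RECIPIENTS[form_id], "reply_to": fields["email"],
            "subject": fields["subject"][:120], "body": body}


# Constructed sample: what a saved, edited copy of the page would post back.
TAMPERED = {"recipient": "someone@elsewhere.example", "name": "A. Visitor",
            "email": "visitor@example.net", "subject": "Hello",
            "message": "Question about opening hours.",
            "extra": "injected text"}

if __name__ == "__main__":
    print("vulnerable ->", build_mail_vulnerable(TAMPERED)["to"])
    print("hardened   ->", build_mail_hardened("contact", TAMPERED)["to"])
```
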