Need help to understand this php script

Youkai

Hi guys,
just out of curiosity (as we get lots of spoofed mails at our office) I was looking into how this actually works and I kind of understand the theory behind it but not exactly how it is done ...

Now I found a nice script written by some guy but I don't get all of it ... I can read the HTML part and some of the PHP but not enough to actually get how the mails are being sent, maybe someone can explain ?

PHP:
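<?php
session_start();
// Only act when the form was submitted with the "Send" button.
if ($_POST['Submit'] == 'Send')
{
    // strcmp() returns non-zero when the MD5 of the typed verification
    // code differs from the value kept in the session.
    if (strcmp(md5($_POST['user_code']), $_SESSION['ckey']))
    {
        header("Location: sendmail.php?msg=ERROR: Invalid Verification Code");
        exit();
    }

    // Every value below is taken from the form as typed, without validation.
    $to = $_POST['toemail'];
    $subject = $_POST['subject'];
    $message = $_POST['message'];
    $fromemail = $_POST['fromemail'];
    $fromname = $_POST['fromname'];
    $lt = '<';
    $gt = '>';
    $sp = ' ';
    $from = 'From:';
    // Builds "From:Name <address>"; the sender shown is whatever was typed in.
    $headers = $from.$fromname.$sp.$lt.$fromemail.$gt;
    // mail() hands the message to the mail transport configured on the server.
    mail($to, $subject, $message, $headers);
    header("Location: sendmail.php?msg= Mail Sent!");
    exit();
}
?>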
<html>
<head>
<title>Email Pranks</title>
</head>
<body bgcolor="#ffffcc">
<h2 align="center">
Fake Email Prank Script By Srikanth
</h2>
<h3 align="center">
Please do not misuse this script. Use it only for having FUN.
</h3><br>
<p style="margin-left:15px">
<form action="sendmail.php" method="POST">
<b>From Name:</b><br>
<input type="text" name="fromname" size="50"><br>
<br><b>From Email:</b><br>
<input type="text" name="fromemail" size="50"><br>
<br><b>To Email:</b><br>
<input type="text" name="toemail" size="50"><br>
<br><b>Subject:</b><br>
<input type="text" name="subject" size="74"><br>
<br><b>Your Message:</b><br>
<textarea name="message" rows="5" cols="50">
</textarea><br>
<br><b>Verification Code:</b><br>
<input name="user_code" type="text" size="25"> 
<img src="pngimg.php" align="middle"><br><br>
<input type="submit" name="Submit" value="Send">
<input type="reset" value="Reset">
</form>
</p>
<?php if (isset($_GET['msg'])) { echo "<font color=\"red\"><h3 align=\"center\"> $_GET[msg] </h3></font>"; } ?>
<h3 align="center">
WARNING: Use it at your own risk. Do not use this for Spamming!.
</h3>
</body>
</html>

There is actually a second small script but I am pretty sure it's only for generating the captcha picture ^^V
 

akaishi

Well... It is unsafe code and poorly written... For example, it is using md5, an obsolete hash algorithm.


Moreover, let's see this code...

PHP:
session_start();
if ($_POST['Submit'] == 'Send')
{
if (strcmp(md5($_POST['user_code']),$_SESSION['ckey']))
    {
header("Location: sendmail.php?msg=ERROR: Invalid Verification Code");
exit();
  }

In the first code block, it is checking the session and some credentials. For example, if the md5 of user_code received by the client is the same as the ckey stored locally.

PHP:
$to = $_POST['toemail'];
$subject = $_POST['subject'];
$message = $_POST['message'];
$fromemail = $_POST['fromemail'];
$fromname = $_POST['fromname'];


Then, in the next lines, it is getting the parameters received by POST sent by the client, like toemail and subject, and it stores each parameter in a variable.

PHP:
$lt= '<';
$gt= '>';
$sp= ' ';
$from= 'From:';
$headers = $from.$fromname.$sp.$lt.$fromemail.$gt;

Here it is just formatting the header of the email.

PHP:
mail($to,$subject,$message,$headers);

I think that you know how this code sends an email, right? Well... I don't know, because this function does it, and I don't know how it works because I don't have its code =P

PHP:
header("Location: sendmail.php?msg= Mail Sent!");

It is calling the function header of PHP (php.net/manual/en/function.header.php) to update the page on the browser to sendmail.php and passing by query string the msg "variable" with the value Mail Sent!.
 

Joom

as we get lots of spoofed mails at our office
Like, people are spoofing your domain? Because this is easily handled with DKIM. Set it up on all accounts (domains), and problem solved. If you work for a hosting company, do it for all customers.
 

ELY_M

It is just an email sender! It will use your server's sendmail. I wrote a one-page email sender a long time ago.
I write a lot of php scripts myself.

--------------------- MERGED ---------------------------

here is my own simple emailer that I wrote for my old forums.
I used a list of emails of members on old forum.

Code:
<?php

$from = "Cyphonic";
$fromemail = "[email protected]";

$subject = "Cyphonic is back!";
$message = " I got your emails from old forum datebase from years ago. ";
$message .= "\n Cyphonic is back ";
$message .= "\n The url is http://cyphonic.net ";
$message .= "\n you have to re-register your accounts ";
$message .= "\n ";
$message .= "\n Mouse ";
$message .= "\n ";

/*
$headers = "MIME-Version: 1.0\r\n"; // don't change
$headers .= "Content-type: text/html; charset=iso-8859-1\r\n"; // don't change
$headers .= "X-Priority: 1\r\n"; // don't change
$headers .= "X-MSMail-Priority: High\r\n"; // don't change
$headers .= "X-Mailer: Outlook Express\r\n"; // change php in what you like
$headers .= "From: \"" . $from . "\" <" . $fromemail . ">\r\n";
$headers .= "Reply-To: \"". $from ."\" <". $fromemail .">\r\n";
*/

// Header lines are separated by CRLF.
$headers = "From: \"" . $from . "\" <" . $fromemail . ">\r\n";
$headers .= "Reply-To: \"". $from ."\" <". $fromemail .">\r\n";
$headers .= "X-Priority: 1\r\n";
$headers .= "X-MSMail-Priority: High\r\n";
$headers .= "X-Mailer: OutLook\r\n";
$headers .= "MIME-Version: 1.0\r\n";

// Read one recipient address per line from emailz.txt.
$toemails = file("emailz.txt");
sort($toemails);
print("Sending email to...<br><strong>");
for ($index = 0; $index < count($toemails); $index++)
{
    // Strip the trailing newline; ereg_replace() was removed in PHP 7,
    // str_replace() does the same job here.
    $toemails[$index] = str_replace("\n", "", $toemails[$index]);
    mail($toemails[$index], $subject, $message, $headers);
    print("$toemails[$index]</strong>...<strong>");
}
print("</strong>DONE");

?>
 

Youkai

Well... It is unsafe code and poorly written... For example, it is using md5, an obsolete hash algorithm.
PHP:
mail($to,$subject,$message,$headers);

I think that you know how this code sends an email, right? Well... I don't know, because this function does it, and I don't know how it works because I don't have its code =P

PHP:
header("Location: sendmail.php?msg= Mail Sent!");

It is calling the function header of PHP (php.net/manual/en/function.header.php) to update the page on the browser to sendmail.php and passing by query string the msg "variable" with the value Mail Sent!.

Actually no, I don't ^^V that's pretty much my question as this is the whole code (except for a tiny extra file which was solely for checking the key) so I was or still am rather surprised by how this thing knows how to send this stuff ... I guess "mail" is some kind of predefined variable ?
And Sendmail.php was the file/page's name


It is just an email sender! It will use your server's sendmail. I wrote a one-page email sender a long time ago.
I write a lot of php scripts myself.

So the php script does have access to the exchange server somehow ?

I just upped the script to some random host to try it, no idea if they have an email service but it is interesting that I would be able to use it just through uploading such a script ... wouldn't that be some kind of bad security ?



P.S.@Joom
no they are spoofing the mail address like you get an email by your own address but this is just fake as it didn't come from your address, someone just typed it in as the sending address.
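
The receiving side of what this thread describes (a From: address that is simply typed in, and the DKIM suggestion above), as an added Python example that is not code from any poster here: it accepts a message's From: domain only when SPF or DKIM passed for exactly that domain, according to an Authentication-Results header written by your own mail server. The authserv-id `mx.office.example`, all domains and the sample messages are constructed assumptions, and strict (exact-match) domain alignment is used for simplicity.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the authserv-id our own receiving mail server stamps on mail.
TRUSTED_AUTHSERV = "mx.office.example"

def domain_of(value):
    """Domain part of an address, or the value itself if it is a bare domain."""
    return value.rpartition("@")[2].strip("<>").lower()

def trusted_results(msg):
    """Yield (method, result, domain) from Authentication-Results headers
    written by our own server; copies supplied by the sender are ignored."""
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, rest = header.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue
        for method, result, props in re.findall(r"\b(spf|dkim)=(\w+)([^;]*)", rest, re.I):
            ident = re.search(r"(?:smtp\.mailfrom|header\.d)=([^\s;]+)", props, re.I)
            yield method.lower(), result.lower(), domain_of(ident.group(1)) if ident else ""

def from_is_authenticated(raw):
    """True only if SPF or DKIM passed for exactly the domain shown in From:."""
    msg = message_from_string(raw)
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    return bool(from_domain) and any(
        result == "pass" and domain == from_domain
        for _, result, domain in trusted_results(msg))

# Constructed sample messages (not real mail).
SCRIPT_SPOOF = ("Authentication-Results: mx.office.example; spf=pass smtp.mailfrom=www@webhost.example; dkim=none\n"
                "From: Boss <boss@office.example>\n\nhi\n")
FORGED_RESULT = ("Authentication-Results: mx.office.example; spf=softfail smtp.mailfrom=office.example; dkim=none\n"
                 "Authentication-Results: mail.other.example; dkim=pass header.d=office.example\n"
                 "From: Boss <boss@office.example>\n\nhi\n")
GENUINE = ("Authentication-Results: mx.office.example; spf=pass smtp.mailfrom=office.example;\n"
           " dkim=pass header.d=office.example\n"
           "From: Boss <boss@office.example>\n\nhi\n")

if __name__ == "__main__":
    for name in ("SCRIPT_SPOOF", "FORGED_RESULT", "GENUINE"):
        print(name, from_is_authenticated(globals()[name]))
```

The check is only as good as the trusted header: the receiving server must remove any inbound Authentication-Results header that already carries its own authserv-id.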
 

ELY_M


Roamin64

Look up the link ELY_M posted, on the function.mail.php

"mail" isn't a predefined variable, it is a function. A function is another piece of code that could be as simple as a single line of code or thousands of lines of code. Parameters can be passed on to functions so that the function can manipulate data. Not every function needs parameters. In this case, the function mail(); is getting the ($to,$subject,$message,$headers) parameters passed on to it. The function will receive the data stored in the VARIABLE to, subject, message, headers and it will proceed to do all it needs to do to send the e-mail. You can find out how mail(); works to send the e-mail by looking at the source code for that function, but you don't NEED to know what it does to work, you just need to know what it needs to work.

A variable is a piece of memory that contains data. In this case, like akaishi clearly explained, "Then, in the next lines, it is getting the parameters received by POST sent by the client, like toemail and subject, and it stores each parameter in a variable." All the variables contain the appropriate data, and the variables are used as the parameters for the mail(); function. Once the function has done, or tried to do, all it needed to do, it returns to where it was called. Functions can also return a value, letting you know the outcome of the function.

Any piece of code that is to be used more than once would make sense to make a function of it, instead of having to retype the same code over and over. You don't need every PHP coder to know exactly all the steps required to send the e-mail. You just need them to know how to use the function, and any time they need it, they call the function, pass on parameters and wait for results.

So, main(); is a function.
What is passed inside it are called parameters ($to,$subject,$message,$headers).
The semi-colon ; is the end of the statement, telling the compiler that anything after is a new instruction.
The information gathered is in variables.
Variables are passed to a function as their parameters.

I've never coded in PHP, I only know limited C programming, but functions are pretty much always built the same way across programming languages.

Hopefully I didn't make a fool of myself and everything I wrote is correct, if it wasn't please correct me.

(I mostly code in C for microcontrollers like Atmel AVR)
 