Simple College Website 1.0 — RFI


Simple College Website 1.0 is vulnerable to a Remote File Include (RFI) attack. User input is passed into a file include statement, so the web application can be tricked into including remote files that contain malicious code. An attacker can execute commands without authenticating to the system.

Vendor Homepage:

Source Code:


Root Cause Analysis and Hacking

Let’s look at the source code which caused the RFI.


Line 72 uses an `include` expression to include a PHP file whose name comes from user input. There is clearly no input validation or sanitisation, so an attacker can make the application include a remote PHP file and execute it on the target.




Note: for inclusion of remote files to work, the directive allow_url_include must be set to On in php.ini (it defaults to Off).

We can start a simple Python HTTP server locally and serve the remote PHP file from it for exploitation.

Burp Req/Res

No authentication is needed to reach the vulnerable include and execute remote code, so this is an unauthenticated RFI.


Recommended mitigations:

  1. Require authentication for the requests that reach the include.
  2. Validate the file location (allowlist and base-directory check) before including it.
  3. Disable allow_url_include.
  4. Sanitise and validate all input used to build the include path.
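As an added example (not code from Simple College Website), the following PHP shows how an unvalidated `include $_GET['page']` pattern can be replaced by an allowlisted, path-checked include that also fails closed if allow_url_include is still enabled; the `page` parameter name and the `pages` directory are assumptions for illustration.

```php
<?php
// Added example, not the application's own code. Assumed names: $_GET['page']
// as the request parameter and a "pages" directory next to this script.

// Allowlist: request value => file on disk. Only these can ever be included,
// which rules out "http://...", "php://...", "../" and null-byte tricks outright.
const PAGE_ALLOWLIST = [
    'home'    => 'home.php',
    'courses' => 'courses.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a user-supplied page name to an absolute path inside $baseDir,
 * or return null if it is not allowed.
 */
function resolve_page(string $requested, string $baseDir): ?string
{
    // 1. Reject anything that is not an allowlisted key.
    if (!array_key_exists($requested, PAGE_ALLOWLIST)) {
        return null;
    }
    // 2. Defence in depth: confirm the resolved file really sits under $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGE_ALLOWLIST[$requested]);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// 3. Fail closed if the server configuration still permits remote includes.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    http_response_code(500);
    exit('Server misconfiguration: allow_url_include must be Off');
}

// Treat a non-string value (e.g. page[]=x) as invalid instead of letting it through.
$requested = $_GET['page'] ?? 'home';
$page = is_string($requested) ? resolve_page($requested, __DIR__ . '/pages') : null;
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $page;
```

The allowlist is what closes the RFI; the realpath check and the allow_url_include guard only cover mistakes in maintaining that list or the server configuration.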



Gowthamaraj Rajendran (@fuffsec)

Security Researcher | DevSecOps | Red Teamer | Malware Analyst | Bug Bounty Hunter | Software developer (OSCP, CRTP, eWPTX, SSCP)