A useful tool for anyone working with PHP applications.
FIS (File Inclusion Scanner) is a vulnerability scanner for PHP applications. It scans PHP files, mapping PHP/HTTP variables, and then performs a security audit in order to find out which of them are exploitable.
php fis.php [local file] [remote file] [remote FIS ID file]
[local file]
The local copy of the PHP source file used by FIS to map the variables for the audit.
[remote file]
The remote copy of the source executed by a remote webserver, the file we will audit.
[remote FIS ID file]
The FIS ID file is used to check whether a variable is exploitable or not. It contains PHP code that simply echoes a unique MD5 hash used for identification.
FIS is intended to be used by penetration testers, not script kiddies or malicious users. It creates a lot of noise on the remote host and can be easily discovered with a simple glance at the webserver logs, which makes it useless as a cracking tool.
FIS currently supports audits using GET requests only. COOKIE and POST support is not yet implemented.
FIS automatically logs extra audit information in “fis.log” in the working directory.
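The noise mentioned above is what a defender can look for in the access log. The following is an added example, not part of FIS or the original post: it flags clients that send remote-URL values in several different GET parameters of the same script. It assumes the Apache/nginx "combined" log format and that a file inclusion audit shows up as parameters whose values are remote URLs; the function name, threshold and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Assumed "combined" access log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')
# A parameter value that is itself a remote URL is the signal we look for.
REMOTE_VALUE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def find_inclusion_probes(lines, min_params=3):
    """Return {(client_ip, script_path): [param, ...]} for clients that sent
    remote-URL values in at least `min_params` distinct GET parameters."""
    probed = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue  # unparseable line, or not a GET request
        url = urlsplit(m.group("target"))
        # parse_qsl percent-decodes, so "http%3A%2F%2F..." is caught as well.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if REMOTE_VALUE.match(value.strip()):
                probed[(m.group("ip"), url.path)].add(name)
    return {key: sorted(names) for key, names in probed.items()
            if len(names) >= min_params}


# Constructed sample log lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /app/index.php?page=http://scanner.example/id.txt HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /app/index.php?lang=http%3A%2F%2Fscanner.example%2Fid.txt HTTP/1.1" 200 498 "-" "-"',
    '203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /app/index.php?tpl=http://scanner.example/id.txt HTTP/1.1" 200 501 "-" "-"',
    '198.51.100.20 - - [10/Oct/2023:13:56:02 +0000] "GET /app/index.php?page=home HTTP/1.1" 200 2048 "-" "-"',
    '198.51.100.20 - - [10/Oct/2023:13:56:10 +0000] "GET /app/redirect.php?next=https://example.org/ HTTP/1.1" 302 0 "-" "-"',
    '203.0.113.7 - - [10/Oct/2023:13:56:30 +0000] "POST /app/login.php HTTP/1.1" 200 300 "-" "-"',
]

if __name__ == "__main__":
    for (ip, path), params in find_inclusion_probes(SAMPLE_LOG).items():
        print(f"{ip} probed {path} via parameters: {', '.join(params)}")
```

The `min_params` threshold keeps a single legitimate redirect-style parameter from being flagged; tune it to the application's own use of URL-valued parameters.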
You can download FIS directly here.