A useful tool for anyone working with PHP applications.
DESCRIPTION
————
FIS (File Inclusion Scanner) is a vulnerability scanner for PHP applications. It scans PHP files, mapping PHP/HTTP variables, and then performs a security audit to find out which of them are exploitable.
USAGE
——
php fis.php [local file] [remote file] [remote FIS ID file]
[local file]
————–
The local copy of the PHP source file used by FIS to map the variables for the audit.
[remote file]
————–
The remote copy of the source executed by a remote webserver, the file we will audit.
[remote FIS ID file]
———————-
The FIS ID file is used to check whether a variable is exploitable or not. It contains PHP code that simply echoes a unique MD5 hash used for identification.
INTENDED AUDIENCE
——————
FIS is intended to be used by penetration testers, not script kiddies or malicious users. It creates a lot of noise on the remote host and can be easily discovered with a simple glance at the webserver logs, which makes it useless as a cracking tool.
FEATURES
———
FIS currently supports audits using only GET requests. COOKIE and POST support is not yet implemented.
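The log noise described under INTENDED AUDIENCE, combined with the GET-only limitation, gives a defender a simple pattern to look for in access logs. The following Python script is an added example, not part of FIS or of the original post; it assumes combined-format access logs and that probes show up as GET parameters whose value is a remote URL, and the sample log lines, addresses and paths are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Common/combined log format: capture client, request method and target.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" \d{3}')
# Parameter value that points at a remote resource (assumed probe shape).
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.I)

def find_inclusion_scans(lines, min_params=3):
    """Return {(client, script): sorted param names} for clients that sent
    remote-URL values in at least `min_params` distinct GET parameters."""
    probed = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group(2) != "GET":
            continue
        client, target = m.group(1), urlsplit(m.group(3))
        if not target.path.lower().endswith(".php"):
            continue
        # parse_qsl percent-decodes values, so encoded URLs are caught too.
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            if REMOTE_RE.match(value.strip()):
                probed[(client, target.path)].add(name)
    return {k: sorted(v) for k, v in probed.items() if len(v) >= min_params}

# Constructed sample log lines (documentation addresses, hypothetical paths).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2007:13:55:01 +0000] "GET /app/index.php?page=http%3A%2F%2Fid.example%2Fid.txt HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2007:13:55:01 +0000] "GET /app/index.php?lang=http://id.example/id.txt HTTP/1.1" 200 498
203.0.113.7 - - [10/Oct/2007:13:55:02 +0000] "GET /app/index.php?theme=http://id.example/id.txt HTTP/1.1" 200 498
198.51.100.4 - - [10/Oct/2007:13:56:10 +0000] "GET /app/index.php?page=news&lang=en HTTP/1.1" 200 2048
198.51.100.4 - - [10/Oct/2007:13:57:44 +0000] "GET /app/redirect.php?next=http://partner.example/ HTTP/1.1" 302 0
""".splitlines()

if __name__ == "__main__":
    for (client, script), params in find_inclusion_scans(SAMPLE_LOG).items():
        print(f"{client} probed {script} via GET parameters: {', '.join(params)}")
```

The `min_params` threshold separates a scanner walking through every mapped variable from a single legitimate redirect-style parameter; tune it to the application being monitored.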
LOGGING
———
FIS automatically logs extra audit information in “fis.log” in the working directory.
You can download FIS directly here.
You guys have a habit of posting web application attack tools which no longer exist. Both Oedipus and now FIS websites no longer exist!
Ah that sucks, it was up when I posted this, I checked.
I think I have a copy somewhere, I’ll upload it when I get a chance.
I had some probs with my hosting company…
It’s up now, sorry.
Oh yeah, Zapotek here….. hehehe
SegFault.Gr will move again but it’ll be up again shortly. ;)
Thanks for the update Zapotek :)
Since I still get visitors looking for FIS from this article,
I thought I’d let you know that the new link is:
http://segfault.gr/projects/?lang=en&projects_id=11&secid=28
Cheers.