FIS [File Inclusion Scanner] v0.1 – PHP Vulnerability


A useful tool for anyone working with PHP applications.

DESCRIPTION
————
FIS (File Inclusion Scanner) is a vulnerability scanner for PHP applications. Is scans PHP files mapping PHP/HTTP variables and then performs a security audit,in order to find out which of them are exploitable.

USAGE
——
php fis.php [local file] [remote file] [remote FIS ID file]

[local file]
————–
The local copy of the PHP source file used by FIS to map the variables for the audit.

[remote file]
————–
The remote copy of the source executed by a remote webserver, the file we will audit.

[remote FIS ID file]
———————-
The FIS ID file is used to check whether a variable is exploitable or not. It contains PHP code that simply echoes a unique MD5 hash used for identification.

INTENDED AUDIENCE
——————
FIS is intended to be used by penetration testers, not script kidies nor malicious users. It creates a lot of noise on the remote host and can be easily discovered with a simple glance at
the webserver logs, which makes it useless as a cracking tool.

FEATURES
———
FIS, currently, supports audits using only GET requests. COOKIE & POST support is not yet implemented.

LOGGING
———
FIS automatically logs extra audit information in “fis.log” in the working directory.

FIS Website

You can download FIS directly here.

Posted in: Countermeasures, Security Software, Web Hacking

,


Latest Posts:


dSploit APK Download - Hacking & Security Toolkit For Android dSploit APK Download – Hacking & Security Toolkit For Android
dSploit APK Download is a Hacking & Security Toolkit For Android which can conduct network analysis and penetration testing activities.
Scallion - GPU Based Onion Hash Generator Scallion – GPU Based Onion Hash Generator
Scallion is a GPU-driven Onion Hash Generator written in C#, it lets you create vanity GPG keys and .onion addresses (for Tor's hidden services).
WiFi-Dumper - Dump WiFi Profiles and Cleartext Passwords WiFi-Dumper – Dump WiFi Profiles and Cleartext Passwords
WiFi-Dumper is an open-source Python-based tool to dump WiFi profiles and cleartext passwords of the connected access points on a Windows machine.
truffleHog - Search Git for High Entropy Strings with Commit History truffleHog – Search Git for High Entropy Strings with Commit History
truffleHog is a Python-based tool to search Git for high entropy strings, digging deep into commit history and branches. This is effective at finding secrets accidentally committed.
AIEngine - AI-driven Network Intrusion Detection System AIEngine – AI-driven Network Intrusion Detection System
AIEngine is a next-generation interactive/programmable Python/Ruby/Java/Lua and Go AI-driven Network Intrusion Detection System engine with many capabilities.
Sooty - SOC Analyst All-In-One CLI Tool Sooty – SOC Analyst All-In-One CLI Tool
Sooty is a tool developed with the task of aiding a SOC analyst to automate parts of their workflow and speed up their process.


5 Responses to FIS [File Inclusion Scanner] v0.1 – PHP Vulnerability

  1. dre October 8, 2006 at 12:14 am #

    you guys have a habit of posting web application attack tools which no longer exist. Both Oedipus and now FIS websites no longer exist!

  2. Darknet October 8, 2006 at 6:06 pm #

    Ah that sucks, it was up when I posted this I checked.

    I think I have a copy somewhere, I’ll upload it when I get chance.

  3. Zapotek October 9, 2006 at 1:26 pm #

    I had some probs with my hosting company…
    It’s up now, sorry.

    Oh yeah, Zapotek here….. hehehe

    SegFault.Gr will move again but it’ll be up again shortly. ;)

  4. Darknet October 15, 2006 at 3:21 pm #

    Thanks for the update Zapotek :)

  5. Zapotek November 26, 2007 at 1:14 am #

    Since I still get visitor looking for FIS from this article,
    I thought I’d let you know that the new link is:
    http://segfault.gr/projects/?lang=en&projects_id=11&secid=28

    Cheers.