{"id":350,"date":"2006-09-25T04:48:24","date_gmt":"2006-09-25T04:48:24","guid":{"rendered":"https:\/\/www.darknet.org.uk\/2006\/09\/fis-file-inclusion-scanner-v01-php-vulnerability\/"},"modified":"2010-06-18T09:10:33","modified_gmt":"2010-06-18T08:10:33","slug":"fis-file-inclusion-scanner-v01-php-vulnerability","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2006\/09\/fis-file-inclusion-scanner-v01-php-vulnerability\/","title":{"rendered":"FIS [File Inclusion Scanner] v0.1 – PHP Vulnerability"},"content":{"rendered":"

<\/p>\n

A useful tool for anyone working with PHP applications.<\/p>\n

DESCRIPTION<\/strong>
\n————
\nFIS (File Inclusion Scanner) is a vulnerability scanner for PHP applications. It scans PHP files mapping PHP\/HTTP variables and then performs a security audit, in order to find out which of them are exploitable.<\/p>\n

USAGE<\/strong>
\n——
\nphp fis.php [local file] [remote file] [remote FIS ID file]<\/p>\n

[local file]<\/strong>
\n————–
\nThe local copy of the PHP source file used by FIS to map the variables for the audit.<\/p>\n

[remote file]<\/strong>
\n————–
\nThe remote copy of the source executed by a remote webserver, the file we will audit.<\/p>\n

[remote FIS ID file]<\/strong>
\n———————-
\nThe FIS ID file is used to check whether a variable is exploitable or not. It contains PHP code that simply echoes a unique MD5 hash used for identification.<\/p>\n

INTENDED AUDIENCE<\/strong>
\n——————
\nFIS is intended to be used by penetration testers, not script kiddies nor malicious users. It creates a lot of noise on the remote host and can be easily discovered with a simple glance at
\nthe webserver logs, which makes it useless as a cracking tool.<\/p>\n

FEATURES<\/strong>
\n———
\nFIS, currently, supports audits using only GET requests. COOKIE & POST support is not yet implemented.<\/p>\n

LOGGING<\/strong>
\n———
\nFIS automatically logs extra audit information in “fis.log” in the working directory.<\/p>\n

FIS Website<\/a><\/p>\n

<\/p>\n

You can download FIS directly here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

A useful tool for anyone working with PHP applications. DESCRIPTION ———— FIS (File Inclusion Scanner) is a vulnerability scanner for PHP applications. It scans PHP files mapping PHP\/HTTP variables and then performs a security audit, in order to find out which of them are exploitable. USAGE —— php fis.php [local file] [remote file] [remote FIS ID […]<\/p>\n","protected":false},"author":25,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[12,11,15],"tags":[267,396],"featured_image_src":null,"featured_image_src_square":null,"author_info":{"display_name":"Darknet","author_link":"https:\/\/www.darknet.org.uk\/author\/darknet\/"},"_links":{"self":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/350"}],"collection":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/users\/25"}],"replies":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/comments?post=350"}],"version-history":[{"count":0,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/350\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/media?parent=350"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/categories?post=350"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/tags?post=350"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}