FIS [File Inclusion Scanner]
Published on 2007-11-21 16:20:16.
Description
FIS (File Inclusion Scanner) is a vulnerability scanner for PHP applications. It scans PHP files, mapping PHP/HTTP GET variables, and then performs a security audit
to find out which of them are exploitable.
License
FIS is copyrighted to Zapotek under the GNU General Public License v2.
Usage
php fis.php <local file> <remote file> <remote FIS ID file>
local file
The local copy of the PHP source file used by FIS to map the variables for the audit.
remote file
The remote copy of the source executed by a remote webserver, the file we will audit.
remote FIS ID file
The FIS ID file is used to check whether a variable is exploitable or not.
It contains PHP code that simply echoes a unique MD5 hash used for identification.
Intended audience
FIS is intended to be used by penetration testers, not script kiddies or malicious users.
It creates a lot of noise on the remote host and can be easily discovered with a simple glance at
the webserver logs, which makes it useless as a cracking tool.
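The log noise described above can be picked out mechanically. The following is an added example, not part of FIS or the original page: it assumes Common/Combined Log Format and flags clients that send remote-URL values to several distinct GET parameters; the function name, threshold and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Common/Combined Log Format (assumed): client, identity, user, [time], "METHOD target PROTO"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')
# A GET parameter whose value is itself a remote URL is the trace an inclusion audit leaves.
REMOTE_VALUE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def find_inclusion_probes(lines, min_params=3):
    """Return {client: sorted [(path, param), ...]} for clients that sent a
    URL-valued GET parameter to at least `min_params` distinct (path, param) pairs."""
    hits = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group(2) != "GET":
            continue  # malformed line, or not a GET request
        client, target = m.group(1), m.group(3)
        parts = urlsplit(target)
        # parse_qsl percent-decodes, so values logged as "http%3A%2F%2F..." are caught too.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if REMOTE_VALUE_RE.match(value.strip()):
                hits[client].add((parts.path, name))
    # One URL-valued parameter is often legitimate (e.g. a redirect target);
    # many distinct parameters from one client is the scanner pattern.
    return {c: sorted(p) for c, p in hits.items() if len(p) >= min_params}

# Constructed sample log lines (documentation address ranges, made-up paths).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2008:10:00:01 +0000] "GET /index.php?page=http://198.51.100.9/id.txt HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2008:10:00:01 +0000] "GET /index.php?lang=http%3A%2F%2F198.51.100.9%2Fid.txt HTTP/1.1" 200 498
203.0.113.7 - - [01/Jan/2008:10:00:02 +0000] "GET /view.php?file=http://198.51.100.9/id.txt&id=4 HTTP/1.1" 404 210
192.0.2.10 - - [01/Jan/2008:10:03:12 +0000] "GET /login.php?next=http://example.org/home HTTP/1.1" 302 0
192.0.2.10 - - [01/Jan/2008:10:03:15 +0000] "GET /index.php?page=about HTTP/1.1" 200 1840
192.0.2.10 - - [01/Jan/2008:10:03:20 +0000] "POST /login.php HTTP/1.1" 200 77
""".splitlines()

if __name__ == "__main__":
    for client, pairs in find_inclusion_probes(SAMPLE_LOG).items():
        print(client, "probed", len(pairs), "parameters:", pairs)
```

Lowering `min_params` widens the net but also reports ordinary redirect parameters, as the second client in the sample shows.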
Features
FIS currently supports audits using GET requests only.
Logging
FIS automatically logs extra audit information in "fis.log" in the working directory.
Releases
| Version | Stage | Description | Filename | Download |
|---|---|---|---|---|
| 0.2 | beta | Minor bug fixes and improvements in code formatting. | FIS-v0.2.tar.gz | |