Commix is a command injection exploitation tool used for testing command injection vulnerabilities in web applications. Command injection, also known as shell injection is achieved through vulnerable applications. For the attack to be successful, the application must pass unsecure user supplied data to the system shell. The tool is written in Python language.
Who can be the Victim of Command Injection?
The command injection attacks are independent of the operating system in use. They can target Linux, Unix, and Windows as well. They are also independent of the programming languages used as they can inject themselves into many programming languages including C, C++, PHP, Python, and Java.
Commix Installation
Commix is supported by Linux and Mac OS X. The Commix version for Windows OS has been released as a pilot. Commix comes preinstalled with some Linux distributions including Backbox, BlackArch Linux, Parrot Security OS, and Weakerthan Linux. The tool can be downloaded from Git repository using the following command.
git clone https://github.com/commixproject/commix.git commix
The tool can be installed using the following command
--install
More helping features can be explored using the help command
--help
How Commix Works?
Commix works in three steps. First, the attack vector generator module generates attack vectors. Attack vectors are different attack techniques including classic, eval based, time based, and file based techniques. Attack vectors perform the vulnerability test in the host application (target). If the vulnerability is found, the exploitation step is then launched to exploit the vulnerability.
Command Injection Options
--url = URL Here, the ‘URL’ is the target web address.