Commix v2.7 - Automated All-in-One OS Command Injection And Exploitation Tool

Commix (short for [comm]and [i]njection e[x]ploiter) is an automated tool written by**Anastasios Stasinopoulos(@ancst) that can be used from web developers, penetration testers or even security researchers in order to test web-based applications with the view to find bugs, errors or vulnerabilities related tocommand injection** attacks. By using this tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or HTTP header.

Requirements Pythonversion2.6.xor2.7.x is required for running this program.

Installation
Download commix by cloning the Git repository:

git clone https://github.com/commixproject/commix.git commix

Commix comes packaged on the official repositories of the following Linux distributions, so you can use thepackage manager to install it!

• ArchStrike

• BlackArch Linux

• BackBox

• Kali Linux

• Parrot Security OS

• Weakerthan Linux
  Commix also comes as a plugin, on the following penetration testing frameworks:

• TrustedSec’s Penetration Testers Framework (PTF)

• OWASP Offensive Web Testing Framework (OWTF)

• CTF-Tools

• PentestBox

• PenBox

• Katoolin

• Aptive’s Penetration Testing tools

• Homebrew Tap - Pen Test Tools

Supported Platforms

• Linux
• Mac OS X
• Windows (experimental)

Usage
To get a list of all options and switches use:

python commix.py -h

Q: Where can I check all the available options and switches? A: Check the ‘usage’ wiki page.

Usage Examples Q: Can I get some basic ideas on how to use commix? A: Just go and check the ‘usage examples’ wiki page, where there are several test cases and attack scenarios.

Upload Shells Q: How easily can I upload web-shells on a target host via commix? A: Commix enables you to upload web-shells (e.g metasploit PHP meterpreter) easily on target host. For more, check the ‘upload shells’ wiki page.

Modules Development Q: Do you want to increase the capabilities of the commix tool and/or to adapt it to our needs? A: You can easily develop and import our own modules. For more, check the ‘module development’ wiki page.

Command Injection Testbeds Q: How can I test or evaluate the exploitation abilities of commix? A: Check the ‘command injection testbeds’ wiki page which includes a collection of pwnable web applications and/or VMs (that include web applications) vulnerable to command injection attacks.

Exploitation Demos Q: Is there a place where I can check for demos of commix? A: If you want to see a collection of demos, about the exploitation abilities of commix, take a look at the ‘exploitation demos’ wiki page.

Bugs and Enhancements Q: I found a bug / I have to suggest a new feature! What can I do? A: For bug reports or enhancements, please open an issue**here**.

Presentations and White Papers Q: Is there a place where I can find presentations and/or white papers regarding commix? A: For presentations and/or white papers published in conferences, check the ‘presentations’ wiki page.

Download Commix