Commix (short for [comm]and [i]njection e[x]ploiter) is an automated tool written by**Anastasios Stasinopoulos(@ancst) that can be used from web developers, penetration testers or even security researchers in order to test web-based applications with the view to find bugs, errors or vulnerabilities related tocommand injection** attacks. By using this tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or HTTP header.
Requirements Pythonversion2.6.xor2.7.x is required for running this program.
Installation
Download commix by cloning the Git repository:
git clone https://github.com/commixproject/commix.git commix
Commix comes packaged on the official repositories of the following Linux distributions, so you can use thepackage manager to install it!
Weakerthan Linux
Commix also comes as a plugin, on the following penetration testing frameworks:
Aptive’s Penetration Testing tools
Supported Platforms
Usage
To get a list of all options and switches use:
python commix.py -h
Q: Where can I check all the available options and switches? A: Check the ‘usage’ wiki page.
Usage Examples Q: Can I get some basic ideas on how to use commix? A: Just go and check the ‘usage examples’ wiki page, where there are several test cases and attack scenarios.
Upload Shells Q: How easily can I upload web-shells on a target host via commix? A: Commix enables you to upload web-shells (e.g metasploit PHP meterpreter) easily on target host. For more, check the ‘upload shells’ wiki page.
Modules Development Q: Do you want to increase the capabilities of the commix tool and/or to adapt it to our needs? A: You can easily develop and import our own modules. For more, check the ‘module development’ wiki page.
Command Injection Testbeds Q: How can I test or evaluate the exploitation abilities of commix? A: Check the ‘command injection testbeds’ wiki page which includes a collection of pwnable web applications and/or VMs (that include web applications) vulnerable to command injection attacks.
Exploitation Demos Q: Is there a place where I can check for demos of commix? A: If you want to see a collection of demos, about the exploitation abilities of commix, take a look at the ‘exploitation demos’ wiki page.
Bugs and Enhancements Q: I found a bug / I have to suggest a new feature! What can I do? A: For bug reports or enhancements, please open an issue**here**.
Presentations and White Papers Q: Is there a place where I can find presentations and/or white papers regarding commix? A: For presentations and/or white papers published in conferences, check the ‘presentations’ wiki page.
github.com/Aptive/penetration-testing-tools
github.com/commixproject/commix
github.com/commixproject/commix/issues
github.com/commixproject/commix/wiki/Command-Injection-Testbeds
github.com/commixproject/commix/wiki/Exploitation-Demos
github.com/commixproject/commix/wiki/Module-Development
github.com/commixproject/commix/wiki/Presentations
github.com/commixproject/commix/wiki/Upload-shells
github.com/commixproject/commix/wiki/Usage
github.com/commixproject/commix/wiki/Usage-Examples
github.com/LionSec/katoolin
github.com/owtf/owtf
github.com/sidaf/homebrew-pentest
github.com/stasinopoulos
github.com/trustedsec/ptf
github.com/x3omdax/PenBox
github.com/zardus/ctf-tools