Commix (short for [comm]and [i]njection e[x]ploiter) is an automated tool written by Anastasios Stasinopoulos (@ancst) that can be used by web developers, penetration testers and security researchers to test web-based applications for bugs, errors or vulnerabilities related to command injection attacks. By using this tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or HTTP header.
You are able to develop and easily import your own modules in order to increase the capabilities of commix and/or adapt it to your needs.
It is compatible with multiple penetration testing tools and frameworks (e.g. Metasploit Framework, BurpSuite, SQLMap etc.), thereby increasing the success rate of a penetration test.
It is written in Python! No need to compile anything; only Python (version 2.6.x or 2.7.x) needs to be installed for Commix to run on Linux, Mac OS X and Windows.
It is a free (as in beer!) and open source project licensed under the GPLv3 License.
This tool is only for testing and academic purposes and can only be used where strict consent has been given. Do not use it for illegal purposes!
Python version 2.6.x or 2.7.x is required for running this program.
Download commix by cloning the Git repository:
git clone https://github.com/commixproject/commix.git commix
Commix comes packaged in the official repositories of the following Linux distributions, so you can use the package manager to install it!
Commix also comes as a plugin on the following penetration testing frameworks:
To get a list of all options and switches use:
python commix.py -h