Commix - Revision history

Unknown user: /* Links */

2025-05-24T13:50:38Z

Links

← Older revision		Revision as of 13:50, 24 May 2025
Line 209:		Line 209:
	* https://github.com/stasinopoulos/commix/wiki/Exploitation-Demos		* https://github.com/stasinopoulos/commix/wiki/Exploitation-Demos
	* https://github.com/stasinopoulos/commix/wiki/Usage-Examples		* https://github.com/stasinopoulos/commix/wiki/Usage-Examples

			==Flags==

			{{KaliFlag}}

Unknown user: /* Links */

2025-05-24T13:42:10Z

Links

← Older revision		Revision as of 13:42, 24 May 2025
Line 161:		Line 161:

	''Note: The Debian package maintainers have disabled the <code>--install</code> and <code>--update</code> flags, as updates and installations should be handled by <code>apt</code> on Kali Linux. The default output directory is also changed to <code>~/.commix/output/</code> in the Kali version.''		''Note: The Debian package maintainers have disabled the <code>--install</code> and <code>--update</code> flags, as updates and installations should be handled by <code>apt</code> on Kali Linux. The default output directory is also changed to <code>~/.commix/output/</code> in the Kali version.''

			==Example Command Log==

			== Commix Command Log Exercise ==

			A security analyst is testing a web application for command injection vulnerabilities. The target page is <code><nowiki>http://vulnerable.site/cat_product.php?cat_id=1</nowiki></code>. The analyst suspects the <code>cat_id</code> parameter might be vulnerable.

			Below is a series of commands the analyst runs using Commix. For each command, explain its purpose and what the analyst is trying to achieve.

			<pre>
			# Step 1: Basic vulnerability check for the 'cat_id' parameter.
			# The analyst starts with a simple test on the suspected parameter.
			# The -u flag specifies the target URL. Commix will automatically test parameters found in the URL.
			# --batch is used to accept default answers to commix's questions.
			python commix.py -u "http://vulnerable.site/cat_product.php?cat_id=1" --batch

			# Step 2: If the first command didn't yield results, or to be more specific,
			# the analyst explicitly tests the 'cat_id' parameter with a higher verbosity level (v=1)
			# to get more information about the tests being performed.
			# -p cat_id explicitly tells commix to test only the 'cat_id' parameter.
			python commix.py -u "http://vulnerable.site/cat_product.php?cat_id=1" -p "cat_id" -v 1 --batch

			# Step 3: Assuming a command injection was found and confirmed by Commix,
			# the analyst now tries to get an interactive operating system shell.
			# --os-shell attempts to provide a pseudo-terminal.
			python commix.py -u "http://vulnerable.site/cat_product.php?cat_id=1" -p "cat_id" --os-shell

			# Step 4: Once in the OS shell (or if direct command execution is preferred after confirmation),
			# the analyst tries to determine the current user.
			# --current-user is an enumeration option to fetch the username running the commands.
			python commix.py -u "http://vulnerable.site/cat_product.php?cat_id=1" -p "cat_id" --current-user --batch

			# Step 5: The analyst attempts to retrieve basic system information.
			# --sys-info tries to gather details about the operating system and architecture.
			python commix.py -u "http://vulnerable.site/cat_product.php?cat_id=1" -p "cat_id" --sys-info --batch

			# Step 6: The analyst wants to read the /etc/passwd file (assuming a *nix-like system
			# was identified or suspected from --sys-info or other means).
			# --file-read specifies a file to read from the target system.
			python commix.py -u "http://vulnerable.site/cat_product.php?cat_id=1" -p "cat_id" --file-read "/etc/passwd" --batch
			</pre>

	==Links==		==Links==

Unknown user: /* Shellshock */

2025-05-24T13:40:14Z

Shellshock

← Older revision		Revision as of 13:40, 24 May 2025
Line 168:		Line 168:
	* https://github.com/stasinopoulos/commix/wiki/Exploitation-Demos		* https://github.com/stasinopoulos/commix/wiki/Exploitation-Demos
	* https://github.com/stasinopoulos/commix/wiki/Usage-Examples		* https://github.com/stasinopoulos/commix/wiki/Usage-Examples

	~~==Shellshock==~~

	~~<pre>~~
	~~python commix.py --url="http://192.168.0.1/cgi.bin/status" --shellshock~~
	~~</pre>~~

Unknown user: /* Web App Penetration Testing */

2025-05-24T13:33:12Z

Web App Penetration Testing

← Older revision		Revision as of 13:33, 24 May 2025
Line 18:		Line 18:

	Commix can then automatically attempt various injection techniques (classic, time-based, file-based, eval-based) to detect if a command injection vulnerability exists. If a vulnerability is found, Commix can provide an OS shell, allowing the professional to further explore the compromised system, enumerate users (<code>--users</code>), read files (<code>--file-read</code>), or even attempt to gain a reverse TCP shell for more interactive control. This automates a significant portion of the discovery and initial exploitation phase.		Commix can then automatically attempt various injection techniques (classic, time-based, file-based, eval-based) to detect if a command injection vulnerability exists. If a vulnerability is found, Commix can provide an OS shell, allowing the professional to further explore the compromised system, enumerate users (<code>--users</code>), read files (<code>--file-read</code>), or even attempt to gain a reverse TCP shell for more interactive control. This automates a significant portion of the discovery and initial exploitation phase.

			(Note: Commix provides a testbed docker container with vulnerable web apps so you can take it for a spin: https://hub.docker.com/r/commixproject/commix-testbed )

	===Post-Exploitation and Privilege Escalation===		===Post-Exploitation and Privilege Escalation===

Unknown user: /* Post-Exploitation and Privilege Escalation */

2025-05-24T13:17:38Z

Post-Exploitation and Privilege Escalation

← Older revision		Revision as of 13:17, 24 May 2025
Line 24:		Line 24:

	The professional could point Commix to the vulnerable script/parameter from within the compromised system (if network access allows, or by setting up a proxy/tunnel). Commix's enumeration features like <code>--current-user</code>, <code>--is-root</code> (or <code>--is-admin</code> for Windows), and <code>--privileges</code> would be invaluable to quickly assess the context of the newly exploited command injection point and determine if it offers higher privileges than their initial foothold. The tool's ability to upload files (<code>--file-upload</code>) could also be used to introduce privilege escalation scripts.		The professional could point Commix to the vulnerable script/parameter from within the compromised system (if network access allows, or by setting up a proxy/tunnel). Commix's enumeration features like <code>--current-user</code>, <code>--is-root</code> (or <code>--is-admin</code> for Windows), and <code>--privileges</code> would be invaluable to quickly assess the context of the newly exploited command injection point and determine if it offers higher privileges than their initial foothold. The tool's ability to upload files (<code>--file-upload</code>) could also be used to introduce privilege escalation scripts.

			===Automated Vulnerability Scanning===

			A security team might be responsible for regularly assessing a large number of web applications or API endpoints for command injection vulnerabilities. Manually testing each one would be incredibly time-consuming and prone to human error. Commix can be used in a more automated fashion for this purpose.

			Security professionals can create a list of target URLs (potentially with specific parameters identified through other reconnaissance) and feed this list to Commix using the <code>-m BULKFILE</code> option. By using the <code>--batch</code> flag, Commix can run with default behaviors, attempting to identify vulnerabilities across all targets without requiring interactive input for each decision. The results, including identified vulnerable parameters and payloads, can be logged to files (<code>-t TRAFFIC_FILE</code> or via the default output directory) for later review and reporting. This allows for efficient, broad-stroke testing of many potential targets. Commix also supports parsing targets from Burp or WebScarab logs (<code>-l LOGFILE</code>) or even sitemap.xml files (<code>-x SITEMAP_URL</code>), further enhancing its utility in automated scanning workflows.

	==Command Line Flags==		==Command Line Flags==

Unknown user: /* Web App Penetration Testing */

2025-05-24T13:16:30Z

Web App Penetration Testing

← Older revision		Revision as of 13:16, 24 May 2025
Line 15:		Line 15:
	===Web App Penetration Testing===		===Web App Penetration Testing===

	Imagine a security professional is tasked with performing a black-box penetration test against a web application. They have identified several input fields (e.g., search bars, contact forms, URL parameters) that might be passing user-supplied data to system commands on the backend. Instead of manually crafting and testing countless command injection payloads for each input vector, the professional could use Commix. They can provide the target URL and specify the parameters to test (<code><nowiki>-u http://target.com/vuln.php?id=test --data "param=val"</nowiki></code>). Commix can then automatically attempt various injection techniques (classic, time-based, file-based, eval-based) to detect if a command injection vulnerability exists. If a vulnerability is found, Commix can provide an OS shell, allowing the professional to further explore the compromised system, enumerate users (<code>--users</code>), read files (<code>--file-read</code>), or even attempt to gain a reverse TCP shell for more interactive control. This automates a significant portion of the discovery and initial exploitation phase.		Imagine a security professional is tasked with performing a black-box penetration test against a web application. They have identified several input fields (e.g., search bars, contact forms, URL parameters) that might be passing user-supplied data to system commands on the backend. Instead of manually crafting and testing countless command injection payloads for each input vector, the professional could use Commix. They can provide the target URL and specify the parameters to test (<code><nowiki>-u http://target.com/vuln.php?id=test --data "param=val"</nowiki></code>).

			Commix can then automatically attempt various injection techniques (classic, time-based, file-based, eval-based) to detect if a command injection vulnerability exists. If a vulnerability is found, Commix can provide an OS shell, allowing the professional to further explore the compromised system, enumerate users (<code>--users</code>), read files (<code>--file-read</code>), or even attempt to gain a reverse TCP shell for more interactive control. This automates a significant portion of the discovery and initial exploitation phase.

			===Post-Exploitation and Privilege Escalation===

			In a scenario where a security professional has already gained a limited shell on a server (perhaps through a different vulnerability), they might discover that certain scripts or applications run by other users (or even by root/administrator) take user-supplied input that is then used in a system command. If the initial shell is restrictive or non-interactive, Commix could be used to exploit this secondary command injection vector.

			The professional could point Commix to the vulnerable script/parameter from within the compromised system (if network access allows, or by setting up a proxy/tunnel). Commix's enumeration features like <code>--current-user</code>, <code>--is-root</code> (or <code>--is-admin</code> for Windows), and <code>--privileges</code> would be invaluable to quickly assess the context of the newly exploited command injection point and determine if it offers higher privileges than their initial foothold. The tool's ability to upload files (<code>--file-upload</code>) could also be used to introduce privilege escalation scripts.

	==Command Line Flags==		==Command Line Flags==

Unknown user: /* Web App Penetration Testing */

2025-05-24T13:14:40Z

Web App Penetration Testing

← Older revision		Revision as of 13:14, 24 May 2025
Line 15:		Line 15:
	===Web App Penetration Testing===		===Web App Penetration Testing===

	Imagine a security professional is tasked with performing a black-box penetration test against a web application. They have identified several input fields (e.g., search bars, contact forms, URL parameters) that might be passing user-supplied data to system commands on the backend. Instead of manually crafting and testing countless command injection payloads for each input vector, the professional could use Commix. They can provide the target URL and specify the parameters to test (<code>-u http://target.com/vuln.php?id=test --data "param=val"</code>). Commix can then automatically attempt various injection techniques (classic, time-based, file-based, eval-based) to detect if a command injection vulnerability exists. If a vulnerability is found, Commix can provide an OS shell, allowing the professional to further explore the compromised system, enumerate users (<code>--users</code>), read files (<code>--file-read</code>), or even attempt to gain a reverse TCP shell for more interactive control. This automates a significant portion of the discovery and initial exploitation phase.		Imagine a security professional is tasked with performing a black-box penetration test against a web application. They have identified several input fields (e.g., search bars, contact forms, URL parameters) that might be passing user-supplied data to system commands on the backend. Instead of manually crafting and testing countless command injection payloads for each input vector, the professional could use Commix. They can provide the target URL and specify the parameters to test (<code><nowiki>-u http://target.com/vuln.php?id=test --data "param=val"</nowiki></code>). Commix can then automatically attempt various injection techniques (classic, time-based, file-based, eval-based) to detect if a command injection vulnerability exists. If a vulnerability is found, Commix can provide an OS shell, allowing the professional to further explore the compromised system, enumerate users (<code>--users</code>), read files (<code>--file-read</code>), or even attempt to gain a reverse TCP shell for more interactive control. This automates a significant portion of the discovery and initial exploitation phase.

	==Command Line Flags==		==Command Line Flags==

Unknown user: /* Description */

2025-05-24T13:14:12Z

Description

← Older revision		Revision as of 13:14, 24 May 2025
Line 10:		Line 10:

	Commix also supports various international users, with translations of its README available in several languages, including Farsi (Persian), Greek, Indonesian, and Turkish. This commitment to accessibility broadens its reach and usability across different regions. The project encourages community involvement through its issue tracker for reporting bugs or suggesting enhancements.		Commix also supports various international users, with translations of its README available in several languages, including Farsi (Persian), Greek, Indonesian, and Turkish. This commitment to accessibility broadens its reach and usability across different regions. The project encourages community involvement through its issue tracker for reporting bugs or suggesting enhancements.

			==Example Usage Scenarios==

			===Web App Penetration Testing===

			Imagine a security professional is tasked with performing a black-box penetration test against a web application. They have identified several input fields (e.g., search bars, contact forms, URL parameters) that might be passing user-supplied data to system commands on the backend. Instead of manually crafting and testing countless command injection payloads for each input vector, the professional could use Commix. They can provide the target URL and specify the parameters to test (<code>-u http://target.com/vuln.php?id=test --data "param=val"</code>). Commix can then automatically attempt various injection techniques (classic, time-based, file-based, eval-based) to detect if a command injection vulnerability exists. If a vulnerability is found, Commix can provide an OS shell, allowing the professional to further explore the compromised system, enumerate users (<code>--users</code>), read files (<code>--file-read</code>), or even attempt to gain a reverse TCP shell for more interactive control. This automates a significant portion of the discovery and initial exploitation phase.

	==Command Line Flags==		==Command Line Flags==

Unknown user: /* File Access Options */

2025-05-24T13:12:58Z

File Access Options

← Older revision		Revision as of 13:12, 24 May 2025
Line 86:		Line 86:
	* <code>--ps-version</code>: Retrieves PowerShell's version number.		* <code>--ps-version</code>: Retrieves PowerShell's version number.

	==File Access Options==		===File Access Options===
	These options are used to access files on the target host:		These options are used to access files on the target host:
	* <code>--file-read FILE_READ</code>: Reads a file from the target host.		* <code>--file-read FILE_READ</code>: Reads a file from the target host.

Unknown user: /* Description */

2025-05-24T13:10:44Z

Description

Show changes