Commix

Description

Commix, short for COMMand Injection eXploiter, is an open-source penetration testing tool developed by Anastasios Stasinopoulos. Its primary function is to automate the detection and exploitation of command injection vulnerabilities. (Command injection involves executing arbitrary commands on a host operating system through a vulnerable application.) Commix simplifies the process for security professionals to identify and leverage these weaknesses in web applications and other systems.

The tool is written in Python and is compatible with versions 2.6, 2.7, and 3.x. The project is licensed under the GNU General Public License v3 (GPLv3).

The tool documents most of its options on its wiki: https://github.com/commixproject/commix/wiki

The tool's development is ongoing, with a focus on providing a stable and reliable utility for penetration testers. The setup.py file indicates a stable version (e.g., '4.0-stable') and includes project URLs for documentation, source code, and an issue tracker, all hosted on GitHub. This structured approach to development and community engagement helps ensure that Commix remains a relevant and powerful tool in the cybersecurity landscape.

Commix also supports various international users, with translations of its README available in several languages, including Farsi (Persian), Greek, Indonesian, and Turkish. This commitment to accessibility broadens its reach and usability across different regions. The project encourages community involvement through its issue tracker for reporting bugs or suggesting enhancements.

Example Usage Scenarios

Web App Penetration Testing

Imagine a security professional is tasked with performing a black-box penetration test against a web application. They have identified several input fields (e.g., search bars, contact forms, URL parameters) that might be passing user-supplied data to system commands on the backend. Instead of manually crafting and testing countless command injection payloads for each input vector, the professional could use Commix. They can provide the target URL and specify the parameters to test (-u http://target.com/vuln.php?id=test --data "param=val").

Commix can then automatically attempt various injection techniques (classic, time-based, file-based, eval-based) to detect if a command injection vulnerability exists. If a vulnerability is found, Commix can provide an OS shell, allowing the professional to further explore the compromised system, enumerate users (--users), read files (--file-read), or even attempt to gain a reverse TCP shell for more interactive control. This automates a significant portion of the discovery and initial exploitation phase.

(Note: Commix provides a testbed docker container with vulnerable web apps so you can take it for a spin: https://hub.docker.com/r/commixproject/commix-testbed )

Post-Exploitation and Privilege Escalation

In a scenario where a security professional has already gained a limited shell on a server (perhaps through a different vulnerability), they might discover that certain scripts or applications run by other users (or even by root/administrator) take user-supplied input that is then used in a system command. If the initial shell is restrictive or non-interactive, Commix could be used to exploit this secondary command injection vector.

The professional could point Commix to the vulnerable script/parameter from within the compromised system (if network access allows, or by setting up a proxy/tunnel). Commix's enumeration features like --current-user, --is-root (or --is-admin for Windows), and --privileges would be invaluable to quickly assess the context of the newly exploited command injection point and determine if it offers higher privileges than their initial foothold. The tool's ability to upload files (--file-upload) could also be used to introduce privilege escalation scripts.

Automated Vulnerability Scanning

A security team might be responsible for regularly assessing a large number of web applications or API endpoints for command injection vulnerabilities. Manually testing each one would be incredibly time-consuming and prone to human error. Commix can be used in a more automated fashion for this purpose.

Security professionals can create a list of target URLs (potentially with specific parameters identified through other reconnaissance) and feed this list to Commix using the -m BULKFILE option. By using the --batch flag, Commix can run with default behaviors, attempting to identify vulnerabilities across all targets without requiring interactive input for each decision. The results, including identified vulnerable parameters and payloads, can be logged to files (-t TRAFFIC_FILE or via the default output directory) for later review and reporting. This allows for efficient, broad-stroke testing of many potential targets. Commix also supports parsing targets from Burp or WebScarab logs (-l LOGFILE) or even sitemap.xml files (-x SITEMAP_URL), further enhancing its utility in automated scanning workflows.

Command Line Flags

Commix offers a variety of command-line options to control its behavior, categorized into several groups:

General Options

These options relate to general tool operation:

-v VERBOSE: Sets the verbosity level (0-4, default is 0).
--version: Shows the version number and exits.
--output-dir OUTPUT_DIR: Sets a custom directory path for output.
-s SESSION_FILE: Loads a session from a stored .sqlite file.
--flush-session: Flushes session files for the current target.
--ignore-session: Ignores results stored in the session file.
-t TRAFFIC_FILE: Logs all HTTP traffic into a textual file.
--time-limit TIME_LIMIT: Runs the tool with a time limit in seconds (e.g., 3600).
--batch: Never asks for user input and uses default behavior.
--skip-heuristics: Skips heuristic detection for code injection.
--codec CODEC: Forces a specific codec for character encoding (e.g., 'ascii').
--charset CHARSET: Specifies the charset for time-related injection (e.g., '0123456789abcdef').
--check-internet: Checks for an internet connection before assessing the target.
--answers ANSWERS: Sets predefined answers for questions (e.g., 'quit=N,follow=N').

Target Options

These options define the target for the tool:

-u URL, --url URL: Specifies the target URL.
--url-reload: Reloads the target URL after command execution.
-l LOGFILE: Parses the target from an HTTP proxy log file.
-m BULKFILE: Scans multiple targets listed in a textual file.
-r REQUESTFILE: Loads an HTTP request from a file.
--crawl CRAWLDEPTH: Crawls the website starting from the target URL (default depth: 1).
--crawl-exclude REGEXP: Excludes pages from crawling using a regular expression (e.g., 'logout').
-x SITEMAP_URL: Parses target(s) from a remote sitemap (.xml) file.
--method METHOD: Forces the usage of a given HTTP method (e.g., 'PUT').

Request Options

These options specify how to connect to the target URL:

-d DATA, --data DATA: Provides the data string to be sent via POST.
--host HOST: Sets the HTTP Host header.
--referer REFERER: Sets the HTTP Referer header.
--user-agent AGENT: Sets the HTTP User-Agent header (default is 'commix/VERSION (https://commixproject.com)').
--random-agent: Uses a randomly selected HTTP User-Agent header.
--param-del PDEL: Sets the character for splitting parameter values.
--cookie COOKIE: Sets the HTTP Cookie header.
--cookie-del CDEL: Sets the character for splitting cookie values.
-H HEADER, --header HEADER: Specifies an extra header (e.g., 'X-Forwarded-For: 127.0.0.1').
--headers HEADERS: Specifies multiple extra headers (e.g., 'Accept-Language: fr\nETag: 123').
--proxy PROXY: Uses a proxy to connect to the target URL.
--tor: Uses the Tor network.
--tor-port TOR_PORT: Sets the Tor proxy port (default: 8118).
--tor-check: Checks if Tor is used properly.
--auth-url AUTH_URL: Specifies the login panel URL.
--auth-data AUTH_DATA: Specifies login parameters and data.
--auth-type AUTH_TYPE: Sets the HTTP authentication type (Basic, Digest, Bearer).
--auth-cred AUTH_CRED: Sets HTTP authentication credentials (e.g., 'admin:admin').
--abort-code ABORT_CODE: Aborts on specified (problematic) HTTP error codes (e.g., 401).
--ignore-code IGNORE_CODE: Ignores specified (problematic) HTTP error codes (e.g., 401).
--force-ssl: Forces the usage of SSL/HTTPS.
--ignore-proxy: Ignores system default proxy settings.
--ignore-redirects: Ignores redirection attempts.
--timeout TIMEOUT: Sets the connection timeout in seconds (default: 30).
--retries RETRIES: Sets the number of retries when the connection timeouts (default: 3).
--drop-set-cookie: Ignores Set-Cookie header from the response.

Enumeration Options

These options are used to enumerate the target host:

--all: Retrieves everything.
--current-user: Retrieves the current username.
--hostname: Retrieves the current hostname.
--is-root: Checks if the current user has root privileges.
--is-admin: Checks if the current user has admin privileges.
--sys-info: Retrieves system information.
--users: Retrieves system users.
--passwords: Retrieves system users' password hashes.
--privileges: Retrieves system users' privileges.
--ps-version: Retrieves PowerShell's version number.

File Access Options

These options are used to access files on the target host:

--file-read FILE_READ: Reads a file from the target host.
--file-write FILE_WRITE: Writes to a file on the target host.
--file-upload FILE_UPLOAD: Uploads a file to the target host.
--file-dest FILE_DEST: Specifies the host's absolute filepath to write and/or upload to.

Modules Options

These options utilize specific modules to enhance detection or injection:

--shellshock: Uses the 'shellshock' injection module.

Injection Options

These options specify which parameters to inject and provide custom injection payloads:

-p TEST_PARAMETER: Specifies testable parameter(s).
--skip SKIP_PARAMETER: Skips testing for given parameter(s).
--suffix SUFFIX: Sets an injection payload suffix string.
--prefix PREFIX: Sets an injection payload prefix string.
--technique TECH: Specifies injection technique(s) to use.
--skip-technique SKIP_TECH: Specifies injection technique(s) to skip.
--maxlen MAXLEN: Sets the max length of output for time-related injection techniques (default: 10000 chars).
--delay DELAY: Sets seconds to delay between each HTTP request (default: 0).
--time-sec TIMESEC: Sets seconds to delay the OS response (default: 0).
--tmp-path TMP_PATH: Sets the absolute path of the web server's temp directory.
--web-root WEB_ROOT: Sets the web server document root directory (e.g., '/var/www').
--alter-shell ALTER_SHELL: Uses an alternative OS shell (e.g., 'Python').
--os-cmd OS_CMD: Executes a single operating system command.
--os OS: Forces the back-end operating system (e.g., 'Windows' or 'Unix').
--tamper TAMPER: Uses given script(s) for tampering injection data.
--msf-path MSF_PATH: Sets a local path where Metasploit is installed.

Detection Options

These options customize the detection phase:

--level LEVEL: Sets the level of tests to perform (1-3, default: 1).
--skip-calc: Skips mathematic calculation during the detection phase.
--skip-empty: Skips testing parameters with empty values.
--failed-tries FAILED_TRIES: Sets the number of failed injection tries in file-based technique (default is based on the number of separators).
--smart: Performs thorough tests only if positive heuristics are found.

Miscellaneous Options

Various other options:

--ignore-dependencies: Ignores all required third-party library dependencies.
--list-tampers: Displays a list of available tamper scripts.
--alert ALERT: Runs host OS command(s) when an injection point is found.
--no-logging: Disables logging to a file.
--purge: Safely removes all content from the commix data directory.
--skip-waf: Skips heuristic detection of WAF/IPS protection.
--mobile: Imitates a smartphone through the HTTP User-Agent header.
--offline: Works in offline mode.
--wizard: Uses a simple wizard interface for beginner users.
--disable-coloring: Disables console output coloring.

Note: The Debian package maintainers have disabled the --install and --update flags, as updates and installations should be handled by apt on Kali Linux. The default output directory is also changed to ~/.commix/output/ in the Kali version.

Example Command Log

Commix Command Log Exercise

A security analyst is testing a web application for command injection vulnerabilities. The target page is http://vulnerable.site/cat_product.php?cat_id=1. The analyst suspects the cat_id parameter might be vulnerable.

Below is a series of commands the analyst runs using Commix. For each command, explain its purpose and what the analyst is trying to achieve.

# Step 1: Basic vulnerability check for the 'cat_id' parameter.
# The analyst starts with a simple test on the suspected parameter.
# The -u flag specifies the target URL. Commix will automatically test parameters found in the URL.
# --batch is used to accept default answers to commix's questions.
python commix.py -u "http://vulnerable.site/cat_product.php?cat_id=1" --batch

# Step 2: If the first command didn't yield results, or to be more specific,
# the analyst explicitly tests the 'cat_id' parameter with a higher verbosity level (v=1)
# to get more information about the tests being performed.
# -p cat_id explicitly tells commix to test only the 'cat_id' parameter.
python commix.py -u "http://vulnerable.site/cat_product.php?cat_id=1" -p "cat_id" -v 1 --batch

# Step 3: Assuming a command injection was found and confirmed by Commix,
# the analyst now tries to get an interactive operating system shell.
# --os-shell attempts to provide a pseudo-terminal.
python commix.py -u "http://vulnerable.site/cat_product.php?cat_id=1" -p "cat_id" --os-shell

# Step 4: Once in the OS shell (or if direct command execution is preferred after confirmation),
# the analyst tries to determine the current user.
# --current-user is an enumeration option to fetch the username running the commands.
python commix.py -u "http://vulnerable.site/cat_product.php?cat_id=1" -p "cat_id" --current-user --batch

# Step 5: The analyst attempts to retrieve basic system information.
# --sys-info tries to gather details about the operating system and architecture.
python commix.py -u "http://vulnerable.site/cat_product.php?cat_id=1" -p "cat_id" --sys-info --batch

# Step 6: The analyst wants to read the /etc/passwd file (assuming a *nix-like system
# was identified or suspected from --sys-info or other means).
# --file-read specifies a file to read from the target system.
python commix.py -u "http://vulnerable.site/cat_product.php?cat_id=1" -p "cat_id" --file-read "/etc/passwd" --batch

Links

Flags