commix v1.6 - command injection exploiters.

commix v1.6 – command injection exploiters.

Changelog commix v1.6:
+ Fixed: Improvement regarding json-formated POST data, where whitespace before (and/or after) the “:” exists.
+ Fixed: Minor fix regarding empty value(s) in provided parameter(s).
+ Added: New option “–batch” that never asking for user input (using the default behaviour).
+ Added: New option “-x” for parsing target(s) from remote sitemap(.xml) file.
+ Added: New option “–offline” for working in offline mode.
+ Fixed: Improvement regarding the IP address grabbing (in case of internet in-accessibility).
+ Fixed: Improvement regarding HTTPS based websites, for which scanning fails.
+ Added: New option “-r” for loading HTTP request from a file.
+ Fixed: Improvement regarding the response time estimation, in which the target URL was requested without its POST data.
+ Added: New option “-m” for scanning multiple targets given in a textual file.
+ Fixed: Minor fix regarding the newline display in dynamic code evaluation (“eval-based”) and semiblind (“file-based”) technique.
+ Revised: The dynamic code evaluation (“eval-based”) payloads have been shortly revised.
+ Added: The executed command and the execution results output has been added to log file.

commix v1.6

commix v1.5

commix v1.5

commix-v1-4

commix

commix v1.2

Commix (short for [com]mand [i]njection e[x]ploiter) has a simple environment and it can be used, from web developers, penetration testers or even security researchers to test web applications with the view to find bugs, errors or vulnerabilities related to command injection attacks. By using this tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or string. Commix is written in Python programming language.

Commix v0.2b-7cc57eb Example screenCapture Updates commix-v-0.1b : Automated All-in-One OS Command Injection and Exploitation Tool. Has been Tested on: Kali Sana, Windows 7/8.1/10, Debian, Ubuntu, Arch-Linux

Commix v0.2b-7cc57eb
Example screenCapture Updates commix-v-0.1b : Automated All-in-One OS Command Injection and Exploitation Tool. Has been Tested on: Kali Sana, Windows 7/8.1/10, Debian, Ubuntu, Arch-Linux

Disclaimer :
The tool is only for testing and academic purposes and can only be used where strict consent has been given. Do not use it for illegal purposes!!

Command Injection Testbeds
A collection of pwnable VMs, that includes web apps vulnerable to command injections.
+ Damn Vulnerable Web App
+ OWASP: Mutillidae
+ bWAPP: bee-box (v1.6)
+ Persistence
+ Pentester Lab: Web For Pentester
+ Pentester Lab: CVE-2014-6271/Shellshock
+ Pentester Lab: Rack Cookies and Commands injection
+ Pentester Academy: Command Injection ISO: 1
+ SpiderLabs: MCIR (ShelLOL)
+ Kioptrix: Level 1.1 (#2)
+ Kioptrix: 2014 (#5)
+ Acid Server: 1
+ Flick: 2
+ w3af-moth
+ commix-testbed

Exploitation Demos:
+ Exploiting DVWA (1.0.8) command injection flaws.
+ Exploiting bWAPP command injection flaws (normal & blind).
+ Exploiting ‘Persistence’ blind command injection flaw.
+ Exploiting shellshock command injection flaws.
+ Upload a PHP shell (i.e. Metasploit PHP Meterpreter) on target host.
+ Upload a Weevely PHP web shell on target host.
+ Exploiting cookie-based command injection flaws.
+ Exploiting user-agent-based command injection flaws.
+ Exploiting referer-based command injection flaws.
+ Rack cookies and commands injection.

Usage

Options:

Target:

Request:

Injection:

Enumeration :

Installation:

Download : v1.6.zip | v1.6.tar.gz | Clone Url
Source : https://github.com/stasinopoulos/ | Our post Before