Roadmap & Changelog
Version 0.3b [2015]:
+ Added: Time-relative false-positive identification, which identifies unexpected time delays due to unstable requests.
+ Added: New option “-l”, that parses target and data from HTTP proxy log file (i.e Burp or WebScarab).
+ Added: Check if Powershell is enabled in target host, if the applied option’s payload is requiring the use of PowerShell.
+ Added: New option “–ps-version”, that checks PowerShell’s version number.
+ Replaced: Some powershell-based payloads, have been replaced by new (more solid) ones, so to avoid “Microsoft-IIS” server’s incompatibilities.
+ Added: Support (in MacOSX platforms) for a tab completion in shell options.
+ Added: Undocumented parameter “-InputFormat none” so to avoid “Microsoft-IIS” server’s hang.
+ Added: Ability for identification of “Microsoft-IIS” servers.
+ Added: Statistical checks for time-related (“time-based”/”tempfile-based”) techniques.
+ Added: Support for Windows-based (cmd / powershell) payloads for every injection technique.ng..
commix-v-0.4B
Version 0.2b [2015]:
+ Added: Support for recalling previous commands.
+ Added: Versions for “nongit” users (vx.xx-nongit-yyyymmdd).
+ Added: Support for a tab completion in shell options.
+ Added: Support for alternative (Python) os-shell in dynamic code evaluation (aka eval-based) technique.
+ Added: Support for PHP/Python meterpreter on “reverse_tcp” shell option.
+ Added: The “reverse_tcp” shell option.
+ Added: The ability to check for default root directories (Apache/Nginx).
+ Added: Support for removal of (txt) shell files (File-based/Tempfile-based).
+ Added: Support for JSON POST data.
+ Added: The “enumeration” and “file-read” results to log file.
+ Added: The ability to get the user’s approval before re-{enumerate/file-read} target.
+ Added: The ability to stop current injection technique and proceed on the next one(s).
Commix-0-3b
Commix (short for [com]mand [i]njection e[x]ploiter) has a simple environment and it can be used, from web developers, penetration testers or even security researchers to test web applications with the view to find bugs, errors or vulnerabilities related to command injection attacks. By using this tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or string. Commix is written in Python programming language.
Commix v0.2b-7cc57eb
Example screenCapture Updates commix-v-0.1b : Automated All-in-One OS Command Injection and Exploitation Tool. Has been Tested on: Kali Sana, Windows 7/8.1/10, Debian, Ubuntu, Arch-Linux
Disclaimer :
The tool is only for testing and academic purposes and can only be used where strict consent has been given. Do not use it for illegal purposes!!
Command Injection Testbeds
A collection of pwnable VMs, that includes web apps vulnerable to command injections.
+ Damn Vulnerable Web App
+ OWASP: Mutillidae
+ bWAPP: bee-box (v1.6)
+ Persistence
+ Pentester Lab: Web For Pentester
+ Pentester Lab: CVE-2014-6271/Shellshock
+ Pentester Lab: Rack Cookies and Commands injection
+ Pentester Academy: Command Injection ISO: 1
+ SpiderLabs: MCIR (ShelLOL)
+ Kioptrix: Level 1.1 (#2)
+ Kioptrix: 2014 (#5)
+ Acid Server: 1
+ Flick: 2
+ w3af-moth
+ commix-testbed
Exploitation Demos:
+ Exploiting DVWA (1.0.8) command injection flaws.
+ Exploiting bWAPP command injection flaws (normal & blind).
+ Exploiting ‘Persistence’ blind command injection flaw.
+ Exploiting shellshock command injection flaws.
+ Upload a PHP shell (i.e. Metasploit PHP Meterpreter) on target host.
+ Upload a Weevely PHP web shell on target host.
+ Exploiting cookie-based command injection flaws.
+ Exploiting user-agent-based command injection flaws.
+ Exploiting referer-based command injection flaws.
+ Rack cookies and commands injection.
Usage
python commix.py [options]
Options:
-h, --help Show help and exit. --verbose Enable the verbose mode. --install Install 'commix' to your system. --version Show version number and exit. --update Check for updates (apply if any) and exit.
Target:
This options has to be provided, to define the target URL. --url=URL Target URL. --url-reload Reload target URL after command execution.
Request:
These options can be used, to specify how to connect to the target
URL.
--method=METHOD HTTP method (GET or POST).
--host=HOST HTTP Host header.
--referer=REFERER HTTP Referer header.
--user-agent=AGENT HTTP User-Agent header.
--cookie=COOKIE HTTP Cookie header.
--headers=HEADERS Extra headers (e.g. 'Header1:Value1\nHeader2:Value2').
--proxy=PROXY Use a HTTP proxy (e.g. '127.0.0.1:8080').
--auth-url=AUTH_.. Login panel URL.
--auth-data=AUTH.. Login parameters and data.
--auth-cred=AUTH.. HTTP Basic Authentication credentials (e.g.
'admin:admin').Injection:
These options can be used, to specify which parameters to inject and
to provide custom injection payloads.
--param=PARAMETER Parameter(s) to inject (use 'INJECT_HERE' tag).
--suffix=SUFFIX Injection payload suffix string.
--prefix=PREFIX Injection payload prefix string.
--technique=TECH Specify a certain injection technique : 'classic',
'eval-based', 'time-based' or 'boolean-based'.
--maxlen=MAXLEN The length of the output on time-based technique
(Default: 10000 chars).
--delay=DELAY Set Time-delay for time-based and boolean-based
techniques (Default: 1 sec).
--base64 Use Base64 (enc)/(de)code trick to prevent false-
positive results.Enumeration :
These options can be used, to enumerate the target host. --current-user Retrieve current user. --hostname Retrieve server hostname. --is-root Check if the current user have root privs
Installation:
git clone https://github.com/stasinopoulos/commix cd commix python commix.py -h (for helper) python commix.py --update (for update)
Download : Master.zip | Clone Url
Source : https://github.com/stasinopoulos/ | Our post Before