Automated All-in-One OS Command Injection and Exploitation Tool
Clone or download
Pull request Compare This branch is 1 commit ahead, 662 commits behind commixproject:master.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
readme
src
README.md
commix.py

README.md

Logo

Version 0.9b Python 2.6-2.7 GPLv3 License Twitter

General Information

Commix (short for [comm]and [i]njection e[x]ploiter) is an automated tool written by Anastasios Stasinopoulos (@ancst) that can be used from web developers, penetration testers or even security researchers in order to test web-based applications with the view to find bugs, errors or vulnerabilities related to command injection attacks. By using this tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or HTTP header.

Disclaimer

This tool is only for testing and academic purposes and can only be used where strict consent has been given. Do not use it for illegal purposes!

Requirements

Python version 2.6.x or 2.7.x is required for running this program.

Installation

Download commix by cloning the Git repository:

git clone https://github.com/stasinopoulos/commix.git commix

Commix comes packaged on the official repositories of the following Linux distributions, so you can use the package manager to install it!

Commix also comes pre-installed, on the following penetration testing frameworks:

Usage

To get a list of all options and switches use:

python commix.py -h

Do you want to have a quick look of all available options and switches? Check the 'usage' wiki page.

Usage Examples

So, do you want to get some ideas on how to use commix? Just go and check the 'usage examples' wiki page, where there are several test cases and attack scenarios.

Upload Shells

Commix enables you to upload web-shells (e.g metasploit PHP meterpreter) easily on target host. For more, check the 'upload shells' wiki page.

Modules Development

Do you want to increase the capabilities of the commix tool and/or to adapt it to our needs? You can easily develop and import our own modules. For more, check the 'module development' wiki page.

Command Injection Testbeds

Do you want to test or evaluate the exploitation abilities of commix? Cool! Check the 'command injection testbeds' wiki page which includes a collection of pwnable web applications and/or VMs (that includes web applications) vulnerable to command injection attacks.

Exploitation Demos

If you want to see a collection of demos, about the exploitation abilities of commix, take a look at the 'exploitation demos' wiki page.

Bugs and Enhancements

For bug reports or enhancements, please open an issue here.

Supported Platforms

  • Linux
  • Mac OS X
  • Windows (experimental)

Presentations and White Papers

For presentations and white papers published in conferences, check the 'presentations' wiki page.