Automated All-in-One OS command injection and exploitation tool.
Clone or download
Type Name Latest commit message Commit time
Failed to load latest commit information.
.github Added Contributor Covenant Code of Conduct Jan 9, 2018
readme Minor update of redirection mechanism. Nov 14, 2018
src Minor fix regarding 5548fff Nov 21, 2018
.gitignore Minor update at ".gitignore" file. Jul 13, 2016
.travis.yml Adding support for Travis CI Nov 5, 2016
LICENSE.txt Minor update Jan 30, 2018 Minor refactoring Nov 19, 2018 Minor update Oct 15, 2018


Build Status Version 2.6 Python 2.6-2.7 GPLv3 License Twitter

General Information

Commix (short for [comm]and [i]njection e[x]ploiter) is an automated tool written by Anastasios Stasinopoulos (@ancst) that can be used from web developers, penetration testers or even security researchers in order to test web-based applications with the view to find bugs, errors or vulnerabilities related to command injection attacks. By using this tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or HTTP header.

Legal Disclaimer

Usage of commix for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.


Python version 2.6.x or 2.7.x is required for running this program.


Download commix by cloning the Git repository:

git clone commix

Commix comes packaged on the official repositories of the following Linux distributions, so you can use the package manager to install it!

Commix also comes as a plugin, on the following penetration testing frameworks:

Supported Platforms

  • Linux
  • Mac OS X
  • Windows (experimental)


To get a list of all options and switches use:

python -h

Q: Where can I check all the available options and switches?

A: Check the 'usage' wiki page.

Usage Examples

Q: Can I get some basic ideas on how to use commix?

A: Just go and check the 'usage examples' wiki page, where there are several test cases and attack scenarios.

Upload Shells

Q: How easily can I upload web-shells on a target host via commix?

A: Commix enables you to upload web-shells (e.g metasploit PHP meterpreter) easily on target host. For more, check the 'upload shells' wiki page.

Modules Development

Q: Do you want to increase the capabilities of the commix tool and/or to adapt it to our needs?

A: You can easily develop and import our own modules. For more, check the 'module development' wiki page.

Command Injection Testbeds

Q: How can I test or evaluate the exploitation abilities of commix?

A: Check the 'command injection testbeds' wiki page which includes a collection of pwnable web applications and/or VMs (that include web applications) vulnerable to command injection attacks.

Exploitation Demos

Q: Is there a place where I can check for demos of commix?

A: If you want to see a collection of demos, about the exploitation abilities of commix, take a look at the 'exploitation demos' wiki page.

Bugs and Enhancements

Q: I found a bug / I have to suggest a new feature! What can I do?

A: For bug reports or enhancements, please open an issue here.

Presentations and White Papers

Q: Is there a place where I can find presentations and/or white papers regarding commix?

A: For presentations and/or white papers published in conferences, check the 'presentations' wiki page.

Support and Donations

Q: Except for tech stuff (bug reports or enhancements) is there any other way that I can support the development of commix?

A: Sure! Commix is the outcome of many hours of work and total personal dedication. Feel free to 'donate' via PayPal to and instantly prove your feelings for it! :).