BUG: BULKFILE requires absolute path and parameter injection improvement if not specified #905
Comments
Thank you for your time and the detailed report.
Also the
Take a look at the dev version using
The path specification works and the issue has been resolved.
However, the double slashes haven't been resolved. But specifying the path wasn't an issue any longer.
FYI the issue regarding help (
The "double slashes" issue has been resolved.
… continue testing the remaining parameters, if one is found vulnerable.. Ref: #905
What are the running context details?
$ sudo apt install -y commix
Client OS is Kali Linux
Target OS is Ubuntu 22.04
Program version
Parameter Injection
In the DNS hosts file for easy navigation in the URL.
Pretty sure you're still aware of the pseudo terminal when I list the files (`ls -l`) it gives me
The rest of the commands are fine.
When I issue help (`?`) command it terminates the console.
Two additional front slashes and wrong path: `/usr/share/commix//home/user/.commix/output/dvwa.local/logs.txt`. However, the log file is there along with session and history.
The workaround is to execute a single command `--os-cmd` and there's no issue so far.
I discovered when I use `--batch` and to skip using the console (`--answers="pseudo-terminal=N"`) it started to inject commands in the `Submit` POST parameter which I'm supposed to pass the argument (`-p Submit`) but that wasn't my intention I think it's the session file (`~/.commix/output/dvwa.local/session.db`).
Now here's the interesting part it doesn't receive any output when I wanted to execute a single command with `--os-cmd="uname -a"`? It already worked once so I have no idea what's going on. Probably there is something wrong with the cookies I think. I don't believe this is a bug so you can ignore this part.
No output.
The fix is to purge the previous session and re-run the exploit.
I've used the `--batch` and to skip the console (`--answers="pseudo-terminal=N"`) but it does the same thing to inject the `Submit` parameter and I didn't specify the parameter with `-p Submit`. It's supposed to terminate the program when the adversary is on the post exploitation phase.
You can reproduce this with `sqlmap` to see that it's not required to pass the parameters after it was exploited. Which is why `commix` requires a bit of improvement.
BULKFILE when scanning URLs
Last but not least the BULKFILE flag (`-m`) requires an absolute path in order to scan the URLs.
If not it won't recognize the file existence.
`--output-dir` flag is also affected by this bug as well which corresponds with `/usr/share/commix//home/user/.commix/output/dvwa.local/logs.txt` the output path.