__
   ___    ___     ___ ___     ___ ___ /\_\   __  _ 
  /'___\ / __`\ /' __` __`\ /' __` __`\/\ \ /\ \/'\
 /\ \__//\ \L\ \/\ \/\ \/\ \/\ \/\ \/\ \ \ \\/>  </
 \ \____\ \____/\ \_\ \_\ \_\ \_\ \_\ \_\ \_\/\_/\_\
  \/____/\/___/  \/_/\/_/\/_/\/_/\/_/\/_/\/_/\//\/_/ { v0.2b }

+--
Automated All-in-One OS Command Injection and Exploitation Tool
Copyright (c) 2015 Anastasios Stasinopoulos (@ancst)
+--

####General Information Commix (short for [comm]and [i]njection e[x]ploiter) has a simple environment and it can be used, from web developers, penetration testers or even security researchers to test web applications with the view to find bugs, errors or vulnerabilities related to command injection attacks. By using this tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or string. Commix is written in Python programming language.

####Disclaimer The tool is only for testing and academic purposes and can only be used where strict consent has been given. Do not use it for illegal purposes!!

####Requirements Python version 2.6.x or 2.7.x is required for running this program.

####Installation Download commix by cloning the Git repository:

git clone https://github.com/stasinopoulos/commix.git commix

Commix comes packaged on the official repositories of the following Linux distributions, so you can use the package manager to install it!

• ArchAssault
• BlackArch

Commix also comes pre-installed, on the following penetration testing frameworks:

• The Penetration Testers Framework (PTF)
• PentestBox
• Weakerthan
• CTF-Tools

####Usage To get a list of all options and switches use:

python commix.py -h

Do you want to have a quick look of all available options and switches? Check the 'usage' wiki page.

####Usage Examples So, do you want to get some ideas on how to use commix? Just go and check the 'usage examples' wiki page, where there are several test cases and attack scenarios.

####Upload Shells Commix enables you to upload web-shells (e.g metasploit PHP meterpreter) easily on target host. For more, check the 'upload shells' wiki page.

####Modules Development Do you want to increase the capabilities of the commix tool and/or to adapt it to our needs? You can easily develop and import our own modules. For more, check the 'module development' wiki page.

####Command Injection Testbeds A collection of pwnable VMs, that includes web applications vulnerable to command injection attacks.

• Damn Vulnerable Web App (DVWA)
• Xtreme Vulnerable Web Application (XVWA)
• OWASP: Mutillidae
• bWAPP: bee-box (v1.6)
• Persistence
• Pentester Lab: Web For Pentester
• Pentester Lab: CVE-2014-6271/Shellshock
• Pentester Lab: Rack Cookies and Commands injection
• Pentester Academy: Command Injection ISO: 1
• SpiderLabs: MCIR (ShelLOL)
• Kioptrix: Level 1.1 (#2)
• Kioptrix: 2014 (#5)
• Acid Server: 1
• Flick: 2
• w3af-moth
• commix-testbed

####Exploitation Demos (Video) A collection of video demos, about the exploitation abilities of commix.

• Exploiting DVWA (1.0.8) command injection flaws.
• Exploiting bWAPP command injection flaws (normal & blind).
• Exploiting 'Persistence' blind command injection flaw.
• Exploiting shellshock command injection flaws.
• Upload a PHP shell (i.e. Metasploit PHP Meterpreter) on target host.
• Upload a Weevely PHP web shell on target host.
• Exploiting cookie-based command injection flaws.
• Exploiting user-agent-based command injection flaws.
• Exploiting referer-based command injection flaws.
• Rack cookies and commands injection.

####Bugs and Enhancements For bug reports or enhancements, please open an issue here.

####Supported Platforms

• Linux
• Mac OS X
• Windows (experimental)

####Presentations and White Papers For presentations and white papers published in conferences, check the 'Presentations' wiki page.