Commix v2.7 - Automated All-in-One OS Command Injection And Exploitation Tool

Commix (short for [comm]and [i]njection e[x]ploiter) is an automated tool written by Anastasios Stasinopoulos (@ancst) that can be used from web developers, penetration testers or even security researchers in order to test web-based applications with the view to find bugs, errors or vulnerabilities related to command injection attacks. By using this tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or HTTP header.

Python version 2.6.x or 2.7.x is required for running this program.

Download commix by cloning the Git repository:
git clone commix
Commix comes packaged on the official repositories of the following Linux distributions, so you can use the package manager to install it!
Commix also comes as a plugin, on the following penetration testing frameworks:

Supported Platforms
  • Linux
  • Mac OS X
  • Windows (experimental)

To get a list of all options and switches use:
python -h
Q: Where can I check all the available options and switches?
A: Check the 'usage' wiki page.

Usage Examples
Q: Can I get some basic ideas on how to use commix?
A: Just go and check the 'usage examples' wiki page, where there are several test cases and attack scenarios.

Upload Shells
Q: How easily can I upload web-shells on a target host via commix?
A: Commix enables you to upload web-shells (e.g metasploit PHP meterpreter) easily on target host. For more, check the 'upload shells' wiki page.

Modules Development
Q: Do you want to increase the capabilities of the commix tool and/or to adapt it to our needs?
A: You can easily develop and import our own modules. For more, check the 'module development' wiki page.

Command Injection Testbeds
Q: How can I test or evaluate the exploitation abilities of commix?
A: Check the 'command injection testbeds' wiki page which includes a collection of pwnable web applications and/or VMs (that include web applications) vulnerable to command injection attacks.

Exploitation Demos
Q: Is there a place where I can check for demos of commix?
A: If you want to see a collection of demos, about the exploitation abilities of commix, take a look at the 'exploitation demos' wiki page.

Bugs and Enhancements
Q: I found a bug / I have to suggest a new feature! What can I do?
A: For bug reports or enhancements, please open an issue here.

Presentations and White Papers
Q: Is there a place where I can find presentations and/or white papers regarding commix?
A: For presentations and/or white papers published in conferences, check the 'presentations' wiki page.

Commix v2.7 - Automated All-in-One OS Command Injection And Exploitation Tool Commix v2.7 - Automated All-in-One OS Command Injection And Exploitation Tool Reviewed by Zion3R on 9:28 AM Rating: 5