From charlesreid1

Revision as of 13:12, 24 May 2025

Description

Commix, short for COMMand Injection eXploiter, is an open-source penetration testing tool developed by Anastasios Stasinopoulos. Its primary function is to automate the detection and exploitation of command injection vulnerabilities. (Command injection involves executing arbitrary commands on a host operating system through a vulnerable application.) Commix simplifies the process for security professionals to identify and leverage these weaknesses in web applications and other systems.

The tool is written in Python and is compatible with versions 2.6, 2.7, and 3.x. The project is licensed under the GNU General Public License v3 (GPLv3).

The tool documents most of its options on its wiki: https://github.com/commixproject/commix/wiki

The tool's development is ongoing, with a focus on providing a stable and reliable utility for penetration testers. The setup.py file indicates a stable version (e.g., '4.0-stable') and includes project URLs for documentation, source code, and an issue tracker, all hosted on GitHub. This structured approach to development and community engagement helps ensure that Commix remains a relevant and powerful tool in the cybersecurity landscape.

Commix also supports various international users, with translations of its README available in several languages, including Farsi (Persian), Greek, Indonesian, and Turkish. This commitment to accessibility broadens its reach and usability across different regions. The project encourages community involvement through its issue tracker for reporting bugs or suggesting enhancements.

Command Line Flags

Commix offers a variety of command-line options to control its behavior, categorized into several groups:

General Options

These options relate to general tool operation:

  • -v VERBOSE: Sets the verbosity level (0-4, default is 0).
  • --version: Shows the version number and exits.
  • --output-dir OUTPUT_DIR: Sets a custom directory path for output.
  • -s SESSION_FILE: Loads a session from a stored .sqlite file.
  • --flush-session: Flushes session files for the current target.
  • --ignore-session: Ignores results stored in the session file.
  • -t TRAFFIC_FILE: Logs all HTTP traffic into a textual file.
  • --time-limit TIME_LIMIT: Runs the tool with a time limit in seconds (e.g., 3600).
  • --batch: Never asks for user input and uses default behavior.
  • --skip-heuristics: Skips heuristic detection for code injection.
  • --codec CODEC: Forces a specific codec for character encoding (e.g., 'ascii').
  • --charset CHARSET: Specifies the charset for time-related injection (e.g., '0123456789abcdef').
  • --check-internet: Checks for an internet connection before assessing the target.
  • --answers ANSWERS: Sets predefined answers for questions (e.g., 'quit=N,follow=N').

Target Options

These options define the target for the tool:

  • -u URL, --url URL: Specifies the target URL.
  • --url-reload: Reloads the target URL after command execution.
  • -l LOGFILE: Parses the target from an HTTP proxy log file.
  • -m BULKFILE: Scans multiple targets listed in a textual file.
  • -r REQUESTFILE: Loads an HTTP request from a file.
  • --crawl CRAWLDEPTH: Crawls the website starting from the target URL (default depth: 1).
  • --crawl-exclude REGEXP: Excludes pages from crawling using a regular expression (e.g., 'logout').
  • -x SITEMAP_URL: Parses target(s) from a remote sitemap (.xml) file.
  • --method METHOD: Forces the usage of a given HTTP method (e.g., 'PUT').

Request Options

These options specify how to connect to the target URL:

  • -d DATA, --data DATA: Provides the data string to be sent via POST.
  • --host HOST: Sets the HTTP Host header.
  • --referer REFERER: Sets the HTTP Referer header.
  • --user-agent AGENT: Sets the HTTP User-Agent header (default is 'commix/VERSION (https://commixproject.com)').
  • --random-agent: Uses a randomly selected HTTP User-Agent header.
  • --param-del PDEL: Sets the character for splitting parameter values.
  • --cookie COOKIE: Sets the HTTP Cookie header.
  • --cookie-del CDEL: Sets the character for splitting cookie values.
  • -H HEADER, --header HEADER: Specifies an extra header (e.g., 'X-Forwarded-For: 127.0.0.1').
  • --headers HEADERS: Specifies multiple extra headers (e.g., 'Accept-Language: fr\nETag: 123').
  • --proxy PROXY: Uses a proxy to connect to the target URL.
  • --tor: Uses the Tor network.
  • --tor-port TOR_PORT: Sets the Tor proxy port (default: 8118).
  • --tor-check: Checks if Tor is used properly.
  • --auth-url AUTH_URL: Specifies the login panel URL.
  • --auth-data AUTH_DATA: Specifies login parameters and data.
  • --auth-type AUTH_TYPE: Sets the HTTP authentication type (Basic, Digest, Bearer).
  • --auth-cred AUTH_CRED: Sets HTTP authentication credentials (e.g., 'admin:admin').
  • --abort-code ABORT_CODE: Aborts on specified (problematic) HTTP error codes (e.g., 401).
  • --ignore-code IGNORE_CODE: Ignores specified (problematic) HTTP error codes (e.g., 401).
  • --force-ssl: Forces the usage of SSL/HTTPS.
  • --ignore-proxy: Ignores system default proxy settings.
  • --ignore-redirects: Ignores redirection attempts.
  • --timeout TIMEOUT: Sets the connection timeout in seconds (default: 30).
  • --retries RETRIES: Sets the number of retries when the connection times out (default: 3).
  • --drop-set-cookie: Ignores Set-Cookie header from the response.
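The default User-Agent listed above ('commix/VERSION (https://commixproject.com)') is a cheap signal a defender can look for in web server access logs; the following is an added example, not code from the Commix project, that parses constructed Combined Log Format lines and flags requests carrying that default agent. It assumes the log is in Apache/nginx combined format and catches only scans that did not use --user-agent, --random-agent or --mobile to change the header.

```python
import re
from typing import Dict, List, Optional

# Combined Log Format:
# ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic). The second line carries the
# default Commix User-Agent; the others are ordinary browser traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [24/May/2025:13:10:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [24/May/2025:13:10:02 +0000] "GET /cgi.bin/status?id=1 HTTP/1.1" 200 77 "-" "commix/4.0-stable (https://commixproject.com)"
203.0.113.7 - - [24/May/2025:13:10:03 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0)"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format log line into named fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_commix_default_ua(ua: str) -> bool:
    """True when the User-Agent matches the tool's documented default prefix."""
    return ua.lower().startswith("commix/")


def find_commix_requests(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed entries whose User-Agent is the default Commix agent."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and is_commix_default_ua(entry["ua"]):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in find_commix_requests(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["time"]} {hit["request"]} ua={hit["ua"]!r}')
```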

Enumeration Options

These options are used to enumerate the target host:

  • --all: Retrieves everything.
  • --current-user: Retrieves the current username.
  • --hostname: Retrieves the current hostname.
  • --is-root: Checks if the current user has root privileges.
  • --is-admin: Checks if the current user has admin privileges.
  • --sys-info: Retrieves system information.
  • --users: Retrieves system users.
  • --passwords: Retrieves system users' password hashes.
  • --privileges: Retrieves system users' privileges.
  • --ps-version: Retrieves PowerShell's version number.

File Access Options

These options are used to access files on the target host:

  • --file-read FILE_READ: Reads a file from the target host.
  • --file-write FILE_WRITE: Writes to a file on the target host.
  • --file-upload FILE_UPLOAD: Uploads a file to the target host.
  • --file-dest FILE_DEST: Specifies the host's absolute filepath to write and/or upload to.

Modules Options

These options utilize specific modules to enhance detection or injection:

  • --shellshock: Uses the 'shellshock' injection module.

Injection Options

These options specify which parameters to inject and provide custom injection payloads:

  • -p TEST_PARAMETER: Specifies testable parameter(s).
  • --skip SKIP_PARAMETER: Skips testing for given parameter(s).
  • --suffix SUFFIX: Sets an injection payload suffix string.
  • --prefix PREFIX: Sets an injection payload prefix string.
  • --technique TECH: Specifies injection technique(s) to use.
  • --skip-technique SKIP_TECH: Specifies injection technique(s) to skip.
  • --maxlen MAXLEN: Sets the max length of output for time-related injection techniques (default: 10000 chars).
  • --delay DELAY: Sets seconds to delay between each HTTP request (default: 0).
  • --time-sec TIMESEC: Sets seconds to delay the OS response (default: 0).
  • --tmp-path TMP_PATH: Sets the absolute path of the web server's temp directory.
  • --web-root WEB_ROOT: Sets the web server document root directory (e.g., '/var/www').
  • --alter-shell ALTER_SHELL: Uses an alternative OS shell (e.g., 'Python').
  • --os-cmd OS_CMD: Executes a single operating system command.
  • --os OS: Forces the back-end operating system (e.g., 'Windows' or 'Unix').
  • --tamper TAMPER: Uses given script(s) for tampering injection data.
  • --msf-path MSF_PATH: Sets a local path where Metasploit is installed.

Detection Options

These options customize the detection phase:

  • --level LEVEL: Sets the level of tests to perform (1-3, default: 1).
  • --skip-calc: Skips the mathematical calculation check during the detection phase.
  • --skip-empty: Skips testing parameters with empty values.
  • --failed-tries FAILED_TRIES: Sets the number of failed injection tries in the file-based technique (default is based on the number of separators).
  • --smart: Performs thorough tests only if positive heuristics are found.

Miscellaneous Options

Various other options:

  • --ignore-dependencies: Ignores all required third-party library dependencies.
  • --list-tampers: Displays a list of available tamper scripts.
  • --alert ALERT: Runs host OS command(s) when an injection point is found.
  • --no-logging: Disables logging to a file.
  • --purge: Safely removes all content from the commix data directory.
  • --skip-waf: Skips heuristic detection of WAF/IPS protection.
  • --mobile: Imitates a smartphone through the HTTP User-Agent header.
  • --offline: Works in offline mode.
  • --wizard: Uses a simple wizard interface for beginner users.
  • --disable-coloring: Disables console output coloring.

Note: The Debian package maintainers have disabled the --install and --update flags, as updates and installations should be handled by apt on Kali Linux. The default output directory is also changed to ~/.commix/output/ in the Kali version.

Links

Shellshock

python commix.py --url="http://192.168.0.1/cgi.bin/status" --shellshock