Commix

From charlesreid1

Description

Commix, short for COMMand Injection eXploiter, is an open-source penetration testing tool developed by Anastasios Stasinopoulos. Its primary function is to automate the detection and exploitation of command injection vulnerabilities. (Command injection involves executing arbitrary commands on a host operating system through a vulnerable application.) Commix simplifies the process for security professionals to identify and leverage these weaknesses in web applications and other systems.

The tool is written in Python and is compatible with versions 2.6, 2.7, and 3.x. The project is licensed under the GNU General Public License v3 (GPLv3).

The tool documents most of its options on its wiki: https://github.com/commixproject/commix/wiki

The tool's development is ongoing, with a focus on providing a stable and reliable utility for penetration testers. The setup.py file indicates a stable version (e.g., '4.0-stable') and includes project URLs for documentation, source code, and an issue tracker, all hosted on GitHub. This structured approach to development and community engagement helps ensure that Commix remains a relevant and powerful tool in the cybersecurity landscape.

Commix also supports various international users, with translations of its README available in several languages, including Farsi (Persian), Greek, Indonesian, and Turkish. This commitment to accessibility broadens its reach and usability across different regions. The project encourages community involvement through its issue tracker for reporting bugs or suggesting enhancements.

Example Usage Scenarios

Web App Penetration Testing

Imagine a security professional is tasked with performing a black-box penetration test against a web application. They have identified several input fields (e.g., search bars, contact forms, URL parameters) that might be passing user-supplied data to system commands on the backend. Instead of manually crafting and testing countless command injection payloads for each input vector, the professional could use Commix. They can provide the target URL and specify the parameters to test (-u http://target.com/vuln.php?id=test --data "param=val").

Commix can then automatically attempt various injection techniques (classic, time-based, file-based, eval-based) to detect if a command injection vulnerability exists. If a vulnerability is found, Commix can provide an OS shell, allowing the professional to further explore the compromised system, enumerate users (--users), read files (--file-read), or even attempt to gain a reverse TCP shell for more interactive control. This automates a significant portion of the discovery and initial exploitation phase.

Post-Exploitation and Privilege Escalation

In a scenario where a security professional has already gained a limited shell on a server (perhaps through a different vulnerability), they might discover that certain scripts or applications run by other users (or even by root/administrator) take user-supplied input that is then used in a system command. If the initial shell is restrictive or non-interactive, Commix could be used to exploit this secondary command injection vector.

The professional could point Commix to the vulnerable script/parameter from within the compromised system (if network access allows, or by setting up a proxy/tunnel). Commix's enumeration features like --current-user, --is-root (or --is-admin for Windows), and --privileges would be invaluable to quickly assess the context of the newly exploited command injection point and determine if it offers higher privileges than their initial foothold. The tool's ability to upload files (--file-upload) could also be used to introduce privilege escalation scripts.

Command Line Flags

Commix offers a variety of command-line options to control its behavior, categorized into several groups:

General Options

These options relate to general tool operation:

  • -v VERBOSE: Sets the verbosity level (0-4, default is 0).
  • --version: Shows the version number and exits.
  • --output-dir OUTPUT_DIR: Sets a custom directory path for output.
  • -s SESSION_FILE: Loads a session from a stored .sqlite file.
  • --flush-session: Flushes session files for the current target.
  • --ignore-session: Ignores results stored in the session file.
  • -t TRAFFIC_FILE: Logs all HTTP traffic into a textual file.
  • --time-limit TIME_LIMIT: Runs the tool with a time limit in seconds (e.g., 3600).
  • --batch: Never asks for user input and uses default behavior.
  • --skip-heuristics: Skips heuristic detection for code injection.
  • --codec CODEC: Forces a specific codec for character encoding (e.g., 'ascii').
  • --charset CHARSET: Specifies the charset for time-related injection (e.g., '0123456789abcdef').
  • --check-internet: Checks for an internet connection before assessing the target.
  • --answers ANSWERS: Sets predefined answers for questions (e.g., 'quit=N,follow=N').

Target Options

These options define the target for the tool:

  • -u URL, --url URL: Specifies the target URL.
  • --url-reload: Reloads the target URL after command execution.
  • -l LOGFILE: Parses the target from an HTTP proxy log file.
  • -m BULKFILE: Scans multiple targets listed in a textual file.
  • -r REQUESTFILE: Loads an HTTP request from a file.
  • --crawl CRAWLDEPTH: Crawls the website starting from the target URL (default depth: 1).
  • --crawl-exclude REGEXP: Excludes pages from crawling using a regular expression (e.g., 'logout').
  • -x SITEMAP_URL: Parses target(s) from a remote sitemap (.xml) file.
  • --method METHOD: Forces the usage of a given HTTP method (e.g., 'PUT').

Request Options

These options specify how to connect to the target URL:

  • -d DATA, --data DATA: Provides the data string to be sent via POST.
  • --host HOST: Sets the HTTP Host header.
  • --referer REFERER: Sets the HTTP Referer header.
  • --user-agent AGENT: Sets the HTTP User-Agent header (default is 'commix/VERSION (https://commixproject.com)').
  • --random-agent: Uses a randomly selected HTTP User-Agent header.
  • --param-del PDEL: Sets the character for splitting parameter values.
  • --cookie COOKIE: Sets the HTTP Cookie header.
  • --cookie-del CDEL: Sets the character for splitting cookie values.
  • -H HEADER, --header HEADER: Specifies an extra header (e.g., 'X-Forwarded-For: 127.0.0.1').
  • --headers HEADERS: Specifies multiple extra headers (e.g., 'Accept-Language: fr\nETag: 123').
  • --proxy PROXY: Uses a proxy to connect to the target URL.
  • --tor: Uses the Tor network.
  • --tor-port TOR_PORT: Sets the Tor proxy port (default: 8118).
  • --tor-check: Checks if Tor is used properly.
  • --auth-url AUTH_URL: Specifies the login panel URL.
  • --auth-data AUTH_DATA: Specifies login parameters and data.
  • --auth-type AUTH_TYPE: Sets the HTTP authentication type (Basic, Digest, Bearer).
  • --auth-cred AUTH_CRED: Sets HTTP authentication credentials (e.g., 'admin:admin').
  • --abort-code ABORT_CODE: Aborts on specified (problematic) HTTP error codes (e.g., 401).
  • --ignore-code IGNORE_CODE: Ignores specified (problematic) HTTP error codes (e.g., 401).
  • --force-ssl: Forces the usage of SSL/HTTPS.
  • --ignore-proxy: Ignores system default proxy settings.
  • --ignore-redirects: Ignores redirection attempts.
  • --timeout TIMEOUT: Sets the connection timeout in seconds (default: 30).
  • --retries RETRIES: Sets the number of retries when the connection timeouts (default: 3).
  • --drop-set-cookie: Ignores Set-Cookie header from the response.

Enumeration Options

These options are used to enumerate the target host:

  • --all: Retrieves everything.
  • --current-user: Retrieves the current username.
  • --hostname: Retrieves the current hostname.
  • --is-root: Checks if the current user has root privileges.
  • --is-admin: Checks if the current user has admin privileges.
  • --sys-info: Retrieves system information.
  • --users: Retrieves system users.
  • --passwords: Retrieves system users' password hashes.
  • --privileges: Retrieves system users' privileges.
  • --ps-version: Retrieves PowerShell's version number.

File Access Options

These options are used to access files on the target host:

  • --file-read FILE_READ: Reads a file from the target host.
  • --file-write FILE_WRITE: Writes to a file on the target host.
  • --file-upload FILE_UPLOAD: Uploads a file to the target host.
  • --file-dest FILE_DEST: Specifies the host's absolute filepath to write and/or upload to.

Modules Options

These options utilize specific modules to enhance detection or injection:

  • --shellshock: Uses the 'shellshock' injection module.

Injection Options

These options specify which parameters to inject and provide custom injection payloads:

  • -p TEST_PARAMETER: Specifies testable parameter(s).
  • --skip SKIP_PARAMETER: Skips testing for given parameter(s).
  • --suffix SUFFIX: Sets an injection payload suffix string.
  • --prefix PREFIX: Sets an injection payload prefix string.
  • --technique TECH: Specifies injection technique(s) to use.
  • --skip-technique SKIP_TECH: Specifies injection technique(s) to skip.
  • --maxlen MAXLEN: Sets the max length of output for time-related injection techniques (default: 10000 chars).
  • --delay DELAY: Sets seconds to delay between each HTTP request (default: 0).
  • --time-sec TIMESEC: Sets seconds to delay the OS response (default: 0).
  • --tmp-path TMP_PATH: Sets the absolute path of the web server's temp directory.
  • --web-root WEB_ROOT: Sets the web server document root directory (e.g., '/var/www').
  • --alter-shell ALTER_SHELL: Uses an alternative OS shell (e.g., 'Python').
  • --os-cmd OS_CMD: Executes a single operating system command.
  • --os OS: Forces the back-end operating system (e.g., 'Windows' or 'Unix').
  • --tamper TAMPER: Uses given script(s) for tampering injection data.
  • --msf-path MSF_PATH: Sets a local path where Metasploit is installed.

Detection Options

These options customize the detection phase:

  • --level LEVEL: Sets the level of tests to perform (1-3, default: 1).
  • --skip-calc: Skips mathematic calculation during the detection phase.
  • --skip-empty: Skips testing parameters with empty values.
  • --failed-tries FAILED_TRIES: Sets the number of failed injection tries in file-based technique (default is based on the number of separators).
  • --smart: Performs thorough tests only if positive heuristics are found.

Miscellaneous Options

Various other options:

  • --ignore-dependencies: Ignores all required third-party library dependencies.
  • --list-tampers: Displays a list of available tamper scripts.
  • --alert ALERT: Runs host OS command(s) when an injection point is found.
  • --no-logging: Disables logging to a file.
  • --purge: Safely removes all content from the commix data directory.
  • --skip-waf: Skips heuristic detection of WAF/IPS protection.
  • --mobile: Imitates a smartphone through the HTTP User-Agent header.
  • --offline: Works in offline mode.
  • --wizard: Uses a simple wizard interface for beginner users.
  • --disable-coloring: Disables console output coloring.

Note: The Debian package maintainers have disabled the --install and --update flags, as updates and installations should be handled by apt on Kali Linux. The default output directory is also changed to ~/.commix/output/ in the Kali version.

Links

Shellshock

python commix.py --url="http://192.168.0.1/cgi.bin/status" --shellshock
Retrieved from "https://charlesreid1.com/w/index.php?title=Commix&oldid=30178"