Automated All-in-One OS command injection and exploitation tool

 

Commix (short for [comm]and [i]njection e[x]ploiter) is an automated tool written by Anastasios Stasinopoulos (@ancst) that can be used from web developers, penetration testers or even security researchers in order to test web-based applications with the view to find bugs, errors or vulnerabilities related to command injection attacks. By using this tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or HTTP header.

Change log v1.9-20170502

  • Revised: Minor improvement in results-based techniques, for delaying the OS responses depending on the user-provided time delay.
  • Revised: The time-related (“time-based”/”tempfile-based”) payloads, have been shortly revised.
  • Revised: Minor improvement in file-based technique, for delaying the OS responses depending on the user-provided time delay.
  • Fixed: Minor improvement in file-based technique, regarding τhe directory path that the output file is saved.
  • Added: New option “–ignore-redirects” that ignoring redirection attempts.
  • Added: New functionality for identifying and following URL redirections.
  • Fixed: Minor improvement for adding “/” at the end of the user provided root dir (in case it does not exist).
  • Revised: The file-based payload for deleting files with execution output has been shortly revised.
  • Replaced: The “–root-dir” option has been replaced with “–web-root” option.
  • Added: New option “–wizard” that shows a simple wizard interface for beginner users.

Installation

git clone https://github.com/commixproject/commix.git commix

 139 total views,  1 views today