Commix – OS Command Injection and Exploitation Tool

In terms of security, we also refer to command injection as shell injection and operating system injection. Command injection lies in the OWASP top 10 every year. Command injection is a hacking technique in which hackers execute commands in the host operating system through vulnerable web applications after scanning. This attack can be possible if a web application is sending user data to its system shell through some connectivity. This user data can be of any type which can be HTTP headers or cookies or forms etc. The history of command injection is very interesting because command injection was accidentally discovered by a programmer in Norway in mid-1997. The command injection vulnerability gave rise to another new type of command injection which is SQL command injection. 

Introduction to Commix

Commix is a free and open-source tool available on GitHub. This tool is a powerful tool used for exploiting command injection vulnerabilities in websites and web applications. Command injection is a vulnerability that usually occurred in web applications. In terms of cyber security, command injection is also called shell injection. Commix is written in python language. You must have python installed on your kali Linux operating system. The interactive console is very similar to metasploitable 1 and metasploitable which makes it easy to use. This tool works as a tester of a command injection vulnerability in websites and web applications.

Working of Commix

Commix tool comes with different modules installed within it which lets its user find out vulnerability in the target application. Commix attack on target URL using data strings or HTTP header or cookies also on authentication parameters. In commix, users can find different enumeration options. By using commix user can perform two types of command injection. The first is the result-based command injection technique and the second is the blind command injection technique.

Result Based Command Injection: RBCI or Result Based Command Injection technique is a type of command injection technique in which all commands that the attacker fires in a web application will reflect back to the attacker.

Blind Command Injection Technique: BCIT is a command injection technique where the attacker has not received any reflection back from the browser.

Installation of the commix tool

Step 1: Open your kali Linux operating system and use the following command to install the tool. 

cd Desktop

git clone https://github.com/commixproject/commix.git commix

Step 2: The tool has been installed successfully. Now use the following command to move into the directory of the tool.

cd commix
ls

Step 3: Now you are in the directory of the tool. Use the following command to run the tool.

python3 commix.py

The tool is running successfully. Now we will see examples to use the tool.

Usage

Example 1:  Use the commix tool to find out if the domain has command injection vulnerability or not.

–url = URL    Here, the ‘URL’ is the target web address.  

Example 2: Use the commix tool to find out if the domain has command injection vulnerability or not using batch flag.

python3 commix.py -u <url> --batch

Example 3: Use the commix tool to find out if the domain has command injection vulnerability or not using –all flag.

python3 commix.py -u <url> --all