Commix v0.9b Command Injection Exploiter

Commix (short for [comm]and [i]njection e[x]ploiter) is an automated tool that can be used from web developers, penetration testers or even security researchers in order to test web-based applications with the view to find bugs, errors or vulnerabilities related to command injection attacks.

By using this tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or HTTP header.

Changelog v0.9b (2016-06-07)

Added: The ability to re-perform the injection request if it has failed.
Fixed: The shell output in semiblind (“file-based”) technique has been fixed not to concat new lines.
Revised: The ability to execute multiple tamper scripts combined or the one after the other.
Added: New tamper script “space2plus.py” that replaces every space (” “) with plus (“+”).
Added: New state (“checking”) and the color of that state has been setted.
Replaced: The “–base64” option has been replaced with “base64encode.py” tamper script.
Added: New tamper script “space2ifs.py” that replaces every space (” “) with $IFS (bash) variable.
Added: New option “–tamper” that supports tamper injection scripts.
Added: Support for verbosity levels (currently supported levels: 0,1).
Fixed: Minor rearrangement of prefixes and separators has been implemented.
Revised: The “time-based” (blind) technique fr *nix targets has been shortly revised.
Revised: The source code has been revised to support “print_state_msg” (i.e error, warning, success etc) functions.