Commix v0.9b Command Injection Exploiter
Commix (short for [comm]and [i]njection e[x]ploiter) is an automated tool that can be used from web developers, penetration testers or even security researchers in order to test web-based applications with the view to find bugs, errors or vulnerabilities related to command injection attacks.
By using this tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or HTTP header.
Changelog v0.9b (2016-06-07)
- Added: The ability to re-perform the injection request if it has failed.
- Fixed: The shell output in semiblind (“file-based”) technique has been fixed not to concat new lines.
- Revised: The ability to execute multiple tamper scripts combined or the one after the other.
- Added: New tamper script “space2plus.py” that replaces every space (” “) with plus (“+”).
- Added: New state (“checking”) and the color of that state has been setted.
- Replaced: The “–base64” option has been replaced with “base64encode.py” tamper script.
- Added: New tamper script “space2ifs.py” that replaces every space (” “) with $IFS (bash) variable.
- Added: New option “–tamper” that supports tamper injection scripts.
- Added: Support for verbosity levels (currently supported levels: 0,1).
- Fixed: Minor rearrangement of prefixes and separators has been implemented.
- Revised: The “time-based” (blind) technique fr *nix targets has been shortly revised.
- Revised: The source code has been revised to support “print_state_msg” (i.e error, warning, success etc) functions.
- Python version 2.6.x or 2.7.x is required for running this program.
- Mac OS X
- Windows (experimental)
[button size=large style=round color=red align=none url=https://github.com/stasinopoulos/commix]Commix v0.9b Command Injection Exploiter[/button]
Thanks to our friend Anastasios Stasinopoulos, for sharing this tool with us.