Commix v0.9b Command Injection Exploiter

Commix v0.9b Command Injection Exploiter

Commix (short for [comm]and [i]njection e[x]ploiter) is an automated tool that can be used from web developers, penetration testers or even security researchers in order to test web-based applications with the view to find bugs, errors or vulnerabilities related to command injection attacks.

By using this tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or HTTP header.


Changelog v0.9b (2016-06-07)

  • Added: The ability to re-perform the injection request if it has failed.
  • Fixed: The shell output in semiblind (“file-based”) technique has been fixed not to concat new lines.
  • Revised: The ability to execute multiple tamper scripts combined or the one after the other.
  • Added: New tamper script “” that replaces every space (” “) with plus (“+”).
  • Added: New state (“checking”) and the color of that state has been setted.
  • Replaced: The “–base64” option has been replaced with “” tamper script.
  • Added: New tamper script “” that replaces every space (” “) with $IFS (bash) variable.
  • Added: New option “–tamper” that supports tamper injection scripts.
  • Added: Support for verbosity levels (currently supported levels: 0,1).
  • Fixed: Minor rearrangement of prefixes and separators has been implemented.
  • Revised: The “time-based” (blind) technique fr *nix targets has been shortly revised.
  • Revised: The source code has been revised to support “print_state_msg” (i.e error, warning, success etc) functions.



  • Python version 2.6.x or 2.7.x is required for running this program.

Supported Platforms

  • Linux
  • Mac OS X
  • Windows (experimental)

More Information:


[button size=large style=round color=red align=none url=]Commix v0.9b Command Injection Exploiter[/button]

Thanks to our friend Anastasios Stasinopoulos, for sharing this tool with us.

MaxiSoler @maxisoler