• Automated All-in-One OS Command Injection Exploitation Tool

    Commix (short for [comm]and [i]njection e[x]ploiter) is an open source penetration testing tool, written by Anastasios Stasinopoulos (@ancst), that automates the detection and exploitation of command injection vulnerabilities.

    Easy-to-Use.

    Automates the detection and exploitation of command injection vulnerabilities in certain vulnerable parameter(s) and/or HTTP header(s).

    Portable.

    Everything you need to perform effective command injection attacks against multiple operating systems and applications is included.

    Modular.

    You are able to develop and easily import your own modules in order to increase the capabilities of commix and/or adapt it to your needs.

    Cross-Compatible.

    It is compatible with multiple penetration testing tools and frameworks (e.g. Metasploit Framework, Burp Suite, SQLMap etc.), so the detection and exploitation success rate is highly increased.

    Cross-Platform.

    It is written in Python! No need to compile anything; only Python (version 2.6, 2.7 or 3.x) is required for running commix on any platform.

    Free & Open Source Software.

    It is a free and open source project licensed under the GPLv3 License.

    Frequently Asked Questions

    Below you will find the answers to the questions that are most often asked by the users of commix.

    Usage and Example

    Q: Where can I get all the available options, switches and/or some basic ideas on how to use commix?

    A: To get an overview of commix's available options, switches and/or basic ideas on how to use commix, check the usage, usage examples and filters-bypasses wiki pages on GitHub.

    Getting Shells

    Q: How can I get a shell on a target host via commix?

    A: We all love shells and that's why commix enables you to get bind/reverse shells and/or easily upload web shells (e.g. Metasploit PHP Meterpreter) on a target host. For more, check the getting shells wiki page on GitHub.

    Modules Development

    Q: How can I increase the capabilities of the commix tool and/or adapt it to my needs?

    A: You can easily develop and import your own modules. For more, check the module development wiki page on GitHub.

    Real-world Scenarios

    Q: How can I test or evaluate the detection and exploitation capabilities of commix?

    A: Check the command injection testbeds wiki page which includes a collection of applications and virtual machines vulnerable to command injection attacks.

    Exploitation Demos

    Q: Is there a place where I can check for demos of commix?

    A: If you want to see a collection of demos of the exploitation capabilities of commix, take a look at the third party references wiki page on GitHub.

    Bugs and Enhancements

    Q: I found a bug and/or I want to request new features. What can I do?

    A: For bug reports and/or new features, please open an issue on GitHub.

    Presentations and White Papers

    Q: Is there a place where I can find presentations and/or white papers regarding commix?

    A: For presentations and/or white papers published in conferences, check the presentations wiki page on GitHub.

    Stable Releases

    Q: Where can I find stable releases of commix?

    A: For stable releases, check the Releases page on GitHub.


    If you have any other questions, please get in touch on GitHub or Twitter.