• Automated All-in-One OS Command Injection Exploitation Tool

    Commix (short for [comm]and [i]njection e[x]ploiter) is an open source penetration testing tool, written by Anastasios Stasinopoulos (@ancst), that automates the detection and exploitation of command injection vulnerabilities.


    Automates the detection and exploitation of command injection vulnerabilities in certain vulnerable parameter(s) and/or HTTP header(s).


    Everything you need to perform effective command injection attacks against multiple operating systems and applications is included.


    You are able to develop and easily import your own modules in order to increase the capabilities of commix and/or adapt it to your needs.


    It is compatible with multiple penetration testing tools and freamworks (e.g. Metasploit Freamwork, Burp-suite, SQLMap etc) thereby the detection and exploitation success rate is higly increased.


    It is Written in Python! No need to compile anything, only Python (version 2.6, 2.7 or 3.x) is required for running commix on any platform.

    Free & Open Source Software.

    It is a free and open source project licensed under the GPLv3 License.

    Frequently Ask Questions

    Below you will find the answers to the questions that are most often asked by the users of commix.

    Usage and Example

    Q: Where can I get all the available options, switches and/or some basic ideas on how to use commix?

    A: To get an overview of commix available options, switches and/or basic ideas on how to use commix, check usage , usage examples and filters-bypasses wiki pages on GitHub.

    Gettings Shells

    Q: How can I get shell on a target host via commix?

    A: We all love shells and that's why commix enables you to get bind/reverse shells and/or easily upload web shells (e.g metasploit PHP meterpreter) on a target host. For more, check the getting shells wiki page on GitHub.

    Modules Development

    Q: How can I increase the capabilities of the commix tool and/or to adapt it to my needs?

    A: You can easily develop and import our own modules. For more, check the module development wiki page on GitHub.

    Real-world Scenarios

    Q: How can I test or evaluate the detection and exploitation capabilities of commix?

    A: Check the command injection testbeds wiki page which includes a collection of applications and virtual machines vulnerable to command injection attacks.

    Exploitation Demos

    Q: Is there a place where I can check for demos of commix?

    A: If you want to see a collection of demos, about the exploitation capabilities of commix, take a look at the third party references wiki page on GitHub.

    Bugs and Enhancements

    Q: I found a bug and/or I have to request new features. What can I do?

    A: For bug reports and/or new features, please open an issue on Github .

    Presentations and White Papers

    Q: Is there a place where I can find presentations and/or white papers regarding commix?

    A: For presentations and/or white papers published in conferences, check the presentations wiki page on GitHub.

    Stable Releases

    Q: Where can I find stable releases of commix?

    A: For stable releases check the Releases page on GitHub.

    If you have any other questions, please contact on GitHub or Twitter .