Commix (short for [ comm ]and [ i ]njection e[ x ]ploiter) is an automated tool written by Anastasios Stasinopoulos ( @ancst ) that can be used from web developers, penetration testers or even security researchers in order to test web-based applications with the view to find bugs, errors or vulnerabilities related to command injection attacks. By using this tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or HTTP header.
Python version 2.6.x or 2.7.x is required for running this program.
Download commix by cloning the Git repository:
git clone https://github.com/commixproject/commix.git commix
Commix comes packaged on the official repositories of the following Linux distributions, so you can use the package manager to install it!
- TrustedSec's Penetration Testers Framework (PTF)
- OWASP Offensive Web Testing Framework (OWTF)
- Aptive's Penetration Testing tools
- Mac OS X
- Windows (experimental)
To get a list of all options and switches use:
Q : Where can I check all the available options and switches?
python commix.py -h
A : Check the ' usage ' wiki page.
Q : Can I get some basic ideas on how to use commix?
A : Just go and check the ' usage examples ' wiki page, where there are several test cases and attack scenarios.
Q : How easily can I upload web-shells on a target host via commix?
A : Commix enables you to upload web-shells (e.g metasploit PHP meterpreter) easily on target host. For more, check the ' upload shells ' wiki page.
Q : Do you want to increase the capabilities of the commix tool and/or to adapt it to our needs?
A : You can easily develop and import our own modules. For more, check the ' module development ' wiki page.
Command Injection Testbeds
Q : How can I test or evaluate the exploitation abilities of commix?
A : Check the ' command injection testbeds ' wiki page which includes a collection of pwnable web applications and/or VMs (that include web applications) vulnerable to command injection attacks.
Q : Is there a place where I can check for demos of commix?
A : If you want to see a collection of demos, about the exploitation abilities of commix, take a look at the ' exploitation demos ' wiki page.
Bugs and Enhancements
Q : I found a bug / I have to suggest a new feature! What can I do?
A : For bug reports or enhancements, please open an issue here .
Presentations and White Papers
Q : Is there a place where I can find presentations and/or white papers regarding commix?
A : For presentations and/or white papers published in conferences, check the ' presentations ' wiki page.
Support and Donations
Q : Except for tech stuff (bug reports or enhancements) is there any other way that I can support the development of commix?
A : Sure! Commix is the outcome of many hours of work and total personal dedication. Feel free to ' donate ' via PayPal to
firstname.lastname@example.org instantly prove your feelings for it! :).