loading
loading
Vulnerabilities
An open-source tool that automates detecting and exploiting command injection.
overview
Commix, short for command injection exploiter, automates the full arc of finding and abusing OS command injection in web applications. Point it at a URL and a parameter and it probes for injectable points, confirms them across classic, eval-based, time-based, and file-based techniques, then drops you into a shell to run commands on the host, read and write files, and pull system details.
It carries the controls a real engagement needs: tune the test level and verbosity, inject through GET or POST data, cookies, or custom headers, route through a proxy or Tor, and tamper payloads to slip past filters. Crawl mode and sitemap parsing let it discover parameters to test instead of relying on one you supply.
As a Trickest Vulnerabilities node, Commix takes a target URL or a file of targets and writes a folder of results. Run it against endpoints that take user input, ideally ones a crawler or prober already surfaced, and treat confirmed injections as high-priority findings for the rest of the workflow.
use cases
Test a URL and its parameters across classic, eval-based, time-based, and file-based techniques so injectable points get confirmed without hand-crafting payloads.
Once a point is found, run host commands with --os-cmd or an interactive os-shell, read and write files, and retrieve system info to demonstrate real impact.
Route requests through --proxy or --tor and apply --tamper scripts so testing reaches targets behind WAFs and network controls.
Enable --crawl or sitemap parsing so Commix discovers parameters to test instead of relying on a single value you pass with -p.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| url | STRING | · | Target URL to test. |
| parameter | STRING | -p | Testable parameter(s) to inject into. |
| data | STRING | --data | Data string sent through POST. |
| level | STRING | --level | Level of tests to perform (1-3, default 1). |
| technique | STRING | --technique | Injection technique(s) to use (classic, eval, time, file). |
| os-cmd | STRING | --os-cmd | Execute a single operating system command on the host. |
| crawl | BOOLEAN | --crawl | Crawl the website starting from the target URL. |
| proxy | STRING | --proxy | Route requests through a proxy to reach the target. |
Showing key inputs. commix exposes 86 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| os | STRING | --os | Force back-end operating system (e.g. 'Windows' or 'Unix'). |
| all | BOOLEAN | --all | Retrieve everything. |
| tor | BOOLEAN | --tor | Use the Tor network. |
| url | STRING | · | Target URL. |
| data | STRING | --data | Data string to be sent through POST. |
| host | STRING | --host | HTTP Host header. |
| skip | STRING | --skip | Skip testing for given parameter(s). |
| urls | FILE | · | Scan multiple targets given in a textual file. |
| alert | STRING | --alert | Run host OS command(s) when injection point is found. |
| codec | STRING | --codec | Force codec for character encoding (e.g. 'ascii'). |
| crawl | BOOLEAN | --crawl | Crawl the website starting from the target URL |
| delay | STRING | --delay | Seconds to delay between each HTTP request. |
| level | STRING | --level | Level of tests to perform (1-3, Default: 1). |
| proxy | STRING | --proxy | Use a proxy to connect to the target URL. |
| purge | BOOLEAN | --purge | Safely remove all content from commix data directory. |
| smart | BOOLEAN | --smart | Perform thorough tests only if positive heuristic(s). |
| users | BOOLEAN | --users | Retrieve system users. |
| cookie | STRING | --cookie | HTTP Cookie header. |
| header | STRING | --header | Extra header (e.g. 'X-Forwarded-For: 127.0.0.1'). |
| maxlen | STRING | --maxlen | Set the max length of output for time-related |
| method | STRING | --method | Force usage of given HTTP method (e.g. PUT) |
| mobile | BOOLEAN | --mobile | Imitate smartphone through HTTP User-Agent header. |
| os-cmd | STRING | --os-cmd | Execute a single operating system command. |
| prefix | STRING | --prefix | Injection payload prefix string. |
| suffix | STRING | --suffix | Injection payload suffix string. |
| tamper | STRING | --tamper | Use given script(s) for tampering injection data. |
| answers | STRING | --answers | Set predefined answers (e.g. "quit=N,follow=N") |
| charset | STRING | --charset | Time-related injection charset (e.g. "0123456789abcdef") |
| headers | STRING | --headers | Extra headers (e.g. 'Accept-Language: fr\nETag: 123'). |
| is-root | BOOLEAN | --is-root | Check if the current user have root privileges. |
| offline | BOOLEAN | --offline | Work in offline mode. |
| referer | STRING | --referer | HTTP Referer header. |
| request | FILE | -r | Load HTTP request from a file. |
| retries | STRING | --retries | Retries when the connection timeouts (Default: 3). |
| session | FILE | -s | Load session from a stored (.sqlite) file. |
| sitemap | BOOLEAN | -x | Parse target(s) from remote sitemap(.xml) file. |
| timeout | STRING | --timeout | Seconds to wait before timeout connection (Default: |
| auth-url | STRING | --auth-url | Login panel URL. |
| hostname | BOOLEAN | --hostname | Retrieve current hostname. |
| is-admin | BOOLEAN | --is-admin | Check if the current user have admin privileges. |
| log-file | FILE | -l | Parse target from HTTP proxy log file. |
| skip-waf | BOOLEAN | --skip-waf | Skip heuristic detection of WAF/IPS/IDS protection. |
| sys-info | BOOLEAN | --sys-info | Retrieve system information. |
| time-sec | STRING | --time-sec | Seconds to delay the OS response (Default: 1). |
| tmp-path | STRING | --tmp-path | Set the absolute path of web server's temp directory. |
| tor-port | STRING | --tor-port | Set Tor proxy port (Default: 8118). |
| web-root | STRING | --web-root | Set the web server document root directory (e.g. '/var/www'). |
| auth-cred | STRING | --auth-cred | HTTP authentication credentials (e.g. 'admin:admin'). |
| auth-data | STRING | --auth-data | Login parameters and data. |
| auth-type | STRING | --auth-type | HTTP authentication type (Basic, Digest, Bearer). |
| file-dest | STRING | --file-dest | Host's absolute filepath to write and/or upload to. |
| file-read | STRING | --file-read | Read a file from the target host. |
| force-ssl | BOOLEAN | --force-ssl | Force usage of SSL/HTTPS. |
| param-del | STRING | --param-del | Set character for splitting parameter values. |
| parameter | STRING | -p | Testable parameter(s). |
| passwords | BOOLEAN | --passwords | Retrieve system users password hashes. |
| skip-calc | BOOLEAN | --skip-calc | Skip the mathematic calculation during the detection |
| technique | STRING | --technique | Specify injection technique(s) to use. |
| tor-check | BOOLEAN | --tor-check | Check to see if Tor is used properly. |
| verbosity | STRING | -v | Verbosity level (0-4, Default: 0). |
| cookie-del | STRING | --cookie-del | Set character for splitting cookie values. |
| file-write | STRING | --file-write | Write to a file on the target host. |
| no-logging | BOOLEAN | --no-logging | Disable logging to a file. |
| privileges | BOOLEAN | --privileges | Retrieve system users privileges. |
| ps-version | BOOLEAN | --ps-version | Retrieve PowerShell's version number. |
| shellshock | BOOLEAN | --shellshock | The 'shellshock' injection module. |
| skip-empty | BOOLEAN | --skip-empty | Skip testing the parameter(s) with empty value(s). |
| url-reload | BOOLEAN | --url-reload | Reload target URL after command execution. |
| user-agent | STRING | --user-agent | HTTP User-Agent header. |
| alter-shell | STRING | --alter-shell | Use an alternative os-shell (e.g. 'Python'). |
| file-upload | STRING | --file-upload | Upload a file on the target host. |
| ignore-code | STRING | --ignore-code | Ignore (problematic) HTTP error code (e.g. 401). |
| current-user | BOOLEAN | --current-user | Retrieve current user name. |
| failed-tries | STRING | --failed-tries | Set a number of failed injection tries, in file-based |
| ignore-proxy | BOOLEAN | --ignore-proxy | Ignore system default proxy settings. |
| list-tampers | BOOLEAN | --list-tampers | Display list of available tamper scripts. |
| random-agent | BOOLEAN | --random-agent | Use a randomly selected HTTP User-Agent header. |
| crawl-exclude | STRING | --crawl-exclude | Regexp to exclude pages from crawling (e.g. "logout"). |
| flush-session | BOOLEAN | --flush-session | Flush session files for current target. |
| check-internet | BOOLEAN | --check-internet | Check internet connection before assessing the target. |
| ignore-session | BOOLEAN | --ignore-session | Ignore results stored in session file. |
| skip-technique | STRING | --skip-technique | Specify injection technique(s) to skip. |
| drop-set-cookie | BOOLEAN | --drop-set-cookie | Ignore Set-Cookie header from response. |
| skip-heuristics | BOOLEAN | --skip-heuristics | Skip heuristic detection for code injection. |
| ignore-redirects | BOOLEAN | --ignore-redirects | Ignore redirection attempts. |
| ignore-dependencies | BOOLEAN | --ignore-dependencies | Ignore all required third-party library dependencies. |
example
# detect and exploit command injection in the 'addr' POST parametercommix -u "https://example.com/ping.php" --data="addr=127.0.0.1" -p addr --level=2 --os-cmd="id"[*] Checking connection to the target URL... [ ok ][*] Setting the POST parameter 'addr' for tests.[*] Testing the (results-based) classic command injection technique... [ succeed ][+] The POST parameter 'addr' seems injectable via (results-based) classic command injection technique. [~] Payload: ;echo VCEKZP$((80+27))$(echo VCEKZP)VCEKZP[*] Type "?" for available options.commix(os_shell) > iduid=33(www-data) gid=33(www-data) groups=33(www-data)commix(os_shell) > hostnameweb01.example.comguidance
Reach for Commix when you suspect OS command injection and want detection plus exploitation in one tool. It is specialized for command injection, so for SQL injection use sqlmap and for broad CVE coverage use nuclei. Feed it endpoints that take user input.
Automates SQL injection. Commix is the command-injection counterpart with the same detect-and-exploit model.
Template scanner for broad coverage. Commix is deeper and interactive on one injection class.
Targets server-side template injection. Different bug class, similar exploitation approach.
faq
related
A Go script for bypassing 403 forbidden responses.
Detect and abuse vulnerable implementations of stateless sessions.
A Python tool to find Cross-Origin Resource Sharing misconfigurations.
A tool to find HTTP splitting vulnerabilities.
Multi-threaded, IPv6-aware username enumeration via CVE-2018-15473.
Accurately fingerprint and detect Netscaler and Citrix ADC versions vulnerable to CVE-2023-3519.
A target feeds katana to surface parameters, then Commix tests them for command injection and writes confirmed injections as output.
Facts on this page come from the live Trickest tool library.