Developer does not condone using it for nefarious purposes

Apr 6, 2015 14:57 GMT  ·  By

A new tool is now freely available to anyone who wants to bump up the security of web apps and uncover possible vulnerabilities that could be exploited via command injection attacks.

Called Commix (abbreviated from “command injection exploiter”), it aims to be an all-in-one OS command injection and exploitation tool that can also be used by security researchers and penetration testers examining security flaws in different environments.

Intended for security testing purposes only

Successful command injection attacks can lead to execution of arbitrary commands on the affected system through a vulnerable application. They can occur if the app does not provide sufficient input validation and passes along commands from the user, via forms, cookies or HTTP headers.
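To make the mechanism concrete, here is an added illustration (not code from Commix or its author) of the bug class the paragraph describes, alongside a hardened version and a small detection helper for the three input vectors it names. It assumes a hypothetical ping feature that takes a hostname from the request.

```python
import re
import subprocess

# Added example for this article; not Commix's code or the author's.
# Assumes a hypothetical "ping a host" feature fed by a request value.
HOST_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")
# Shell metacharacters that let one argument turn into several commands.
SHELL_META = re.compile(r"[;&|`$<>\n\r]")


def vulnerable_ping_command(host: str) -> str:
    """The bug class Commix looks for: user input spliced into a shell
    string that the app then runs with shell=True. Anything after a ';'
    or '|' in `host` is parsed by the shell as a second command."""
    return f"ping -c 1 {host}"


def build_ping_argv(host: str) -> list[str]:
    """Hardened form: allow-list the value, then pass it as a separate
    argv element so no shell ever parses it."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> str:
    """Execute the hardened form (shell=False is the subprocess default)."""
    done = subprocess.run(build_ping_argv(host), capture_output=True,
                          text=True, timeout=10, check=False)
    return done.stdout


def scan_request(params: dict, cookies: dict, headers: dict) -> list[tuple[str, str]]:
    """Detection helper: flag any form field, cookie or header whose value
    carries shell metacharacters, the three vectors the article names."""
    flagged = []
    for where, bag in (("param", params), ("cookie", cookies), ("header", headers)):
        for name, value in bag.items():
            if SHELL_META.search(value):
                flagged.append((where, name))
    return flagged


if __name__ == "__main__":
    # Constructed sample request: one clean value, one tampered cookie.
    hits = scan_request({"host": "10.0.0.1"}, {"lang": "en; id"},
                        {"User-Agent": "curl/7.0"})
    print(hits)  # [('cookie', 'lang')]
```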

“By using this tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or string,” Anastasios Stasinopoulos, the developer of Commix, writes on the description page on GitHub.

However, although Commix is intended for white-hat activity and testing, it can also be used by a malicious actor, like any other security tool. Stasinopoulos warns about this and says that it “can only be used where strict consent has been given.”

Multiple injection options are available

The features available in Commix include a set of options for specifying which parameters should be injected and for appending the injection payloads.

Users can supply the data to be sent in the POST request, and can set injection payload prefix and suffix strings to match the target. There is also support for base64 encoding and for multiple injection techniques (classic, eval-based, time-based or file-based).

To get more familiar with Commix, the developer provides a set of usage examples, one of them involving a vulnerable PHP/MySQL web app. Another one exploits the OWASP Mutillidae application using extra headers and an HTTP proxy.