Pentest Tools

Published on April 12th, 2016 📆 | 5746 Views ⚑


Commix — Command Injection Exploiter

natural tts
Commix (short for [comm]and [i]njection e[x]ploiter) is a simple environment that web developers, penetration testers or even security researchers can use to test web applications in order to find bugs, errors or vulnerabilities – related to command injection attacks. Find and exploit a command injection vulnerability with ease.  Commix is written in Python programming language.

Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation. A malevolent hacker can exploit that vulnerability to gain unauthorized access to data or network resources or even administrator access to a box

This attack differs from Code Injection, in that code injection allows the attacker to add his own code that is then executed by the application. In Code Injection, the attacker extends the default functionality of the application without the necessity of executing system commands.

Successful command injection attacks can lead to execution of arbitrary commands on the affected system through a vulnerable application. They can occur if the app does not provide sufficient input validation and passes along commands from the user, via forms, cookies or HTTP headers.

The features available in Commix include a set of options for specifying which parameters should be injected and to append the injection payloads.

Users can define data in the POST request that should be added as well as employ injection payload suffix and prefix strings to exploit the target. Moreover, there is support for base64 encoding and for multiple injection techniques (classic, eval-based, time-based or file-based).



Python version 2.6.x or 2.7.x is required for running this program.

Supported Platforms

  • Linux
  • Mac OS X
  • Windows (experimental)



Download commix by cloning the Git repository:

git clone commix

Commix comes packaged on the official repositories of the following Linux distributions:

Commix also comes pre-installed, on the following penetration testing frameworks:


 [adsense size='1']



To get a list of all options and switches use:

python -h

Have a quick look of all available options and switches here.


Usage Examples

So, do you want to get some ideas on how to use commix? Just go and check ‘usage examples‘ wiki page.


Upload Shells

Commix enables you to upload web-shells (e.g metasploit PHP meterpreter) easily on target host. For more, check ‘upload shells‘ wiki page.


Modules Development

Do you want to increase the capabilities of the commix and adapt it to your needs? You can easily develop and import our own modules. For more, check ‘module development‘ wiki page.



Command Injection Exploiter: Commix wiki


Command Injection Exploiter Demos


Command Injection Exploiter: Commix presentation



Source && Download

Leave a Reply

Your email address will not be published.